Edit tour

Windows Analysis Report
5n2U8ZZZbc.exe

Overview

General Information

Sample name:	5n2U8ZZZbc.exe renamed because original name is a hash value
Original sample name:	28132e1015622452ad4e449031910968d4c5b85d180de1211a34b0ac9ba7f335.exe
Analysis ID:	1588769
MD5:	4441de8460ebceeb46680832f1780860
SHA1:	5f351eab56bfaaa0eaf7d03ff4fbb6fd6df0fac3
SHA256:	28132e1015622452ad4e449031910968d4c5b85d180de1211a34b0ac9ba7f335
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

5n2U8ZZZbc.exe (PID: 7776 cmdline: "C:\Users\user\Desktop\5n2U8ZZZbc.exe" MD5: 4441DE8460EBCEEB46680832F1780860)

svchost.exe (PID: 7832 cmdline: "C:\Users\user\Desktop\5n2U8ZZZbc.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1407057028.0000000002E90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1406798842.0000000000620000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.620000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.620000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\5n2U8ZZZbc.exe", CommandLine: "C:\Users\user\Desktop\5n2U8ZZZbc.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\5n2U8ZZZbc.exe", ParentImage: C:\Users\user\Desktop\5n2U8ZZZbc.exe, ParentProcessId: 7776, ParentProcessName: 5n2U8ZZZbc.exe, ProcessCommandLine: "C:\Users\user\Desktop\5n2U8ZZZbc.exe", ProcessId: 7832, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\5n2U8ZZZbc.exe", CommandLine: "C:\Users\user\Desktop\5n2U8ZZZbc.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\5n2U8ZZZbc.exe", ParentImage: C:\Users\user\Desktop\5n2U8ZZZbc.exe, ParentProcessId: 7776, ParentProcessName: 5n2U8ZZZbc.exe, ProcessCommandLine: "C:\Users\user\Desktop\5n2U8ZZZbc.exe", ProcessId: 7832, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 5n2U8ZZZbc.exe	Virustotal: Detection: 63%			Perma Link
Source: 5n2U8ZZZbc.exe	ReversingLabs: Detection: 68%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.620000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1407057028.0000000002E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1406798842.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 5n2U8ZZZbc.exe

Joe Sandbox ML: detected

Source: 5n2U8ZZZbc.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: 5n2U8ZZZbc.exe, 00000000.00000003.1351967894.0000000003D90000.00000004.00001000.00020000.00000000.sdmp, 5n2U8ZZZbc.exe, 00000000.00000003.1353287635.0000000003F30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1407088896.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1358569148.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364938661.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1407088896.0000000003100000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 5n2U8ZZZbc.exe, 00000000.00000003.1351967894.0000000003D90000.00000004.00001000.00020000.00000000.sdmp, 5n2U8ZZZbc.exe, 00000000.00000003.1353287635.0000000003F30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1407088896.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1358569148.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364938661.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1407088896.0000000003100000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B5445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B5445A
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B5C6D1 FindFirstFileW,FindClose,	0_2_00B5C6D1
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B5C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B5C75C
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B5EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B5EF95
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B5F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B5F0F2
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B5F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B5F3F3
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B537EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B537EF
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B53B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B53B12
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B5BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B5BCBC

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B622EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00B622EE

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B64164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00B64164

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B64164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00B64164

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B63F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00B63F66

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B5001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00B5001C

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B7CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00B7CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.620000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1407057028.0000000002E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1406798842.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00AF3B3A
Source: 5n2U8ZZZbc.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 5n2U8ZZZbc.exe, 00000000.00000000.1343851273.0000000000BA4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_be33ac07-9
Source: 5n2U8ZZZbc.exe, 00000000.00000000.1343851273.0000000000BA4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_ae238ed1-f
Source: 5n2U8ZZZbc.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a97c807b-c
Source: 5n2U8ZZZbc.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_7660f628-a

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00621A26 NtProtectVirtualMemory,	2_2_00621A26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0064C593 NtClose,	2_2_0064C593
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172B60 NtClose,LdrInitializeThunk,	2_2_03172B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03172DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031735C0 NtCreateMutant,LdrInitializeThunk,	2_2_031735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03174340 NtSetContextThread,	2_2_03174340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03174650 NtSuspendThread,	2_2_03174650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172B80 NtQueryInformationFile,	2_2_03172B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172BA0 NtEnumerateValueKey,	2_2_03172BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172BF0 NtAllocateVirtualMemory,	2_2_03172BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172BE0 NtQueryValueKey,	2_2_03172BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172AB0 NtWaitForSingleObject,	2_2_03172AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172AD0 NtReadFile,	2_2_03172AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172AF0 NtWriteFile,	2_2_03172AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172F30 NtCreateSection,	2_2_03172F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172F60 NtCreateProcessEx,	2_2_03172F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172F90 NtProtectVirtualMemory,	2_2_03172F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172FB0 NtResumeThread,	2_2_03172FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172FA0 NtQuerySection,	2_2_03172FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172FE0 NtCreateFile,	2_2_03172FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172E30 NtWriteVirtualMemory,	2_2_03172E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172E80 NtReadVirtualMemory,	2_2_03172E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172EA0 NtAdjustPrivilegesToken,	2_2_03172EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172EE0 NtQueueApcThread,	2_2_03172EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172D10 NtMapViewOfSection,	2_2_03172D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172D00 NtSetInformationFile,	2_2_03172D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172D30 NtUnmapViewOfSection,	2_2_03172D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172DB0 NtEnumerateKey,	2_2_03172DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172DD0 NtDelayExecution,	2_2_03172DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172C00 NtQueryInformationProcess,	2_2_03172C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172C70 NtFreeVirtualMemory,	2_2_03172C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172C60 NtCreateKey,	2_2_03172C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172CA0 NtQueryInformationToken,	2_2_03172CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172CC0 NtQueryVirtualMemory,	2_2_03172CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172CF0 NtOpenProcess,	2_2_03172CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03173010 NtOpenDirectoryObject,	2_2_03173010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03173090 NtSetValueKey,	2_2_03173090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031739B0 NtGetContextThread,	2_2_031739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03173D10 NtOpenProcessToken,	2_2_03173D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03173D70 NtOpenThread,	2_2_03173D70

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B5A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00B5A1EF

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B48310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00B48310

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B551BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00B551BD

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B1D975	0_2_00B1D975
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00AFFCE0	0_2_00AFFCE0
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B121C5	0_2_00B121C5
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B262D2	0_2_00B262D2
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B703DA	0_2_00B703DA
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B2242E	0_2_00B2242E
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B125FA	0_2_00B125FA
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00AFE6A0	0_2_00AFE6A0
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B066E1	0_2_00B066E1
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B4E616	0_2_00B4E616
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B2878F	0_2_00B2878F
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B58889	0_2_00B58889
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B08808	0_2_00B08808
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B70857	0_2_00B70857
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B26844	0_2_00B26844
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B1CB21	0_2_00B1CB21
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B26DB6	0_2_00B26DB6
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B06F9E	0_2_00B06F9E
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B03030	0_2_00B03030
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B13187	0_2_00B13187
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B1F1D9	0_2_00B1F1D9
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00AF1287	0_2_00AF1287
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B11484	0_2_00B11484
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B05520	0_2_00B05520
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B17696	0_2_00B17696
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B05760	0_2_00B05760
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B11978	0_2_00B11978
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B29AB5	0_2_00B29AB5
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B1BDA6	0_2_00B1BDA6
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B11D90	0_2_00B11D90
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B77DDB	0_2_00B77DDB
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B03FE0	0_2_00B03FE0
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00AFDF00	0_2_00AFDF00
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_014D3418	0_2_014D3418
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006210C0	2_2_006210C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006210BE	2_2_006210BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0062E109	2_2_0062E109
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0062E113	2_2_0062E113
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00621210	2_2_00621210
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0064EBB3	2_2_0064EBB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0062FDB3	2_2_0062FDB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00622E00	2_2_00622E00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00622610	2_2_00622610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0063674F	2_2_0063674F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00636753	2_2_00636753
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0062DFC3	2_2_0062DFC3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0062FFD3	2_2_0062FFD3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FA352	2_2_031FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032003E6	2_2_032003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E3F0	2_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C02C0	2_2_031C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DA118	2_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130100	2_2_03130100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C8158	2_2_031C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032001AA	2_2_032001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F41A2	2_2_031F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F81CC	2_2_031F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03164750	2_2_03164750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313C7C0	2_2_0313C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315C6E0	2_2_0315C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140535	2_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03200591	2_2_03200591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E4420	2_2_031E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F2446	2_2_031F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EE4F6	2_2_031EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FAB40	2_2_031FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F6BD7	2_2_031F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03156962	2_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320A9A6	2_2_0320A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314A840	2_2_0314A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03142840	2_2_03142840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031268B8	2_2_031268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E8F0	2_2_0316E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03160F30	2_2_03160F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E2F30	2_2_031E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03182F28	2_2_03182F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B4F40	2_2_031B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BEFA0	2_2_031BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03132FC8	2_2_03132FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314CFE0	2_2_0314CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FEE26	2_2_031FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140E59	2_2_03140E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03152E90	2_2_03152E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FCE93	2_2_031FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FEEDB	2_2_031FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DCD1F	2_2_031DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314AD00	2_2_0314AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03158DBF	2_2_03158DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313ADE0	2_2_0313ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140C00	2_2_03140C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0CB5	2_2_031E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130CF2	2_2_03130CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F132D	2_2_031F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312D34C	2_2_0312D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0318739A	2_2_0318739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031452A0	2_2_031452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315B2C0	2_2_0315B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E12ED	2_2_031E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320B16B	2_2_0320B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312F172	2_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0317516C	2_2_0317516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314B1B0	2_2_0314B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EF0CC	2_2_031EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031470C0	2_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F70E9	2_2_031F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FF0E0	2_2_031FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FF7B0	2_2_031FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03185630	2_2_03185630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F16CC	2_2_031F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F7571	2_2_031F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DD5B0	2_2_031DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032095C3	2_2_032095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FF43F	2_2_031FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03131460	2_2_03131460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FFB76	2_2_031FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315FB80	2_2_0315FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B5BF0	2_2_031B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0317DBF9	2_2_0317DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FFA49	2_2_031FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F7A46	2_2_031F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B3A6C	2_2_031B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DDAAC	2_2_031DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03185AA0	2_2_03185AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E1AA3	2_2_031E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EDAC6	2_2_031EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D5910	2_2_031D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03149950	2_2_03149950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315B950	2_2_0315B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AD800	2_2_031AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031438E0	2_2_031438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FFF09	2_2_031FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03141F92	2_2_03141F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FFFB1	2_2_031FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03103FD2	2_2_03103FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03103FD5	2_2_03103FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03149EB0	2_2_03149EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F1D5A	2_2_031F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03143D40	2_2_03143D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F7D73	2_2_031F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315FDC0	2_2_0315FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B9C32	2_2_031B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FFCF2	2_2_031FFCF2

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0312B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03175130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 031BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03187E54 appears 110 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 031AEA12 appears 86 times
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: String function: 00AF7DE1 appears 36 times
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: String function: 00B18900 appears 42 times
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: String function: 00B10AE3 appears 70 times

Source: 5n2U8ZZZbc.exe, 00000000.00000003.1351518475.0000000003EB3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 5n2U8ZZZbc.exe
Source: 5n2U8ZZZbc.exe, 00000000.00000003.1354017255.000000000405D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 5n2U8ZZZbc.exe

Source: 5n2U8ZZZbc.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@3/2@0/0

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B5A06A GetLastError,FormatMessageW,

0_2_00B5A06A

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B481CB AdjustTokenPrivileges,CloseHandle,		0_2_00B481CB
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B487E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00B487E1

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B5B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00B5B3FB

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B6EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00B6EE0D

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B683BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00B683BB

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00AF4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00AF4E89

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

File created: C:\Users\user\AppData\Local\Temp\aut579.tmp

Jump to behavior

Source: 5n2U8ZZZbc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 5n2U8ZZZbc.exe	Virustotal: Detection: 63%
Source: 5n2U8ZZZbc.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\5n2U8ZZZbc.exe "C:\Users\user\Desktop\5n2U8ZZZbc.exe"
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\5n2U8ZZZbc.exe"
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\5n2U8ZZZbc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: 5n2U8ZZZbc.exe

Static file information: File size 1205248 > 1048576

Source: 5n2U8ZZZbc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 5n2U8ZZZbc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 5n2U8ZZZbc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 5n2U8ZZZbc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 5n2U8ZZZbc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 5n2U8ZZZbc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 5n2U8ZZZbc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: 5n2U8ZZZbc.exe, 00000000.00000003.1351967894.0000000003D90000.00000004.00001000.00020000.00000000.sdmp, 5n2U8ZZZbc.exe, 00000000.00000003.1353287635.0000000003F30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1407088896.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1358569148.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364938661.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1407088896.0000000003100000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 5n2U8ZZZbc.exe, 00000000.00000003.1351967894.0000000003D90000.00000004.00001000.00020000.00000000.sdmp, 5n2U8ZZZbc.exe, 00000000.00000003.1353287635.0000000003F30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1407088896.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1358569148.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364938661.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1407088896.0000000003100000.00000040.00001000.00020000.00000000.sdmp

Source: 5n2U8ZZZbc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 5n2U8ZZZbc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 5n2U8ZZZbc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 5n2U8ZZZbc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 5n2U8ZZZbc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00AF4B37 LoadLibraryA,GetProcAddress,

0_2_00AF4B37

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B18945 push ecx; ret	0_2_00B18958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00639071 push edx; iretd	2_2_00639072
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0064D0D3 push ss; ret	2_2_0064D17B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00623080 push eax; ret	2_2_00623082
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00632167 push ebx; iretd	2_2_006321AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0062D2E7 push 156EFA12h; iretd	2_2_0062D2EC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00625B38 push eax; ret	2_2_00625B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00631B18 push esi; retf	2_2_00631B25
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0063A4F3 push edi; iretd	2_2_0063A4FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006435A3 push edx; retf	2_2_006435CE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0062D637 push eax; ret	2_2_0062D621
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0062D61F push eax; ret	2_2_0062D621
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006356F7 push edx; ret	2_2_00635709
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310225F pushad ; ret	2_2_031027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031027FA pushad ; ret	2_2_031027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031309AD push ecx; mov dword ptr [esp], ecx	2_2_031309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310283D push eax; iretd	2_2_03102858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310135E push eax; iretd	2_2_03101369

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00AF48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00AF48D7
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B75376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00B75376

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B13187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00B13187

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

API/Special instruction interceptor: Address: 14D303C

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0317096E rdtsc

2_2_0317096E

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	API coverage: 4.7 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 7836

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B5445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B5445A
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B5C6D1 FindFirstFileW,FindClose,	0_2_00B5C6D1
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B5C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B5C75C
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B5EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B5EF95
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B5F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B5F0F2
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B5F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B5F3F3
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B537EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B537EF
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B53B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B53B12
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B5BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B5BCBC

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00AF49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AF49A0

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0317096E rdtsc

2_2_0317096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_006376E3 LdrLoadDll,

2_2_006376E3

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B63F09 BlockInput,

0_2_00B63F09

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00AF3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AF3B3A

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B25A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00B25A7C

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00AF4B37 LoadLibraryA,GetProcAddress,

0_2_00AF4B37

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_014D3308 mov eax, dword ptr fs:[00000030h]	0_2_014D3308
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_014D32A8 mov eax, dword ptr fs:[00000030h]	0_2_014D32A8
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_014D1CB8 mov eax, dword ptr fs:[00000030h]	0_2_014D1CB8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312C310 mov ecx, dword ptr fs:[00000030h]	2_2_0312C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03208324 mov eax, dword ptr fs:[00000030h]	2_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03208324 mov ecx, dword ptr fs:[00000030h]	2_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03208324 mov eax, dword ptr fs:[00000030h]	2_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03208324 mov eax, dword ptr fs:[00000030h]	2_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03150310 mov ecx, dword ptr fs:[00000030h]	2_2_03150310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A30B mov eax, dword ptr fs:[00000030h]	2_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A30B mov eax, dword ptr fs:[00000030h]	2_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A30B mov eax, dword ptr fs:[00000030h]	2_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B035C mov eax, dword ptr fs:[00000030h]	2_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B035C mov eax, dword ptr fs:[00000030h]	2_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B035C mov eax, dword ptr fs:[00000030h]	2_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B035C mov ecx, dword ptr fs:[00000030h]	2_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B035C mov eax, dword ptr fs:[00000030h]	2_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B035C mov eax, dword ptr fs:[00000030h]	2_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FA352 mov eax, dword ptr fs:[00000030h]	2_2_031FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D8350 mov ecx, dword ptr fs:[00000030h]	2_2_031D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D437C mov eax, dword ptr fs:[00000030h]	2_2_031D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320634F mov eax, dword ptr fs:[00000030h]	2_2_0320634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03128397 mov eax, dword ptr fs:[00000030h]	2_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03128397 mov eax, dword ptr fs:[00000030h]	2_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03128397 mov eax, dword ptr fs:[00000030h]	2_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312E388 mov eax, dword ptr fs:[00000030h]	2_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312E388 mov eax, dword ptr fs:[00000030h]	2_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312E388 mov eax, dword ptr fs:[00000030h]	2_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315438F mov eax, dword ptr fs:[00000030h]	2_2_0315438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315438F mov eax, dword ptr fs:[00000030h]	2_2_0315438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE3DB mov eax, dword ptr fs:[00000030h]	2_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE3DB mov eax, dword ptr fs:[00000030h]	2_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE3DB mov eax, dword ptr fs:[00000030h]	2_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D43D4 mov eax, dword ptr fs:[00000030h]	2_2_031D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D43D4 mov eax, dword ptr fs:[00000030h]	2_2_031D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EC3CD mov eax, dword ptr fs:[00000030h]	2_2_031EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031383C0 mov eax, dword ptr fs:[00000030h]	2_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031383C0 mov eax, dword ptr fs:[00000030h]	2_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031383C0 mov eax, dword ptr fs:[00000030h]	2_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031383C0 mov eax, dword ptr fs:[00000030h]	2_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B63C0 mov eax, dword ptr fs:[00000030h]	2_2_031B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031663FF mov eax, dword ptr fs:[00000030h]	2_2_031663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312823B mov eax, dword ptr fs:[00000030h]	2_2_0312823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312A250 mov eax, dword ptr fs:[00000030h]	2_2_0312A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136259 mov eax, dword ptr fs:[00000030h]	2_2_03136259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EA250 mov eax, dword ptr fs:[00000030h]	2_2_031EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EA250 mov eax, dword ptr fs:[00000030h]	2_2_031EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B8243 mov eax, dword ptr fs:[00000030h]	2_2_031B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B8243 mov ecx, dword ptr fs:[00000030h]	2_2_031B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03134260 mov eax, dword ptr fs:[00000030h]	2_2_03134260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03134260 mov eax, dword ptr fs:[00000030h]	2_2_03134260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03134260 mov eax, dword ptr fs:[00000030h]	2_2_03134260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312826B mov eax, dword ptr fs:[00000030h]	2_2_0312826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320625D mov eax, dword ptr fs:[00000030h]	2_2_0320625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E284 mov eax, dword ptr fs:[00000030h]	2_2_0316E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E284 mov eax, dword ptr fs:[00000030h]	2_2_0316E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B0283 mov eax, dword ptr fs:[00000030h]	2_2_031B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B0283 mov eax, dword ptr fs:[00000030h]	2_2_031B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B0283 mov eax, dword ptr fs:[00000030h]	2_2_031B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031402A0 mov eax, dword ptr fs:[00000030h]	2_2_031402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031402A0 mov eax, dword ptr fs:[00000030h]	2_2_031402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]	2_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]	2_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]	2_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]	2_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]	2_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031402E1 mov eax, dword ptr fs:[00000030h]	2_2_031402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031402E1 mov eax, dword ptr fs:[00000030h]	2_2_031402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031402E1 mov eax, dword ptr fs:[00000030h]	2_2_031402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032062D6 mov eax, dword ptr fs:[00000030h]	2_2_032062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DA118 mov ecx, dword ptr fs:[00000030h]	2_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DA118 mov eax, dword ptr fs:[00000030h]	2_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DA118 mov eax, dword ptr fs:[00000030h]	2_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DA118 mov eax, dword ptr fs:[00000030h]	2_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F0115 mov eax, dword ptr fs:[00000030h]	2_2_031F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov ecx, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov ecx, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov ecx, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov ecx, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03160124 mov eax, dword ptr fs:[00000030h]	2_2_03160124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312C156 mov eax, dword ptr fs:[00000030h]	2_2_0312C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C8158 mov eax, dword ptr fs:[00000030h]	2_2_031C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204164 mov eax, dword ptr fs:[00000030h]	2_2_03204164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204164 mov eax, dword ptr fs:[00000030h]	2_2_03204164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136154 mov eax, dword ptr fs:[00000030h]	2_2_03136154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136154 mov eax, dword ptr fs:[00000030h]	2_2_03136154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C4144 mov eax, dword ptr fs:[00000030h]	2_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C4144 mov eax, dword ptr fs:[00000030h]	2_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C4144 mov ecx, dword ptr fs:[00000030h]	2_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C4144 mov eax, dword ptr fs:[00000030h]	2_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C4144 mov eax, dword ptr fs:[00000030h]	2_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B019F mov eax, dword ptr fs:[00000030h]	2_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B019F mov eax, dword ptr fs:[00000030h]	2_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B019F mov eax, dword ptr fs:[00000030h]	2_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B019F mov eax, dword ptr fs:[00000030h]	2_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312A197 mov eax, dword ptr fs:[00000030h]	2_2_0312A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312A197 mov eax, dword ptr fs:[00000030h]	2_2_0312A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312A197 mov eax, dword ptr fs:[00000030h]	2_2_0312A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03170185 mov eax, dword ptr fs:[00000030h]	2_2_03170185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EC188 mov eax, dword ptr fs:[00000030h]	2_2_031EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EC188 mov eax, dword ptr fs:[00000030h]	2_2_031EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D4180 mov eax, dword ptr fs:[00000030h]	2_2_031D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D4180 mov eax, dword ptr fs:[00000030h]	2_2_031D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032061E5 mov eax, dword ptr fs:[00000030h]	2_2_032061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F61C3 mov eax, dword ptr fs:[00000030h]	2_2_031F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F61C3 mov eax, dword ptr fs:[00000030h]	2_2_031F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031601F8 mov eax, dword ptr fs:[00000030h]	2_2_031601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E016 mov eax, dword ptr fs:[00000030h]	2_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E016 mov eax, dword ptr fs:[00000030h]	2_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E016 mov eax, dword ptr fs:[00000030h]	2_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E016 mov eax, dword ptr fs:[00000030h]	2_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B4000 mov ecx, dword ptr fs:[00000030h]	2_2_031B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C6030 mov eax, dword ptr fs:[00000030h]	2_2_031C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312A020 mov eax, dword ptr fs:[00000030h]	2_2_0312A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312C020 mov eax, dword ptr fs:[00000030h]	2_2_0312C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03132050 mov eax, dword ptr fs:[00000030h]	2_2_03132050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6050 mov eax, dword ptr fs:[00000030h]	2_2_031B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315C073 mov eax, dword ptr fs:[00000030h]	2_2_0315C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313208A mov eax, dword ptr fs:[00000030h]	2_2_0313208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F60B8 mov eax, dword ptr fs:[00000030h]	2_2_031F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_031F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031280A0 mov eax, dword ptr fs:[00000030h]	2_2_031280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C80A8 mov eax, dword ptr fs:[00000030h]	2_2_031C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B20DE mov eax, dword ptr fs:[00000030h]	2_2_031B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0312C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031720F0 mov ecx, dword ptr fs:[00000030h]	2_2_031720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0312A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031380E9 mov eax, dword ptr fs:[00000030h]	2_2_031380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B60E0 mov eax, dword ptr fs:[00000030h]	2_2_031B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130710 mov eax, dword ptr fs:[00000030h]	2_2_03130710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03160710 mov eax, dword ptr fs:[00000030h]	2_2_03160710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316C700 mov eax, dword ptr fs:[00000030h]	2_2_0316C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316273C mov eax, dword ptr fs:[00000030h]	2_2_0316273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316273C mov ecx, dword ptr fs:[00000030h]	2_2_0316273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316273C mov eax, dword ptr fs:[00000030h]	2_2_0316273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AC730 mov eax, dword ptr fs:[00000030h]	2_2_031AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316C720 mov eax, dword ptr fs:[00000030h]	2_2_0316C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316C720 mov eax, dword ptr fs:[00000030h]	2_2_0316C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130750 mov eax, dword ptr fs:[00000030h]	2_2_03130750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BE75D mov eax, dword ptr fs:[00000030h]	2_2_031BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172750 mov eax, dword ptr fs:[00000030h]	2_2_03172750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172750 mov eax, dword ptr fs:[00000030h]	2_2_03172750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B4755 mov eax, dword ptr fs:[00000030h]	2_2_031B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316674D mov esi, dword ptr fs:[00000030h]	2_2_0316674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316674D mov eax, dword ptr fs:[00000030h]	2_2_0316674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316674D mov eax, dword ptr fs:[00000030h]	2_2_0316674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138770 mov eax, dword ptr fs:[00000030h]	2_2_03138770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D678E mov eax, dword ptr fs:[00000030h]	2_2_031D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031307AF mov eax, dword ptr fs:[00000030h]	2_2_031307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E47A0 mov eax, dword ptr fs:[00000030h]	2_2_031E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0313C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B07C3 mov eax, dword ptr fs:[00000030h]	2_2_031B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031347FB mov eax, dword ptr fs:[00000030h]	2_2_031347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031347FB mov eax, dword ptr fs:[00000030h]	2_2_031347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031527ED mov eax, dword ptr fs:[00000030h]	2_2_031527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031527ED mov eax, dword ptr fs:[00000030h]	2_2_031527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031527ED mov eax, dword ptr fs:[00000030h]	2_2_031527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_031BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172619 mov eax, dword ptr fs:[00000030h]	2_2_03172619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE609 mov eax, dword ptr fs:[00000030h]	2_2_031AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]	2_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]	2_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]	2_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]	2_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]	2_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]	2_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]	2_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E627 mov eax, dword ptr fs:[00000030h]	2_2_0314E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03166620 mov eax, dword ptr fs:[00000030h]	2_2_03166620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03168620 mov eax, dword ptr fs:[00000030h]	2_2_03168620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313262C mov eax, dword ptr fs:[00000030h]	2_2_0313262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314C640 mov eax, dword ptr fs:[00000030h]	2_2_0314C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03162674 mov eax, dword ptr fs:[00000030h]	2_2_03162674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F866E mov eax, dword ptr fs:[00000030h]	2_2_031F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F866E mov eax, dword ptr fs:[00000030h]	2_2_031F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A660 mov eax, dword ptr fs:[00000030h]	2_2_0316A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A660 mov eax, dword ptr fs:[00000030h]	2_2_0316A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03134690 mov eax, dword ptr fs:[00000030h]	2_2_03134690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03134690 mov eax, dword ptr fs:[00000030h]	2_2_03134690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031666B0 mov eax, dword ptr fs:[00000030h]	2_2_031666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0316C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0316A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0316A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B06F1 mov eax, dword ptr fs:[00000030h]	2_2_031B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B06F1 mov eax, dword ptr fs:[00000030h]	2_2_031B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C6500 mov eax, dword ptr fs:[00000030h]	2_2_031C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]	2_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]	2_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]	2_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]	2_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]	2_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]	2_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]	2_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]	2_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]	2_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]	2_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]	2_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]	2_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]	2_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E53E mov eax, dword ptr fs:[00000030h]	2_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E53E mov eax, dword ptr fs:[00000030h]	2_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E53E mov eax, dword ptr fs:[00000030h]	2_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E53E mov eax, dword ptr fs:[00000030h]	2_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E53E mov eax, dword ptr fs:[00000030h]	2_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138550 mov eax, dword ptr fs:[00000030h]	2_2_03138550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138550 mov eax, dword ptr fs:[00000030h]	2_2_03138550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316656A mov eax, dword ptr fs:[00000030h]	2_2_0316656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316656A mov eax, dword ptr fs:[00000030h]	2_2_0316656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316656A mov eax, dword ptr fs:[00000030h]	2_2_0316656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E59C mov eax, dword ptr fs:[00000030h]	2_2_0316E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03132582 mov eax, dword ptr fs:[00000030h]	2_2_03132582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03132582 mov ecx, dword ptr fs:[00000030h]	2_2_03132582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03164588 mov eax, dword ptr fs:[00000030h]	2_2_03164588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031545B1 mov eax, dword ptr fs:[00000030h]	2_2_031545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031545B1 mov eax, dword ptr fs:[00000030h]	2_2_031545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B05A7 mov eax, dword ptr fs:[00000030h]	2_2_031B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B05A7 mov eax, dword ptr fs:[00000030h]	2_2_031B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B05A7 mov eax, dword ptr fs:[00000030h]	2_2_031B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031365D0 mov eax, dword ptr fs:[00000030h]	2_2_031365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0316A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0316A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E5CF mov eax, dword ptr fs:[00000030h]	2_2_0316E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E5CF mov eax, dword ptr fs:[00000030h]	2_2_0316E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031325E0 mov eax, dword ptr fs:[00000030h]	2_2_031325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316C5ED mov eax, dword ptr fs:[00000030h]	2_2_0316C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316C5ED mov eax, dword ptr fs:[00000030h]	2_2_0316C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03168402 mov eax, dword ptr fs:[00000030h]	2_2_03168402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03168402 mov eax, dword ptr fs:[00000030h]	2_2_03168402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03168402 mov eax, dword ptr fs:[00000030h]	2_2_03168402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A430 mov eax, dword ptr fs:[00000030h]	2_2_0316A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312E420 mov eax, dword ptr fs:[00000030h]	2_2_0312E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312E420 mov eax, dword ptr fs:[00000030h]	2_2_0312E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312E420 mov eax, dword ptr fs:[00000030h]	2_2_0312E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312C427 mov eax, dword ptr fs:[00000030h]	2_2_0312C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6420 mov eax, dword ptr fs:[00000030h]	2_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6420 mov eax, dword ptr fs:[00000030h]	2_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6420 mov eax, dword ptr fs:[00000030h]	2_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6420 mov eax, dword ptr fs:[00000030h]	2_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6420 mov eax, dword ptr fs:[00000030h]	2_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6420 mov eax, dword ptr fs:[00000030h]	2_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6420 mov eax, dword ptr fs:[00000030h]	2_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EA456 mov eax, dword ptr fs:[00000030h]	2_2_031EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312645D mov eax, dword ptr fs:[00000030h]	2_2_0312645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315245A mov eax, dword ptr fs:[00000030h]	2_2_0315245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315A470 mov eax, dword ptr fs:[00000030h]	2_2_0315A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315A470 mov eax, dword ptr fs:[00000030h]	2_2_0315A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315A470 mov eax, dword ptr fs:[00000030h]	2_2_0315A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BC460 mov ecx, dword ptr fs:[00000030h]	2_2_031BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EA49A mov eax, dword ptr fs:[00000030h]	2_2_031EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031644B0 mov ecx, dword ptr fs:[00000030h]	2_2_031644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_031BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031364AB mov eax, dword ptr fs:[00000030h]	2_2_031364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031304E5 mov ecx, dword ptr fs:[00000030h]	2_2_031304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204B00 mov eax, dword ptr fs:[00000030h]	2_2_03204B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315EB20 mov eax, dword ptr fs:[00000030h]	2_2_0315EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315EB20 mov eax, dword ptr fs:[00000030h]	2_2_0315EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F8B28 mov eax, dword ptr fs:[00000030h]	2_2_031F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F8B28 mov eax, dword ptr fs:[00000030h]	2_2_031F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03128B50 mov eax, dword ptr fs:[00000030h]	2_2_03128B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DEB50 mov eax, dword ptr fs:[00000030h]	2_2_031DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E4B4B mov eax, dword ptr fs:[00000030h]	2_2_031E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E4B4B mov eax, dword ptr fs:[00000030h]	2_2_031E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C6B40 mov eax, dword ptr fs:[00000030h]	2_2_031C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C6B40 mov eax, dword ptr fs:[00000030h]	2_2_031C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FAB40 mov eax, dword ptr fs:[00000030h]	2_2_031FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D8B42 mov eax, dword ptr fs:[00000030h]	2_2_031D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312CB7E mov eax, dword ptr fs:[00000030h]	2_2_0312CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03202B57 mov eax, dword ptr fs:[00000030h]	2_2_03202B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03202B57 mov eax, dword ptr fs:[00000030h]	2_2_03202B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03202B57 mov eax, dword ptr fs:[00000030h]	2_2_03202B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03202B57 mov eax, dword ptr fs:[00000030h]	2_2_03202B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140BBE mov eax, dword ptr fs:[00000030h]	2_2_03140BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140BBE mov eax, dword ptr fs:[00000030h]	2_2_03140BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_031E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_031E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_031DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03150BCB mov eax, dword ptr fs:[00000030h]	2_2_03150BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03150BCB mov eax, dword ptr fs:[00000030h]	2_2_03150BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03150BCB mov eax, dword ptr fs:[00000030h]	2_2_03150BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130BCD mov eax, dword ptr fs:[00000030h]	2_2_03130BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130BCD mov eax, dword ptr fs:[00000030h]	2_2_03130BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130BCD mov eax, dword ptr fs:[00000030h]	2_2_03130BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138BF0 mov eax, dword ptr fs:[00000030h]	2_2_03138BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138BF0 mov eax, dword ptr fs:[00000030h]	2_2_03138BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138BF0 mov eax, dword ptr fs:[00000030h]	2_2_03138BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315EBFC mov eax, dword ptr fs:[00000030h]	2_2_0315EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_031BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BCA11 mov eax, dword ptr fs:[00000030h]	2_2_031BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03154A35 mov eax, dword ptr fs:[00000030h]	2_2_03154A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03154A35 mov eax, dword ptr fs:[00000030h]	2_2_03154A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316CA38 mov eax, dword ptr fs:[00000030h]	2_2_0316CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316CA24 mov eax, dword ptr fs:[00000030h]	2_2_0316CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315EA2E mov eax, dword ptr fs:[00000030h]	2_2_0315EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136A50 mov eax, dword ptr fs:[00000030h]	2_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136A50 mov eax, dword ptr fs:[00000030h]	2_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136A50 mov eax, dword ptr fs:[00000030h]	2_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136A50 mov eax, dword ptr fs:[00000030h]	2_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136A50 mov eax, dword ptr fs:[00000030h]	2_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136A50 mov eax, dword ptr fs:[00000030h]	2_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136A50 mov eax, dword ptr fs:[00000030h]	2_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140A5B mov eax, dword ptr fs:[00000030h]	2_2_03140A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140A5B mov eax, dword ptr fs:[00000030h]	2_2_03140A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031ACA72 mov eax, dword ptr fs:[00000030h]	2_2_031ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031ACA72 mov eax, dword ptr fs:[00000030h]	2_2_031ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316CA6F mov eax, dword ptr fs:[00000030h]	2_2_0316CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316CA6F mov eax, dword ptr fs:[00000030h]	2_2_0316CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316CA6F mov eax, dword ptr fs:[00000030h]	2_2_0316CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DEA60 mov eax, dword ptr fs:[00000030h]	2_2_031DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03168A90 mov edx, dword ptr fs:[00000030h]	2_2_03168A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204A80 mov eax, dword ptr fs:[00000030h]	2_2_03204A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138AA0 mov eax, dword ptr fs:[00000030h]	2_2_03138AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138AA0 mov eax, dword ptr fs:[00000030h]	2_2_03138AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03186AA4 mov eax, dword ptr fs:[00000030h]	2_2_03186AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130AD0 mov eax, dword ptr fs:[00000030h]	2_2_03130AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03164AD0 mov eax, dword ptr fs:[00000030h]	2_2_03164AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03164AD0 mov eax, dword ptr fs:[00000030h]	2_2_03164AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03186ACC mov eax, dword ptr fs:[00000030h]	2_2_03186ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03186ACC mov eax, dword ptr fs:[00000030h]	2_2_03186ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03186ACC mov eax, dword ptr fs:[00000030h]	2_2_03186ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316AAEE mov eax, dword ptr fs:[00000030h]	2_2_0316AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316AAEE mov eax, dword ptr fs:[00000030h]	2_2_0316AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BC912 mov eax, dword ptr fs:[00000030h]	2_2_031BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03128918 mov eax, dword ptr fs:[00000030h]	2_2_03128918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03128918 mov eax, dword ptr fs:[00000030h]	2_2_03128918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE908 mov eax, dword ptr fs:[00000030h]	2_2_031AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE908 mov eax, dword ptr fs:[00000030h]	2_2_031AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B892A mov eax, dword ptr fs:[00000030h]	2_2_031B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C892B mov eax, dword ptr fs:[00000030h]	2_2_031C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B0946 mov eax, dword ptr fs:[00000030h]	2_2_031B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204940 mov eax, dword ptr fs:[00000030h]	2_2_03204940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D4978 mov eax, dword ptr fs:[00000030h]	2_2_031D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D4978 mov eax, dword ptr fs:[00000030h]	2_2_031D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BC97C mov eax, dword ptr fs:[00000030h]	2_2_031BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03156962 mov eax, dword ptr fs:[00000030h]	2_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03156962 mov eax, dword ptr fs:[00000030h]	2_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03156962 mov eax, dword ptr fs:[00000030h]	2_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0317096E mov eax, dword ptr fs:[00000030h]	2_2_0317096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0317096E mov edx, dword ptr fs:[00000030h]	2_2_0317096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0317096E mov eax, dword ptr fs:[00000030h]	2_2_0317096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B89B3 mov esi, dword ptr fs:[00000030h]	2_2_031B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B89B3 mov eax, dword ptr fs:[00000030h]	2_2_031B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B89B3 mov eax, dword ptr fs:[00000030h]	2_2_031B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031309AD mov eax, dword ptr fs:[00000030h]	2_2_031309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031309AD mov eax, dword ptr fs:[00000030h]	2_2_031309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031649D0 mov eax, dword ptr fs:[00000030h]	2_2_031649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_031FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C69C0 mov eax, dword ptr fs:[00000030h]	2_2_031C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031629F9 mov eax, dword ptr fs:[00000030h]	2_2_031629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031629F9 mov eax, dword ptr fs:[00000030h]	2_2_031629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_031BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BC810 mov eax, dword ptr fs:[00000030h]	2_2_031BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03152835 mov eax, dword ptr fs:[00000030h]	2_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03152835 mov eax, dword ptr fs:[00000030h]	2_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03152835 mov eax, dword ptr fs:[00000030h]	2_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03152835 mov ecx, dword ptr fs:[00000030h]	2_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03152835 mov eax, dword ptr fs:[00000030h]	2_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03152835 mov eax, dword ptr fs:[00000030h]	2_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A830 mov eax, dword ptr fs:[00000030h]	2_2_0316A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D483A mov eax, dword ptr fs:[00000030h]	2_2_031D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D483A mov eax, dword ptr fs:[00000030h]	2_2_031D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03160854 mov eax, dword ptr fs:[00000030h]	2_2_03160854

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B480A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00B480A9

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B1A124 SetUnhandledExceptionFilter,		0_2_00B1A124
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B1A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00B1A155

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 51E008

Jump to behavior

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B487B1 LogonUserW,

0_2_00B487B1

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00AF3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AF3B3A

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00AF48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00AF48D7

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B54C27 mouse_event,

0_2_00B54C27

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\5n2U8ZZZbc.exe"

Jump to behavior

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B47CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00B47CAF

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B4874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00B4874B

Source: 5n2U8ZZZbc.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 5n2U8ZZZbc.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B1862B cpuid

0_2_00B1862B

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B24E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00B24E87

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B31E06 GetUserNameW,

0_2_00B31E06

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00B23F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00B23F3A

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe

Code function: 0_2_00AF49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AF49A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.620000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1407057028.0000000002E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1406798842.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: 5n2U8ZZZbc.exe	Binary or memory string: WIN_81
Source: 5n2U8ZZZbc.exe	Binary or memory string: WIN_XP
Source: 5n2U8ZZZbc.exe	Binary or memory string: WIN_XPe
Source: 5n2U8ZZZbc.exe	Binary or memory string: WIN_VISTA
Source: 5n2U8ZZZbc.exe	Binary or memory string: WIN_7
Source: 5n2U8ZZZbc.exe	Binary or memory string: WIN_8
Source: 5n2U8ZZZbc.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.620000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1407057028.0000000002E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1406798842.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B66283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00B66283
Source: C:\Users\user\Desktop\5n2U8ZZZbc.exe	Code function: 0_2_00B66747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00B66747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	LSASS Memory	15 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	2 Virtualization/Sandbox Evasion	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	212 Process Injection	21 Access Token Manipulation	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	212 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	115 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
5n2U8ZZZbc.exe	64%	Virustotal		Browse
5n2U8ZZZbc.exe	68%	ReversingLabs	Win32.Trojan.AutoitInject
5n2U8ZZZbc.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588769
Start date and time:	2025-01-11 05:17:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	5n2U8ZZZbc.exe renamed because original name is a hash value
Original Sample Name:	28132e1015622452ad4e449031910968d4c5b85d180de1211a34b0ac9ba7f335.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@3/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 49 Number of non-executed functions: 285
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
23:18:05	API Interceptor	3x Sleep call for process: svchost.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	iJCj3AQIBC.exe	Get hash	malicious	RevengeRAT	Browse	13.107.246.45
	leUmNO9XPu.exe	Get hash	malicious	HawkEye, MailPassView	Browse	13.107.246.45
	2976587-987347589.08.exe	Get hash	malicious	Nitol	Browse	13.107.246.45
	of5HklY9qP.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	yMXFgPOdf2.exe	Get hash	malicious	GuLoader	Browse	13.107.246.45
	1dVtYIvfHz.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	FJRUb5lb9m.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	5hD3Yjf7xD.exe	Get hash	malicious	AgentTesla	Browse	13.107.246.45
	02Eh1ah35H.exe	Get hash	malicious	GuLoader	Browse	13.107.246.45
	AJ5zYYsisA.exe	Get hash	malicious	Unknown	Browse	13.107.246.45

Process:	C:\Users\user\Desktop\5n2U8ZZZbc.exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.993085538757589
Encrypted:	true
SSDEEP:	6144:/dy9FOa06hJIOoqfY7HX81fXFFv8QlxAA8Fi++ZP08/:/dy9m6hoqfY38tFFv8Qlx/y+
MD5:	2572EE5DC98A7F0F61BB2E638EC70FB7
SHA1:	C314B21ACF1C51EAFD306BF0B45D6ED1D71E64A6
SHA-256:	32523E9C443A2033F3D6B3701BDD6A767FDCC676994469AB10B2CFEABF2F661F
SHA-512:	395E41257AB9F5DAD5FE366E8D612EEC596DD8EA3B2C313B8BEF192DCFF7D83B783B074E4D9085F4937E26A85A755213959E9ABA4034991851CA19DBBD26E88F
Malicious:	false
Reputation:	low
Preview:	.k.BBXY3WRO1.AX.3SRO10B.XY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SR.10BOG.=S.F...@....:&B.237>A2?oRQ,/7-.17oCE,a17.....]-%=w>^Xk10BAXY3SF.."&.dS4.rQW.[...i2(...eS4.U...}8>..;,Y."&.Y3SRO10B..Y3.SN1..].Y3SRO10B.X[2XSD10.EXY3SRO10BQMY3SBO102EXY3.RO!0BAZY3URO10BAX_3SRO10BA(]3SPO10BAX[3..O1 BAHY3SR_10RAXY3SR_10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO1.6$ -3SR.a4BAHY3S.K10RAXY3SRO10BAXY3sROQ0BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SR

C:\Users\user\AppData\Local\Temp\gobioid

Download File

Process:	C:\Users\user\Desktop\5n2U8ZZZbc.exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.993085538757589
Encrypted:	true
SSDEEP:	6144:/dy9FOa06hJIOoqfY7HX81fXFFv8QlxAA8Fi++ZP08/:/dy9m6hoqfY38tFFv8Qlx/y+
MD5:	2572EE5DC98A7F0F61BB2E638EC70FB7
SHA1:	C314B21ACF1C51EAFD306BF0B45D6ED1D71E64A6
SHA-256:	32523E9C443A2033F3D6B3701BDD6A767FDCC676994469AB10B2CFEABF2F661F
SHA-512:	395E41257AB9F5DAD5FE366E8D612EEC596DD8EA3B2C313B8BEF192DCFF7D83B783B074E4D9085F4937E26A85A755213959E9ABA4034991851CA19DBBD26E88F
Malicious:	false
Reputation:	low
Preview:	.k.BBXY3WRO1.AX.3SRO10B.XY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SR.10BOG.=S.F...@....:&B.237>A2?oRQ,/7-.17oCE,a17.....]-%=w>^Xk10BAXY3SF.."&.dS4.rQW.[...i2(...eS4.U...}8>..;,Y."&.Y3SRO10B..Y3.SN1..].Y3SRO10B.X[2XSD10.EXY3SRO10BQMY3SBO102EXY3.RO!0BAZY3URO10BAX_3SRO10BA(]3SPO10BAX[3..O1 BAHY3SR_10RAXY3SR_10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO1.6$ -3SR.a4BAHY3S.K10RAXY3SRO10BAXY3sROQ0BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SRO10BAXY3SR

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.1872341423660915
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	5n2U8ZZZbc.exe
File size:	1'205'248 bytes
MD5:	4441de8460ebceeb46680832f1780860
SHA1:	5f351eab56bfaaa0eaf7d03ff4fbb6fd6df0fac3
SHA256:	28132e1015622452ad4e449031910968d4c5b85d180de1211a34b0ac9ba7f335
SHA512:	3b836621faa976f5a9620c2e56931ffafca7b98d23af73591670e197d78fb53ab15875907ce72546afb4cfc0768a8fa13811be6c6c717c44dc1d8d71d12edc86
SSDEEP:	24576:+u6J33O0c+JY5UZ+XC0kGso6FaWbbTiCscLUjcFCMBSGCkbzZWY:Qu0c++OCvkGs9FaWbbTiLwGcFQGHbAY
TLSH:	D845CF2273DDC361CB669133BF2AB7016EBF7C610630B95B2F980D7DA960161262D763
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x674CF1D7 [Sun Dec 1 23:31:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F11DC82079Ah
jmp 00007F11DC813564h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F11DC8136EAh
cmp edi, eax
jc 00007F11DC813A4Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F11DC8136E9h
rep movsb
jmp 00007F11DC8139FCh
cmp ecx, 00000080h
jc 00007F11DC8138B4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F11DC8136F0h
bt dword ptr [004BE324h], 01h
jc 00007F11DC813BC0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F11DC81388Dh
test edi, 00000003h
jne 00007F11DC81389Eh
test esi, 00000003h
jne 00007F11DC81387Dh
bt edi, 02h
jnc 00007F11DC8136EFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F11DC8136F3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F11DC813745h
bt esi, 03h
jnc 00007F11DC813798h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x5dae4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x125000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x5dae4	0x5dc00	00df49346d5af748894bec64f7a23ccb	False	0.9298255208333334	data	7.89885118563428	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x125000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x54da9	data			1.0003337543625435
RT_GROUP_ICON	0x124564	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1245dc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1245f0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x124604	0x14	data	English	Great Britain	1.25
RT_VERSION	0x124618	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1246f4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 05:17:58.172041893 CET	1.1.1.1	192.168.2.9	0x47db	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 05:17:58.172041893 CET	1.1.1.1	192.168.2.9	0x47db	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	23:18:01
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\5n2U8ZZZbc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\5n2U8ZZZbc.exe"
Imagebase:	0xaf0000
File size:	1'205'248 bytes
MD5 hash:	4441DE8460EBCEEB46680832F1780860
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:18:02
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\5n2U8ZZZbc.exe"
Imagebase:	0xc80000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1407057028.0000000002E90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1406798842.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	10.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	156

Executed Functions

Function 00AF3B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153windowCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AF3B68
IsDebuggerPresent.KERNEL32 ref: 00AF3B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00BB52F8,00BB52E0,?,?), ref: 00AF3BEB

Part of subcall function 00AF7BCC: _memmove.LIBCMT ref: 00AF7C06

Part of subcall function 00B0092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00AF3C14,00BB52F8,?,?,?), ref: 00B0096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00AF3C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00BA7770,00000010), ref: 00B2D281
SetCurrentDirectoryW.KERNEL32(?,00BB52F8,?,?,?), ref: 00B2D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00BA4260,00BB52F8,?,?,?), ref: 00B2D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00B2D346

Part of subcall function 00AF3A46: GetSysColorBrush.USER32(0000000F), ref: 00AF3A50
Part of subcall function 00AF3A46: LoadCursorW.USER32(00000000,00007F00), ref: 00AF3A5F
Part of subcall function 00AF3A46: LoadIconW.USER32(00000063), ref: 00AF3A76
Part of subcall function 00AF3A46: LoadIconW.USER32(000000A4), ref: 00AF3A88
Part of subcall function 00AF3A46: LoadIconW.USER32(000000A2), ref: 00AF3A9A
Part of subcall function 00AF3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00AF3AC0
Part of subcall function 00AF3A46: RegisterClassExW.USER32(?), ref: 00AF3B16

Part of subcall function 00AF39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00AF3A03
Part of subcall function 00AF39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00AF3A24
Part of subcall function 00AF39D5: ShowWindow.USER32(00000000,?,?), ref: 00AF3A38
Part of subcall function 00AF39D5: ShowWindow.USER32(00000000,?,?), ref: 00AF3A41

Part of subcall function 00AF434A: _memset.LIBCMT ref: 00AF4370
Part of subcall function 00AF434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AF4415

Strings

runas, xrefs: 00B2D33A
This is a third-party compiled AutoIt script., xrefs: 00B2D279

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 3f171848e51853590de1ab7e0b08a2447fb20b0190b79310f6e8868320d76972
Instruction ID: 4c710732fe44a51e52d97f8f25122861598eac580b9e7977d6c47a9dbb37868f
Opcode Fuzzy Hash: 3f171848e51853590de1ab7e0b08a2447fb20b0190b79310f6e8868320d76972
Instruction Fuzzy Hash: E851D571D0920DABDF21EBF4ED05AFD7BB8AF05700F0041A5F655A71A1CEB04A46CB22

Function 00AF49A0 Relevance: 10.7, APIs: 7, Instructions: 223COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00AF49CD

Part of subcall function 00AF7BCC: _memmove.LIBCMT ref: 00AF7C06

GetCurrentProcess.KERNEL32(?,00B7FAEC,00000000,00000000,?), ref: 00AF4A9A
IsWow64Process.KERNEL32(00000000), ref: 00AF4AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00AF4AE7
FreeLibrary.KERNEL32(00000000), ref: 00AF4AF2
GetSystemInfo.KERNEL32(00000000), ref: 00AF4B23
GetSystemInfo.KERNEL32(00000000), ref: 00AF4B2F

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 063673a559ca89537879cfeaa47342546101e718a0508267807eaed243abbf7d
Instruction ID: 04a9cfc0958c6b36b2f2c02e56908a730f9190687ddad08d54d711a23ed9c2a7
Opcode Fuzzy Hash: 063673a559ca89537879cfeaa47342546101e718a0508267807eaed243abbf7d
Instruction Fuzzy Hash: D291E331989BC4DEC731DBA895501BBBFF5AF2E300B4449ADE1CB97A02D224A948C759

Function 00AF4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00AF4D8E,?,?,00000000,00000000), ref: 00AF4E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00AF4D8E,?,?,00000000,00000000), ref: 00AF4EB0
LoadResource.KERNEL32(?,00000000,?,?,00AF4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00AF4E2F), ref: 00B2D937
SizeofResource.KERNEL32(?,00000000,?,?,00AF4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00AF4E2F), ref: 00B2D94C
LockResource.KERNEL32(00AF4D8E,?,?,00AF4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00AF4E2F,00000000), ref: 00B2D95F

Strings

SCRIPT, xrefs: 00AF4EA6

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: c059b7d64ebc9966c3af785b94af02bfea239f06d99a6b85ab16f2f66756e3aa
Instruction ID: 32a8df9f4ca3994ba8a7503ee02ef9754713b6a6b056af064302ffd9431d5bfc
Opcode Fuzzy Hash: c059b7d64ebc9966c3af785b94af02bfea239f06d99a6b85ab16f2f66756e3aa
Instruction Fuzzy Hash: B5119E70200305BFD7208BA5EC48F777BBAFBC9B11F204268F64987260DB61EC40C660

Function 00AFFCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 7488631a3207388d591abad56ca616eb2104987477bb34e28010db786dc99700
Instruction ID: cfb909386578cbc16af88fe3d8516090784b33d2075fb3b3c20b9c67e388fb8b
Opcode Fuzzy Hash: 7488631a3207388d591abad56ca616eb2104987477bb34e28010db786dc99700
Instruction Fuzzy Hash: 839249706183419FD720EF14C480B6ABBE1FF89304F1489ADF99A9B2A1D775EC45CB92

Function 00B5445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00B2E398), ref: 00B5446A
FindFirstFileW.KERNELBASE(?,?), ref: 00B5447B
FindClose.KERNEL32(00000000), ref: 00B5448B

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 5ed34d06230011b9dd0e8a4c32b3495e35e8f13b7eb0846fdc567462d3c182fa
Instruction ID: bee24a20f0ddac449a11ace788906f32244db645780e07538267241fc0c58bd0
Opcode Fuzzy Hash: 5ed34d06230011b9dd0e8a4c32b3495e35e8f13b7eb0846fdc567462d3c182fa
Instruction Fuzzy Hash: EDE0D8334145016B42106B38EC4D5F9779CDF0533AF100795FC39C21D0EF7459849A99

Function 00B009D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B00A5B
timeGetTime.WINMM ref: 00B00D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B00E53
Sleep.KERNEL32(0000000A), ref: 00B00E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00B00EFA
DestroyWindow.USER32 ref: 00B00F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B00F20
Sleep.KERNEL32(0000000A,?,?), ref: 00B34E83
TranslateMessage.USER32(?), ref: 00B35C60
DispatchMessageW.USER32(?), ref: 00B35C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B35C82

Strings

@COM_EVENTOBJ, xrefs: 00B354F0
@GUI_CTRLHANDLE, xrefs: 00B34FE4
@GUI_WINHANDLE, xrefs: 00B34F8F
@GUI_CTRLID, xrefs: 00B34F3A
@TRAY_ID, xrefs: 00B3578F

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: e794b2b32b8d3cb81a562a4252ad855f37d618ea28b6059d2cf54e9a4e4dc2dc
Instruction ID: 3d2732021912eee4b512bfd19bbd35e4f07231c883a1a1de2de2b517541df397
Opcode Fuzzy Hash: e794b2b32b8d3cb81a562a4252ad855f37d618ea28b6059d2cf54e9a4e4dc2dc
Instruction Fuzzy Hash: 0EB29D70608741DFD738DF64C884BAABBE5FF84304F24499DE599972A1CB74E884CB92

Function 00B59155 Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B58F5F: __time64.LIBCMT ref: 00B58F69

Part of subcall function 00AF4EE5: _fseek.LIBCMT ref: 00AF4EFD

__wsplitpath.LIBCMT ref: 00B59234

Part of subcall function 00B140FB: __wsplitpath_helper.LIBCMT ref: 00B1413B

_wcscpy.LIBCMT ref: 00B59247
_wcscat.LIBCMT ref: 00B5925A
__wsplitpath.LIBCMT ref: 00B5927F
_wcscat.LIBCMT ref: 00B59295
_wcscat.LIBCMT ref: 00B592A8

Part of subcall function 00B58FA5: _memmove.LIBCMT ref: 00B58FDE
Part of subcall function 00B58FA5: _memmove.LIBCMT ref: 00B58FED

_wcscmp.LIBCMT ref: 00B591EF

Part of subcall function 00B59734: _wcscmp.LIBCMT ref: 00B59824
Part of subcall function 00B59734: _wcscmp.LIBCMT ref: 00B59837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B59452
_wcsncpy.LIBCMT ref: 00B594C5
DeleteFileW.KERNEL32(?,?), ref: 00B594FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B59511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B59522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B59534

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: ff2a330da746ab8573b8e0f0983034691954e69fcca313c3856597d2c6610226
Instruction ID: fefa469ef90ae63f28a2e2253336e37bb9743c275d18a5100eb0cf8b00d9c2bc
Opcode Fuzzy Hash: ff2a330da746ab8573b8e0f0983034691954e69fcca313c3856597d2c6610226
Instruction Fuzzy Hash: B3C13FB1D00219AADF21DF95CC85AEEB7BDEF59310F0040E6F609E7151EB309A888F65

Function 00AF301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AF3074
RegisterClassExW.USER32(00000030), ref: 00AF309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AF30AF
InitCommonControlsEx.COMCTL32(?), ref: 00AF30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AF30DC
LoadIconW.USER32(000000A9), ref: 00AF30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AF3101

Strings

TaskbarCreated, xrefs: 00AF30A4
AutoIt v3 GUI, xrefs: 00AF3090
+, xrefs: 00AF305D
0, xrefs: 00AF3056

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 02dc66acd46eda44e89b3c48a1db832828b38e240c04eb86a315555c16ae8a41
Instruction ID: 0aa1ed7f9acc8cfef9e0156da382d394bc0f4a2b35935b7936f3e2e707038c15
Opcode Fuzzy Hash: 02dc66acd46eda44e89b3c48a1db832828b38e240c04eb86a315555c16ae8a41
Instruction Fuzzy Hash: 063127B194020AAFDB50DFA4EC85BDDBBF4FB08310F14422AF594A72A0DBB54585CF95

Function 00AF3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AF3074
RegisterClassExW.USER32(00000030), ref: 00AF309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AF30AF
InitCommonControlsEx.COMCTL32(?), ref: 00AF30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AF30DC
LoadIconW.USER32(000000A9), ref: 00AF30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AF3101

Strings

TaskbarCreated, xrefs: 00AF30A4
AutoIt v3 GUI, xrefs: 00AF3090
+, xrefs: 00AF305D
0, xrefs: 00AF3056

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: c6aac26f37146e99675525bdd959a28deb16019475ec393b636d94a1511a06b3
Instruction ID: 1e6a11451a206c68503590d0a505aafa6bf4b5d606a74e3047039ca21c2da375
Opcode Fuzzy Hash: c6aac26f37146e99675525bdd959a28deb16019475ec393b636d94a1511a06b3
Instruction Fuzzy Hash: 2121C7B1941219AFDB10DFA4EC49BEDBBF4FB08710F00422AF514A72A0DBB14584CF95

Function 00AF708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00BB52F8,?,00AF37AE,?), ref: 00AF4724

Part of subcall function 00B1050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00AF7165), ref: 00B1052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00AF71A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00B2E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00B2E909
RegCloseKey.ADVAPI32(?), ref: 00B2E947
_wcscat.LIBCMT ref: 00B2E9A0

Strings

Include, xrefs: 00B2E8BF, 00B2E900
\, xrefs: 00B2E9C3
\Include\, xrefs: 00AF7165
Software\AutoIt v3\AutoIt, xrefs: 00AF719E

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: c75c84c665aac3a1ebd20eaa427489bb5b03bb3cc9a737231ef506565d9b2016
Instruction ID: 47e716d670ea25dfc1d5191d23879866cc843280a133b0bf25099e4e5db41005
Opcode Fuzzy Hash: c75c84c665aac3a1ebd20eaa427489bb5b03bb3cc9a737231ef506565d9b2016
Instruction Fuzzy Hash: 97717E725083059FD704EF65EC819AFBBE8FF48350B40462EF559872B0EBB59988CB52

Function 00AF3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AF3A50
LoadCursorW.USER32(00000000,00007F00), ref: 00AF3A5F
LoadIconW.USER32(00000063), ref: 00AF3A76
LoadIconW.USER32(000000A4), ref: 00AF3A88
LoadIconW.USER32(000000A2), ref: 00AF3A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00AF3AC0
RegisterClassExW.USER32(?), ref: 00AF3B16

Part of subcall function 00AF3041: GetSysColorBrush.USER32(0000000F), ref: 00AF3074
Part of subcall function 00AF3041: RegisterClassExW.USER32(00000030), ref: 00AF309E
Part of subcall function 00AF3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AF30AF
Part of subcall function 00AF3041: InitCommonControlsEx.COMCTL32(?), ref: 00AF30CC
Part of subcall function 00AF3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AF30DC
Part of subcall function 00AF3041: LoadIconW.USER32(000000A9), ref: 00AF30F2
Part of subcall function 00AF3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AF3101

Strings

#, xrefs: 00AF3AFB
AutoIt v3, xrefs: 00AF3B05
0, xrefs: 00AF3AF4

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 004bb4962dad5cc47d2e31ffdb384ba8f62080571d4bec9fd4536b79f48286f5
Instruction ID: 19580db8140ab7fb8507c66765415c6eba0ef694e44b2cad8fc2b1efff68018c
Opcode Fuzzy Hash: 004bb4962dad5cc47d2e31ffdb384ba8f62080571d4bec9fd4536b79f48286f5
Instruction Fuzzy Hash: AB212871D01309AFEB25DFA4EC09BAD7BB4EB08711F00022AF604A72A1DBF55A408F85

Function 00AF3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowtimeregistryCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00AF36D2
KillTimer.USER32(?,00000001), ref: 00AF36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AF371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AF372A
CreatePopupMenu.USER32 ref: 00AF373E
PostQuitMessage.USER32(00000000), ref: 00AF374D

Strings

TaskbarCreated, xrefs: 00AF3725

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 376ff04d476093a791d0cfd5cda2da4f6726e276023887f8c94a61ff7516f265
Instruction ID: 2740de8a0e7f66047476f2a4b523d21a061a88c54a731ddfc2f1ed70ffd44eb2
Opcode Fuzzy Hash: 376ff04d476093a791d0cfd5cda2da4f6726e276023887f8c94a61ff7516f265
Instruction Fuzzy Hash: CC41F8B310450DBBDF64BFA4EC09BBA37E4EB04341F100265F706D72A1DEA19E509666

Function 00AF3766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267COMMON

Download Yara Rule

Strings

/AutoIt3ExecuteScript, xrefs: 00AF38BC
CMDLINERAW, xrefs: 00AF37FB
/ErrorStdOut, xrefs: 00AF387D
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00AF37AE
CMDLINE, xrefs: 00AF3822
/AutoIt3ExecuteLine, xrefs: 00AF38A7
/AutoIt3OutputDebug, xrefs: 00AF3892

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: c70cc3a8583e71e3206f9f734a24863c8fe0d2a826e244efc6f28bfe0f3c5600
Instruction ID: 60f8c0b7c98e1ef39ec3f03e840ca7a53e1803cc797d7964829fc3aebd82d808
Opcode Fuzzy Hash: c70cc3a8583e71e3206f9f734a24863c8fe0d2a826e244efc6f28bfe0f3c5600
Instruction Fuzzy Hash: 2CA1387290022D9ACF15EBE4DD91AFEB7B8BF14300F400569F616B7191EF749A08CBA1

Function 014D23F8 Relevance: 10.7, APIs: 7, Instructions: 239fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 014D24C9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 014D26EF

Memory Dump Source

Source File: 00000000.00000002.1360396067.00000000014CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 014CF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cf000_5n2U8ZZZbc.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
Instruction ID: db6338bec6d4f5a3c4b3f227a86ea03b90d18c79c2991328fc1909f5580644fb
Opcode Fuzzy Hash: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
Instruction Fuzzy Hash: CCA1F774E00209EBDF14CFA4C9A4FAEBBB5BF48304F20855AE605BB291D7B59A41CF54

Function 00AF39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00AF3A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00AF3A24
ShowWindow.USER32(00000000,?,?), ref: 00AF3A38
ShowWindow.USER32(00000000,?,?), ref: 00AF3A41

Strings

edit, xrefs: 00AF3A1E
AutoIt v3, xrefs: 00AF39FB, 00AF3A00, 00AF3A01

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 326e06f3445ea5ade693bbf56e10611d765d8b74f015e32b1ba1a1dfb8212c4f
Instruction ID: 49d72ccf7c20b5e6985a0b12d7713e52c9c7ddebec4131993001dc7fdef04afc
Opcode Fuzzy Hash: 326e06f3445ea5ade693bbf56e10611d765d8b74f015e32b1ba1a1dfb8212c4f
Instruction Fuzzy Hash: 40F0DA715426907FEA315B276C49F7B2E7DD7C6F50F00422AB904A3270CAA11C51DAB5

Function 014D21F8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 134fileCOMMON

Download Yara Rule

APIs

Part of subcall function 014D20E8: Sleep.KERNELBASE(000001F4), ref: 014D20F9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 014D22EF

Strings

O10BAXY3SR, xrefs: 014D2352, 014D2355

Memory Dump Source

Source File: 00000000.00000002.1360396067.00000000014CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 014CF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cf000_5n2U8ZZZbc.jbxd

Similarity

API ID: CreateFileSleep
String ID: O10BAXY3SR
API String ID: 2694422964-2878648202
Opcode ID: 69bf2103e47078d8796be1a5c587153302045f880f96032a62cfce90e77d67da
Instruction ID: 3fd59d3e371083d46cebf97e4b3442c009eef2f834ee604effec6788cb8636bf
Opcode Fuzzy Hash: 69bf2103e47078d8796be1a5c587153302045f880f96032a62cfce90e77d67da
Instruction Fuzzy Hash: 66518231D0020ADAEF11DBB4C814BEEBB79AF18700F0041A9E618BB2D0DAB55B45CBA5

Function 00AF407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B2D3D7

Part of subcall function 00AF7BCC: _memmove.LIBCMT ref: 00AF7C06

_memset.LIBCMT ref: 00AF40FC
_wcscpy.LIBCMT ref: 00AF4150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00AF4160

Strings

Line: , xrefs: 00B2D400

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 799a7df9efab5b2c9432c5a7dd2ee43f66aaca7035b10581d6f2e9886f1e7b5c
Instruction ID: 37a4da5bf69cde2ad77f776e76398c3d7c57b380528e5327078404f8a2ef1808
Opcode Fuzzy Hash: 799a7df9efab5b2c9432c5a7dd2ee43f66aaca7035b10581d6f2e9886f1e7b5c
Instruction Fuzzy Hash: 3D318F71009709ABD331EBA0ED45BEB77E8AF54300F10461AF685931A1EFB49648CB97

Function 00AF686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00AF4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00BB52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AF4E0F

_free.LIBCMT ref: 00B2E263
_free.LIBCMT ref: 00B2E2AA

Part of subcall function 00AF6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00AF6BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00B2E039
Bad directive syntax error, xrefs: 00B2E292

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 4c9ff9ed45391a16c320357966f6d67fbdfafe91fa252dde58fb83d6f20f0ee1
Instruction ID: 7b2b0af5fc1f7dcd2483b901a3c6215f439c3dd5d1a0fffbc503b057c13c15c2
Opcode Fuzzy Hash: 4c9ff9ed45391a16c320357966f6d67fbdfafe91fa252dde58fb83d6f20f0ee1
Instruction Fuzzy Hash: 02916F7191022DEFCF04EFA5D8819EEB7F4FF09310B1044A9F92AAB2A1DB749955CB50

Function 00AF35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00AF35A1,SwapMouseButtons,00000004,?), ref: 00AF35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00AF35A1,SwapMouseButtons,00000004,?,?,?,?,00AF2754), ref: 00AF35F5
RegCloseKey.KERNELBASE(00000000,?,?,00AF35A1,SwapMouseButtons,00000004,?,?,?,?,00AF2754), ref: 00AF3617

Strings

Control Panel\Mouse, xrefs: 00AF35D2

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 8cd127286cc806e220a41404cc86313db6536da68ee64751e03176e258d9c90e
Instruction ID: 1bfca41630232c80a0d182e2ccbbd696b84866b39d70f68bd4adf96a4e9527be
Opcode Fuzzy Hash: 8cd127286cc806e220a41404cc86313db6536da68ee64751e03176e258d9c90e
Instruction Fuzzy Hash: BE113372610208BADF208FA4D880ABFBBB8EF04740F008469FA09D7210E6719E409BA4

Function 014D10E8 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 014D18A3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014D1939
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014D195B

Memory Dump Source

Source File: 00000000.00000002.1360396067.00000000014CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 014CF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cf000_5n2U8ZZZbc.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
Instruction ID: 0b3514391f9a5b592d5c047e962fecfccb163650b2d27318e2589cd27de7c02f
Opcode Fuzzy Hash: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
Instruction Fuzzy Hash: D862FA30A14258DBEB24CFA4C850BEEB776EF58700F1091A9D50DEB3A0E7759E81CB59

Function 00B5955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00AF4EE5: _fseek.LIBCMT ref: 00AF4EFD

Part of subcall function 00B59734: _wcscmp.LIBCMT ref: 00B59824
Part of subcall function 00B59734: _wcscmp.LIBCMT ref: 00B59837

_free.LIBCMT ref: 00B596A2
_free.LIBCMT ref: 00B596A9
_free.LIBCMT ref: 00B59714

Part of subcall function 00B12D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00B19A24), ref: 00B12D69
Part of subcall function 00B12D55: GetLastError.KERNEL32(00000000,?,00B19A24), ref: 00B12D7B

_free.LIBCMT ref: 00B5971C

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: be7da1c804f14ec52345fe0e41c3bca9e6e51eb1f4b958f70013333f082a6fc5
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: B35130B1904258EBDF259FA4DC81AAEBBB9EF48300F1044DEF609A3241DB715E94CF58

Function 00B1470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B147A0
__flush.LIBCMT ref: 00B147C0
__write.LIBCMT ref: 00B147F3
__flsbuf.LIBCMT ref: 00B14821

Part of subcall function 00B18B28: __getptd_noexit.LIBCMT ref: 00B18B28

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 1cb8d53e49a640370e32a2078bc19fa56aed00472766e9dc6150e1d7e8f4ae6e
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 6541C475B007459BDB18CE69C8809EE7BE5EF42360BA485BDE815CB680EB70DDC18B50

Function 00AF7285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B2EA39
GetOpenFileNameW.COMDLG32(?), ref: 00B2EA83

Part of subcall function 00AF4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AF4743,?,?,00AF37AE,?), ref: 00AF4770

Part of subcall function 00B10791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B107B0

Strings

X, xrefs: 00B2EA51

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 02f968b74262fb3aa5b65932561e8afaf3350cd8278843247af92f9dbc59b250
Instruction ID: ab1a85849e2292c3c44032e344e285af95df4637326e0c581ee3165d04fdca63
Opcode Fuzzy Hash: 02f968b74262fb3aa5b65932561e8afaf3350cd8278843247af92f9dbc59b250
Instruction Fuzzy Hash: AC21C031A0425C9BCF01DFD4D845BEE7BF8AF49310F00409AF508AB241DFB499898FA1

Function 00B598E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00B598F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00B5990F

Strings

aut, xrefs: 00B59909

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 23df2af2f74c6891817dca693a3394f1242793705ecbe42b61733c434e1719ae
Instruction ID: 610534ea3a03d25398e32c0d6ed52739cde200d8477a4fad7767deefca2fa946
Opcode Fuzzy Hash: 23df2af2f74c6891817dca693a3394f1242793705ecbe42b61733c434e1719ae
Instruction Fuzzy Hash: DFD05B7554030D6BDB509B90DC0DFA6777CE704700F0002F1BA54920A1ED7055948B95

Function 00B6CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4c49f7e2c14e3d94e79c5f6196089cb42072c5165cfa52b21b847153833b9d
Instruction ID: 580c121f85b025c7a64535e5067c3dcbf69232a91ca5a2eab1cdc15463db7e38
Opcode Fuzzy Hash: db4c49f7e2c14e3d94e79c5f6196089cb42072c5165cfa52b21b847153833b9d
Instruction Fuzzy Hash: 71F16971A083049FCB14DF28C484A6ABBE5FF88314F14896EF9999B351DB35E945CF82

Function 00AFF76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B10162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B10193
Part of subcall function 00B10162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B1019B
Part of subcall function 00B10162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B101A6
Part of subcall function 00B10162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B101B1
Part of subcall function 00B10162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B101B9
Part of subcall function 00B10162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B101C1

Part of subcall function 00B060F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00AFF930), ref: 00B06154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00AFF9CD
OleInitialize.OLE32(00000000), ref: 00AFFA4A
CloseHandle.KERNEL32(00000000), ref: 00B345C8

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: f961aef6a525ad42d617689cd5b904b31cdd348de0973683b899295b3218df69
Instruction ID: 7929e5a7860353f41e39ba06b9d9353abd203e9488bfb6c7b067010c8778e1a2
Opcode Fuzzy Hash: f961aef6a525ad42d617689cd5b904b31cdd348de0973683b899295b3218df69
Instruction Fuzzy Hash: 6A81DDB0901A408FC3B5EF2AE8557697BE5FB58306750866AA019CB379EFF04485CF27

Function 00AF434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AF4370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AF4415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AF4432

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 5ba0390e2fa7f3e458d0ff85554e62c9292e07f2aff7e1632206cefd76eaef17
Instruction ID: 49dad701b3c11358d9d9646c1abe247450447f34f03d46b35c63e3afc0bd320f
Opcode Fuzzy Hash: 5ba0390e2fa7f3e458d0ff85554e62c9292e07f2aff7e1632206cefd76eaef17
Instruction Fuzzy Hash: 25316FB05057059FD731DF64D8847ABBBF8FB48309F000A2EF69A97251EBB1A944CB52

Function 00B1571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00B15733

Part of subcall function 00B1A16B: __NMSG_WRITE.LIBCMT ref: 00B1A192
Part of subcall function 00B1A16B: __NMSG_WRITE.LIBCMT ref: 00B1A19C

__NMSG_WRITE.LIBCMT ref: 00B1573A

Part of subcall function 00B1A1C8: GetModuleFileNameW.KERNEL32(00000000,00BB33BA,00000104,?,00000001,00000000), ref: 00B1A25A
Part of subcall function 00B1A1C8: ___crtMessageBoxW.LIBCMT ref: 00B1A308

Part of subcall function 00B1309F: ___crtCorExitProcess.LIBCMT ref: 00B130A5
Part of subcall function 00B1309F: ExitProcess.KERNEL32 ref: 00B130AE

Part of subcall function 00B18B28: __getptd_noexit.LIBCMT ref: 00B18B28

RtlAllocateHeap.NTDLL(01490000,00000000,00000001,00000000,?,?,?,00B10DD3,?), ref: 00B1575F

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 92cc0068a7afa63537f7952824d706eb6d4eedfb9ded48cc72343f9fff9e625e
Instruction ID: f484fae976d9f0d3261c09ff2527f5c706b791f11bbd9c41696813117927c4e8
Opcode Fuzzy Hash: 92cc0068a7afa63537f7952824d706eb6d4eedfb9ded48cc72343f9fff9e625e
Instruction Fuzzy Hash: 2E019235244A01DBD6212B35AC83AEA73C8DBC2B61FD005A9F519AB1D1DEB09CC14665

Function 00B598A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00B59548,?,?,?,?,?,00000004), ref: 00B598BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00B59548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00B598D1
CloseHandle.KERNEL32(00000000,?,00B59548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B598D8

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: f3042c023bc213c10f985acd6db28b6e791308cf1dfbc07f1199156cb75039a7
Instruction ID: 485ef2c5632fb6cfc3af3c8501ff1d4980bcb5f028d9e96964849572802c2cfa
Opcode Fuzzy Hash: f3042c023bc213c10f985acd6db28b6e791308cf1dfbc07f1199156cb75039a7
Instruction Fuzzy Hash: 48E08632141215F7E7211B64EC09FDA7B59EB06B61F104120FB187A0E08BB11951979C

Function 00B58D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B58D1B

Part of subcall function 00B12D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00B19A24), ref: 00B12D69
Part of subcall function 00B12D55: GetLastError.KERNEL32(00000000,?,00B19A24), ref: 00B12D7B

_free.LIBCMT ref: 00B58D2C
_free.LIBCMT ref: 00B58D3E

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 97b0943cfd1a619cb6feb8709f3c84d11589910cc00e6f3a8e1882e178784571
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 22E012A160160156CB24A678F940BD713FC8F5935379409FDB80DE71D6DE64F8968124

Function 00AFA9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00B2FC01

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 1a9cf21d80bf6c654a1130268965f813e4484ba21ff16892e6361ce0c3dc1218
Instruction ID: e1015d5f241b6e8a3005cae18d63189a51047424a5d2f61ed41e719e83c32f49
Opcode Fuzzy Hash: 1a9cf21d80bf6c654a1130268965f813e4484ba21ff16892e6361ce0c3dc1218
Instruction Fuzzy Hash: 1C2247B0508205DFC724DF54C494ABABBF1BF58304F1489ADFA8A8B261D775ED85CB82

Function 00AF4C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AF4CBA

Strings

EA06, xrefs: 00B2D8CC

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: c940795d536ff5e5a76c05cb310711abfc511b7fffe14e6ff56bd6e10208e032
Instruction ID: 0c04b80a3fafbee3cf2757e5d802e871ad82567a457e2e314e8ee181b620b269
Opcode Fuzzy Hash: c940795d536ff5e5a76c05cb310711abfc511b7fffe14e6ff56bd6e10208e032
Instruction Fuzzy Hash: A5414832A0415C5BDF229BE4C9617BF7FB69B4D300F6844A5FF869B282D6209E4583A1

Function 00AF7A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AF7AAB
_memmove.LIBCMT ref: 00AF7B16

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9dd4efb868ffb8a5767105da0b16a8b73f80e319b4c4c742e2df27cd6dceb9ed
Instruction ID: b2caae14dc24be1c739ca9a0b698d31357dab48dde747cda58b5d47ff797411f
Opcode Fuzzy Hash: 9dd4efb868ffb8a5767105da0b16a8b73f80e319b4c4c742e2df27cd6dceb9ed
Instruction Fuzzy Hash: 1431D5B160450AAFC704EFA8D8D1D6DB3A4FF493507158269F519CB391EB70E950CB90

Function 00AF47D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00AF4834

Part of subcall function 00B1336C: __lock.LIBCMT ref: 00B13372
Part of subcall function 00B1336C: DecodePointer.KERNEL32(00000001,?,00AF4849,00B47C74), ref: 00B1337E
Part of subcall function 00B1336C: EncodePointer.KERNEL32(?,?,00AF4849,00B47C74), ref: 00B13389

Part of subcall function 00AF48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00AF4915
Part of subcall function 00AF48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00AF492A

Part of subcall function 00AF3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AF3B68
Part of subcall function 00AF3B3A: IsDebuggerPresent.KERNEL32 ref: 00AF3B7A
Part of subcall function 00AF3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00BB52F8,00BB52E0,?,?), ref: 00AF3BEB
Part of subcall function 00AF3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00AF3C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00AF4874

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 582b2cd891d8eee2b5b83f8fd52097a45a75d767a82bf3126046b8662d263e06
Instruction ID: 2c5c52de41d48ca912a3b2e2f5303836b68f295b7d30701287d8258ec788b6af
Opcode Fuzzy Hash: 582b2cd891d8eee2b5b83f8fd52097a45a75d767a82bf3126046b8662d263e06
Instruction Fuzzy Hash: 19119D719087059BC710DF68E845A2BBBE8EF88790F10461EF185932B1DFB09A44CFD6

Function 00B10DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B1571C: __FF_MSGBANNER.LIBCMT ref: 00B15733
Part of subcall function 00B1571C: __NMSG_WRITE.LIBCMT ref: 00B1573A
Part of subcall function 00B1571C: RtlAllocateHeap.NTDLL(01490000,00000000,00000001,00000000,?,?,?,00B10DD3,?), ref: 00B1575F

std::exception::exception.LIBCMT ref: 00B10DEC
__CxxThrowException@8.LIBCMT ref: 00B10E01

Part of subcall function 00B1859B: RaiseException.KERNEL32(?,?,?,00BA9E78,00000000,?,?,?,?,00B10E06,?,00BA9E78,?,00000001), ref: 00B185F0

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: f9a6e05662e682eec11588b93c01abda1ddda979e17489e03bbf85cbdb3d5947
Instruction ID: de14c0cce45ec21804942e8ac7ee7d141d1ba1d83d367dd5d9b7ed0c72c9c457
Opcode Fuzzy Hash: f9a6e05662e682eec11588b93c01abda1ddda979e17489e03bbf85cbdb3d5947
Instruction Fuzzy Hash: FAF0813290021DA6DB10BB94EC429DE7BE8EF05351F9044E9FD0496291DFB09AD0D3D5

Function 00B153A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B18B28: __getptd_noexit.LIBCMT ref: 00B18B28

__lock_file.LIBCMT ref: 00B153EB

Part of subcall function 00B16C11: __lock.LIBCMT ref: 00B16C34

__fclose_nolock.LIBCMT ref: 00B153F6

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 81f3e8f5aec5e19138dba3779dacf4eee2ada495c0186e680db596ea0230e9a2
Instruction ID: 2f52c77c85070c988205c3e7628efae123a7633160dc94cda326cdb69d09d1a5
Opcode Fuzzy Hash: 81f3e8f5aec5e19138dba3779dacf4eee2ada495c0186e680db596ea0230e9a2
Instruction Fuzzy Hash: 2EF09671800A04DAD7306B65A8427EE77E0BF81375FE481D9A435AB1C1CBFC59C2AB55

Function 014D10E5 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 014D18A3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014D1939
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014D195B

Memory Dump Source

Source File: 00000000.00000002.1360396067.00000000014CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 014CF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cf000_5n2U8ZZZbc.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
Instruction ID: ad2d69877d7c0bbed78ad7331819eb17475feaea2b794ff2114e5e24fc89f3b7
Opcode Fuzzy Hash: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
Instruction Fuzzy Hash: C212DD24E24658C6EB24DF64D8507DEB232EF68700F1090E9910DEB7A5E77A4F81CB5A

Function 00B10C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00B10CB7

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: cf2273bb8b6203029b93393137ad5e8f4f015792154d5c75f6ba52e63ca3f13e
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 5231A570A101069BC718EF58C4C4AA9FBE6FB99340BA486E5E80ACB355D671EDD1DFC0

Function 00B2FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00B2FCB7

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: e12884a1f1f18348201746e27bae93c386cd93ef37182c56a4f1be7868da887b
Instruction ID: b3d512f50f9a681a2e9149c1fcaf3d3cef388ac4ab07418371dc9873f69812cf
Opcode Fuzzy Hash: e12884a1f1f18348201746e27bae93c386cd93ef37182c56a4f1be7868da887b
Instruction Fuzzy Hash: 8B4125745043458FDB24DF54C444B6ABBE0BF48314F0988ACE9998B362C731E885CB52

Function 00AF7B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AF7BB3

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: c673acbe8b41b98e74fed41fc84613334b52efb7c6f7bed364239bc7d3b29da5
Instruction ID: bf2569d820e681e6ccfdc649ae0849a33e5715337e48bd34146a0a0d607f105d
Opcode Fuzzy Hash: c673acbe8b41b98e74fed41fc84613334b52efb7c6f7bed364239bc7d3b29da5
Instruction Fuzzy Hash: A8212772A04A18EBDB109F92F8426AD7BF4FB15350F2084AEE59AC9194EF30C1D0D745

Function 00AF4DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00AF4BEF

Part of subcall function 00B1525B: __wfsopen.LIBCMT ref: 00B15266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00BB52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AF4E0F

Part of subcall function 00AF4B6A: FreeLibrary.KERNEL32(00000000), ref: 00AF4BA4

Part of subcall function 00AF4C70: _memmove.LIBCMT ref: 00AF4CBA

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 3400c3c183e1964ca83fd5308a7ce20ef177322ac9eef4c2c4a0398fcb776df6
Instruction ID: f45af807afe58adc6842878f30f735710f2cab60c26d28ca9ab00c1ff565ffd8
Opcode Fuzzy Hash: 3400c3c183e1964ca83fd5308a7ce20ef177322ac9eef4c2c4a0398fcb776df6
Instruction Fuzzy Hash: C311E731600209ABDF21BFB0C912FBF77E4AF48710F108469F646A7192DB719A019B50

Function 00B2FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00B2FD91

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 7532d290c9668f046dbc4932b1d34607ad2f4f9e057bef9550c16c5ac9eab50f
Instruction ID: 121ec1a13a3448683424b09e85001718eafa700a16068517d95f509ad98a6ca7
Opcode Fuzzy Hash: 7532d290c9668f046dbc4932b1d34607ad2f4f9e057bef9550c16c5ac9eab50f
Instruction Fuzzy Hash: 142124B4918305DFCB14DFA4C444B6ABBE0BF88314F0589ACF98A57722D731E855CBA2

Function 00AF7DE1 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AF7E22

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8552a27d75c028384bb5dded52737eaba16b17fc97a4acef3cde4278dbd9ffc2
Instruction ID: a55c860a2816198927e206e5f7cf97c0bab8a98f650f4db6fe1e3c002b99e19e
Opcode Fuzzy Hash: 8552a27d75c028384bb5dded52737eaba16b17fc97a4acef3cde4278dbd9ffc2
Instruction Fuzzy Hash: 6101D6722147056ED3219F69D806EBBBBE49B44760F50857AFA1ACA191EA71E8808790

Function 00B1072A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B107B0

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: ff111248fafc7db42fc50a86d8fc6a402ad639279eb5107132594ed59bcd12a3
Instruction ID: d8dd55d01aa2f44d3774dadd881f1daab93826c157d50e70e774c51f52cc755c
Opcode Fuzzy Hash: ff111248fafc7db42fc50a86d8fc6a402ad639279eb5107132594ed59bcd12a3
Instruction Fuzzy Hash: AFF0BB3E5552245FE311A658AC02BF9B7DDDBC8760F208166FE98D3E81C9106C474EE2

Function 00B14863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00B148A6

Part of subcall function 00B18B28: __getptd_noexit.LIBCMT ref: 00B18B28

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 0444d64f21cbd95a7c09a86a29a0bc1c1e6b39d8c5b09a1666d9b75d6778b968
Instruction ID: 8095116ebdc3fd5529e7fceaf1b985998d6b106c48a45d031235d6fc39a96a7b
Opcode Fuzzy Hash: 0444d64f21cbd95a7c09a86a29a0bc1c1e6b39d8c5b09a1666d9b75d6778b968
Instruction Fuzzy Hash: 9AF0A931900609EBDF11AFA4CC067EE36E1FF41325F958598B424AA191CBB88AD2DB91

Function 00AF4E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00BB52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AF4E7E

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b51b6c2cbed3ed1428fa10fa97bc0801d03bb247efb007e8433c9ec9aba9e666
Instruction ID: 86d2dfb81c354de1503b5eff19926d950f31f37f479b2ecc0718b8e821cf93d5
Opcode Fuzzy Hash: b51b6c2cbed3ed1428fa10fa97bc0801d03bb247efb007e8433c9ec9aba9e666
Instruction Fuzzy Hash: AEF01C71501715CFDB349FA4E4948A3B7F1BF58365310897EF2E683610C7319880DB40

Function 00B10791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B107B0

Part of subcall function 00AF7BCC: _memmove.LIBCMT ref: 00AF7C06

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: c1d69612510d28a3092c13bb0d628d6c9763572ba1cb4a416799cbba463ba55e
Instruction ID: 64f81ed1403b2b58a1c18a395d1991c970b855aefa65b48704c96f2adb5ecd23
Opcode Fuzzy Hash: c1d69612510d28a3092c13bb0d628d6c9763572ba1cb4a416799cbba463ba55e
Instruction Fuzzy Hash: C3E0863690412857C72096989C05FFA77DDDB896A0F0441B5FD0CD7215D9609C808690

Function 00B1525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00B15266

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 2b050576f472ea595e861a0ca2e9ccb753c6e8cd6a22755012b79a27a6bc8eeb
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 6EB0927A44020CB7CE112A82EC02A893B5D9B91764F808060FB0C18162A677A6A49AC9

Function 014D20E8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 014D20F9

Memory Dump Source

Source File: 00000000.00000002.1360396067.00000000014CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 014CF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cf000_5n2U8ZZZbc.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 3a8798521920a6f8310ee4e8cf5cfb09694ff759831c372970bab535d1f444b9
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 05E0E67494010DDFDB00DFB4D6496AD7BF4EF04701F104161FD01E2281D6709D508A72

Non-executed Functions

Function 00B7CABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF2612: GetWindowLongW.USER32(?,000000EB), ref: 00AF2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00B7CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B7CB95
GetWindowLongW.USER32(?,000000F0), ref: 00B7CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B7CC00
SendMessageW.USER32 ref: 00B7CC29
_wcsncpy.LIBCMT ref: 00B7CC95
GetKeyState.USER32(00000011), ref: 00B7CCB6
GetKeyState.USER32(00000009), ref: 00B7CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B7CCD9
GetKeyState.USER32(00000010), ref: 00B7CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B7CD0C
SendMessageW.USER32 ref: 00B7CD33
SendMessageW.USER32(?,00001030,?,00B7B348), ref: 00B7CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00B7CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B7CE60
SetCapture.USER32(?), ref: 00B7CE69
ClientToScreen.USER32(?,?), ref: 00B7CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B7CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B7CEF5
ReleaseCapture.USER32 ref: 00B7CF00
GetCursorPos.USER32(?), ref: 00B7CF3A
ScreenToClient.USER32(?,?), ref: 00B7CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B7CFA3
SendMessageW.USER32 ref: 00B7CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B7D00E
SendMessageW.USER32 ref: 00B7D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B7D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B7D06D
GetCursorPos.USER32(?), ref: 00B7D08D
ScreenToClient.USER32(?,?), ref: 00B7D09A
GetParent.USER32(?), ref: 00B7D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B7D123
SendMessageW.USER32 ref: 00B7D154
ClientToScreen.USER32(?,?), ref: 00B7D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B7D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B7D20C
SendMessageW.USER32 ref: 00B7D22F
ClientToScreen.USER32(?,?), ref: 00B7D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B7D2B5

Part of subcall function 00AF25DB: GetWindowLongW.USER32(?,000000EB), ref: 00AF25EC

GetWindowLongW.USER32(?,000000F0), ref: 00B7D351

Strings

@GUI_DRAGID, xrefs: 00B7CE9C
F, xrefs: 00B7D235
@U=u, xrefs: 00B7CB95, 00B7CC00, 00B7CC29, 00B7CCD9, 00B7CD0C, 00B7CD33, 00B7CE37, 00B7CFA3, 00B7CFD1, 00B7D00E, 00B7D03D, 00B7D123, 00B7D154, 00B7D20C, 00B7D22F

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$@U=u$F
API String ID: 3977979337-1007936534
Opcode ID: 25b0e0fa0e126456236c076bdd75147ee748a662417304ad6021a40b6eed9f36
Instruction ID: 6fb490985d992fc24cee4f111280cf4b085ff0e5a62cd353aecf8f2b70ffba79
Opcode Fuzzy Hash: 25b0e0fa0e126456236c076bdd75147ee748a662417304ad6021a40b6eed9f36
Instruction Fuzzy Hash: 9942CD34204245AFD721CF64C884BAABFE5FF48350F14869DF6A9972A0CB71D941DB92

Function 00B06F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B071C3
_memset.LIBCMT ref: 00B07539
_memmove.LIBCMT ref: 00B076AC

Strings

[:<:]], xrefs: 00B07479
[:>:]], xrefs: 00B07492
Q\E, xrefs: 00B07FCB
\b(?=\w), xrefs: 00B43769
\b(?<=\w), xrefs: 00B43773
DEFINE, xrefs: 00B42103

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: b5784eb7747b8c35f65f5535af8a6a6b8ebd1347196625a63934f9b4e60f8e22
Instruction ID: 3b8a8ac8f50a808738498bc3b05d23e7817f7ae72831f16e20631d3625c1d852
Opcode Fuzzy Hash: b5784eb7747b8c35f65f5535af8a6a6b8ebd1347196625a63934f9b4e60f8e22
Instruction Fuzzy Hash: 3D93A371E44215DBDB24CF58C881BADBBF1FF48710F6481AAE955AB381E7709E81EB40

Function 00AF48D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00AF48DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B2D665
IsIconic.USER32(?), ref: 00B2D66E
ShowWindow.USER32(?,00000009), ref: 00B2D67B
SetForegroundWindow.USER32(?), ref: 00B2D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B2D69B
GetCurrentThreadId.KERNEL32 ref: 00B2D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B2D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B2D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B2D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00B2D6CF
SetForegroundWindow.USER32(?), ref: 00B2D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B2D6E7
keybd_event.USER32(00000012,00000000), ref: 00B2D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B2D6FC
keybd_event.USER32(00000012,00000000), ref: 00B2D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B2D70A
keybd_event.USER32(00000012,00000000), ref: 00B2D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B2D719
keybd_event.USER32(00000012,00000000), ref: 00B2D71E
SetForegroundWindow.USER32(?), ref: 00B2D721
AttachThreadInput.USER32(?,?,00000000), ref: 00B2D748

Strings

Shell_TrayWnd, xrefs: 00B2D660

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a8455e935c8340e1f7d6bdc5433a5984143e30698170bc3a8046b1b51680c4e2
Instruction ID: 3767d464624aa8e1a9eb3ed702d34072d1aed541de63d0da9e6392291971200d
Opcode Fuzzy Hash: a8455e935c8340e1f7d6bdc5433a5984143e30698170bc3a8046b1b51680c4e2
Instruction Fuzzy Hash: 95315571A403187AEB216FA19C89F7F7FACEB44B50F104065FA09EB1D1CAB05D41ABA5

Function 00B48310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00B487E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B4882B
Part of subcall function 00B487E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B48858
Part of subcall function 00B487E1: GetLastError.KERNEL32 ref: 00B48865

_memset.LIBCMT ref: 00B48353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00B483A5
CloseHandle.KERNEL32(?), ref: 00B483B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00B483CD
GetProcessWindowStation.USER32 ref: 00B483E6
SetProcessWindowStation.USER32(00000000), ref: 00B483F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00B4840A

Part of subcall function 00B481CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B48309), ref: 00B481E0
Part of subcall function 00B481CB: CloseHandle.KERNEL32(?,?,00B48309), ref: 00B481F2

Strings

winsta0, xrefs: 00B483C8
, xrefs: 00B48362
default, xrefs: 00B48405

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: c775d9630d402d53236aadc688d9233a6fb41f81adb6367716774958dab4f12c
Instruction ID: e956cb79af514f209f5e73a35b39e19866e5617e40ee1c2e4e9d96ed5f48e461
Opcode Fuzzy Hash: c775d9630d402d53236aadc688d9233a6fb41f81adb6367716774958dab4f12c
Instruction Fuzzy Hash: CA813571900209AFDF11AFA4DC45AFEBBB9EF08704F1441A9F918A7261DB318F54EB64

Function 00B5C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B5C78D
FindClose.KERNEL32(00000000), ref: 00B5C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B5C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B5C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B5C844
__swprintf.LIBCMT ref: 00B5C890
__swprintf.LIBCMT ref: 00B5C8D3

Part of subcall function 00AF7DE1: _memmove.LIBCMT ref: 00AF7E22

__swprintf.LIBCMT ref: 00B5C927

Part of subcall function 00B13698: __woutput_l.LIBCMT ref: 00B136F1

__swprintf.LIBCMT ref: 00B5C975

Part of subcall function 00B13698: __flsbuf.LIBCMT ref: 00B13713
Part of subcall function 00B13698: __flsbuf.LIBCMT ref: 00B1372B

__swprintf.LIBCMT ref: 00B5C9C4
__swprintf.LIBCMT ref: 00B5CA13
__swprintf.LIBCMT ref: 00B5CA62

Strings

%02d, xrefs: 00B5C91B, 00B5C925, 00B5C973, 00B5C9C2, 00B5CA11, 00B5CA60
%4d%02d%02d%02d%02d%02d, xrefs: 00B5C88A
%4d, xrefs: 00B5C8CD

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: a6ecb370898efd3eb1127d82285b70b0882b26dcbf59b2c5b4ce024bfb67c0a7
Instruction ID: e967b4389e6b247ef682d67aa81517544aae2f632b2e721b098b057cc9f98dbe
Opcode Fuzzy Hash: a6ecb370898efd3eb1127d82285b70b0882b26dcbf59b2c5b4ce024bfb67c0a7
Instruction Fuzzy Hash: 2BA10AB2408349AFC744EFA4C985EBFB7ECFF94704F400959F69586191EA34DA48CB62

Function 00B5EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00B5EFB6
_wcscmp.LIBCMT ref: 00B5EFCB
_wcscmp.LIBCMT ref: 00B5EFE2
GetFileAttributesW.KERNEL32(?), ref: 00B5EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00B5F00E
FindNextFileW.KERNEL32(00000000,?), ref: 00B5F026
FindClose.KERNEL32(00000000), ref: 00B5F031
FindFirstFileW.KERNEL32(*.*,?), ref: 00B5F04D
_wcscmp.LIBCMT ref: 00B5F074
_wcscmp.LIBCMT ref: 00B5F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00B5F09D
SetCurrentDirectoryW.KERNEL32(00BA8920), ref: 00B5F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B5F0C5
FindClose.KERNEL32(00000000), ref: 00B5F0D2
FindClose.KERNEL32(00000000), ref: 00B5F0E4

Strings

*.*, xrefs: 00B5F048

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 5a845216d21ec3ce6f620e619360224ef1b9bde86634446a5641e03dc1cb128e
Instruction ID: 472e7b4bb7aa636744f1db4daff656b4bb4a615816bb8942635e8e24648c47cf
Opcode Fuzzy Hash: 5a845216d21ec3ce6f620e619360224ef1b9bde86634446a5641e03dc1cb128e
Instruction Fuzzy Hash: 3331C23250021A6ADB149FA4DC49BFEB7EDDF49361F1841F5E808E30A1EF70DA88CA55

Function 00B70857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B70953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00B7F910,00000000,?,00000000,?,?), ref: 00B709C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00B70A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00B70A92
RegCloseKey.ADVAPI32(?), ref: 00B70DB2
RegCloseKey.ADVAPI32(00000000), ref: 00B70DBF

Strings

REG_SZ, xrefs: 00B70AD0
REG_BINARY, xrefs: 00B70D4D
REG_QWORD, xrefs: 00B70D00
REG_MULTI_SZ, xrefs: 00B70B7A
REG_EXPAND_SZ, xrefs: 00B70A2F
REG_DWORD, xrefs: 00B70C83

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: dd9f330f560089a293e5be20019e088fd184c51c87ef4702f46d613c85af7d65
Instruction ID: d886f33c8f98b85e9ca9accffcf8a9c38c06d05228daf0a7c676836939722a97
Opcode Fuzzy Hash: dd9f330f560089a293e5be20019e088fd184c51c87ef4702f46d613c85af7d65
Instruction Fuzzy Hash: 81025A756046059FCB14EF64C981E2AB7E5FF89310F0485ADF99A9B3A2DB30ED41CB81

Function 00B5F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00B5F113
_wcscmp.LIBCMT ref: 00B5F128
_wcscmp.LIBCMT ref: 00B5F13F

Part of subcall function 00B54385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B543A0

FindNextFileW.KERNEL32(00000000,?), ref: 00B5F16E
FindClose.KERNEL32(00000000), ref: 00B5F179
FindFirstFileW.KERNEL32(*.*,?), ref: 00B5F195
_wcscmp.LIBCMT ref: 00B5F1BC
_wcscmp.LIBCMT ref: 00B5F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00B5F1E5
SetCurrentDirectoryW.KERNEL32(00BA8920), ref: 00B5F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B5F20D
FindClose.KERNEL32(00000000), ref: 00B5F21A
FindClose.KERNEL32(00000000), ref: 00B5F22C

Strings

*.*, xrefs: 00B5F190

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 69a42454f23ea1537fbc3636d571469535468138ad817b3ab65de5a66a6948fd
Instruction ID: 3508c6a182853e4c0e73fdc8fbb274668207312d75ba393c81833144848e9ba1
Opcode Fuzzy Hash: 69a42454f23ea1537fbc3636d571469535468138ad817b3ab65de5a66a6948fd
Instruction Fuzzy Hash: 7431B37650021AAACB109EA4EC49FFEB7EDDF45361F1001F5FC04A30A0EB31DA89CA58

Function 00B5A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B5A20F
__swprintf.LIBCMT ref: 00B5A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B5A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B5A293
_memset.LIBCMT ref: 00B5A2B2
_wcsncpy.LIBCMT ref: 00B5A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00B5A323
CloseHandle.KERNEL32(00000000), ref: 00B5A32E
RemoveDirectoryW.KERNEL32(?), ref: 00B5A337
CloseHandle.KERNEL32(00000000), ref: 00B5A341

Strings

\, xrefs: 00B5A247
\??\%s, xrefs: 00B5A22B
:, xrefs: 00B5A252

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 5d82ac4e3a05c7dd4a408961892ab89d1d87b2f3860f3048792a7f50cb4a246a
Instruction ID: 49065aac858b033ab482950a666860753f09c4c46fad937b3bf2191c21cf7688
Opcode Fuzzy Hash: 5d82ac4e3a05c7dd4a408961892ab89d1d87b2f3860f3048792a7f50cb4a246a
Instruction Fuzzy Hash: CB319F7190410AABDB209FA0DC49FEB37FCEF88701F5041F6F908E2160EB7096848B29

Function 00B066E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

UTF16), xrefs: 00B410CF
UCP), xrefs: 00B4110D
NO_START_OPT), xrefs: 00B4114F
ANYCRLF), xrefs: 00B412FB
NO_AUTO_POSSESS), xrefs: 00B4112E
UTF), xrefs: 00B410FA
LIMIT_MATCH=, xrefs: 00B41170
LIMIT_RECURSION=, xrefs: 00B411FC
CRLF), xrefs: 00B412C1
BSR_ANYCRLF), xrefs: 00B4131E
ANY), xrefs: 00B412DE
LF), xrefs: 00B412A4
BSR_UNICODE), xrefs: 00B41338
CR), xrefs: 00B41287

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: a83328b2bbd108f27b10bb79fc0146f8c7bd07cac37aade76f17e775d5d08336
Instruction ID: 2f7227e980c0a95075d7603f04dcba32ba86bb66c0c10c5f95fac20e96775be1
Opcode Fuzzy Hash: a83328b2bbd108f27b10bb79fc0146f8c7bd07cac37aade76f17e775d5d08336
Instruction Fuzzy Hash: 04726175E002199BDF24CF59C8817ADBBF5FF48710F1485AAE849EB290E7709E81DB90

Function 00B5001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B50097
SetKeyboardState.USER32(?), ref: 00B50102
GetAsyncKeyState.USER32(000000A0), ref: 00B50122
GetKeyState.USER32(000000A0), ref: 00B50139
GetAsyncKeyState.USER32(000000A1), ref: 00B50168
GetKeyState.USER32(000000A1), ref: 00B50179
GetAsyncKeyState.USER32(00000011), ref: 00B501A5
GetKeyState.USER32(00000011), ref: 00B501B3
GetAsyncKeyState.USER32(00000012), ref: 00B501DC
GetKeyState.USER32(00000012), ref: 00B501EA
GetAsyncKeyState.USER32(0000005B), ref: 00B50213
GetKeyState.USER32(0000005B), ref: 00B50221

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e42e67d25e7b30622c132b2f72a8c685bb9205bf9659a8af02a536e6d62fed4e
Instruction ID: 12af6aea189e98fa339145510b00623e6046f57891eeb865ad11046bde38dc86
Opcode Fuzzy Hash: e42e67d25e7b30622c132b2f72a8c685bb9205bf9659a8af02a536e6d62fed4e
Instruction Fuzzy Hash: DA51B42091478829FB35FBA088557AABFF4DF02381F0C45DADDC6575C3DAA49A8CC762

Function 00B703DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B70E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B6FDAD,?,?), ref: 00B70E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B704AC

Part of subcall function 00AF9837: __itow.LIBCMT ref: 00AF9862
Part of subcall function 00AF9837: __swprintf.LIBCMT ref: 00AF98AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B7054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B705E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00B70822
RegCloseKey.ADVAPI32(00000000), ref: 00B7082F

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 073f61b886c3f56fac68443efc7ecff44041da3f547e2b871bcd27c6865130bc
Instruction ID: 7624ad04cc2463ddae36974579d6e529d0c32289804553f0665ef6f85f04bbfc
Opcode Fuzzy Hash: 073f61b886c3f56fac68443efc7ecff44041da3f547e2b871bcd27c6865130bc
Instruction Fuzzy Hash: AAE14D31604205EFCB14EF64C995E2ABBE4EF89314F04C5ADF959DB2A1DA30ED41CB92

Function 00B683BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF9837: __itow.LIBCMT ref: 00AF9862
Part of subcall function 00AF9837: __swprintf.LIBCMT ref: 00AF98AC

CoInitialize.OLE32 ref: 00B68403
CoUninitialize.OLE32 ref: 00B6840E
CoCreateInstance.OLE32(?,00000000,00000017,00B82BEC,?), ref: 00B6846E
IIDFromString.OLE32(?,?), ref: 00B684E1
VariantInit.OLEAUT32(?), ref: 00B6857B
VariantClear.OLEAUT32(?), ref: 00B685DC

Strings

NULL Pointer assignment, xrefs: 00B684B3
Invalid parameter, xrefs: 00B684FA
Failed to create object, xrefs: 00B68479, 00B6852F

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: f835c78d40d8b662de97080d6c455e58417715eb379dd03f209b0c8cbc19efca
Instruction ID: 1f63a4004c4ea77c4e22a6e1e6da77d59d2f8ea56f01d5d65bcea391ce0dea17
Opcode Fuzzy Hash: f835c78d40d8b662de97080d6c455e58417715eb379dd03f209b0c8cbc19efca
Instruction Fuzzy Hash: 8E61CF706083129FC710DF54D889F6AB7E8EF49754F004A99F9869B2A1CF74ED44CB92

Function 00B64164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00B6418B
EmptyClipboard.USER32 ref: 00B64191
GlobalAlloc.KERNEL32(00000002,?), ref: 00B641A6
CloseClipboard.USER32 ref: 00B64245

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 06ae1958741cd56628eefef25f326da5df48704c02ef4327c7a7f4fbaa032a75
Instruction ID: 6253ebf4a5bca38cfa7733f37460f0867763e9b11b6fdbd2ec237099213ff855
Opcode Fuzzy Hash: 06ae1958741cd56628eefef25f326da5df48704c02ef4327c7a7f4fbaa032a75
Instruction Fuzzy Hash: 8821AD352006159FDB10AF60EC49B7A7BE8FF05750F10806AF94A9B2A1CF34EC40CB89

Function 00B537EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AF4743,?,?,00AF37AE,?), ref: 00AF4770

Part of subcall function 00B54A31: GetFileAttributesW.KERNEL32(?,00B5370B), ref: 00B54A32

FindFirstFileW.KERNEL32(?,?), ref: 00B538A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00B5394B
MoveFileW.KERNEL32(?,?), ref: 00B5395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00B5397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B5399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00B539B9

Strings

\*.*, xrefs: 00B5384E, 00B53857, 00B5386C

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: a34bfb1c6024d99ab2c897f7b35695cefeff076ec2e3cf1f0759da97af517604
Instruction ID: 0cbbe8201f0471562ba6ffc4a959560fa62f010349dc87dd7c67c05dd971adf0
Opcode Fuzzy Hash: a34bfb1c6024d99ab2c897f7b35695cefeff076ec2e3cf1f0759da97af517604
Instruction Fuzzy Hash: 55515C7180514D9ACB05EBE0DA92AFDB7F9AF14341F6000E9F906A7291EF616F0DCB60

Function 00B5F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF7DE1: _memmove.LIBCMT ref: 00AF7E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00B5F440
Sleep.KERNEL32(0000000A), ref: 00B5F470
_wcscmp.LIBCMT ref: 00B5F484
_wcscmp.LIBCMT ref: 00B5F49F
FindNextFileW.KERNEL32(?,?), ref: 00B5F53D
FindClose.KERNEL32(00000000), ref: 00B5F553

Strings

*.*, xrefs: 00B5F425

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 1e51613017bf616a1fe79e04f18a80b169aa74871fcde793f8852b3c1101ef27
Instruction ID: 3a3b98450b20d1688843d2cb1a8930912e3aa21128635fcdeee2be3a37b2ff26
Opcode Fuzzy Hash: 1e51613017bf616a1fe79e04f18a80b169aa74871fcde793f8852b3c1101ef27
Instruction Fuzzy Hash: C4417C7180020A9BDF14DFA8DC49BFEBBF4FF15311F1040A6E919A3291EB309A89CB50

Function 00B05760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B058A5
_memmove.LIBCMT ref: 00B058F5
_memmove.LIBCMT ref: 00B0595B

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: b142e567cbd5d5c683b7143c37bc5d503c04a732463fd9005df20da8ec9a17d9
Instruction ID: d836d376d96d39c470f38d1d538d6206df2829c88e66fc1ffb66911e3aeb60c5
Opcode Fuzzy Hash: b142e567cbd5d5c683b7143c37bc5d503c04a732463fd9005df20da8ec9a17d9
Instruction Fuzzy Hash: C8127970A00609DBDF14EFA5D981AEEBBF5FF48300F1045A9E906E7290EB35AE54DB50

Function 00B551BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00B487E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B4882B
Part of subcall function 00B487E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B48858
Part of subcall function 00B487E1: GetLastError.KERNEL32 ref: 00B48865

ExitWindowsEx.USER32(?,00000000), ref: 00B551F9

Strings

@, xrefs: 00B551EC
SeShutdownPrivilege, xrefs: 00B551C9
, xrefs: 00B551E7

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 02beff08b98ff57f58c036cf7ab740aa3009273500bdcc11b94c33956d20d277
Instruction ID: 141ffd7734c411d6e0b391122ed38302e377d76ba9456e83e08f9d3dce57c038
Opcode Fuzzy Hash: 02beff08b98ff57f58c036cf7ab740aa3009273500bdcc11b94c33956d20d277
Instruction Fuzzy Hash: CD012B317916166BF7386668ACBAFBB72D8EB05743F2004E1FD07E20D2DD521C4887A4

Function 00B66283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B662DC
WSAGetLastError.WSOCK32(00000000), ref: 00B662EB
bind.WSOCK32(00000000,?,00000010), ref: 00B66307
listen.WSOCK32(00000000,00000005), ref: 00B66316
WSAGetLastError.WSOCK32(00000000), ref: 00B66330
closesocket.WSOCK32(00000000,00000000), ref: 00B66344

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 1c9f32d5f52450ea0d9c14b9a3db6d1b5560f05936ea84d2e24f83a9a73b5437
Instruction ID: 59ce3ab8d99f1bc3a6174c2a18aca0c2eaebef25cdeb60e95fbbe0a2ec279e0a
Opcode Fuzzy Hash: 1c9f32d5f52450ea0d9c14b9a3db6d1b5560f05936ea84d2e24f83a9a73b5437
Instruction Fuzzy Hash: A621DD316002059FCB00EF68C989B7EB7E9EF49720F1481A9F95AA73D1CB74AD41CB56

Function 00B05520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00B10DB6: std::exception::exception.LIBCMT ref: 00B10DEC
Part of subcall function 00B10DB6: __CxxThrowException@8.LIBCMT ref: 00B10E01

_memmove.LIBCMT ref: 00B40258
_memmove.LIBCMT ref: 00B4036D
_memmove.LIBCMT ref: 00B40414

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 4130c7ea696ff84f779b9ad480dc0a5548cb3a09c43a717b5accfa58e6c49658
Instruction ID: d1f6da719813b4a8b4aa9a2c1505c84966dd28eb468fe8e296567d882b478251
Opcode Fuzzy Hash: 4130c7ea696ff84f779b9ad480dc0a5548cb3a09c43a717b5accfa58e6c49658
Instruction Fuzzy Hash: A102CE70A10209DBCF14EF64D981ABEBBF5EF48300F5080A9E906DB295EB75DE50DB91

Function 00AF1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00AF2612: GetWindowLongW.USER32(?,000000EB), ref: 00AF2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00AF19FA
GetSysColor.USER32(0000000F), ref: 00AF1A4E
SetBkColor.GDI32(?,00000000), ref: 00AF1A61

Part of subcall function 00AF1290: DefDlgProcW.USER32(?,00000020,?), ref: 00AF12D8

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 441b1a22141e271728b85f1ec38d6726ca38ce1221e928f107d82f57209639cf
Instruction ID: e0252d57c60227c20d08214af778e726ee85ec745fb0adae9987541d63b208f6
Opcode Fuzzy Hash: 441b1a22141e271728b85f1ec38d6726ca38ce1221e928f107d82f57209639cf
Instruction Fuzzy Hash: 73A1567111255CFEE738BBA89C84EBF3AECDF42381B14025EF716D6192CE218D4192B2

Function 00B66747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B67D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B67DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00B6679E
WSAGetLastError.WSOCK32(00000000), ref: 00B667C7
bind.WSOCK32(00000000,?,00000010), ref: 00B66800
WSAGetLastError.WSOCK32(00000000), ref: 00B6680D
closesocket.WSOCK32(00000000,00000000), ref: 00B66821

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: ff1559c4733e1a179ddf5d6c0318e10a1974f523c235230f80b72c1c3183436c
Instruction ID: 2a17e24280d4a3164bd267e5c34792c47162ea98168c1fd0f07fcaa45fe83d6c
Opcode Fuzzy Hash: ff1559c4733e1a179ddf5d6c0318e10a1974f523c235230f80b72c1c3183436c
Instruction Fuzzy Hash: EE41E475A00208AFDB10BFA4CD86F7E77E8DF05754F048458FA59AB3C2CA749D008B92

Function 00B75376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00B753C5
IsWindowEnabled.USER32 ref: 00B753D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00B753E0
IsIconic.USER32 ref: 00B753EE
IsZoomed.USER32 ref: 00B753FC

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 6c1a1888facdcdc277e86742f8ce951dbb7cd08aeec2b997c8586e3495e219c5
Instruction ID: 4a4f1314b41ba6861c13f7f643e1701d147945c76c79b3d312a1e9ac079157e9
Opcode Fuzzy Hash: 6c1a1888facdcdc277e86742f8ce951dbb7cd08aeec2b997c8586e3495e219c5
Instruction Fuzzy Hash: 6311B2317009156FDB316F26DC44A7A7BD8EF447A1B418069F85ED7251CBB0DD418AA8

Function 00B480A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B480C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B480CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B480D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B480E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B480F6

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 713134e06ea9644f808b5506b9cfb707bf2d60cca188cd08e4a0b5494a65e8c8
Instruction ID: ece079a83649c4e675b827742e24e2cf4c0d8293167ae242895124b668e179d1
Opcode Fuzzy Hash: 713134e06ea9644f808b5506b9cfb707bf2d60cca188cd08e4a0b5494a65e8c8
Instruction Fuzzy Hash: 26F04F31240205AFEB101FA5EC8DE7B3BACFF4A755F400066F949D7150CE619D81EA60

Function 00AF4B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AF4AD0), ref: 00AF4B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00AF4B57

Strings

GetNativeSystemInfo, xrefs: 00AF4B51
kernel32.dll, xrefs: 00AF4B40

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: fafa42815ec8fbd6bdf9e618adf1b77a820ea7b5c55b4102b486500aa32f220d
Instruction ID: 97a74ff09cd624ba98c420ea3ff91e5bf5c8a06da44c048e240f514f0f6f49c9
Opcode Fuzzy Hash: fafa42815ec8fbd6bdf9e618adf1b77a820ea7b5c55b4102b486500aa32f220d
Instruction Fuzzy Hash: 95D01234A10717CFD7209F71D858B2676D4AF05351F11C879A499D6660EB70D4C0CA58

Function 00B03030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 277475649e125dbd176a53107f0849c6f5fccfc46b28dd0db33a64d9332a7c84
Instruction ID: d641fba659bd9010006f46a82fe508453c2577cf7915d0aa6800ebbe6c9d09ca
Opcode Fuzzy Hash: 277475649e125dbd176a53107f0849c6f5fccfc46b28dd0db33a64d9332a7c84
Instruction Fuzzy Hash: F7228B716083009FC724DF54C881BAFBBE8EF84710F50896DF99A9B291DB71E944CB92

Function 00B6EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B6EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00B6EE4B

Part of subcall function 00AF7DE1: _memmove.LIBCMT ref: 00AF7E22

Process32NextW.KERNEL32(00000000,?), ref: 00B6EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00B6EF1A

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: a6d28c3723131fc5e8c6db6401a5c6aec303fc114467187c81ee7bb55c9cf0cb
Instruction ID: a88359258fec3bdd9b19e8d394cb3a6ca64d89a450894ac5418787975d738371
Opcode Fuzzy Hash: a6d28c3723131fc5e8c6db6401a5c6aec303fc114467187c81ee7bb55c9cf0cb
Instruction Fuzzy Hash: 83518C71504705ABD320EF60D885E7BB7E8EF88710F40482DF695972A1EB70E904CB92

Function 00B4E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00B4E628

Strings

(, xrefs: 00B4E66E
|, xrefs: 00B4E658

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 21632c538b75ab5ed50f9d16f90127f063b6b0ca54cc8dc28cc4416b50937c71
Instruction ID: 0aff5b8c9237f33826565622442b6572ec92c4f2e4a24789f3adc5d4cb342d04
Opcode Fuzzy Hash: 21632c538b75ab5ed50f9d16f90127f063b6b0ca54cc8dc28cc4416b50937c71
Instruction Fuzzy Hash: B8322775A007059FD728CF59C48196AB7F1FF48320B15C5AEE8AADB3A1D770EA81CB44

Function 00B622EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00B6180A,00000000), ref: 00B623E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00B62418

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 818771040589e61fe76b2a7a41fc9099ca64a6bf87f2c415fffc525bc6fe0575
Instruction ID: d0573145fafc806a769d4322ff73957a0da35dc688339120c61f3b5e30bf4d6c
Opcode Fuzzy Hash: 818771040589e61fe76b2a7a41fc9099ca64a6bf87f2c415fffc525bc6fe0575
Instruction Fuzzy Hash: 4141B371904A09BFFB209F95DC85FFB77ECEB40314F1040AAFA05A7240EB799E819664

Function 00B5B3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B5B40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B5B465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00B5B4B2

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 93f6baaf1254c5aaab0ae6e67247fa3cdb77b3d26532c12e800f7a793ec38c4c
Instruction ID: bc5d48ca2fe9ebbeeff75afd15c7319f6401d4b5607159b92ad5cf6addcb1458
Opcode Fuzzy Hash: 93f6baaf1254c5aaab0ae6e67247fa3cdb77b3d26532c12e800f7a793ec38c4c
Instruction Fuzzy Hash: 56214C35A00108EFCB00EFA5D880ABEBBF8FF49310F1480A9E905AB361DB319955CB51

Function 00B487E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00B10DB6: std::exception::exception.LIBCMT ref: 00B10DEC
Part of subcall function 00B10DB6: __CxxThrowException@8.LIBCMT ref: 00B10E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B4882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B48858
GetLastError.KERNEL32 ref: 00B48865

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: eaaff073c45d73bf1553f0ee95b13b2da81e6cca7499a067d2da3a1e3dea33c1
Instruction ID: 28b305f0ee1ea69ca3efea953577a45b5babd55350467d823e636e663099990b
Opcode Fuzzy Hash: eaaff073c45d73bf1553f0ee95b13b2da81e6cca7499a067d2da3a1e3dea33c1
Instruction Fuzzy Hash: 5F119DB2814205AFE718EFA4EC85D7BB7E8EB04710B60856EE45987201EA70AC808B64

Function 00B4874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00B48774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00B4878B
FreeSid.ADVAPI32(?), ref: 00B4879B

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 120bf3d12593ea75ad7e2efa52074b1ce227c0105413f6ab93333ebd6ad8c687
Instruction ID: a5ef123424e6afca8144e42a3ba92135c394a9c9aa8ea0d9d0d372d185517e1f
Opcode Fuzzy Hash: 120bf3d12593ea75ad7e2efa52074b1ce227c0105413f6ab93333ebd6ad8c687
Instruction Fuzzy Hash: B6F03C75951209BBDB00DFE49C89ABDB7B8EF08201F1044A9E505E3281D6715A448B54

Function 00B5C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B5C6FB
FindClose.KERNEL32(00000000), ref: 00B5C72B

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: b87cd28a1040a5c1ebe48c3ce5e7a03ea42d7eb73b874e815da8f547879e9698
Instruction ID: 3c001c41f4754027f9cdc9b7b70f386c1ef067e006df2eab94503b9e199751ef
Opcode Fuzzy Hash: b87cd28a1040a5c1ebe48c3ce5e7a03ea42d7eb73b874e815da8f547879e9698
Instruction Fuzzy Hash: 53118E726006049FDB10DF29C885A2AF7E9EF85361F00855EF9A987291DB30AC05CF81

Function 00B5A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00B69468,?,00B7FB84,?), ref: 00B5A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00B69468,?,00B7FB84,?), ref: 00B5A0A9

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 4c9a91f8b0d4db936ca7b3e0f883462af4618189bcdc92e4a9122f4cc20dfdf1
Instruction ID: 443878381dfb3f6b53e9d2898e777195725289bec405de3747dc75c482447b23
Opcode Fuzzy Hash: 4c9a91f8b0d4db936ca7b3e0f883462af4618189bcdc92e4a9122f4cc20dfdf1
Instruction Fuzzy Hash: 7AF0823551522DABDB219FA4DC48FFA77ACFF08361F0042A5F909E7191DA309944CBA1

Function 00B481CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B48309), ref: 00B481E0
CloseHandle.KERNEL32(?,?,00B48309), ref: 00B481F2

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 8e4c6eb3da011768e6c50b14233d9529a2f4eaf9224133a2041e71a2441180cc
Instruction ID: e81c0dfbd93bffd464796365a61436a249d9a0ac9c4e5cf647a5373501401c44
Opcode Fuzzy Hash: 8e4c6eb3da011768e6c50b14233d9529a2f4eaf9224133a2041e71a2441180cc
Instruction Fuzzy Hash: 77E0EC72010611AFE7252B71EC09DB77BEAEF08310714886DF8AA85470DB62ACE1DB14

Function 00B1A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00B18D57,?,?,?,00000001), ref: 00B1A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00B1A163

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 002cecd19b195f65ba9a8460652ab644e75b7dcfd3332b6e132700662ef45eca
Instruction ID: f097223924b55e82c06cbc54a86e01140e9c0b521a4de0651916915f3687e658
Opcode Fuzzy Hash: 002cecd19b195f65ba9a8460652ab644e75b7dcfd3332b6e132700662ef45eca
Instruction Fuzzy Hash: 90B0923105420AABCA006B91EC09BA83F68EB44AAAF414020F60D86060CF6254908A9D

Function 00AFE6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00B33E62

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 7881fbe2c8d1304c99bd4438f5a2653da20f3bd34ccc3e2efe7d6077b7e0fcf3
Instruction ID: 94281a902484407fec23a1777625792ef7c470038d2adc7f93612c8e3974c0b8
Opcode Fuzzy Hash: 7881fbe2c8d1304c99bd4438f5a2653da20f3bd34ccc3e2efe7d6077b7e0fcf3
Instruction Fuzzy Hash: FCA26C75A00209CFCB24DF98C480ABAB7F2FF58714F648169EA05AB361D775ED42CB90

Function 00B1F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e1b4ef77356ef164edd61e0afb07f3d3a764e1908a43155be89d92b6860ddd
Instruction ID: bd941f1cace5e8b3496a09bb82d410f56f509b9eb4a058c8970c8c6c2b99ee03
Opcode Fuzzy Hash: d6e1b4ef77356ef164edd61e0afb07f3d3a764e1908a43155be89d92b6860ddd
Instruction Fuzzy Hash: 6A32D431D69F024DD7239634D8723756289AFA73D4F65D737E829B69A6EF28C4C38200

Function 00B2242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf91bed03d5b1ea5821fe2ebd8f11a5bd349fc0b9ba4af7120303299e039c081
Instruction ID: 3fe065594571c9817ba200053d2c34f436b621b2644198d55b25c0823ac8fc60
Opcode Fuzzy Hash: cf91bed03d5b1ea5821fe2ebd8f11a5bd349fc0b9ba4af7120303299e039c081
Instruction Fuzzy Hash: 2AB1E130D2AF504DE62396399831336B69CAFBB2C5F51D71BFC1A75D22EB2185838241

Function 00B58889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00B5889B

Part of subcall function 00B1520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B58F6E,00000000,?,?,?,?,00B5911F,00000000,?), ref: 00B15213
Part of subcall function 00B1520A: __aulldiv.LIBCMT ref: 00B15233

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: aaf05dc73fe469b5c2e97579f1c0a86afad47526d358a6fe7752948e009b6a15
Instruction ID: 717e089466292db27990d0ceeeda759229379ca8b994543cb1ccb5a7a4f39445
Opcode Fuzzy Hash: aaf05dc73fe469b5c2e97579f1c0a86afad47526d358a6fe7752948e009b6a15
Instruction Fuzzy Hash: 4F21A2326256108BC729CF29D841B52B3E5EBA5311B688FACD5F5CB2D0CE74BD05CB54

Function 00B54C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00B54C4A

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 931b19c2d1bb08e05e83c74df00ff5b323b1f878a922722d268defa79bc4277d
Instruction ID: 919bd30e07910c1cc2dabaaadf23ed0635c48d773cc8609767d26e9e9e497579
Opcode Fuzzy Hash: 931b19c2d1bb08e05e83c74df00ff5b323b1f878a922722d268defa79bc4277d
Instruction Fuzzy Hash: 7AD05EA116920A38ED1C57209E0FF7A11C8E38078FFD085C97D028A0C1EE805CCC5030

Function 00B487B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00B48389), ref: 00B487D1

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 928a82c69d8424538da2ac011d48742658fe18e6446a46e975e182d7b6d20bd4
Instruction ID: 1f8676cb726b085684a9883e443f63208bb07c03961816d328250f2078848fcc
Opcode Fuzzy Hash: 928a82c69d8424538da2ac011d48742658fe18e6446a46e975e182d7b6d20bd4
Instruction Fuzzy Hash: 0CD05E3226450EABEF018EA4DC01EBE3B69EB04B01F408111FE15C61A1C775D835AB60

Function 00B1A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00B1A12A

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4731d91c80972a87d82428b6dff90d252cfd5cb8bd95918b708544261f8bc974
Instruction ID: 0ec59ea93708a5a260c91debf92b2654627b94114496b0ab27bcc260369e72f1
Opcode Fuzzy Hash: 4731d91c80972a87d82428b6dff90d252cfd5cb8bd95918b708544261f8bc974
Instruction Fuzzy Hash: 0AA0123000010DA78A001B41EC044547F5CD7001947004020F40C410218B3254504988

Function 00B08808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2672439ba9bffedbdeea958d0317b4edc54296613198e4183493ba95ab92317
Instruction ID: 553c8bd5801efaf672a559cd1197bac234e24b2cecb02f54a2ca950c6f093a7e
Opcode Fuzzy Hash: b2672439ba9bffedbdeea958d0317b4edc54296613198e4183493ba95ab92317
Instruction Fuzzy Hash: A622D030A049168BDF38CA64C49467CBBE1FB41344F2884EAD9D69B9D2DF709F91DA81

Function 00B121C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 9ae15fadf361a506e17b41562a9bc4be3da521c2b26db1ece9b12f9509632a24
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 8EC175322051930ADF2D473D94750BEBAE19EA27B139A07EDD4B2CB1D4EE20C9B5D620

Function 00B125FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 21ee5bb30ffd9140dbee759c38815af2d903940c64ae963a092daa0cc51830c6
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 72C1A5322051930ADF2D473DD4751BEBAE19EA27B13AA07EDD4B2DB1D4EE10C9B4D620

Function 00B11978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: b77ac68320f39f25921614a94085b0ac4310100d30e1951950ef92646f14f414
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 11C1A53220909309DF2D463DD4751BEBAE1DEA27B139A0BEDD5B3CB1C4EE20C9A5D650

Function 014D3418 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1360396067.00000000014CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 014CF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cf000_5n2U8ZZZbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: a262fd6f27837c6e7ea4c66c7c7194d7f3c6fc28efcf81ab5424dcd45a13093c
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: D341D5B1D1051CDBCF48CFADC991AEEBBF1AF88201F548299D516AB345D730AB41DB80

Function 014D3308 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1360396067.00000000014CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 014CF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cf000_5n2U8ZZZbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: ca1ab7bd91b728efc5e6576502d142efc7caa88cdd50d9f08ef43ef5911585b6
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 8F0192B8A00109EFCB44DF98C6909AEF7F5FB48310F20859AD819A7315DB30AE41DB81

Function 014D32A8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1360396067.00000000014CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 014CF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cf000_5n2U8ZZZbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 349a9e408faedde03b56f9e20b141e56b28222a22d6379b53d31c09d269f22d3
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 9D019278E00209EFCB44DF98C5909AEF7B5FB48310F20859AD819A7755D730AE41DB81

Function 014D1CB8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1360396067.00000000014CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 014CF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cf000_5n2U8ZZZbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00B67806 Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B6785B
DeleteObject.GDI32(00000000), ref: 00B6786D
DestroyWindow.USER32 ref: 00B6787B
GetDesktopWindow.USER32 ref: 00B67895
GetWindowRect.USER32(00000000), ref: 00B6789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00B679DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00B679ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B67A35
GetClientRect.USER32(00000000,?), ref: 00B67A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B67A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B67A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B67AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B67ABB
GlobalLock.KERNEL32(00000000), ref: 00B67AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B67AD3
GlobalUnlock.KERNEL32(00000000), ref: 00B67ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B67AE3
GlobalFree.KERNEL32(00000000), ref: 00B67AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B67B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00B82CAC,00000000), ref: 00B67B16
GlobalFree.KERNEL32(00000000), ref: 00B67B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00B67B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00B67B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B67B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B67D7A

Strings

AutoIt v3, xrefs: 00B67A2D
, xrefs: 00B67D00
static, xrefs: 00B67A75, 00B67BCC
DISPLAY, xrefs: 00B67BDD
@U=u, xrefs: 00B67B6B, 00B67CFA

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $@U=u$AutoIt v3$DISPLAY$static
API String ID: 2211948467-3613752883
Opcode ID: 00ae93cd487d1b2f1ec77a6d2e33334fa794aae4093f35108c5e0c364bd7a247
Instruction ID: bebe96e73c4ada92bd7486196ed24492f2a3a80ad46c404db5c1f7c88d346d5e
Opcode Fuzzy Hash: 00ae93cd487d1b2f1ec77a6d2e33334fa794aae4093f35108c5e0c364bd7a247
Instruction Fuzzy Hash: 92026C71900109EFDB14DFA4DD89EAE7BB9FF48314F1481A8F919AB2A1CB749D41CB60

Function 00B7A5DA Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00B7A630
GetSysColorBrush.USER32(0000000F), ref: 00B7A661
GetSysColor.USER32(0000000F), ref: 00B7A66D
SetBkColor.GDI32(?,000000FF), ref: 00B7A687
SelectObject.GDI32(?,00000000), ref: 00B7A696
InflateRect.USER32(?,000000FF,000000FF), ref: 00B7A6C1
GetSysColor.USER32(00000010), ref: 00B7A6C9
CreateSolidBrush.GDI32(00000000), ref: 00B7A6D0
FrameRect.USER32(?,?,00000000), ref: 00B7A6DF
DeleteObject.GDI32(00000000), ref: 00B7A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00B7A731
FillRect.USER32(?,?,00000000), ref: 00B7A763
GetWindowLongW.USER32(?,000000F0), ref: 00B7A78E

Part of subcall function 00B7A8CA: GetSysColor.USER32(00000012), ref: 00B7A903
Part of subcall function 00B7A8CA: SetTextColor.GDI32(?,?), ref: 00B7A907
Part of subcall function 00B7A8CA: GetSysColorBrush.USER32(0000000F), ref: 00B7A91D
Part of subcall function 00B7A8CA: GetSysColor.USER32(0000000F), ref: 00B7A928
Part of subcall function 00B7A8CA: GetSysColor.USER32(00000011), ref: 00B7A945
Part of subcall function 00B7A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B7A953
Part of subcall function 00B7A8CA: SelectObject.GDI32(?,00000000), ref: 00B7A964
Part of subcall function 00B7A8CA: SetBkColor.GDI32(?,00000000), ref: 00B7A96D
Part of subcall function 00B7A8CA: SelectObject.GDI32(?,?), ref: 00B7A97A
Part of subcall function 00B7A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00B7A999
Part of subcall function 00B7A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B7A9B0
Part of subcall function 00B7A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00B7A9C5
Part of subcall function 00B7A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B7A9ED

Strings

@U=u, xrefs: 00B7A7B8

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID: @U=u
API String ID: 3521893082-2594219639
Opcode ID: dc059cdf67f474eee4186097334bb26f1f5b1aa5747d632a4b5e1aecf21b9788
Instruction ID: 2ca35a104e901cf0cbfe0864c01a8802f009b4ee245cd535d63365dbae92cedb
Opcode Fuzzy Hash: dc059cdf67f474eee4186097334bb26f1f5b1aa5747d632a4b5e1aecf21b9788
Instruction Fuzzy Hash: 37915E72408302EFC7509F64DC48A6B7BE9FF88321F104A29F56AA71A0DB71D984CB56

Function 00B7356B Relevance: 52.9, APIs: 6, Strings: 24, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00B7F910), ref: 00B73627
IsWindowVisible.USER32(?), ref: 00B7364B

Strings

ISCHECKED, xrefs: 00B73839
DELSTRING, xrefs: 00B73749
GETCURRENTCOL, xrefs: 00B73928
GETCURRENTLINE, xrefs: 00B738ED
ADDSTRING, xrefs: 00B73716
CHECK, xrefs: 00B7386D
FINDSTRING, xrefs: 00B73776
TABRIGHT, xrefs: 00B7369D
HIDEDROPDOWN, xrefs: 00B73700
EDITPASTE, xrefs: 00B7395F
GETLINECOUNT, xrefs: 00B738C6
GETLINE, xrefs: 00B7399B
ISENABLED, xrefs: 00B7366B
ISVISIBLE, xrefs: 00B73637
SELECTSTRING, xrefs: 00B73806
UNCHECK, xrefs: 00B73883
SENDCOMMANDID, xrefs: 00B739DA
CURRENTTAB, xrefs: 00B736BD
TABLEFT, xrefs: 00B73687
SHOWDROPDOWN, xrefs: 00B736E0
SETCURRENTSELECTION, xrefs: 00B737B6
GETSELECTED, xrefs: 00B738A3
GETCURRENTSELECTION, xrefs: 00B737E3
@U=u, xrefs: 00B738E3, 00B7390A, 00B73993

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: @U=u$ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-3469695742
Opcode ID: 281c4532d2dfe172b7fd74cbc394d54cb352dd32e8a6810b2374e00d94edfe99
Instruction ID: 21110d859e766cefce94a7fc7c6d93047a96e8d8d1dcb9f4bb9de8765e31d8e2
Opcode Fuzzy Hash: 281c4532d2dfe172b7fd74cbc394d54cb352dd32e8a6810b2374e00d94edfe99
Instruction Fuzzy Hash: 2ED1A2312183059BCB04EF10C596E6E77E5EF95780F1484E8F89A5B3A2DB31DE4AEB41

Function 00AF2C18 Relevance: 51.2, APIs: 27, Strings: 2, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00AF2CA2
DeleteObject.GDI32(00000000), ref: 00AF2CE8
DeleteObject.GDI32(00000000), ref: 00AF2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00AF2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00AF2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00B2C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B2C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00B2C89D

Part of subcall function 00AF1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AF2036,?,00000000,?,?,?,?,00AF16CB,00000000,?), ref: 00AF1B9A

SendMessageW.USER32(?,00001053), ref: 00B2C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B2C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00B2C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00B2C912

Strings

0, xrefs: 00B2C731
@U=u, xrefs: 00B2C43B, 00B2C542, 00B2C81D

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0$@U=u
API String ID: 464785882-975001249
Opcode ID: 934e7edbe8b9b1710605a79b272911d747592201845be3f60bc6e2c363a29196
Instruction ID: c6163349f2a48fb8d28ec04c8289298a0dd6d35e04cbf8021d0e1b454345305d
Opcode Fuzzy Hash: 934e7edbe8b9b1710605a79b272911d747592201845be3f60bc6e2c363a29196
Instruction Fuzzy Hash: BE126A30604216AFDB258F24D895BBDBBE5FF44300F5485A9F599DB262CB31EC82CB91

Function 00B674AB Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00B674DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00B6759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00B675DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00B675ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00B67633
GetClientRect.USER32(00000000,?), ref: 00B6763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00B67683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B67692
GetStockObject.GDI32(00000011), ref: 00B676A2
SelectObject.GDI32(00000000,00000000), ref: 00B676A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00B676B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B676BF
DeleteDC.GDI32(00000000), ref: 00B676C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B676F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00B6770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00B67746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B6775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00B6776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00B6779B
GetStockObject.GDI32(00000011), ref: 00B677A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B677B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00B677BB

Strings

AutoIt v3, xrefs: 00B6762B
msctls_progress32, xrefs: 00B6773C
static, xrefs: 00B6767D, 00B67795
DISPLAY, xrefs: 00B67688
@U=u, xrefs: 00B676FA

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-2771358697
Opcode ID: 191a3331b23ee3980b17dd490f31cbc369f2b028cadfbf7b2c3c1ea5b7597f29
Instruction ID: 159ab09901fd6191274da191090e62c6df71dc622167f2f9b5044903e22b78e7
Opcode Fuzzy Hash: 191a3331b23ee3980b17dd490f31cbc369f2b028cadfbf7b2c3c1ea5b7597f29
Instruction Fuzzy Hash: 9DA16E71A40609BFEB14DBA4DD4AFBE7BB9EB04714F004254FA15A72E0DBB4AD40CB64

Function 00B7A8CA Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00B7A903
SetTextColor.GDI32(?,?), ref: 00B7A907
GetSysColorBrush.USER32(0000000F), ref: 00B7A91D
GetSysColor.USER32(0000000F), ref: 00B7A928
CreateSolidBrush.GDI32(?), ref: 00B7A92D
GetSysColor.USER32(00000011), ref: 00B7A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B7A953
SelectObject.GDI32(?,00000000), ref: 00B7A964
SetBkColor.GDI32(?,00000000), ref: 00B7A96D
SelectObject.GDI32(?,?), ref: 00B7A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00B7A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B7A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00B7A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B7A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B7AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00B7AA32
DrawFocusRect.USER32(?,?), ref: 00B7AA3D
GetSysColor.USER32(00000011), ref: 00B7AA4B
SetTextColor.GDI32(?,00000000), ref: 00B7AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00B7AA67
SelectObject.GDI32(?,00B7A5FA), ref: 00B7AA7E
DeleteObject.GDI32(?), ref: 00B7AA89
SelectObject.GDI32(?,?), ref: 00B7AA8F
DeleteObject.GDI32(?), ref: 00B7AA94
SetTextColor.GDI32(?,?), ref: 00B7AA9A
SetBkColor.GDI32(?,?), ref: 00B7AAA4

Strings

@U=u, xrefs: 00B7A9ED

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: a35ce038f7b8cb15a4ef46a956eb87ea87f8bda0b31f7a6f66ff3b5dca055189
Instruction ID: bd0ebd5638c6c8ab13f5b2899ecba185cd2d7303a0ad09a9285157e28306b714
Opcode Fuzzy Hash: a35ce038f7b8cb15a4ef46a956eb87ea87f8bda0b31f7a6f66ff3b5dca055189
Instruction Fuzzy Hash: BC514E71900209FFDB109FA4DC48EAE7BB9FF48320F118165F919AB2A1DB719A80DF54

Function 00B5AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B5AD1E
GetDriveTypeW.KERNEL32(?,00B7FAC0,?,\\.\,00B7F910), ref: 00B5ADFB
SetErrorMode.KERNEL32(00000000,00B7FAC0,?,\\.\,00B7F910), ref: 00B5AF59

Strings

\\.\, xrefs: 00B5AD70
ATA, xrefs: 00B5AED4
Removable, xrefs: 00B5AE4D
SATA, xrefs: 00B5AF0C
SAS, xrefs: 00B5AF05
FileBackedVirtual, xrefs: 00B5AF28
iSCSI, xrefs: 00B5AEFE
1394, xrefs: 00B5AEDB
RAID, xrefs: 00B5AEF7
SSA, xrefs: 00B5AEE2
Virtual, xrefs: 00B5AF21
MMC, xrefs: 00B5AF1A
Unknown, xrefs: 00B5AE1B, 00B5AEBF
RAMDisk, xrefs: 00B5AE25
Network, xrefs: 00B5AE39
CDROM, xrefs: 00B5AE2F
Fixed, xrefs: 00B5AE43
SCSI, xrefs: 00B5AEC6
USB, xrefs: 00B5AEF0
ATAPI, xrefs: 00B5AECD
Fibre, xrefs: 00B5AEE9
SSD, xrefs: 00B5AE86
PhysicalDrive, xrefs: 00B5ADA7

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: bcbb013144616b552e92ad67854d21207b5151f1aba7b9ac14441cd80c6e2536
Instruction ID: 7a5d4cba03d2f0053799737e25707f8c53833683c0b0e6c2b7631d02f17ef322
Opcode Fuzzy Hash: bcbb013144616b552e92ad67854d21207b5151f1aba7b9ac14441cd80c6e2536
Instruction Fuzzy Hash: 0C5156B06483099B8B10EB50CD92EBD73E1EF0970276042E6FD07F76A1DA719D49DB62

Function 00B79A1C Relevance: 44.2, APIs: 23, Strings: 2, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00B79AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00B79B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00B79BA7

Strings

0, xrefs: 00B79BE4
@U=u, xrefs: 00B79B8B, 00B79BA7, 00B79D23, 00B79D56, 00B79DB6, 00B79E00, 00B79E60, 00B79E84, 00B79F40

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0$@U=u
API String ID: 2326795674-975001249
Opcode ID: 425652e5b331b0786a00c0bfa9406e87586483631dd706f1b1b33ab5abbc9ac0
Instruction ID: f49abd9eaa01ee9d28f891cf62d4f4515a65a1dc12ccaa9af896e516f9395895
Opcode Fuzzy Hash: 425652e5b331b0786a00c0bfa9406e87586483631dd706f1b1b33ab5abbc9ac0
Instruction Fuzzy Hash: D202C070108201AFDB25CF24C889BBABBE5FF45314F0485ADF9ADD62A1CB75D944CB52

Function 00AF68DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00AF6931
__wcsnicmp.LIBCMT ref: 00AF6949
__wcsnicmp.LIBCMT ref: 00AF6961
__wcsnicmp.LIBCMT ref: 00AF6979
__wcsnicmp.LIBCMT ref: 00AF6991
__wcsnicmp.LIBCMT ref: 00AF69A9
__wcsnicmp.LIBCMT ref: 00AF69C1
__wcsnicmp.LIBCMT ref: 00AF69D5
__wcsnicmp.LIBCMT ref: 00AF6A16
__wcsnicmp.LIBCMT ref: 00AF6A2A
__wcsnicmp.LIBCMT ref: 00AF6A3E
__wcsnicmp.LIBCMT ref: 00AF6A52

Strings

#notrayicon, xrefs: 00AF6943
#comments-end, xrefs: 00AF6A38
#include, xrefs: 00AF69A3
#comments-start, xrefs: 00AF69BB, 00AF6A10
#cs, xrefs: 00AF69CF, 00AF6A24
Bad directive syntax error, xrefs: 00B2E31A
Cannot parse #include, xrefs: 00B2E3F0
#OnAutoItStartRegister, xrefs: 00AF6973
Unterminated group of comments, xrefs: 00B2E403
#requireadmin, xrefs: 00AF695B
#ce, xrefs: 00AF6A4C
#pragma compile, xrefs: 00AF692B
#include-once, xrefs: 00AF698B

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: f09f000ddd465e72e588144d7de4b1b2108f3c69e2f71dc1a18b6fbe82ab288d
Instruction ID: 43a84e77288cbeb5a45d7f6f1d5ad46e95ec705bf0907147a0f87707407adeee
Opcode Fuzzy Hash: f09f000ddd465e72e588144d7de4b1b2108f3c69e2f71dc1a18b6fbe82ab288d
Instruction Fuzzy Hash: 2981077060021A7ACB21BBB1ED82FFE37E8EF15740F044064FA096B196EB70DE51D665

Function 00B789D5 Relevance: 40.7, APIs: 21, Strings: 2, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B78AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B78AD2
CharNextW.USER32(0000014E), ref: 00B78B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B78B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B78B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B78B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00B78B86
SetWindowTextW.USER32(?,0000014E), ref: 00B78BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00B78BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B78C1F
_memset.LIBCMT ref: 00B78C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00B78C8D
_memset.LIBCMT ref: 00B78CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00B78D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00B78D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00B78E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00B78E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B78E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B78EB4
DrawMenuBar.USER32(?), ref: 00B78EC3
SetWindowTextW.USER32(?,0000014E), ref: 00B78EEB

Strings

0, xrefs: 00B78E55
@U=u, xrefs: 00B78AC1, 00B78AD2, 00B78B07, 00B78B86, 00B78BEE, 00B78C1F, 00B78C8D, 00B78D16, 00B78D6E, 00B78E1B

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0$@U=u
API String ID: 1073566785-975001249
Opcode ID: c1f966158f6d64b56f90b5e87c76f8319f900c063ffe126e9fcbfef2ccec611c
Instruction ID: 409576c69176e0f188ed25f5fc36e643d21471e59f50406f0e92460eb38915c9
Opcode Fuzzy Hash: c1f966158f6d64b56f90b5e87c76f8319f900c063ffe126e9fcbfef2ccec611c
Instruction Fuzzy Hash: 12E15171940219ABDB219F65CC88EEE7BF9EF05710F108196F92DAB290DF709980DF61

Function 00B7488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B749CA
GetDesktopWindow.USER32 ref: 00B749DF
GetWindowRect.USER32(00000000), ref: 00B749E6
GetWindowLongW.USER32(?,000000F0), ref: 00B74A48
DestroyWindow.USER32(?), ref: 00B74A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B74A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B74ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00B74AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00B74AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00B74B09
IsWindowVisible.USER32(?), ref: 00B74B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00B74B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00B74B58
GetWindowRect.USER32(?,?), ref: 00B74B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00B74B96
GetMonitorInfoW.USER32(00000000,?), ref: 00B74BB0
CopyRect.USER32(?,?), ref: 00B74BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00B74C32

Strings

0, xrefs: 00B74975
(, xrefs: 00B74BA3
tooltips_class32, xrefs: 00B74A96

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: e47830e04ec051a19892a675836d70734e9f7844cd839f50a95691d18e8ce3ce
Instruction ID: 66e203b04d61b6a2a990d8b55f3f9fa218a1e3234d478efd3edd0f045e02d5fc
Opcode Fuzzy Hash: e47830e04ec051a19892a675836d70734e9f7844cd839f50a95691d18e8ce3ce
Instruction Fuzzy Hash: ECB17871608341AFDB04DF64C988B6ABBE4FF88301F00895CF5A99B2A1DB71EC45CB95

Function 00B5449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00B544AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00B544D2
_wcscpy.LIBCMT ref: 00B54500
_wcscmp.LIBCMT ref: 00B5450B
_wcscat.LIBCMT ref: 00B54521
_wcsstr.LIBCMT ref: 00B5452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00B54548
_wcscat.LIBCMT ref: 00B54591
_wcscat.LIBCMT ref: 00B54598
_wcsncpy.LIBCMT ref: 00B545C3

Strings

04090000, xrefs: 00B5457E
StringFileInfo\, xrefs: 00B5451B
\VarFileInfo\Translation, xrefs: 00B54540
%u.%u.%u.%u, xrefs: 00B54626
DefaultLangCodepage, xrefs: 00B545AB

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 87cc5eaa674c87ccb35f58d1899217a186b81bf816296e517829e041815e49ea
Instruction ID: d69ca50171d3758510d5821b1e9f84f5afe1c629190d6cf9fbba85d621c3288f
Opcode Fuzzy Hash: 87cc5eaa674c87ccb35f58d1899217a186b81bf816296e517829e041815e49ea
Instruction Fuzzy Hash: F741F332A002057AEB14AB74DC47FFF77ECDF46710F5000EAF905A6192FB749A9186A9

Function 00AF27D9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AF28BC
GetSystemMetrics.USER32(00000007), ref: 00AF28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AF28EF
GetSystemMetrics.USER32(00000008), ref: 00AF28F7
GetSystemMetrics.USER32(00000004), ref: 00AF291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00AF2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00AF2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00AF297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00AF2990
GetClientRect.USER32(00000000,000000FF), ref: 00AF29AE
GetStockObject.GDI32(00000011), ref: 00AF29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00AF29D5

Part of subcall function 00AF2344: GetCursorPos.USER32(?), ref: 00AF2357
Part of subcall function 00AF2344: ScreenToClient.USER32(00BB57B0,?), ref: 00AF2374
Part of subcall function 00AF2344: GetAsyncKeyState.USER32(00000001), ref: 00AF2399
Part of subcall function 00AF2344: GetAsyncKeyState.USER32(00000002), ref: 00AF23A7

SetTimer.USER32(00000000,00000000,00000028,00AF1256), ref: 00AF29FC

Strings

AutoIt v3 GUI, xrefs: 00AF2974
@U=u, xrefs: 00AF29D5

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: 25d035a5f62ee6f236385caad211fda7362f6810e4baedaae96837cb0afb99c7
Instruction ID: cb36680ec8adf70a6ff448df83ddafa3e7138bb2d45fe8ea3bcaff82b24de015
Opcode Fuzzy Hash: 25d035a5f62ee6f236385caad211fda7362f6810e4baedaae96837cb0afb99c7
Instruction Fuzzy Hash: 5DB15D71A0020AEFDB24DFA8DC55BBE7BB5FB08311F104229FA19A72A0DB749851CB55

Function 00B7BA33 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00B7BA56
GetFileSize.KERNEL32(00000000,00000000), ref: 00B7BA6D
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00B7BA78
CloseHandle.KERNEL32(00000000), ref: 00B7BA85
GlobalLock.KERNEL32(00000000), ref: 00B7BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00B7BA9D
GlobalUnlock.KERNEL32(00000000), ref: 00B7BAA6
CloseHandle.KERNEL32(00000000), ref: 00B7BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00B7BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00B82CAC,?), ref: 00B7BAD7
GlobalFree.KERNEL32(00000000), ref: 00B7BAE7
GetObjectW.GDI32(?,00000018,000000FF), ref: 00B7BB0B
CopyImage.USER32(?,00000000,?,?,00002000), ref: 00B7BB36
DeleteObject.GDI32(00000000), ref: 00B7BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B7BB74

Strings

@U=u, xrefs: 00B7BB74

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID: @U=u
API String ID: 3840717409-2594219639
Opcode ID: bac2de6cc78032599e8b5f62e57475f45bb3af3c00d18952375974a57a8afa48
Instruction ID: 90ffc66d91c71e5ff8655ff3288e07cef2e522a98772eb387eba194f086e31d2
Opcode Fuzzy Hash: bac2de6cc78032599e8b5f62e57475f45bb3af3c00d18952375974a57a8afa48
Instruction Fuzzy Hash: 41411875600205EFDB119F65DC88EBA7BF9FB89711F1080A8F91AE7260DB309A41DB64

Function 00B4A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00B4A47A
__swprintf.LIBCMT ref: 00B4A51B
_wcscmp.LIBCMT ref: 00B4A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00B4A583
_wcscmp.LIBCMT ref: 00B4A5BF
GetClassNameW.USER32(?,?,00000400), ref: 00B4A5F6
GetDlgCtrlID.USER32(?), ref: 00B4A648
GetWindowRect.USER32(?,?), ref: 00B4A67E
GetParent.USER32(?), ref: 00B4A69C
ScreenToClient.USER32(00000000), ref: 00B4A6A3
GetClassNameW.USER32(?,?,00000100), ref: 00B4A71D
_wcscmp.LIBCMT ref: 00B4A731
GetWindowTextW.USER32(?,?,00000400), ref: 00B4A757
_wcscmp.LIBCMT ref: 00B4A76B

Part of subcall function 00B1362C: _iswctype.LIBCMT ref: 00B13634

Strings

%s%u, xrefs: 00B4A515

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 22e3359a09b1fc88e9037170f6920488b5b298b59a341e83e8558bf33fcf3e26
Instruction ID: 484d5f7e672985ef8ec4521df2bf20e3a8c79df791419b0cc48f4dbe2a062079
Opcode Fuzzy Hash: 22e3359a09b1fc88e9037170f6920488b5b298b59a341e83e8558bf33fcf3e26
Instruction Fuzzy Hash: 7DA1D071244306BFDB28DF64C884BAAB7E8FF44314F008569F999D2190EB30EE55DB92

Function 00B4AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00B4AF18
_wcscmp.LIBCMT ref: 00B4AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00B4AF51
CharUpperBuffW.USER32(?,00000000), ref: 00B4AF6E
_wcscmp.LIBCMT ref: 00B4AF8C
_wcsstr.LIBCMT ref: 00B4AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00B4AFD5
_wcscmp.LIBCMT ref: 00B4AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00B4B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00B4B055
_wcscmp.LIBCMT ref: 00B4B065
GetClassNameW.USER32(00000010,?,00000400), ref: 00B4B08D
GetWindowRect.USER32(00000004,?), ref: 00B4B0F6

Strings

ThumbnailClass, xrefs: 00B4AFE0, 00B4B060
@, xrefs: 00B4AEF9

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 10f42ebf5bccddd33cecf0cb86c88afa76b37902a2091fdf4ea4dd2e4feb50d2
Instruction ID: 39734f45c2859f500a54a2e5a24562c9ff09eb49b5d146a10bcd994fdfb5d538
Opcode Fuzzy Hash: 10f42ebf5bccddd33cecf0cb86c88afa76b37902a2091fdf4ea4dd2e4feb50d2
Instruction Fuzzy Hash: BC81B1711082069FDB04DF10C881FBA7BE8FF44714F0484AAFE899A092DB30DE89DB61

Function 00B7A1B9 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B7A259
DestroyWindow.USER32(?,?), ref: 00B7A2D3

Part of subcall function 00AF7BCC: _memmove.LIBCMT ref: 00AF7C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B7A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B7A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B7A382
DestroyWindow.USER32(00000000), ref: 00B7A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00AF0000,00000000), ref: 00B7A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B7A3F4
GetDesktopWindow.USER32 ref: 00B7A40D
GetWindowRect.USER32(00000000), ref: 00B7A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B7A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B7A444

Part of subcall function 00AF25DB: GetWindowLongW.USER32(?,000000EB), ref: 00AF25EC

Strings

tooltips_class32, xrefs: 00B7A346, 00B7A3D4
0, xrefs: 00B7A26F
@U=u, xrefs: 00B7A36F, 00B7A382, 00B7A3F4, 00B7A41E

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$@U=u$tooltips_class32
API String ID: 1297703922-1130792468
Opcode ID: 4869cdf96f35f47c84cc794e376f572587758d364a5560db2a7fb7dfb90139de
Instruction ID: 7a773221086298fb6649e5fd0a6ac7ee093cccf3cbe7a04e879a9a04ea628efb
Opcode Fuzzy Hash: 4869cdf96f35f47c84cc794e376f572587758d364a5560db2a7fb7dfb90139de
Instruction Fuzzy Hash: 3771CD70140205AFD725DF68CC49F7A7BE9FB88700F04856DF999872A0CBB1E942CB56

Function 00B7C5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF2612: GetWindowLongW.USER32(?,000000EB), ref: 00AF2623

DragQueryPoint.SHELL32(?,?), ref: 00B7C627

Part of subcall function 00B7AB37: ClientToScreen.USER32(?,?), ref: 00B7AB60
Part of subcall function 00B7AB37: GetWindowRect.USER32(?,?), ref: 00B7ABD6
Part of subcall function 00B7AB37: PtInRect.USER32(?,?,00B7C014), ref: 00B7ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00B7C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B7C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B7C6BE
_wcscat.LIBCMT ref: 00B7C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B7C705
SendMessageW.USER32(?,000000B0,?,?), ref: 00B7C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00B7C735
SendMessageW.USER32(?,000000B1,?,?), ref: 00B7C757
DragFinish.SHELL32(?), ref: 00B7C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B7C851

Strings

@GUI_DROPID, xrefs: 00B7C77E
@GUI_DRAGID, xrefs: 00B7C7C9
@GUI_DRAGFILE, xrefs: 00B7C800
@U=u, xrefs: 00B7C690, 00B7C705, 00B7C71E, 00B7C735, 00B7C757

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
API String ID: 169749273-762882726
Opcode ID: ad25e20210b3d33f8ea1e6279703d4298ca037c9b2038651d24f4fa213ab1215
Instruction ID: 304017ae8f45b4ad437d6d1f56473b6ef0b8ff9368d997ff3e54d875d8daa2cd
Opcode Fuzzy Hash: ad25e20210b3d33f8ea1e6279703d4298ca037c9b2038651d24f4fa213ab1215
Instruction Fuzzy Hash: 19617B71108305AFC701EFA4DC85EAFBBE8EF89710F40496EF695931A1DB709A49CB52

Function 00B4ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00B4AC33

Strings

ALL, xrefs: 00B4ACC7
[CLASS:, xrefs: 00B4AC83
LAST, xrefs: 00B4ABF8
CLASSNAME=, xrefs: 00B4AC70
[HANDLE:, xrefs: 00B4AC3F
[ACTIVE, xrefs: 00B4AC20
ACTIVE, xrefs: 00B4AC0E
[REGEXPTITLE:, xrefs: 00B4AC5B
REGEXP=, xrefs: 00B4AC48
[LAST, xrefs: 00B4ACE0
HANDLE=, xrefs: 00B4AC2C
[ALL, xrefs: 00B4ACD9

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: e5d7aaf6753befde327d18f1af95fcbc5512632e68b1ddf2bc8a7be79fc14d4c
Instruction ID: 47a0e538cd4029c817886abbe8d0a9961088835fa7792e34447186e643c1e9fd
Opcode Fuzzy Hash: e5d7aaf6753befde327d18f1af95fcbc5512632e68b1ddf2bc8a7be79fc14d4c
Instruction Fuzzy Hash: 41315031ACC209BADB14EBA0DE93EFE77E4EB11710F6004A9F542710E2EF616F149652

Function 00B64FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00B65013
LoadCursorW.USER32(00000000,00007F00), ref: 00B6501E
LoadCursorW.USER32(00000000,00007F03), ref: 00B65029
LoadCursorW.USER32(00000000,00007F8B), ref: 00B65034
LoadCursorW.USER32(00000000,00007F01), ref: 00B6503F
LoadCursorW.USER32(00000000,00007F81), ref: 00B6504A
LoadCursorW.USER32(00000000,00007F88), ref: 00B65055
LoadCursorW.USER32(00000000,00007F80), ref: 00B65060
LoadCursorW.USER32(00000000,00007F86), ref: 00B6506B
LoadCursorW.USER32(00000000,00007F83), ref: 00B65076
LoadCursorW.USER32(00000000,00007F85), ref: 00B65081
LoadCursorW.USER32(00000000,00007F82), ref: 00B6508C
LoadCursorW.USER32(00000000,00007F84), ref: 00B65097
LoadCursorW.USER32(00000000,00007F04), ref: 00B650A2
LoadCursorW.USER32(00000000,00007F02), ref: 00B650AD
LoadCursorW.USER32(00000000,00007F89), ref: 00B650B8
GetCursorInfo.USER32(?), ref: 00B650C8

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: be61088ce57455bc1b63318cc9f87e2c7386b9062114a2081f205c1f962d3408
Instruction ID: ddfd47728754cd9959299f61ceef82b84cfc7fb4829d6ae8d0958009e105e548
Opcode Fuzzy Hash: be61088ce57455bc1b63318cc9f87e2c7386b9062114a2081f205c1f962d3408
Instruction Fuzzy Hash: D631F2B1D4831E6ADF209FB68C8996FBFE8FF04750F50456AE50DE7280DA78A5408F91

Function 00B74392 Relevance: 24.8, APIs: 2, Strings: 12, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B74424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B7446F

Strings

GETTEXT, xrefs: 00B745C2
ISCHECKED, xrefs: 00B745F2
SELECT, xrefs: 00B74620
UNCHECK, xrefs: 00B7464B
GETITEMCOUNT, xrefs: 00B74551
EXPAND, xrefs: 00B74521
GETTOTALCOUNT, xrefs: 00B74456
COLLAPSE, xrefs: 00B744B5
CHECK, xrefs: 00B7448F
EXISTS, xrefs: 00B744D8
GETSELECTED, xrefs: 00B7457F
@U=u, xrefs: 00B7446F

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-383632319
Opcode ID: 014ee5588cf5b24d2fbe059138b8f9cb33339d6bb79792ffee1c7886e0a90b33
Instruction ID: 23601d7b81d8e4af58111624e787a698b99e00626600c799973963dd1bc850ea
Opcode Fuzzy Hash: 014ee5588cf5b24d2fbe059138b8f9cb33339d6bb79792ffee1c7886e0a90b33
Instruction Fuzzy Hash: 64916C712147019FCB04EF20C591A7EB7E5AF95350F0588E8F9AA5B3A2CB70ED49DB81

Function 00B7B7FE Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B7B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00B76B11,?), ref: 00B7B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B7B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00B7B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B7B9C3
FreeLibrary.KERNEL32(?), ref: 00B7B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B7B9DF
DestroyIcon.USER32(?), ref: 00B7B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B7BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B7BA17

Part of subcall function 00B12EFD: __wcsicmp_l.LIBCMT ref: 00B12F86

Strings

.exe, xrefs: 00B7B84A
.icl, xrefs: 00B7B82A
.dll, xrefs: 00B7B86D
@U=u, xrefs: 00B7B9F7

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl$@U=u
API String ID: 1212759294-1639919054
Opcode ID: f3496fa26be8075471aae4b95368634dfb34780020dba30d7259e02d57ccdef6
Instruction ID: b44e6997b9459f96c2275514ab9a5e04bc8426931d3c7fe633958f3f0c32d8b9
Opcode Fuzzy Hash: f3496fa26be8075471aae4b95368634dfb34780020dba30d7259e02d57ccdef6
Instruction Fuzzy Hash: 5361AE71900219BAEB14DF64CC86FBE7BECFB08710F108595FA29D61D1DB749990DBA0

Function 00B5A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00AF9837: __itow.LIBCMT ref: 00AF9862
Part of subcall function 00AF9837: __swprintf.LIBCMT ref: 00AF98AC

CharLowerBuffW.USER32(?,?), ref: 00B5A3CB
GetDriveTypeW.KERNEL32 ref: 00B5A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B5A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B5A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B5A4C5

Part of subcall function 00AF7BCC: _memmove.LIBCMT ref: 00AF7C06

Strings

wait, xrefs: 00B5A482
set cd door , xrefs: 00B5A466
open , xrefs: 00B5A427
closed, xrefs: 00B5A3DF, 00B5A3E8
close, xrefs: 00B5A3D1
type cdaudio alias cd wait, xrefs: 00B5A443
close cd wait, xrefs: 00B5A4B0
open, xrefs: 00B5A3F2

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 84e092c093e07f5ac93fbbb32ccc853dd9873ea256cd8403a146f81de894aa4a
Instruction ID: 5ff84fcd65087f05a3f9dead1e0f8bd0eea9a65994b4d8ed302e3d196d90c2f5
Opcode Fuzzy Hash: 84e092c093e07f5ac93fbbb32ccc853dd9873ea256cd8403a146f81de894aa4a
Instruction Fuzzy Hash: 23515C715082099FC700EF60C99197FB3E4FF95758F0089ADF98A57261DB71AD0ACB82

Function 00B4F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00B2E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00B4F8DF
LoadStringW.USER32(00000000,?,00B2E029,00000001), ref: 00B4F8E8

Part of subcall function 00AF7DE1: _memmove.LIBCMT ref: 00AF7E22

GetModuleHandleW.KERNEL32(00000000,00BB5310,?,00000FFF,?,?,00B2E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00B4F90A
LoadStringW.USER32(00000000,?,00B2E029,00000001), ref: 00B4F90D
__swprintf.LIBCMT ref: 00B4F95D
__swprintf.LIBCMT ref: 00B4F96E
_wprintf.LIBCMT ref: 00B4FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B4FA2E

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B4FA12
Line %d (File "%s"):, xrefs: 00B4F957
Error: , xrefs: 00B4F9E5
Line %d:, xrefs: 00B4F968
^ ERROR, xrefs: 00B4F9C3

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: f0747b43752ec49d43d5d0c851298f604c1c838f7119b7c7e9754c0400693352
Instruction ID: 45d476fe0b1cfdbeb0fdbbc09dc010a2105599392cc3157efc9b12deef706732
Opcode Fuzzy Hash: f0747b43752ec49d43d5d0c851298f604c1c838f7119b7c7e9754c0400693352
Instruction Fuzzy Hash: 8B41207280420DAACF05FBE0DE96EFEB7B8EF14300F5000A5B605760A1EA715F49DB61

Function 00B5D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00B5DA10
_wcscat.LIBCMT ref: 00B5DA28
_wcscat.LIBCMT ref: 00B5DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B5DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00B5DA63
GetFileAttributesW.KERNEL32(?), ref: 00B5DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00B5DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00B5DAA7

Strings

*.*, xrefs: 00B5DAE6

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 23a2e2f87be8203e6a26c044f7814080e22b48d768d4d42d54a24a3eee2b8acb
Instruction ID: ddd78f50637d19d1cc4453047e1bf41469cf94efb990d7d791c993040f92300e
Opcode Fuzzy Hash: 23a2e2f87be8203e6a26c044f7814080e22b48d768d4d42d54a24a3eee2b8acb
Instruction Fuzzy Hash: 5F81A0726042459FCB74DF64C884BABB7E8EF89311F144AEAF889C7211E630D948CB52

Function 00B7C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF2612: GetWindowLongW.USER32(?,000000EB), ref: 00AF2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B7C1FC
GetFocus.USER32 ref: 00B7C20C
GetDlgCtrlID.USER32(00000000), ref: 00B7C217
_memset.LIBCMT ref: 00B7C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00B7C36D
GetMenuItemCount.USER32(?), ref: 00B7C38D
GetMenuItemID.USER32(?,00000000), ref: 00B7C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00B7C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00B7C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B7C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00B7C489

Strings

0, xrefs: 00B7C33A

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 59a219fd078792885bcf544c6594c567e61d4420ffab51f1268266aaac24a484
Instruction ID: 6fd58f914d2afb08604372aa3358ba0174ea7c4cf0fef5fc7a8532bc6f769188
Opcode Fuzzy Hash: 59a219fd078792885bcf544c6594c567e61d4420ffab51f1268266aaac24a484
Instruction Fuzzy Hash: 50818F712083019FD710DF24D894A7BBBE4FB88714F0089ADF9A9A7291DB70D945CB56

Function 00B6731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B6738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00B6739B
CreateCompatibleDC.GDI32(?), ref: 00B673A7
SelectObject.GDI32(00000000,?), ref: 00B673B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00B67408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00B67444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00B67468
SelectObject.GDI32(00000006,?), ref: 00B67470
DeleteObject.GDI32(?), ref: 00B67479
DeleteDC.GDI32(00000006), ref: 00B67480
ReleaseDC.USER32(00000000,?), ref: 00B6748B

Strings

(, xrefs: 00B67410

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 96c4f1e8c512b11a14154f686feb9341c056db23c817a0e1875dea961a44dd5e
Instruction ID: f46121a7f79967277208256cd84d73e526115387b769939baecdddff4416d112
Opcode Fuzzy Hash: 96c4f1e8c512b11a14154f686feb9341c056db23c817a0e1875dea961a44dd5e
Instruction Fuzzy Hash: 29513771904209EFCB14CFA9CC89EAEBBF9EF48310F14846AF95A97310CB75A941CB54

Function 00B54F75 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B54F7A

Part of subcall function 00B1049F: timeGetTime.WINMM(?,753DB400,00B00E7B), ref: 00B104A3

Sleep.KERNEL32(0000000A), ref: 00B54FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00B54FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00B54FEC
SetActiveWindow.USER32 ref: 00B5500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B55019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00B55038
Sleep.KERNEL32(000000FA), ref: 00B55043
IsWindow.USER32 ref: 00B5504F
EndDialog.USER32(00000000), ref: 00B55060

Strings

BUTTON, xrefs: 00B54FDE
@U=u, xrefs: 00B55019, 00B55038

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: ca74aa21a05c0906c48c0ddc5e338a7c510871c41f0ee8626db7b0e917900099
Instruction ID: a76e2450ad00eff74f6ddea32ce0159f265dadc122f0a150a17a315255c35fa8
Opcode Fuzzy Hash: ca74aa21a05c0906c48c0ddc5e338a7c510871c41f0ee8626db7b0e917900099
Instruction Fuzzy Hash: F221927120460AAFE7205F20EC98B363BE9FB24747F0811A8F909831B1CFA59D94C666

Function 00AF6A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00B10957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00AF6B0C,?,00008000), ref: 00B10973

Part of subcall function 00AF4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AF4743,?,?,00AF37AE,?), ref: 00AF4770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00AF6BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00AF6CFA

Part of subcall function 00AF586D: _wcscpy.LIBCMT ref: 00AF58A5

Part of subcall function 00B1363D: _iswctype.LIBCMT ref: 00B13645

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 00B2E421
Error opening the file, xrefs: 00B2E43D, 00B2E4B8
>>>AUTOIT SCRIPT<<<, xrefs: 00B2E496
Bad directive syntax error, xrefs: 00B2E79D
EA06, xrefs: 00B2E452
Unterminated string, xrefs: 00B2E7E4
AU3!, xrefs: 00AF6B61

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 481c27341980faf5220865566d2833e8202646c46618ca1355b313d5a76afcd0
Instruction ID: 8de4b66957ce416738ff034292ebd6f58faba0a9c633696035522d18e4e3a7ec
Opcode Fuzzy Hash: 481c27341980faf5220865566d2833e8202646c46618ca1355b313d5a76afcd0
Instruction Fuzzy Hash: 8E02DB305083459FC724EF60D981ABFBBE5EF99314F00096DF69A972A1DB30D949CB42

Function 00B52D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B52D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00B52DDD
GetMenuItemCount.USER32(00BB5890), ref: 00B52E66
DeleteMenu.USER32(00BB5890,00000005,00000000,000000F5,?,?), ref: 00B52EF6
DeleteMenu.USER32(00BB5890,00000004,00000000), ref: 00B52EFE
DeleteMenu.USER32(00BB5890,00000006,00000000), ref: 00B52F06
DeleteMenu.USER32(00BB5890,00000003,00000000), ref: 00B52F0E
GetMenuItemCount.USER32(00BB5890), ref: 00B52F16
SetMenuItemInfoW.USER32(00BB5890,00000004,00000000,00000030), ref: 00B52F4C
GetCursorPos.USER32(?), ref: 00B52F56
SetForegroundWindow.USER32(00000000), ref: 00B52F5F
TrackPopupMenuEx.USER32(00BB5890,00000000,?,00000000,00000000,00000000), ref: 00B52F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00B52F7E

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: bb2d77bf70b703acc7180a550754ce3af57be75e7410765cd788c52534c8c3cb
Instruction ID: 86ba20d06445a01cb2e6871da3cf44a2ce3dd474dae3071a920d18ceea388dbe
Opcode Fuzzy Hash: bb2d77bf70b703acc7180a550754ce3af57be75e7410765cd788c52534c8c3cb
Instruction Fuzzy Hash: 5A71D770602206BBEB218F54DC86FAABFA4FF06355F1002E5FA19A61E1C7715C58D754

Function 00B477DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF7BCC: _memmove.LIBCMT ref: 00AF7C06

_memset.LIBCMT ref: 00B4786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00B478A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00B478BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00B478D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00B47902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00B4792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B47935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B4793A

Strings

SOFTWARE\Classes\, xrefs: 00B4780C
\IPC$, xrefs: 00B47882
\CLSID, xrefs: 00B47822

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 9f5d3a8a09cd9b435203fc4947e3dd606b6b986fbf0abbbe57c87057ab025847
Instruction ID: fd99e0f9e4204e2b165c16006b37e87087895ed10f6e87e4a6a6399df8f5a5cb
Opcode Fuzzy Hash: 9f5d3a8a09cd9b435203fc4947e3dd606b6b986fbf0abbbe57c87057ab025847
Instruction Fuzzy Hash: 1A41E472C5462DABDB11EBA4DD95DFDB7B8FF08310F404069F905A7261EB305E05CA90

Function 00B70E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B6FDAD,?,?), ref: 00B70E31

Strings

HKEY_CURRENT_USER, xrefs: 00B70F10
HKEY_LOCAL_MACHINE, xrefs: 00B70E9A
HKLM, xrefs: 00B70EAF
HKEY_USERS, xrefs: 00B70F32
HKCU, xrefs: 00B70F21
HKCC, xrefs: 00B70EFF
HKEY_CURRENT_CONFIG, xrefs: 00B70EEE
HKCR, xrefs: 00B70ED9
HKEY_CLASSES_ROOT, xrefs: 00B70EC4
HKU, xrefs: 00B70F43

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: fbc7e58d54c026429271156311ac1a43f6f66c8ee47aa4f6f2f5a5145ca896e8
Instruction ID: 82ef23297c5cd7f8b16019bdd54c20b752b743a6542924652f6747eeae5d1610
Opcode Fuzzy Hash: fbc7e58d54c026429271156311ac1a43f6f66c8ee47aa4f6f2f5a5145ca896e8
Instruction Fuzzy Hash: 6C414D3252424ACBCF20FF50D995AEE37E0EF25304F5484A6FC691B291DB709D9ACB60

Function 00B774BB Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00B7755E
CreateCompatibleDC.GDI32(00000000), ref: 00B77565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00B77578
SelectObject.GDI32(00000000,00000000), ref: 00B77580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00B7758B
DeleteDC.GDI32(00000000), ref: 00B77594
GetWindowLongW.USER32(?,000000EC), ref: 00B7759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00B775B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00B775BE

Strings

static, xrefs: 00B774F6
@U=u, xrefs: 00B77578

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: @U=u$static
API String ID: 2559357485-3553413495
Opcode ID: 41de19faaebb8558b44cac7330d48bbd235a4b9dece9140f6c5b2634f7f14f43
Instruction ID: 39d14091ead0f8adc75fd87d8bab763be8ec581151e0df16cc7cc0844256f06d
Opcode Fuzzy Hash: 41de19faaebb8558b44cac7330d48bbd235a4b9dece9140f6c5b2634f7f14f43
Instruction Fuzzy Hash: 4C317E72144216BBDF119F64DC09FEB3BA9FF19320F114264FA29A61A0CB31D851DBA4

Function 00B4F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00B2E2A0,00000010,?,Bad directive syntax error,00B7F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00B4F7C2
LoadStringW.USER32(00000000,?,00B2E2A0,00000010), ref: 00B4F7C9

Part of subcall function 00AF7DE1: _memmove.LIBCMT ref: 00AF7E22

_wprintf.LIBCMT ref: 00B4F7FC
__swprintf.LIBCMT ref: 00B4F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00B4F88D

Strings

Error: , xrefs: 00B4F85B
%s (%d) : ==> %s.: %s %s, xrefs: 00B4F7F7
Line %d (File "%s"):, xrefs: 00B4F833
Line %d:, xrefs: 00B4F818
., xrefs: 00B4F873

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: c5d5bc4459711b0dbf72c3f66535ed5ff21dfae642eb836d24bee95bdf965718
Instruction ID: 21a59f0ffef2dcfe9490ffea8fb3e44970c2dd5b16684b828c52d49e1a2a0450
Opcode Fuzzy Hash: c5d5bc4459711b0dbf72c3f66535ed5ff21dfae642eb836d24bee95bdf965718
Instruction Fuzzy Hash: 6D213C3290421EEBCF11AFE0CC5AEFE77B9FF18700F4404A5B615660A1EA719A58DB51

Function 00B552C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00AF7BCC: _memmove.LIBCMT ref: 00AF7C06

Part of subcall function 00AF7924: _memmove.LIBCMT ref: 00AF79AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B55330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B55346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B55357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B55369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B5537A

Strings

status PlayMe mode, xrefs: 00B5532B
play PlayMe, xrefs: 00B55375
play PlayMe wait, xrefs: 00B55364
open , xrefs: 00B552DF
alias PlayMe, xrefs: 00B55309
close PlayMe, xrefs: 00B55341, 00B5536E

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 29df05d836b62eaa9911a3952d8076c2befaef444ee1b4b04d3fbd05a7208bd5
Instruction ID: 173b6a8bf5d4f5350ee1013ee09675e5c6a690b1a31aebfc66c6b425135ff7e5
Opcode Fuzzy Hash: 29df05d836b62eaa9911a3952d8076c2befaef444ee1b4b04d3fbd05a7208bd5
Instruction Fuzzy Hash: DA11B230A5412D79D720B7B5CC5ADFF7BFCEB92B41F0004A9B906A20E1EEA00D09C5A0

Function 00B546B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B546D2
gethostname.WSOCK32(?,00000100), ref: 00B546EC
gethostbyname.WSOCK32(?), ref: 00B546F9
_wcscpy.LIBCMT ref: 00B54721
_memmove.LIBCMT ref: 00B54734
inet_ntoa.WSOCK32(?), ref: 00B5473F
_strcat.LIBCMT ref: 00B5474D
_wcscpy.LIBCMT ref: 00B54764
WSACleanup.WSOCK32 ref: 00B54772
_wcscpy.LIBCMT ref: 00B54780

Strings

0.0.0.0, xrefs: 00B5471B

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 774a487aaff14af30e31f0e779ad0195889bd50a35638df21145f64cc66cadd5
Instruction ID: 3f012aca1e1020fc812a98a5270dc0eac7e8bf9cc722dbb8c2660c072395f547
Opcode Fuzzy Hash: 774a487aaff14af30e31f0e779ad0195889bd50a35638df21145f64cc66cadd5
Instruction Fuzzy Hash: C911C331904115ABDB24AB70AC46EEA77FCEB06716F4401FAF849960A1EFB08DC58A55

Function 00B5D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF9837: __itow.LIBCMT ref: 00AF9862
Part of subcall function 00AF9837: __swprintf.LIBCMT ref: 00AF98AC

CoInitialize.OLE32(00000000), ref: 00B5D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00B5D67D
SHGetDesktopFolder.SHELL32(?), ref: 00B5D691
CoCreateInstance.OLE32(00B82D7C,00000000,00000001,00BA8C1C,?), ref: 00B5D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00B5D74C
CoTaskMemFree.OLE32(?,?), ref: 00B5D7A4
_memset.LIBCMT ref: 00B5D7E1
SHBrowseForFolderW.SHELL32(?), ref: 00B5D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B5D840
CoTaskMemFree.OLE32(00000000), ref: 00B5D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00B5D87E
CoUninitialize.OLE32(00000001,00000000), ref: 00B5D880

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 5559abf2c939b7305b562ac5148fa0168cb8673f18a1cbf6318da913a8a3837d
Instruction ID: 08b6b703c61ff12c366bdc4784599effafed916ae8be2856c4aebf7e377f8194
Opcode Fuzzy Hash: 5559abf2c939b7305b562ac5148fa0168cb8673f18a1cbf6318da913a8a3837d
Instruction Fuzzy Hash: 86B1EB75A00109AFDB14DFA4C884EAEBBF9EF48315F1485A9F909DB261DB30ED45CB50

Function 00B4C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00B4C283
GetWindowRect.USER32(00000000,?), ref: 00B4C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00B4C2F3
GetDlgItem.USER32(?,00000002), ref: 00B4C2FE
GetWindowRect.USER32(00000000,?), ref: 00B4C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00B4C364
GetDlgItem.USER32(?,000003E9), ref: 00B4C372
GetWindowRect.USER32(00000000,?), ref: 00B4C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00B4C3C6
GetDlgItem.USER32(?,000003EA), ref: 00B4C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00B4C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00B4C3FE

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 025b041ee02e543cec584387fce600f9d85919c337c21b9af36f92d279be6253
Instruction ID: ef9e2dcb12eea6ef525d52afc820c4bdb9c6ac0407eef66a4ab19a5d47590d99
Opcode Fuzzy Hash: 025b041ee02e543cec584387fce600f9d85919c337c21b9af36f92d279be6253
Instruction Fuzzy Hash: 9A513F71B00205ABDB18CFA9DD89AAEBBB6FB88711F14816DF519D7290DB709E40CB14

Function 00AF201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AF2036,?,00000000,?,?,?,?,00AF16CB,00000000,?), ref: 00AF1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00AF20D3
KillTimer.USER32(-00000001,?,?,?,?,00AF16CB,00000000,?,?,00AF1AE2,?,?), ref: 00AF216E
DestroyAcceleratorTable.USER32(00000000), ref: 00B2BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AF16CB,00000000,?,?,00AF1AE2,?,?), ref: 00B2BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AF16CB,00000000,?,?,00AF1AE2,?,?), ref: 00B2BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AF16CB,00000000,?,?,00AF1AE2,?,?), ref: 00B2BD0A
DeleteObject.GDI32(00000000), ref: 00B2BD1C

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 26460ff3a0729f2e5dd15f2a3091db6a43abd53dbf36acc29e9cfe249b7bd656
Instruction ID: 57c3fde41fa6e171715c5e4a566f21f3b65bcb368d0b6e407a3c911857ed56fb
Opcode Fuzzy Hash: 26460ff3a0729f2e5dd15f2a3091db6a43abd53dbf36acc29e9cfe249b7bd656
Instruction Fuzzy Hash: E6616932100A19DFCB35AF54DD48B79B7F1FB44312F108669E64A8BA60CFB1AC81DB55

Function 00AF21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00AF25DB: GetWindowLongW.USER32(?,000000EB), ref: 00AF25EC

GetSysColor.USER32(0000000F), ref: 00AF21D3

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 9a70453036e37f4b516f59cda0fd74c8569ed14da6b5061c4aaa305a0a11ed14
Instruction ID: d342072da62c777df5c93e3a5f1f888220ea2145fa680737dd30a835c4a52395
Opcode Fuzzy Hash: 9a70453036e37f4b516f59cda0fd74c8569ed14da6b5061c4aaa305a0a11ed14
Instruction Fuzzy Hash: 9E41B031000154DBEB215F68EC88BF93BA5EB06331F2442A5FE699B1E5CB318C82DB25

Function 00B5A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00B7F910), ref: 00B5A90B
GetDriveTypeW.KERNEL32(00000061,00BA89A0,00000061), ref: 00B5A9D5
_wcscpy.LIBCMT ref: 00B5A9FF

Strings

network, xrefs: 00B5A969
all, xrefs: 00B5A911
fixed, xrefs: 00B5A953
unknown, xrefs: 00B5A996
ramdisk, xrefs: 00B5A97F
cdrom, xrefs: 00B5A927
removable, xrefs: 00B5A93D

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 7ac6e9c0964e87192d997ceddbb8f885bc895d2ef03edffa1223527a4d1153df
Instruction ID: e3f40a3ac4f7f668acf7db09d709bb4f60488972dd52d1d19b9cd0c01d317316
Opcode Fuzzy Hash: 7ac6e9c0964e87192d997ceddbb8f885bc895d2ef03edffa1223527a4d1153df
Instruction Fuzzy Hash: A051B731118301AFC300EF14C992BAFB7E5EF85701F4049ADFA96672A2DB709949CA93

Function 00B78645 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B786FF

Strings

@U=u, xrefs: 00B78735

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: cb7fa358d1e48a8cb5c01c64517f8224450bd038ae60c851065a5c730c39a1c3
Instruction ID: 3894485a711da37095b0eb7fa6a2c4c82cfd7ec4b701245ce1e0f2b856f19230
Opcode Fuzzy Hash: cb7fa358d1e48a8cb5c01c64517f8224450bd038ae60c851065a5c730c39a1c3
Instruction Fuzzy Hash: B9517130680244BEEB249B249C8DFAD7BE5EB05710F608295F96EE61A1CF71ED80DB51

Function 00AF2B72 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00B2C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B2C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B2C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00B2C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B2C370
DestroyIcon.USER32(00000000), ref: 00B2C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B2C39C
DestroyIcon.USER32(?), ref: 00B2C3AB

Part of subcall function 00B7A4AF: DeleteObject.GDI32(00000000), ref: 00B7A4E8

Strings

@U=u, xrefs: 00B2C370, 00B2C39C

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID: @U=u
API String ID: 2819616528-2594219639
Opcode ID: c6df1174148e17179373a709d6c415df11763a9096c09e408daa5b1098ee3ab3
Instruction ID: 1cd670bf45b42db2247b5b946818624229f0fe414a80197aefff8253b5b116be
Opcode Fuzzy Hash: c6df1174148e17179373a709d6c415df11763a9096c09e408daa5b1098ee3ab3
Instruction Fuzzy Hash: 06516870A00209AFDB24DFA5DC45BBE7BF5EB48710F104668FA06D7290DBB0AD90DB50

Function 00AF9837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00AF9862
__swprintf.LIBCMT ref: 00AF98AC
__i64tow.LIBCMT ref: 00B2F5E6

Strings

%.15g, xrefs: 00AF98A6
True, xrefs: 00B2F5A7
0x%p, xrefs: 00B2F5C8
False, xrefs: 00B2F5AE

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 3be0015005853684f85c10c2a37059916c615062cc4cc73db46a54e4a6ae66db
Instruction ID: 6d94e90f88d2b386a121ba91bba8672dbf89d8a935bc2c3ae569a91ec2ff4c1f
Opcode Fuzzy Hash: 3be0015005853684f85c10c2a37059916c615062cc4cc73db46a54e4a6ae66db
Instruction Fuzzy Hash: 7741D67150420AAEEB24DF74E842FBA77F8EF0A300F6044FEF649D7291EA7199418B51

Function 00B77152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B7716A
CreateMenu.USER32 ref: 00B77185
SetMenu.USER32(?,00000000), ref: 00B77194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B77221
IsMenu.USER32(?), ref: 00B77237
CreatePopupMenu.USER32 ref: 00B77241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B7726E
DrawMenuBar.USER32 ref: 00B77276

Strings

F, xrefs: 00B77262
0, xrefs: 00B77160

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 0ef1814639427a4f59c0efeae99695fbda711aa4de433377b57eece9375297b5
Instruction ID: 3a3d17228ab451bfde0f5720a375db77e83a244a814bad9fe9bd090adba66bf2
Opcode Fuzzy Hash: 0ef1814639427a4f59c0efeae99695fbda711aa4de433377b57eece9375297b5
Instruction Fuzzy Hash: 66416974A01209EFDB20DFA4D884FAA7BF5FF49310F1440A8F929A7361DB31A910CB94

Function 00B48F8F Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF7DE1: _memmove.LIBCMT ref: 00AF7E22

Part of subcall function 00B4AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00B4AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00B49014
GetDlgCtrlID.USER32 ref: 00B4901F
GetParent.USER32 ref: 00B4903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B4903E
GetDlgCtrlID.USER32(?), ref: 00B49047
GetParent.USER32(?), ref: 00B49063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00B49066

Strings

ListBox, xrefs: 00B48FD1
ComboBox, xrefs: 00B48F9C
@U=u, xrefs: 00B49066

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 1536045017-2258501812
Opcode ID: 1d52c2fa34d61d00abecb3dd214344a7c4da80baca270210a47c3daa037187d9
Instruction ID: 5b9bf4840f9c4b2c3e3fe0423e0779681ffb986d82f0eae5ffaf9417f7ec4032
Opcode Fuzzy Hash: 1d52c2fa34d61d00abecb3dd214344a7c4da80baca270210a47c3daa037187d9
Instruction Fuzzy Hash: 1521D670A00109BFDF04ABA0CC85EFEBBB9EF45310F100195B961972B1DF759959EA20

Function 00B4907A Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF7DE1: _memmove.LIBCMT ref: 00AF7E22

Part of subcall function 00B4AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00B4AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00B490FD
GetDlgCtrlID.USER32 ref: 00B49108
GetParent.USER32 ref: 00B49124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B49127
GetDlgCtrlID.USER32(?), ref: 00B49130
GetParent.USER32(?), ref: 00B4914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00B4914F

Strings

ListBox, xrefs: 00B490BC
ComboBox, xrefs: 00B49087
@U=u, xrefs: 00B4914F

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 1536045017-2258501812
Opcode ID: 6c3e55c00c54b2bea59e7156a1dcff867bac106548fa0c356e234236627be1f8
Instruction ID: aa3a98e5f17b061e0c461e89b5a9d2939b223b3f46f8f19f9d299ff54ca088c9
Opcode Fuzzy Hash: 6c3e55c00c54b2bea59e7156a1dcff867bac106548fa0c356e234236627be1f8
Instruction Fuzzy Hash: D721F574A40109BFDF00ABA0CC85EFEBBB8EF44300F000055BA15A72A1DB758959EB20

Function 00B49163 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00B4916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00B49184
_wcscmp.LIBCMT ref: 00B49196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B49211

Strings

smallicons, xrefs: 00B491D9
details, xrefs: 00B491BF
largeicons, xrefs: 00B491A5
SHELLDLL_DefView, xrefs: 00B49190
list, xrefs: 00B491F3
@U=u, xrefs: 00B49211

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-1428604138
Opcode ID: 58e5f441d7f40f2d4cf530b26096836bcbe32a8d7a55b0b0fbd9dabb1b27023c
Instruction ID: 1bc53342628798bcf8d43df0b3d4571601ad9a652c7c3650e7e4a9f5022f1ef9
Opcode Fuzzy Hash: 58e5f441d7f40f2d4cf530b26096836bcbe32a8d7a55b0b0fbd9dabb1b27023c
Instruction Fuzzy Hash: AE118A7728C307BAFA152724DC0BDF777DCDB15720B2000E6F914A54E1FEA269A16554

Function 00B16E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B16E3E

Part of subcall function 00B18B28: __getptd_noexit.LIBCMT ref: 00B18B28

__gmtime64_s.LIBCMT ref: 00B16ED7
__gmtime64_s.LIBCMT ref: 00B16F0D
__gmtime64_s.LIBCMT ref: 00B16F2A
__allrem.LIBCMT ref: 00B16F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B16F9C
__allrem.LIBCMT ref: 00B16FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B16FD1
__allrem.LIBCMT ref: 00B16FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B17006
__invoke_watson.LIBCMT ref: 00B17077

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: f7bbb4f1483f440d9fc3fc0c813480a3247800d6b59ee95e9fddcbe9aba1dfec
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 75710876A40716ABD714AF68DC81BDAB3F4EF04720F5442B9F414D7281EB70DE808B90

Function 00B52527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B52542
GetMenuItemInfoW.USER32(00BB5890,000000FF,00000000,00000030), ref: 00B525A3
SetMenuItemInfoW.USER32(00BB5890,00000004,00000000,00000030), ref: 00B525D9
Sleep.KERNEL32(000001F4), ref: 00B525EB
GetMenuItemCount.USER32(?), ref: 00B5262F
GetMenuItemID.USER32(?,00000000), ref: 00B5264B
GetMenuItemID.USER32(?,-00000001), ref: 00B52675
GetMenuItemID.USER32(?,?), ref: 00B526BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B52700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B52714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B52735

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: ea6fe2a7763f985972c2cf3ff80dd4b4f2d42edbf85477cb8768145d4604279c
Instruction ID: d4700f50954fbf18e8505fb0ea858055fec501d3985b782226aa88eb7db443e4
Opcode Fuzzy Hash: ea6fe2a7763f985972c2cf3ff80dd4b4f2d42edbf85477cb8768145d4604279c
Instruction Fuzzy Hash: 06618D7090224AAFDF21DF64D888ABE7BF8EB06306F1401D9EC41A3251DB71AD49DB61

Function 00B76F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B76FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B76FA8
GetWindowLongW.USER32(?,000000F0), ref: 00B76FCC
_memset.LIBCMT ref: 00B76FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B76FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B77067

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 02901e8c381ec07c0c2df1271db76e028645d9a5b97e2e3b138aec41c247b0bd
Instruction ID: 884144f7c78674fbfd73366419502bcb9fad474d02ad3205e571d601e5d9610a
Opcode Fuzzy Hash: 02901e8c381ec07c0c2df1271db76e028645d9a5b97e2e3b138aec41c247b0bd
Instruction Fuzzy Hash: EC615E75A40208AFDB11DFA4CC81FEE77F8EB09710F144199FA19AB2A1CB71AD45DB50

Function 00B46B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00B46BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00B46C18
VariantInit.OLEAUT32(?), ref: 00B46C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00B46C4A
VariantCopy.OLEAUT32(?,?), ref: 00B46C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00B46CB1
VariantClear.OLEAUT32(?), ref: 00B46CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00B46CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B46CDC
VariantClear.OLEAUT32(?), ref: 00B46CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B46CF9

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 7e06e62d47da4c2b43cf96bc20496903fd100dedab1f71b75313bd16abec38c8
Instruction ID: b7c7b38bf11633141e071c98535251bccd5e98286f05ad57ca42ebd83ccc0a40
Opcode Fuzzy Hash: 7e06e62d47da4c2b43cf96bc20496903fd100dedab1f71b75313bd16abec38c8
Instruction Fuzzy Hash: BA415031A001199FCF14DFA8D8849AEBBF9FF08354F008069E955E7361CB30AA45DFA1

Function 00B7D43E Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF2612: GetWindowLongW.USER32(?,000000EB), ref: 00AF2623

GetSystemMetrics.USER32(0000000F), ref: 00B7D47C
GetSystemMetrics.USER32(0000000F), ref: 00B7D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00B7D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00B7D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00B7D716
ShowWindow.USER32(00000003,00000000), ref: 00B7D735
InvalidateRect.USER32(?,00000000,00000001), ref: 00B7D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00B7D77D

Strings

@U=u, xrefs: 00B7D6F5, 00B7D716

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID: @U=u
API String ID: 1211466189-2594219639
Opcode ID: 36395f4fb26855718e6747e3b42ac6c8ce1fa909fead5693408cca73c53d15aa
Instruction ID: 23c9bf6480a509cf7ad6d9c8d23cfa5dac1d1f4a7885a5716fe766f0574b4f80
Opcode Fuzzy Hash: 36395f4fb26855718e6747e3b42ac6c8ce1fa909fead5693408cca73c53d15aa
Instruction Fuzzy Hash: 4AB17975600215ABDF18CF68C9C57A97BF1FF04741F08C1A9EC6C9B295DB74A990CB50

Function 00AF2E26 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00AF2EAE

Part of subcall function 00AF1DB3: GetClientRect.USER32(?,?), ref: 00AF1DDC
Part of subcall function 00AF1DB3: GetWindowRect.USER32(?,?), ref: 00AF1E1D
Part of subcall function 00AF1DB3: ScreenToClient.USER32(?,?), ref: 00AF1E45

GetDC.USER32 ref: 00B2CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B2CD45
SelectObject.GDI32(00000000,00000000), ref: 00B2CD53
SelectObject.GDI32(00000000,00000000), ref: 00B2CD68
ReleaseDC.USER32(?,00000000), ref: 00B2CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B2CDFB

Strings

@U=u, xrefs: 00B2CD45
U, xrefs: 00B2CCD0

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: @U=u$U
API String ID: 4009187628-4110099822
Opcode ID: 4b6d80bf964ff0ec2868961a6c94e8776ca1239235d4d2ee7aa3ae8d7a88e1da
Instruction ID: 5432efb526b574da35092b5c87f9128dd3a21f09f461cb1157c77be0345e4fb3
Opcode Fuzzy Hash: 4b6d80bf964ff0ec2868961a6c94e8776ca1239235d4d2ee7aa3ae8d7a88e1da
Instruction Fuzzy Hash: 9E718F31500209DFCF219F64D884ABE7FB5FF48350F2442BAFD595A2A6C7319881DB61

Function 00B65732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B65793
inet_addr.WSOCK32(?,?,?), ref: 00B657D8
gethostbyname.WSOCK32(?), ref: 00B657E4
IcmpCreateFile.IPHLPAPI ref: 00B657F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B65862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B65878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00B658ED
WSACleanup.WSOCK32 ref: 00B658F3

Strings

Ping, xrefs: 00B65816

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 4444f622186b1a75b28bfe70209c66903160eb5302c610a511d5fd5e557f1e00
Instruction ID: 923e8698f6d761b64cf013ff9c5bdefb6bf2ea4475ba7eb7cd36ad5a780ea24d
Opcode Fuzzy Hash: 4444f622186b1a75b28bfe70209c66903160eb5302c610a511d5fd5e557f1e00
Instruction Fuzzy Hash: DA519E316047019FD720AF64CC89B6A77E4EF48720F0445A9FA9ADB6A1DB34EC50DF52

Function 00B5B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B5B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B5B546
GetLastError.KERNEL32 ref: 00B5B550
SetErrorMode.KERNEL32(00000000,READY), ref: 00B5B5BD

Strings

UNKNOWN, xrefs: 00B5B575
NOTREADY, xrefs: 00B5B57C
READONLY, xrefs: 00B5B588
READY, xrefs: 00B5B596
INVALID, xrefs: 00B5B58F

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 563e98a10e6c5c1b707e32331f6c92a72a40ae81f09819d80830654dab42afe7
Instruction ID: 0e4056084e8aa1d1da24bdcf971ebe1b7b9ac29bc826b76780a1afa7d6cc38a1
Opcode Fuzzy Hash: 563e98a10e6c5c1b707e32331f6c92a72a40ae81f09819d80830654dab42afe7
Instruction Fuzzy Hash: F931A135A002099FCB04EBA8D895FBE77F4FF19302F5040E5FA0597291EB719A46CB51

Function 00B761D3 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B761EB
GetDC.USER32(00000000), ref: 00B761F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B761FE
ReleaseDC.USER32(00000000,00000000), ref: 00B7620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B76246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B76257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B7902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00B76291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B762B1

Strings

@U=u, xrefs: 00B76257, 00B762B1

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: f47b06da0d5087f2dcd56c335046bd4c1d987691e68c1c4be50ac23830a01822
Instruction ID: e795a4f4d47bd2e50847e8543db84a873bcd2cf93a1a4a838be936df8648b428
Opcode Fuzzy Hash: f47b06da0d5087f2dcd56c335046bd4c1d987691e68c1c4be50ac23830a01822
Instruction Fuzzy Hash: C3317F72101614BFEB118F54CC8AFFA3BA9EF49765F044065FE0CEA292DA759C81CB64

Function 00B688AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B688D7
CoInitialize.OLE32(00000000), ref: 00B68904
CoUninitialize.OLE32 ref: 00B6890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00B68A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00B68B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00B82C0C), ref: 00B68B6F
CoGetObject.OLE32(?,00000000,00B82C0C,?), ref: 00B68B92
SetErrorMode.KERNEL32(00000000), ref: 00B68BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B68C25
VariantClear.OLEAUT32(?), ref: 00B68C35

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: e7e344477048475b84bd22c808a9cd6a86bf1c1fc15348cb2acddbc1db84366e
Instruction ID: e90da4ea677088db462520d7483a10377c4605320f09a56f1ceda72a38ed9ede
Opcode Fuzzy Hash: e7e344477048475b84bd22c808a9cd6a86bf1c1fc15348cb2acddbc1db84366e
Instruction Fuzzy Hash: 7FC117B1608305AFC700DF68C88492BB7E9FF89348F04499DF98A9B261DB75ED45CB52

Function 00B57990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00B57A6C

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: adec7d331d9a39af63d169965c66f3be6d873822917adbab8e5867c300375073
Instruction ID: 528cf1b793c27d23f6538d69049e17755578e0e29a834db4e24d7863af55227e
Opcode Fuzzy Hash: adec7d331d9a39af63d169965c66f3be6d873822917adbab8e5867c300375073
Instruction Fuzzy Hash: A2B19271A4421A9FDB00DF94E884BBEB7F4FF09322F2044E9E901E7241DB74A949CB90

Function 00B511CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B511F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00B50268,?,00000001), ref: 00B51204
GetWindowThreadProcessId.USER32(00000000), ref: 00B5120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B50268,?,00000001), ref: 00B5121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B5122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B50268,?,00000001), ref: 00B51245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B50268,?,00000001), ref: 00B51257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00B50268,?,00000001), ref: 00B5129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00B50268,?,00000001), ref: 00B512B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00B50268,?,00000001), ref: 00B512BC

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 0c54a6d31c8ff72e15e4c21dd398423702fed284ec5443d5717f38da09d70bca
Instruction ID: a9d92a256c54496f804a390133bdf2e4579d6533a79080d8110562832fbb1527
Opcode Fuzzy Hash: 0c54a6d31c8ff72e15e4c21dd398423702fed284ec5443d5717f38da09d70bca
Instruction Fuzzy Hash: 5B31D075A00204BFDB109F58EC88F7937E9EB55312F1086A9FE05D71A0DBB99D84CB60

Function 00AFFA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00AFFAA6
OleUninitialize.OLE32(?,00000000), ref: 00AFFB45
UnregisterHotKey.USER32(?), ref: 00AFFC9C
DestroyWindow.USER32(?), ref: 00B345D6
FreeLibrary.KERNEL32(?), ref: 00B3463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B34668

Strings

close all, xrefs: 00AFFAA1

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 0ef9f721749b945304b4c1c7bb9c1b1c9d66f8df57c0d34213db9a4724130176
Instruction ID: c01049f826cbbbd52c924990acc7141922c92bf322fe7133cd2f43f9d668e9b6
Opcode Fuzzy Hash: 0ef9f721749b945304b4c1c7bb9c1b1c9d66f8df57c0d34213db9a4724130176
Instruction Fuzzy Hash: 31A15930701216CFCB29EF64C595A79F7A4EF05710F6442EDEA0AAB261DB30AD56CF90

Function 00B4A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00B4A439), ref: 00B4A377

Strings

INSTANCE, xrefs: 00B4A285
TEXT, xrefs: 00B4A2AE
REGEXPCLASS, xrefs: 00B4A13C
CLASS, xrefs: 00B4A0F6
CLASSNN, xrefs: 00B4A119
NAME, xrefs: 00B4A1A9

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: e84f42f63644986ef85f866f6d1bcece707d122d2f1725531214f4f9817a75af
Instruction ID: 972ca157662bfec318837c87720d5cd4e42ebda74dcf9a7427fa17fc6873fa2f
Opcode Fuzzy Hash: e84f42f63644986ef85f866f6d1bcece707d122d2f1725531214f4f9817a75af
Instruction Fuzzy Hash: 8091E731644606ABCB08EFA0C881BEEFBF4FF14300F548199E859A7151DF716B99EB91

Function 00B7B351 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(014A5840), ref: 00B7B3EB
IsWindowEnabled.USER32(014A5840), ref: 00B7B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00B7B4DB
SendMessageW.USER32(014A5840,000000B0,?,?), ref: 00B7B512
IsDlgButtonChecked.USER32(?,?), ref: 00B7B54F
GetWindowLongW.USER32(014A5840,000000EC), ref: 00B7B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B7B589

Strings

@U=u, xrefs: 00B7B4DB, 00B7B512, 00B7B589

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: @U=u
API String ID: 4072528602-2594219639
Opcode ID: 8cdf44211f6e56d0a7229cb0f278d4353ab42638add1f705afb36a6daa8045cb
Instruction ID: 4a95a856cfd80838105dc36816c630b316c1ba60d33c85bab73f15c8a428fa93
Opcode Fuzzy Hash: 8cdf44211f6e56d0a7229cb0f278d4353ab42638add1f705afb36a6daa8045cb
Instruction Fuzzy Hash: D1716A34604605AFDB219F55C8D4FBA7BF9EF09300F148199EA6A973A2CB71A980DF50

Function 00B76D80 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B76E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00B76E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B76E52
_wcscat.LIBCMT ref: 00B76EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00B76EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B76EF2

Strings

SysListView32, xrefs: 00B76DF6
@U=u, xrefs: 00B76E24, 00B76E38

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: @U=u$SysListView32
API String ID: 307300125-1908207174
Opcode ID: 39923e51abec56124fe9641f3d12b9794bb56656f3c6f671911acb33ecf3d612
Instruction ID: 921d32954809bceb4bb4eb08c83cbefabf740418cf477a36704dec327a43b227
Opcode Fuzzy Hash: 39923e51abec56124fe9641f3d12b9794bb56656f3c6f671911acb33ecf3d612
Instruction Fuzzy Hash: 3C41A171A00349AFEB219F64CC85BEE77F8EF08750F1044AAF598E7291D6719D84CB60

Function 00B61A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B61A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B61A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00B61ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00B61AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B61AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00B61B10
InternetCloseHandle.WININET(00000000), ref: 00B61B57

Part of subcall function 00B62483: GetLastError.KERNEL32(?,?,00B61817,00000000,00000000,00000001), ref: 00B62498
Part of subcall function 00B62483: SetEvent.KERNEL32(?,?,00B61817,00000000,00000000,00000001), ref: 00B624AD

Strings

, xrefs: 00B61B01

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 794a667a21407c8357d5813fa902eae9227322ff3075d8ee82987de019dd7362
Instruction ID: d8259b0abe2c54545050826f665a29b677522a5c5cdc928429343944a1b56355
Opcode Fuzzy Hash: 794a667a21407c8357d5813fa902eae9227322ff3075d8ee82987de019dd7362
Instruction Fuzzy Hash: 404190B1501609BFEB158F54CC85FFB7BECEF08354F084166FA05AA141EB789E408BA4

Function 00B762CD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B762EC
GetWindowLongW.USER32(014A5840,000000F0), ref: 00B7631F
GetWindowLongW.USER32(014A5840,000000F0), ref: 00B76354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00B76386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00B763B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00B763C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00B763DB

Strings

@U=u, xrefs: 00B762EC, 00B76386, 00B763B0

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: a3a400694f372a5dcaa26996ff055b78c768d1dec7156a964d09521ffbba0001
Instruction ID: 0b486fa2c3498853b2a96947c01cb85ac773cb999567a8096581e42959175f85
Opcode Fuzzy Hash: a3a400694f372a5dcaa26996ff055b78c768d1dec7156a964d09521ffbba0001
Instruction Fuzzy Hash: 10313430600A459FDB21CF19DC84F6437E1FB4A714F1A82A4F5299F2B2CB72E880CB59

Function 00B68C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00B7F910), ref: 00B68D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00B7F910), ref: 00B68D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00B68ED6
SysFreeString.OLEAUT32(?), ref: 00B68F00

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 93189ceaa797e37615cda2c9d4aa685ce6370d06c34d6a0a85eb87b4fa247c75
Instruction ID: a78a46ae9c103791b12de288b321dfd6204b03bd59662bd49be0e748cf91725f
Opcode Fuzzy Hash: 93189ceaa797e37615cda2c9d4aa685ce6370d06c34d6a0a85eb87b4fa247c75
Instruction Fuzzy Hash: DDF15A71A00209EFCF14DF94C884EAEB7B9FF49314F108599F915AB251DB35AE45CBA0

Function 00B6F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B6F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B6F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B6F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B6F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B6F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B6FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00B6FA7C
CloseHandle.KERNEL32(?), ref: 00B6FAAB
CloseHandle.KERNEL32(?), ref: 00B6FB22

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 2904eedbcc99b3119546eadfebbb3c5f03fad798747ca69ad05cea90ae300d98
Instruction ID: 03f7d1771dd25fa0f8a856e97bddfd902a461d7fbb64552c9d860cc3c80270a0
Opcode Fuzzy Hash: 2904eedbcc99b3119546eadfebbb3c5f03fad798747ca69ad05cea90ae300d98
Instruction Fuzzy Hash: 5EE1B0316043029FCB14EF64D881B7ABBE1EF89354F1485ADF8998B2A2CB35DC45CB52

Function 00B54CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B5466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B53697,?), ref: 00B5468B

Part of subcall function 00B5466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B53697,?), ref: 00B546A4

Part of subcall function 00B54A31: GetFileAttributesW.KERNEL32(?,00B5370B), ref: 00B54A32

lstrcmpiW.KERNEL32(?,?), ref: 00B54D40
_wcscmp.LIBCMT ref: 00B54D5A
MoveFileW.KERNEL32(?,?), ref: 00B54D75

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: bd5f3bdf291c141279c208f4a4e29f467a91657cc7d320386f2e8bc5df2cddfa
Instruction ID: d747db03ecd8d3111eb82ed70fcea09a7b95d12335073b0a865d9007c8bd5737
Opcode Fuzzy Hash: bd5f3bdf291c141279c208f4a4e29f467a91657cc7d320386f2e8bc5df2cddfa
Instruction Fuzzy Hash: 505150B20083459BC624DBA4D881AEFB3ECAF84355F4009AEB689D3151EF30A5CCC756

Function 00B4966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B4A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B4A84C
Part of subcall function 00B4A82C: GetCurrentThreadId.KERNEL32 ref: 00B4A853
Part of subcall function 00B4A82C: AttachThreadInput.USER32(00000000,?,00B49683,?,00000001), ref: 00B4A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00B4968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00B496AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00B496AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B496B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00B496D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00B496D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B496E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00B496F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00B496FB

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 8eda26144410f696b0a395b8f0b34d5c343339856eb7fd5ccb2441fb9ab7463f
Instruction ID: 98875327e9267b9b8c8377ef5898b899e6a7296fdf90e52d9e70d4cad688db93
Opcode Fuzzy Hash: 8eda26144410f696b0a395b8f0b34d5c343339856eb7fd5ccb2441fb9ab7463f
Instruction Fuzzy Hash: 8911C271950219BEFA106B609C89F7A3B5DDB4C760F510425F348AB0A0CDF25C50DAA8

Function 00B48921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00B4853C,00000B00,?,?), ref: 00B4892A
HeapAlloc.KERNEL32(00000000,?,00B4853C,00000B00,?,?), ref: 00B48931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B4853C,00000B00,?,?), ref: 00B48946
GetCurrentProcess.KERNEL32(?,00000000,?,00B4853C,00000B00,?,?), ref: 00B4894E
DuplicateHandle.KERNEL32(00000000,?,00B4853C,00000B00,?,?), ref: 00B48951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00B4853C,00000B00,?,?), ref: 00B48961
GetCurrentProcess.KERNEL32(00B4853C,00000000,?,00B4853C,00000B00,?,?), ref: 00B48969
DuplicateHandle.KERNEL32(00000000,?,00B4853C,00000B00,?,?), ref: 00B4896C
CreateThread.KERNEL32(00000000,00000000,00B48992,00000000,00000000,00000000), ref: 00B48986

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 3ba379581cf60083a0202aba796860766fb211ae8de6b168e8cf61fa0f24af92
Instruction ID: 68d7de2ee46d68c9a8991005a94983b55b6029490fa392cec8a69cb57ebfdbbe
Opcode Fuzzy Hash: 3ba379581cf60083a0202aba796860766fb211ae8de6b168e8cf61fa0f24af92
Instruction Fuzzy Hash: 7401AC75240305FFE610ABA5DC49F6B3BACEB89711F404421FA09DB5A1CE7098408A64

Function 00B69B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00B69B7B
NULL Pointer assignment, xrefs: 00B69BA4, 00B69EC8

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 5296cebc1fb4f42ac2979ff5239651f104726b7a4c5101de7316215af146e745
Instruction ID: 46f4945bd3e76b75ded25c4496ff790a79060922721e25e4da04ab8b3396a396
Opcode Fuzzy Hash: 5296cebc1fb4f42ac2979ff5239651f104726b7a4c5101de7316215af146e745
Instruction Fuzzy Hash: 22C1B471A0020AAFDF10DF98D984BAEB7F9FF48314F1484A9E915EB280E7759D45CB90

Function 00B69113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B69167
VariantInit.OLEAUT32(?), ref: 00B69238
VariantInit.OLEAUT32(?), ref: 00B69339
VariantClear.OLEAUT32(?), ref: 00B69343
VariantClear.OLEAUT32(?), ref: 00B693A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00B691C8, 00B692F6, 00B693AE
Incorrect Object type in FOR..IN loop, xrefs: 00B6931C

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: b81f7d155e7313161c7133f8e8aead3a6931177f27041b1b3e1ad4dbb6d0393b
Instruction ID: 1b7851c2215cc9d4f753992b9263e184ea2eab0120f1d79cacdaab94b6797db4
Opcode Fuzzy Hash: b81f7d155e7313161c7133f8e8aead3a6931177f27041b1b3e1ad4dbb6d0393b
Instruction Fuzzy Hash: 3791AE71A00209EBDF24CFA5D888FAEBBF8EF45710F108199F915AB290D7749945CFA0

Function 00B6975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00B4710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B47044,80070057,?,?,?,00B47455), ref: 00B47127
Part of subcall function 00B4710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B47044,80070057,?,?), ref: 00B47142
Part of subcall function 00B4710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B47044,80070057,?,?), ref: 00B47150
Part of subcall function 00B4710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B47044,80070057,?), ref: 00B47160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00B69806
_memset.LIBCMT ref: 00B69813
_memset.LIBCMT ref: 00B69956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00B69982
CoTaskMemFree.OLE32(?), ref: 00B6998D

Strings

NULL Pointer assignment, xrefs: 00B699DB

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 4c017eb26ccb25dd38dcef588feea02b2d2f81bbc7b84dbcbdc40f4e17c3bb8c
Instruction ID: 757fd85dfdf4dac92c076a4fe334ee62452035582d4a5eeca396bde502d52bc6
Opcode Fuzzy Hash: 4c017eb26ccb25dd38dcef588feea02b2d2f81bbc7b84dbcbdc40f4e17c3bb8c
Instruction Fuzzy Hash: C6912771D00219EBDB10DFA4DC81EEEBBB9EF08350F1041AAF519A7291DB715A44CFA0

Function 00B6E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00B53C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00B53C7A
Part of subcall function 00B53C55: Process32FirstW.KERNEL32(00000000,?), ref: 00B53C88
Part of subcall function 00B53C55: CloseHandle.KERNEL32(00000000), ref: 00B53D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B6E9A4
GetLastError.KERNEL32 ref: 00B6E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B6E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00B6EA63
GetLastError.KERNEL32(00000000), ref: 00B6EA6E
CloseHandle.KERNEL32(00000000), ref: 00B6EAA3

Strings

SeDebugPrivilege, xrefs: 00B6E9C2

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 205e8845a86550c48c159a25b52892a088c3637f1409b2383e3f5c601eddce79
Instruction ID: 61e9ef6761821980ee473d4448c81f8c59ad3ba36a4169ac8e1c7afebe426fd5
Opcode Fuzzy Hash: 205e8845a86550c48c159a25b52892a088c3637f1409b2383e3f5c601eddce79
Instruction Fuzzy Hash: 074197312002059FDB10EFA4C895F7EBBE5AF40350F0884A9F9469B2D2DB74E944CF96

Function 00B7B69E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00BB57B0,00000000,014A5840,?,?,00BB57B0,?,00B7B5A8,?,?), ref: 00B7B712
EnableWindow.USER32(00000000,00000000), ref: 00B7B736
ShowWindow.USER32(00BB57B0,00000000,014A5840,?,?,00BB57B0,?,00B7B5A8,?,?), ref: 00B7B796
ShowWindow.USER32(00000000,00000004,?,00B7B5A8,?,?), ref: 00B7B7A8
EnableWindow.USER32(00000000,00000001), ref: 00B7B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00B7B7EF

Strings

@U=u, xrefs: 00B7B7EF

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: 5b948bc4634713e939aa6865e82f1c79b5af171639335ce21ed71308fb3e1701
Instruction ID: 9e67f32d8dd45d4484ae6791b0a75cb7d4cc7f9eeca09cdc51b784fa51aa4079
Opcode Fuzzy Hash: 5b948bc4634713e939aa6865e82f1c79b5af171639335ce21ed71308fb3e1701
Instruction Fuzzy Hash: F4415B35601241AFDB2ACF24C499FA47BE1FB85310F1881E9E96C8F6A2C731AC56DF51

Function 00B52F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00B53033

Strings

question, xrefs: 00B52FEC
warning, xrefs: 00B5301C
blank, xrefs: 00B52FB5
info, xrefs: 00B52FD4
stop, xrefs: 00B53004

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: d9111b2ee7293dc30838d0c794a387158e03b617c98fa6d1cedef2ac3f3169c8
Instruction ID: c3b3ab1ea079ecae77991b704bff0dac3383c26833df1b4bf7c4fa43854b29ae
Opcode Fuzzy Hash: d9111b2ee7293dc30838d0c794a387158e03b617c98fa6d1cedef2ac3f3169c8
Instruction Fuzzy Hash: CA11083264C346BAE7159B14DC82FAB77DCDF267A1B1400EAFD00A62C1DA715F4855A4

Function 00B542F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B54312
LoadStringW.USER32(00000000), ref: 00B54319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B5432F
LoadStringW.USER32(00000000), ref: 00B54336
_wprintf.LIBCMT ref: 00B5435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B5437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B54357

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 62cf082ab74f4a3ec0eabc63dcbe64f78c483ba63319ba26d46d2450514c352c
Instruction ID: a0ef60636e1f996002c025cc73c3ce1d2a693ca0644ff2d9405e1a4c1da4484b
Opcode Fuzzy Hash: 62cf082ab74f4a3ec0eabc63dcbe64f78c483ba63319ba26d46d2450514c352c
Instruction Fuzzy Hash: 0C012CF2904209BBE75197A09D89EF676ACEB08701F4005F5BB49E3051EA749EC58B78

Function 00AF2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00B2C1C7,00000004,00000000,00000000,00000000), ref: 00AF2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00B2C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00AF2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00B2C1C7,00000004,00000000,00000000,00000000), ref: 00B2C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00B2C1C7,00000004,00000000,00000000,00000000), ref: 00B2C286

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: eefb2dbc44cb33d063a851df9ee365270998cc706cff8e9015ad574797ed51b3
Instruction ID: 0fb1387506c61adf964eaf430c01e9d4db732c866112ce0a7818c93d4839f487
Opcode Fuzzy Hash: eefb2dbc44cb33d063a851df9ee365270998cc706cff8e9015ad574797ed51b3
Instruction Fuzzy Hash: 04410C30208A88DBD739ABB99C98B7F7BE2EB85350F14845DF24B87560CA759881D711

Function 00B570C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00B570DD

Part of subcall function 00B10DB6: std::exception::exception.LIBCMT ref: 00B10DEC
Part of subcall function 00B10DB6: __CxxThrowException@8.LIBCMT ref: 00B10E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00B57114
EnterCriticalSection.KERNEL32(?), ref: 00B57130
_memmove.LIBCMT ref: 00B5717E
_memmove.LIBCMT ref: 00B5719B
LeaveCriticalSection.KERNEL32(?), ref: 00B571AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00B571BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00B571DE

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 5fc4bede363dfd4e87291f9eece1b6b9a9b75023e4b3403c115ef7f8194f0ec4
Instruction ID: 059e3718b84f9049610a63e5b946a9d58bc1b75959ced86a39f362ce3b59c818
Opcode Fuzzy Hash: 5fc4bede363dfd4e87291f9eece1b6b9a9b75023e4b3403c115ef7f8194f0ec4
Instruction Fuzzy Hash: AC316032A00205EBCF00EFA5EC85AAA77B8EF45311F5441F5FD04AB246DB709A94CB64

Function 00B4BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00B4BBC4
_memcmp.LIBCMT ref: 00B4BBE6
_memcmp.LIBCMT ref: 00B4BBFE
_memcmp.LIBCMT ref: 00B4BC11
_memcmp.LIBCMT ref: 00B4BC2B
_memcmp.LIBCMT ref: 00B4BC3E
_memcmp.LIBCMT ref: 00B4BC56
_memcmp.LIBCMT ref: 00B4BC71

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: bf644365df542646de110c5b0a617594aaba88371be7efb5ee9dfff84f35186a
Instruction ID: 831ee0dfa4cc14412ea2cfcfeaf095e1eb9f1019f62ae92027a331cad321aa2d
Opcode Fuzzy Hash: bf644365df542646de110c5b0a617594aaba88371be7efb5ee9dfff84f35186a
Instruction Fuzzy Hash: 2C21DE716012057BA60477259DC2FFB77DDEE10748B1844A4FF0496253EB24DF11EAA1

Function 00B5EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00AF9837: __itow.LIBCMT ref: 00AF9862
Part of subcall function 00AF9837: __swprintf.LIBCMT ref: 00AF98AC

Part of subcall function 00B0FC86: _wcscpy.LIBCMT ref: 00B0FCA9

_wcstok.LIBCMT ref: 00B5EC94
_wcscpy.LIBCMT ref: 00B5ED23
_memset.LIBCMT ref: 00B5ED56

Strings

X, xrefs: 00B5ED93

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 2d41aaf208c42231ed40e4222560f2b590f58e4ecae71954a36b4befb7541c89
Instruction ID: 7ec102bc8641c51d8df5c983728f8864a3c2095e9e6aa0e39042112960914809
Opcode Fuzzy Hash: 2d41aaf208c42231ed40e4222560f2b590f58e4ecae71954a36b4befb7541c89
Instruction Fuzzy Hash: DFC18F315083049FD758EF64C985F6AB7E4EF45310F0049ADF9999B2A2DB70ED49CB82

Function 00B66B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00B66C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00B66C21
WSAGetLastError.WSOCK32(00000000), ref: 00B66C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00B66CEA
inet_ntoa.WSOCK32(?), ref: 00B66CA7

Part of subcall function 00B4A7E9: _strlen.LIBCMT ref: 00B4A7F3
Part of subcall function 00B4A7E9: _memmove.LIBCMT ref: 00B4A815

_strlen.LIBCMT ref: 00B66D44
_memmove.LIBCMT ref: 00B66DAD

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 4380068ca3f6852b74f5f5c99c499c6a402d6e296512b02a5e6399b4d9bcad0a
Instruction ID: 14bb285aaf9c40fe9d9eb7f39b7c0a75bfb0fb112365038b96fce1a44cc4f575
Opcode Fuzzy Hash: 4380068ca3f6852b74f5f5c99c499c6a402d6e296512b02a5e6399b4d9bcad0a
Instruction Fuzzy Hash: 7B81CE72604204ABC710EB64CC86F7BB7E8EF84714F14496CFA559B2A2DA74ED05CB92

Function 00AF1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bcf4f9336c7cfd8b815eef29b457391ddce6d55bf279c8f9f66c5a8a565cb97
Instruction ID: 55146df25621dbfddf853cdacaa78bbaccc69156b65703bccfd43d12b2a6a1e7
Opcode Fuzzy Hash: 9bcf4f9336c7cfd8b815eef29b457391ddce6d55bf279c8f9f66c5a8a565cb97
Instruction Fuzzy Hash: 84714770900119EFCB14CF98CC89EBEBBB9FF85311F148159FA19AB251C734AA51CBA4

Function 00B6F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B6F448
_memset.LIBCMT ref: 00B6F511
ShellExecuteExW.SHELL32(?), ref: 00B6F556

Part of subcall function 00AF9837: __itow.LIBCMT ref: 00AF9862
Part of subcall function 00AF9837: __swprintf.LIBCMT ref: 00AF98AC

Part of subcall function 00B0FC86: _wcscpy.LIBCMT ref: 00B0FCA9

GetProcessId.KERNEL32(00000000), ref: 00B6F5CD
CloseHandle.KERNEL32(00000000), ref: 00B6F5FC

Strings

@, xrefs: 00B6F525

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 4f5a65797349cac6349a24c7efecf4d73ac9ff571b6752bcf6226e5f0966e869
Instruction ID: 201be3c8f2bcb363abf8e7546e8bd9070e52967aa53b8cc51076fe326fd9e2e0
Opcode Fuzzy Hash: 4f5a65797349cac6349a24c7efecf4d73ac9ff571b6752bcf6226e5f0966e869
Instruction Fuzzy Hash: A161AF75A0061A9FCB14DFA4D581ABEBBF5FF48310F1480A9E85AAB751CB34AD41CF90

Function 00B50F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00B50F8C
GetKeyboardState.USER32(?), ref: 00B50FA1
SetKeyboardState.USER32(?), ref: 00B51002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00B51030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00B5104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00B51095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B510B8

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 832b80e12f5b4acce454aefcb9cece1bcb26d3df02db2fd2d9a216c4354f1155
Instruction ID: 3db6244af5c4f097bad295a4f23d012b1bafbbda7ecacc9d8a8b120442263a0a
Opcode Fuzzy Hash: 832b80e12f5b4acce454aefcb9cece1bcb26d3df02db2fd2d9a216c4354f1155
Instruction Fuzzy Hash: 4D51F1605147D539FB3656388C05BBABEE9DB06306F0C89C9E9D4968C2C2D9DCCCD751

Function 00B50D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00B50DA5
GetKeyboardState.USER32(?), ref: 00B50DBA
SetKeyboardState.USER32(?), ref: 00B50E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B50E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B50E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B50EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B50EC9

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 59ffb47a16c65ea73c592eb2524eca0b7f793254d1a8b04f0f98c51557c9a2d2
Instruction ID: db1a04cc2fced5bdd3e61a811b6fe34ca07163a86f2b0e57b7f6e78a1292b9f5
Opcode Fuzzy Hash: 59ffb47a16c65ea73c592eb2524eca0b7f793254d1a8b04f0f98c51557c9a2d2
Instruction Fuzzy Hash: 9151F7A09247D67DFB32A7748C46BBA7EE9EB06301F1888C9E9D4464C2C395EC9CD750

Function 00B555FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00B5560A
_wcsncpy.LIBCMT ref: 00B5563F
_wcsncpy.LIBCMT ref: 00B55671
_wcsncpy.LIBCMT ref: 00B556A4
_wcsncpy.LIBCMT ref: 00B556E6
_wcsncpy.LIBCMT ref: 00B55720
_wcsncpy.LIBCMT ref: 00B5574F

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: cc5584fd60e9daf1b4bb5b13fdc96d169e600ea6ab1dca6452f860aa0d25e67c
Instruction ID: 66ac9c8ce4a17035e3e5c400f521bbebdf2d36db7fac0de73f6c3afacd620605
Opcode Fuzzy Hash: cc5584fd60e9daf1b4bb5b13fdc96d169e600ea6ab1dca6452f860aa0d25e67c
Instruction Fuzzy Hash: 6B41D665C1061476CB21EBB58C46ACFB3FD9F04711F9088D6E908E3221FB34A695C7E6

Function 00B7A056 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

@U=u, xrefs: 00B7A14F

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: 27129680b01249e31f1812f37ee2258d9f61e7b8effae3ca493f320aca1936fd
Instruction ID: f83db1906f7c05da4857d530f9ade0b34ecc37bd89d217002a259ef522ff4c53
Opcode Fuzzy Hash: 27129680b01249e31f1812f37ee2258d9f61e7b8effae3ca493f320aca1936fd
Instruction Fuzzy Hash: E541F735904104AFE760DF24CC89FADBBE4EB8A311F5481A5F92DB76E0CB70AD41DA51

Function 00B53671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B5466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B53697,?), ref: 00B5468B

Part of subcall function 00B5466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B53697,?), ref: 00B546A4

lstrcmpiW.KERNEL32(?,?), ref: 00B536B7
_wcscmp.LIBCMT ref: 00B536D3
MoveFileW.KERNEL32(?,?), ref: 00B536EB
_wcscat.LIBCMT ref: 00B53733
SHFileOperationW.SHELL32(?), ref: 00B5379F

Strings

\*.*, xrefs: 00B5372D

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: ecbae3e1b47c56643300cd2cadcdcbf5c808dcc98985fb841d27804b0433f314
Instruction ID: fd0244974a95639f830d01c9be50c510c679a1dd00a88236a593cb9c8045d0ce
Opcode Fuzzy Hash: ecbae3e1b47c56643300cd2cadcdcbf5c808dcc98985fb841d27804b0433f314
Instruction Fuzzy Hash: 44418E7150C344AAC752EF64D481AEFB7E8EF89780F4008EEB889C3251EB34D68D8756

Function 00B77291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B772AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B77351
IsMenu.USER32(?), ref: 00B77369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B773B1
DrawMenuBar.USER32 ref: 00B773C4

Strings

0, xrefs: 00B7729E

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 3c51de57e48c7fd55c4c7a464d6cc6841392eea2c7669bbeb61fa83a73a4a1e5
Instruction ID: 0fba09bf01eed3a2fe0d5c32d19b17c9c92e1b669f5dcbe2a9d6d3ba1829ce65
Opcode Fuzzy Hash: 3c51de57e48c7fd55c4c7a464d6cc6841392eea2c7669bbeb61fa83a73a4a1e5
Instruction Fuzzy Hash: 8E416A71A44209EFDB20DF50D884EAABBF4FB04310F1585A9FD2997290CB30AD51EF54

Function 00B70FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00B70FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B70FFE
FreeLibrary.KERNEL32(00000000), ref: 00B710B5

Part of subcall function 00B70FA5: RegCloseKey.ADVAPI32(?), ref: 00B7101B
Part of subcall function 00B70FA5: FreeLibrary.KERNEL32(?), ref: 00B7106D
Part of subcall function 00B70FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00B71090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00B71058

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: f8100482e4e9bd83f873774aa11783b92e124413bd1ba403efd51da453e52710
Instruction ID: cc203fc7de9ee75ed6ba815942a8ea5ecf8663f6502a4d020373cf1b954fb40f
Opcode Fuzzy Hash: f8100482e4e9bd83f873774aa11783b92e124413bd1ba403efd51da453e52710
Instruction Fuzzy Hash: B9311EB1901109BFDB15DF98DC89EFFB7BCEF08300F0045AAE519A2241DA745E859BB4

Function 00B4DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B4DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B4DB54
SysAllocString.OLEAUT32(00000000), ref: 00B4DB57
SysAllocString.OLEAUT32(?), ref: 00B4DB75
SysFreeString.OLEAUT32(?), ref: 00B4DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00B4DBA3
SysAllocString.OLEAUT32(?), ref: 00B4DBB1

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b2d0dc8f651c1ef39a6fac93fcea2f7fc448d781c3a1405c1f595024bfa30861
Instruction ID: 48ebedc7c0968ba4f586133072d62a4e6db42525b88c55fc7afa8d8a00e9c536
Opcode Fuzzy Hash: b2d0dc8f651c1ef39a6fac93fcea2f7fc448d781c3a1405c1f595024bfa30861
Instruction Fuzzy Hash: 0121A436600219AFDF10EFA8DC88CBB73ECFB09360B4185A5F918DB251DA70DD819764

Function 00B66173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B67D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B67DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B661C6
WSAGetLastError.WSOCK32(00000000), ref: 00B661D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00B6620E
connect.WSOCK32(00000000,?,00000010), ref: 00B66217
WSAGetLastError.WSOCK32 ref: 00B66221
closesocket.WSOCK32(00000000), ref: 00B6624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00B66263

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: e39f6bfe307bb45237927c0fbc73eb7f0a707221599fbb1a0ac21c8c782834e1
Instruction ID: 247f35e8bbe386c85b8c075e280c528492c137227bfa61b0eeb7b4a56eababc4
Opcode Fuzzy Hash: e39f6bfe307bb45237927c0fbc73eb7f0a707221599fbb1a0ac21c8c782834e1
Instruction Fuzzy Hash: D431AF71600108ABDF10AF64CC85FBE7BECEF45764F0440A9F909A7291DB78AD449BA2

Function 00B48E90 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF7DE1: _memmove.LIBCMT ref: 00AF7E22

Part of subcall function 00B4AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00B4AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B48F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B48F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00B48F57

Part of subcall function 00AF7BCC: _memmove.LIBCMT ref: 00AF7C06

Strings

ListBox, xrefs: 00B48ED3
ComboBox, xrefs: 00B48E9E
@U=u, xrefs: 00B48F14, 00B48F27, 00B48F57

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: @U=u$ComboBox$ListBox
API String ID: 365058703-2258501812
Opcode ID: a40d4de6214cc3d5f68735a85a045615e0a3346d0b1074bb7726327697d69af6
Instruction ID: cbb9065479464e01708fc54a603f74cd10329a6ce3c58c5fcb153967eb1c3e20
Opcode Fuzzy Hash: a40d4de6214cc3d5f68735a85a045615e0a3346d0b1074bb7726327697d69af6
Instruction Fuzzy Hash: 7C210171A44108BEDB14ABB0DC89CFFB7E9DF06320B104969F925A71E0DF394A49E610

Function 00B4F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00B4F671
__wcsnicmp.LIBCMT ref: 00B4F692
__wcsnicmp.LIBCMT ref: 00B4F6AC

Strings

#OnAutoItStartRegister, xrefs: 00B4F6A6
#notrayicon, xrefs: 00B4F669
#requireadmin, xrefs: 00B4F68C

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: aab594ddca976c6f1ab1c7806a38bcacc200610c74eb8ac421e35acd15c09cab
Instruction ID: 44e820a67d8a7c05b54d7d10271b23f1378353f3795aaa50d17ad4ab7d4c01be
Opcode Fuzzy Hash: aab594ddca976c6f1ab1c7806a38bcacc200610c74eb8ac421e35acd15c09cab
Instruction Fuzzy Hash: 4C2146722051136AD630BB34AC42EF773D8EF59740F5540B9F946870A1EBA49F82E3A5

Function 00B4DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B4DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B4DC2F
SysAllocString.OLEAUT32(00000000), ref: 00B4DC32
SysAllocString.OLEAUT32 ref: 00B4DC53
SysFreeString.OLEAUT32 ref: 00B4DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00B4DC76
SysAllocString.OLEAUT32(?), ref: 00B4DC84

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9f0f92926cf726a3df081955967c1a16618691aee1e2752b7e9f60862f89b34c
Instruction ID: e0126539e192214c465f50ba0f99fe58558e1870d322328d4fad04a57661e15f
Opcode Fuzzy Hash: 9f0f92926cf726a3df081955967c1a16618691aee1e2752b7e9f60862f89b34c
Instruction Fuzzy Hash: F1213035604205BF9F10ABA8DCC9DBB77ECEB09360B508165F918CB261DAB0DD85D764

Function 00B4B1EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00B4B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B4B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B4B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00B4B27F
_wcsstr.LIBCMT ref: 00B4B289

Strings

@U=u, xrefs: 00B4B221, 00B4B259

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID: @U=u
API String ID: 3902887630-2594219639
Opcode ID: 8ae059389fcebc22f5a4c5009a1ddf9b4eecbcac3cc6dd4e7e66bf154d2dd92f
Instruction ID: 0a202bb43da0bc8377e46257cdb124cdf03c89602443de08fd64bda3232a3afd
Opcode Fuzzy Hash: 8ae059389fcebc22f5a4c5009a1ddf9b4eecbcac3cc6dd4e7e66bf154d2dd92f
Instruction Fuzzy Hash: 672137322042057BEB155B759C49E7F7FD8DF49720F0041B9F908DA161EFA1CD80E260

Function 00B49307 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B49320

Part of subcall function 00AF7BCC: _memmove.LIBCMT ref: 00AF7C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B49352
__itow.LIBCMT ref: 00B4936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B49392
__itow.LIBCMT ref: 00B493A3

Strings

@U=u, xrefs: 00B49320, 00B49352, 00B49392

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID: @U=u
API String ID: 2983881199-2594219639
Opcode ID: a3a6057699e44305b6d237e9a9cab9f883b4e8522fb37109fe620fd38ffa7142
Instruction ID: c613417e333a6f87970bbdd368d6fa6f1bd57653b68945b51c07ef907652aab5
Opcode Fuzzy Hash: a3a6057699e44305b6d237e9a9cab9f883b4e8522fb37109fe620fd38ffa7142
Instruction Fuzzy Hash: 4621AA317042087BDB109E648C89EFF7BE9EF4AB10F044065FA45E71D1DA70CE45A795

Function 00B775CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AF1D73
Part of subcall function 00AF1D35: GetStockObject.GDI32(00000011), ref: 00AF1D87
Part of subcall function 00AF1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AF1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B77632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B7763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B7764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B77659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B77665

Strings

Msctls_Progress32, xrefs: 00B77603

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: d93ebdbfdf45ef491a043e146e544a5b5356277110371b601e5d3947a4b72a97
Instruction ID: 03bd131cf5060083cca3695d67172dfe889a16729f22b4aceb218632766135a5
Opcode Fuzzy Hash: d93ebdbfdf45ef491a043e146e544a5b5356277110371b601e5d3947a4b72a97
Instruction Fuzzy Hash: E411B6B115011DBFEF118F64CC85EE77F6DEF08798F014114BA18A2060CA72DC21DBA4

Function 00B19AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00B19AE6

Part of subcall function 00B13187: EncodePointer.KERNEL32(00000000), ref: 00B1318A
Part of subcall function 00B13187: __initp_misc_winsig.LIBCMT ref: 00B131A5
Part of subcall function 00B13187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00B19EA0
Part of subcall function 00B13187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00B19EB4
Part of subcall function 00B13187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00B19EC7
Part of subcall function 00B13187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00B19EDA
Part of subcall function 00B13187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00B19EED
Part of subcall function 00B13187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00B19F00
Part of subcall function 00B13187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00B19F13
Part of subcall function 00B13187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00B19F26
Part of subcall function 00B13187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00B19F39
Part of subcall function 00B13187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00B19F4C
Part of subcall function 00B13187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00B19F5F
Part of subcall function 00B13187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00B19F72
Part of subcall function 00B13187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00B19F85
Part of subcall function 00B13187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00B19F98
Part of subcall function 00B13187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00B19FAB
Part of subcall function 00B13187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00B19FBE

__mtinitlocks.LIBCMT ref: 00B19AEB
__mtterm.LIBCMT ref: 00B19AF4

Part of subcall function 00B19B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00B19AF9,00B17CD0,00BAA0B8,00000014), ref: 00B19C56
Part of subcall function 00B19B5C: _free.LIBCMT ref: 00B19C5D
Part of subcall function 00B19B5C: DeleteCriticalSection.KERNEL32(00BAEC00,?,?,00B19AF9,00B17CD0,00BAA0B8,00000014), ref: 00B19C7F

__calloc_crt.LIBCMT ref: 00B19B19
__initptd.LIBCMT ref: 00B19B3B
GetCurrentThreadId.KERNEL32 ref: 00B19B42

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 13a03617be8489abd3b4edd2b5a5930ee77efd8aa5ddff919d16837bf24923e2
Instruction ID: b4bcfa73837157fe15143fd6570604b857da24db4d92e8e933647a3f740decfb
Opcode Fuzzy Hash: 13a03617be8489abd3b4edd2b5a5930ee77efd8aa5ddff919d16837bf24923e2
Instruction Fuzzy Hash: DDF09032A1E7916AE6347774BC236CB26D0EF03730FA00AE9F564D61D2FF2089C141A0

Function 00B1406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00B13F85), ref: 00B14085
GetProcAddress.KERNEL32(00000000), ref: 00B1408C
EncodePointer.KERNEL32(00000000), ref: 00B14097
DecodePointer.KERNEL32(00B13F85), ref: 00B140B2

Strings

RoUninitialize, xrefs: 00B14074
combase.dll, xrefs: 00B14080

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 4528250cf4424027b394bf0b10f409dbe1057b6808bad16a03c17a409bdda3c1
Instruction ID: 6d19980f11df66ef8af05558871eb55d0420ce81e8f6060c7821b748d96147c5
Opcode Fuzzy Hash: 4528250cf4424027b394bf0b10f409dbe1057b6808bad16a03c17a409bdda3c1
Instruction Fuzzy Hash: 4DE09274585211ABEA10AF65EC0DB553AE9FB04B42F504164F105F30B0CFB64684CB18

Function 00B564B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B5660B
_memmove.LIBCMT ref: 00B56546

Part of subcall function 00AF9837: __itow.LIBCMT ref: 00AF9862
Part of subcall function 00AF9837: __swprintf.LIBCMT ref: 00AF98AC

_memmove.LIBCMT ref: 00B565B9
_memmove.LIBCMT ref: 00B566A0
_memmove.LIBCMT ref: 00B566B9
_memmove.LIBCMT ref: 00B566D5

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: c501d2cfef9f23abf16beb4b3eec8b141f75e8ad3671055b0f970422b07e1cb8
Instruction ID: 15aa341e0c7bf59f03bdb9b4ca5242ac6152fd17b3211c5b1d3448b9ad489f76
Opcode Fuzzy Hash: c501d2cfef9f23abf16beb4b3eec8b141f75e8ad3671055b0f970422b07e1cb8
Instruction Fuzzy Hash: 2F619B3190025E9BCF11EFA0CD82FFE3BA9AF09308F844599FD559B192DB74994ACB50

Function 00B701E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF7DE1: _memmove.LIBCMT ref: 00AF7E22

Part of subcall function 00B70E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B6FDAD,?,?), ref: 00B70E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B702BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B702FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00B70320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B70349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B7038C
RegCloseKey.ADVAPI32(00000000), ref: 00B70399

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 94b84643390709afdd6840dc330b9fa57d2729a93ce61728c935008a89d3c947
Instruction ID: f1353ad28ae6d4ad8e58cf965491979475ceef61d41de7bf1e32a48916b53ba8
Opcode Fuzzy Hash: 94b84643390709afdd6840dc330b9fa57d2729a93ce61728c935008a89d3c947
Instruction Fuzzy Hash: 72515831218204AFC714EF64C985E6EBBE8FF89314F04895EF5598B2A2DB31E945CB52

Function 00B75799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00B757FB
GetMenuItemCount.USER32(00000000), ref: 00B75832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B7585A
GetMenuItemID.USER32(?,?), ref: 00B758C9
GetSubMenu.USER32(?,?), ref: 00B758D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00B75928

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: a8390e6c3fd0d9f9debc1d64bdf639c1f5c0cc3d7e237de9c98ff3f31824ca23
Instruction ID: a88e90c219de7be45311abdfa4296fb0d2beb627350bf467d41c59e88bde5858
Opcode Fuzzy Hash: a8390e6c3fd0d9f9debc1d64bdf639c1f5c0cc3d7e237de9c98ff3f31824ca23
Instruction Fuzzy Hash: AE513D31E00619EFCF11EFA4C845AAEB7F4EF48710F1480A9E959AB351CB71AE41CB91

Function 00B4EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B4EF06
VariantClear.OLEAUT32(00000013), ref: 00B4EF78
VariantClear.OLEAUT32(00000000), ref: 00B4EFD3
_memmove.LIBCMT ref: 00B4EFFD
VariantClear.OLEAUT32(?), ref: 00B4F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00B4F078

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 2a973574b90da84dfbe3af52fe58542233e3f543389688bf0c92c6b5e2eac26d
Instruction ID: a116f2740f16f2c230a8336ce336ee39412d8a7e59b0475f21a9c7c7235adc6b
Opcode Fuzzy Hash: 2a973574b90da84dfbe3af52fe58542233e3f543389688bf0c92c6b5e2eac26d
Instruction Fuzzy Hash: 9F514D75A0020ADFDB14CF58C884AAAB7F8FF4C314B158569E959DB301E735EA51CFA0

Function 00B5220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B52258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B522A3
IsMenu.USER32(00000000), ref: 00B522C3
CreatePopupMenu.USER32 ref: 00B522F7
GetMenuItemCount.USER32(000000FF), ref: 00B52355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00B52386

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 8b4cf11f295cf6244fb19bdeffbe491c7030ef2813846caa9a99788c3cbdb06b
Instruction ID: a1a821077e590435c0eda98c4f524e162044397ff758b4c6718c36e08efea65d
Opcode Fuzzy Hash: 8b4cf11f295cf6244fb19bdeffbe491c7030ef2813846caa9a99788c3cbdb06b
Instruction Fuzzy Hash: 5651DF30A0220ADFDF25CF68C888BADBBF4EF56316F1441E9EC1597290D7B48A48CB55

Function 00AF1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00AF2612: GetWindowLongW.USER32(?,000000EB), ref: 00AF2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00AF179A
GetWindowRect.USER32(?,?), ref: 00AF17FE
ScreenToClient.USER32(?,?), ref: 00AF181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00AF182C
EndPaint.USER32(?,?), ref: 00AF1876

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 157d71b82ee0f34f16611e4d800b1ab03eeb2abf37a132dbecd9f1cf33474616
Instruction ID: 92005d4a1fbd3ed6e4bdf5ea0971ebf95a236cd54dc54960cc3a39c535367771
Opcode Fuzzy Hash: 157d71b82ee0f34f16611e4d800b1ab03eeb2abf37a132dbecd9f1cf33474616
Instruction Fuzzy Hash: B941AD31104305EFD721DF64DC84FBA7BF8EB49724F044668FAA88B2A1CB709845DB62

Function 00B6709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00B64E41,?,?,00000000,00000001), ref: 00B670AC

Part of subcall function 00B639A0: GetWindowRect.USER32(?,?), ref: 00B639B3

GetDesktopWindow.USER32 ref: 00B670D6
GetWindowRect.USER32(00000000), ref: 00B670DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00B6710F

Part of subcall function 00B55244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B552BC

GetCursorPos.USER32(?), ref: 00B6713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B67199

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 6380d3292db561419b85d0567ec8cda9f2a951d2eeccb4834188d07a14ee1736
Instruction ID: 493194746b3be8f5fa42e937da540cd5a0f7851d53b7a04c01e97f63eed3fbd5
Opcode Fuzzy Hash: 6380d3292db561419b85d0567ec8cda9f2a951d2eeccb4834188d07a14ee1736
Instruction Fuzzy Hash: AD310672508306ABC720DF14CC49F5BB7E9FF89314F00055AF489A7191CB34EA49CB96

Function 00B48879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B480A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B480C0
Part of subcall function 00B480A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B480CA
Part of subcall function 00B480A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B480D9
Part of subcall function 00B480A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B480E0
Part of subcall function 00B480A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B480F6

GetLengthSid.ADVAPI32(?,00000000,00B4842F), ref: 00B488CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00B488D6
HeapAlloc.KERNEL32(00000000), ref: 00B488DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00B488F6
GetProcessHeap.KERNEL32(00000000,00000000,00B4842F), ref: 00B4890A
HeapFree.KERNEL32(00000000), ref: 00B48911

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 320b6ee1592fee08f945cf7476ec5b36f84135e0a227e81361f9c1b2349111ee
Instruction ID: 2b8ca1046d81561bb2a2d1cfaeb78e6cec4e7bae90213ae968170e909c6a0212
Opcode Fuzzy Hash: 320b6ee1592fee08f945cf7476ec5b36f84135e0a227e81361f9c1b2349111ee
Instruction Fuzzy Hash: 4311B131501609FFDB159FA4DC09BBE77A8FB45311F5040A8E949A7210CB329E40EB60

Function 00B485B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00B485E2
OpenProcessToken.ADVAPI32(00000000), ref: 00B485E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00B485F8
CloseHandle.KERNEL32(00000004), ref: 00B48603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B48632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00B48646

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 4eff530222814d944050f071d765ee4d1cb26a492e341a817e440400c0c002e7
Instruction ID: 53f2146bc1792fa217cd6f9efc384a270e0010d6b84c36bd3a5fcdf2abf1190a
Opcode Fuzzy Hash: 4eff530222814d944050f071d765ee4d1cb26a492e341a817e440400c0c002e7
Instruction Fuzzy Hash: 54115C7250020AABDF018FA4ED49BEE7BE9FF08304F044064FE09A2161CB718E60EB64

Function 00B4B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B4B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00B4B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B4B7CD
ReleaseDC.USER32(00000000,00000000), ref: 00B4B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00B4B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00B4B7FE

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: d93482f3edfc31c18d0030e372a67f3ca1d52fb502ed8a6f2f3c9103df92fe0b
Instruction ID: 135108e0903d074d32bda14934f0ddcfda5a2553ddb10e12f52ce43fff047d79
Opcode Fuzzy Hash: d93482f3edfc31c18d0030e372a67f3ca1d52fb502ed8a6f2f3c9103df92fe0b
Instruction Fuzzy Hash: 2E018475E00209BBEF109FA69C45E5EBFB8EB48721F0040B5FA08E7291DA309D00CF90

Function 00B10162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B10193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00B1019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B101A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B101B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00B101B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B101C1

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 4f980a505a45f3f0e5aee880e556653236f2ea4fc35e4e6db22503f7dd8a741b
Instruction ID: c185a092c83a4c101324240cbe4d300dab3efc680058593cc28c5d2016bf74ac
Opcode Fuzzy Hash: 4f980a505a45f3f0e5aee880e556653236f2ea4fc35e4e6db22503f7dd8a741b
Instruction Fuzzy Hash: 24016CB090175A7DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5

Function 00B553E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B553F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B5540F
GetWindowThreadProcessId.USER32(?,?), ref: 00B5541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B5542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B55437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B5543E

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 7114551f49abc05b034ac8dc17b508713727e03abebef6016ea0785f2ba41bd6
Instruction ID: 502b767dc92dfeb06d939791f047a05cbc376a5eb75d83e5e4bf35a31c17cd30
Opcode Fuzzy Hash: 7114551f49abc05b034ac8dc17b508713727e03abebef6016ea0785f2ba41bd6
Instruction Fuzzy Hash: F0F03032241559BBE7215BA2DC0DEFF7B7CEFC6B12F000169FA09D2091DBA15A41C6B9

Function 00B57230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00B57243
EnterCriticalSection.KERNEL32(?,?,00B00EE4,?,?), ref: 00B57254
TerminateThread.KERNEL32(00000000,000001F6,?,00B00EE4,?,?), ref: 00B57261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00B00EE4,?,?), ref: 00B5726E

Part of subcall function 00B56C35: CloseHandle.KERNEL32(00000000,?,00B5727B,?,00B00EE4,?,?), ref: 00B56C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00B57281
LeaveCriticalSection.KERNEL32(?,?,00B00EE4,?,?), ref: 00B57288

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 8da56523e3d05b7ac657ebeb786f68d39b7e24dc44f0e81487a821133c379549
Instruction ID: d80d226b93f5b20117ad9d7f5f999c8dd29b837a5967528d0621c5c8ce1e0b72
Opcode Fuzzy Hash: 8da56523e3d05b7ac657ebeb786f68d39b7e24dc44f0e81487a821133c379549
Instruction Fuzzy Hash: CEF0BE36148203EBDB511B64EC4CAEA3769FF05302F4001B1F607A20A2CF765880CB64

Function 00B48992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B4899D
UnloadUserProfile.USERENV(?,?), ref: 00B489A9
CloseHandle.KERNEL32(?), ref: 00B489B2
CloseHandle.KERNEL32(?), ref: 00B489BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00B489C3
HeapFree.KERNEL32(00000000), ref: 00B489CA

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 5e2956f308243119a479aa698e42786a85ed8ffe12790930bd449835a81ef695
Instruction ID: c73e439a5157fc4e5dd2213d9cf528db74766c8163a6b9d4d3216a041feaf2b3
Opcode Fuzzy Hash: 5e2956f308243119a479aa698e42786a85ed8ffe12790930bd449835a81ef695
Instruction Fuzzy Hash: 3BE05276104506FBDA011FF5EC0C96ABB69FB89762B518631F22D92870CF3294A1DB68

Function 00B685ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B68613
CharUpperBuffW.USER32(?,?), ref: 00B68722
VariantClear.OLEAUT32(?), ref: 00B6889A

Part of subcall function 00B57562: VariantInit.OLEAUT32(00000000), ref: 00B575A2
Part of subcall function 00B57562: VariantCopy.OLEAUT32(00000000,?), ref: 00B575AB
Part of subcall function 00B57562: VariantClear.OLEAUT32(00000000), ref: 00B575B7

Strings

Incorrect Parameter format, xrefs: 00B6864B, 00B6880D
AUTOIT.ERROR, xrefs: 00B68728

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 5f0c5c40b273eddea174dfa7a3dc8ff096ac018a85b5aa5ff62ed8255b3d7e2a
Instruction ID: 2b2a46ab6a5f66761bb1040c4056c00cb10f33c6879f0a943464d3aa257a62a2
Opcode Fuzzy Hash: 5f0c5c40b273eddea174dfa7a3dc8ff096ac018a85b5aa5ff62ed8255b3d7e2a
Instruction Fuzzy Hash: BA918C70608305DFCB10DF64C58496BBBE4EF89714F1489AEF99A8B361DB30E945CB92

Function 00B52A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0FC86: _wcscpy.LIBCMT ref: 00B0FCA9

_memset.LIBCMT ref: 00B52B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B52BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B52C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B52C97

Strings

0, xrefs: 00B52B73

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 5506855b65f24f78ab1eb2e5d4d166681bdd7d289f739cc46529003350f55cad
Instruction ID: d32a52d7838377b7a8e58cc9d4978dd69b6b0eed04b897585425dec8b383e42d
Opcode Fuzzy Hash: 5506855b65f24f78ab1eb2e5d4d166681bdd7d289f739cc46529003350f55cad
Instruction Fuzzy Hash: 8451BE7160A3019BD724AF28D885B6FB7E8EF5A311F040AEDFC95D7292DB60CD488752

Function 00B797F4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(014AE8E8,?), ref: 00B79863
ScreenToClient.USER32(00000002,00000002), ref: 00B79896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00B79903

Strings

@U=u, xrefs: 00B7995E

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: 76752fdc542a917303ef0a49f41fe1e97a42eb0c9e1fa399c1db22d6b72d5094
Instruction ID: 38d4c905a4ccfe047bb02b862389c286462ceb834187e25429b67d593ca1f1e2
Opcode Fuzzy Hash: 76752fdc542a917303ef0a49f41fe1e97a42eb0c9e1fa399c1db22d6b72d5094
Instruction Fuzzy Hash: 07513F34A00609EFDF24DF54C880AAE7BF5FF45360F148299F9699B2A0D771AD81CB91

Function 00B49A80 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00B49AD2
__itow.LIBCMT ref: 00B49B03

Part of subcall function 00B49D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00B49DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00B49B6C
__itow.LIBCMT ref: 00B49BC3

Strings

@U=u, xrefs: 00B49AD2, 00B49B6C

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend$__itow
String ID: @U=u
API String ID: 3379773720-2594219639
Opcode ID: 4ede5fc4bd7dc0624d7b0d641a35b190fece32816634159cc50a5e0129cb4946
Instruction ID: 9f003023f9b8c7140384aa52185e85873f75eafcaf017a17e703137fd10edb4c
Opcode Fuzzy Hash: 4ede5fc4bd7dc0624d7b0d641a35b190fece32816634159cc50a5e0129cb4946
Instruction Fuzzy Hash: 52416E70A0020CABDF21EF54D985BFE7BF9EF49710F0000A9FA05A7291DB709A45DB61

Function 00B497F5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B514BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B49296,?,?,00000034,00000800,?,00000034), ref: 00B514E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00B4983F

Part of subcall function 00B51487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B492C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00B514B1

Part of subcall function 00B513DE: GetWindowThreadProcessId.USER32(?,?), ref: 00B51409
Part of subcall function 00B513DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00B4925A,00000034,?,?,00001004,00000000,00000000), ref: 00B51419
Part of subcall function 00B513DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00B4925A,00000034,?,?,00001004,00000000,00000000), ref: 00B5142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B498AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B498F9

Strings

@, xrefs: 00B49911
@U=u, xrefs: 00B4983F, 00B498AC, 00B498F9

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @$@U=u
API String ID: 4150878124-826235744
Opcode ID: 3285eba03c937868a3887698dedce5927330529a65fb244fe10d53a92f43fd36
Instruction ID: 77b9619eda8842b44c6b68414199f0227b5b853d74eb251acee38cef166bc12b
Opcode Fuzzy Hash: 3285eba03c937868a3887698dedce5927330529a65fb244fe10d53a92f43fd36
Instruction Fuzzy Hash: 02413076900118BFDB10DFA4CC41BDEBBB8EB49740F004599FA45B7191DA716E89DBA0

Function 00B4D56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B4D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00B4D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00B4D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B4D69D

Strings

DllGetClassObject, xrefs: 00B4D610

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: cb4e0fecbc276bef4a4a92660ad0dc2f6c68d5a63f241cddc028e0fe3a57f037
Instruction ID: 47a704584b08d05effd1801c28c479a156032f01b377a653aabedeaf71b7b716
Opcode Fuzzy Hash: cb4e0fecbc276bef4a4a92660ad0dc2f6c68d5a63f241cddc028e0fe3a57f037
Instruction Fuzzy Hash: AE416DB1600205EFDF05DF64D884AAA7BF9EF45310F1681E9AD099F205DBB1DE44EBA0

Function 00B52753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B527C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00B527DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00B52822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00BB5890,00000000), ref: 00B5286B

Strings

0, xrefs: 00B527B5

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: bbe8528077cb1799dc3a2982cabe05a7cbf4546c5b600c1ad98f52849c34bd16
Instruction ID: 67066f56bec154438ea1d2714ddf3c85c921246aab74205c2d2678494b98d55f
Opcode Fuzzy Hash: bbe8528077cb1799dc3a2982cabe05a7cbf4546c5b600c1ad98f52849c34bd16
Instruction Fuzzy Hash: 4B41BF702063419FDB24DF64C885B2ABBE8EF86315F0449EDF9A5972D1DB30E809CB52

Function 00B78851 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B788DE

Strings

@U=u, xrefs: 00B7892D

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: 87144133cef0026d6ae9ae9ef280b1531a641b1b7169a9066d357b7a81507c5d
Instruction ID: 5b7201036d64fcf897db504e339a37e46e08f819efd3800b5904ba5eb7b1bb9f
Opcode Fuzzy Hash: 87144133cef0026d6ae9ae9ef280b1531a641b1b7169a9066d357b7a81507c5d
Instruction Fuzzy Hash: 1831A134680109BFEB219A68DC8DBB87BE5EB09310F548192FB7DE71A1CE70D9409B57

Function 00B6D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B6D7C5

Part of subcall function 00AF784B: _memmove.LIBCMT ref: 00AF7899

Strings

stdcall, xrefs: 00B6D847
none, xrefs: 00B6D8A0
winapi, xrefs: 00B6D836
cdecl, xrefs: 00B6D81C

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: b72b624a02f85f2b577a6c92416fba09983c6f91a876b171b1e70fccb0de1847
Instruction ID: 6e85c7a883a2cfcef1074257bd07be62e0dfe63d007ad64522cb2409921360ff
Opcode Fuzzy Hash: b72b624a02f85f2b577a6c92416fba09983c6f91a876b171b1e70fccb0de1847
Instruction Fuzzy Hash: 6431AE71A04619ABCF00EFA4C9959FEB3F4FF15320B0086A9E825972D1DB71A945CB80

Function 00B6182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B6184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B61872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B618A2
InternetCloseHandle.WININET(00000000), ref: 00B618E9

Part of subcall function 00B62483: GetLastError.KERNEL32(?,?,00B61817,00000000,00000000,00000001), ref: 00B62498
Part of subcall function 00B62483: SetEvent.KERNEL32(?,?,00B61817,00000000,00000000,00000001), ref: 00B624AD

Strings

, xrefs: 00B61893

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 9c12ba4a3f4a5c0667a3de51301ad6dafeaf22fe7c5ea08928e0351816f6bd23
Instruction ID: 3657c5ee418c2223c51f2f3553e4c605da7e2d5bbdac613f01d0ac5570a3519d
Opcode Fuzzy Hash: 9c12ba4a3f4a5c0667a3de51301ad6dafeaf22fe7c5ea08928e0351816f6bd23
Instruction Fuzzy Hash: F921BEB1500208BFEB11DB68DC85EBB77EDEB48B44F14456AF905A3240EA288D059BB1

Function 00B763E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AF1D73
Part of subcall function 00AF1D35: GetStockObject.GDI32(00000011), ref: 00AF1D87
Part of subcall function 00AF1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AF1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B76461
LoadLibraryW.KERNEL32(?), ref: 00B76468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B7647D
DestroyWindow.USER32(?), ref: 00B76485

Strings

SysAnimate32, xrefs: 00B7643C

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: d149b3a7e83f1bed767c3af64def5403081f2ade90aee6f5d122895858f3e0ce
Instruction ID: d16c88a0b4f12648ecf240a70c3c52dd33027a42c300d13aaecced392b9c6808
Opcode Fuzzy Hash: d149b3a7e83f1bed767c3af64def5403081f2ade90aee6f5d122895858f3e0ce
Instruction Fuzzy Hash: DC218E71200A06AFEF104F64DC80EBA37E9EB59324F108669FA2893290D771DC819760

Function 00B56D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00B56DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B56DEF
GetStdHandle.KERNEL32(0000000C), ref: 00B56E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00B56E3B

Strings

nul, xrefs: 00B56E36

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 28d56ec1daa3981047653e8227fd02001e0d3eeda46aa8ea7bb1c7e503ee6197
Instruction ID: dd35071e6dee538702d9ba692049f29ac2c0ce8f56959732225e08d7c7a972e3
Opcode Fuzzy Hash: 28d56ec1daa3981047653e8227fd02001e0d3eeda46aa8ea7bb1c7e503ee6197
Instruction Fuzzy Hash: 9521B27460020AABDB209F29DC45B9A7BF4EF44722F604AE9FCA1D72D0DB709C58CB54

Function 00B56E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B56E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B56EBB
GetStdHandle.KERNEL32(000000F6), ref: 00B56ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00B56F06

Strings

nul, xrefs: 00B56F01

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: be88781eaf7655fb0c07ae2690a6250c0ade548c179c245d3fce29c0a1d9d5d5
Instruction ID: 1f4f274643bbcd16d5e906ce0605d5f7035c72454811e4eb7145d32f29d2cc1d
Opcode Fuzzy Hash: be88781eaf7655fb0c07ae2690a6250c0ade548c179c245d3fce29c0a1d9d5d5
Instruction Fuzzy Hash: 6C21D6755013069BDB209F69CC45BAA77E8EF45721F600AD9FCA1D32D0DB709859CB10

Function 00B5AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B5AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00B5ACA8
__swprintf.LIBCMT ref: 00B5ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00B7F910), ref: 00B5ACFF

Strings

%lu, xrefs: 00B5ACBB

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 5f17ea3c7cc9d1836ef3ba35c93cb1d677e4c0c5c0fba08f5d46fd4677d80939
Instruction ID: ced356cd5b05cced35a56f2e0e7ce8e0b3ad8722088ee63e9246af904c459368
Opcode Fuzzy Hash: 5f17ea3c7cc9d1836ef3ba35c93cb1d677e4c0c5c0fba08f5d46fd4677d80939
Instruction Fuzzy Hash: 00217130A0010DAFCB10EFA4CD85EAE7BF8EF49714B0040A9F909AB251DA31EA45CB61

Function 00B51AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B51B19

Strings

REMOVE, xrefs: 00B51B1F
EXISTS, xrefs: 00B51B41
APPEND, xrefs: 00B51B52
KEYS, xrefs: 00B51B30

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 21f5abd47d7cb408e9f23443e991d79e3c0da518f93fb3636a283b3d3cf9ee9d
Instruction ID: 6445f1eaba572e67c7a00d6e39b5e080be5accd053b7217eae5da56577dd080f
Opcode Fuzzy Hash: 21f5abd47d7cb408e9f23443e991d79e3c0da518f93fb3636a283b3d3cf9ee9d
Instruction Fuzzy Hash: 77113C319201098FCF00EFA8D851AFEB7F4FF26304B5088E5EC1467691EB32594ACB50

Function 00B6EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B6EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B6EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00B6ED6A
CloseHandle.KERNEL32(?), ref: 00B6EDEB

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 0a4e0d082176b56ae015ac1e779f72defffcd3fae96b763e2c53d775b02d39e1
Instruction ID: b42352c6c839e8326701c18c01a68cfe2d82a46ac1dbea746b7fc124076b360c
Opcode Fuzzy Hash: 0a4e0d082176b56ae015ac1e779f72defffcd3fae96b763e2c53d775b02d39e1
Instruction Fuzzy Hash: 808160756043009FD720EF68C986F2AB7E5EF44750F04885DFAA99B292DB74EC40CB91

Function 00B1541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B1547B
_memcpy_s.LIBCMT ref: 00B154ED
__read_nolock.LIBCMT ref: 00B1554B
__filbuf.LIBCMT ref: 00B1556E
_memset.LIBCMT ref: 00B155B2

Part of subcall function 00B18B28: __getptd_noexit.LIBCMT ref: 00B18B28

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: 2298570a2949906573c18134310f9cd1ebe2b9b8f3fa137303c8986accf4fedd
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: 4B51C470A00B05DBCB349F69D8806EE77E7EF91321FA487A9F825962D4D7709DD08B40

Function 00B70037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF7DE1: _memmove.LIBCMT ref: 00AF7E22

Part of subcall function 00B70E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B6FDAD,?,?), ref: 00B70E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B700FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B7013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B70183
RegCloseKey.ADVAPI32(?,?), ref: 00B701AF
RegCloseKey.ADVAPI32(00000000), ref: 00B701BC

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 325e20023a06feb6305973c995da350dc343b835f5a1745ac38a353e2d0d880b
Instruction ID: c01300c610c8bb05847576b89006b870d2e433043f0d1508bb7ea8ea21e4c4eb
Opcode Fuzzy Hash: 325e20023a06feb6305973c995da350dc343b835f5a1745ac38a353e2d0d880b
Instruction Fuzzy Hash: 14514A71218208AFC704EF68C981F7AB7E9FF84314F40895EF559972A1DB31E904CB52

Function 00B6D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF9837: __itow.LIBCMT ref: 00AF9862
Part of subcall function 00AF9837: __swprintf.LIBCMT ref: 00AF98AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B6D927
GetProcAddress.KERNEL32(00000000,?), ref: 00B6D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00B6D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00B6DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B6DA21

Part of subcall function 00AF5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B57896,?,?,00000000), ref: 00AF5A2C
Part of subcall function 00AF5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B57896,?,?,00000000,?,?), ref: 00AF5A50

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 3a93c80fd995e1f9da5ac20f0ab14f87a1b636b5cbc89adb5ffe937065700bc8
Instruction ID: b07935ec02343d2d1dd021d69c7b9b5406da154e35c37fec464269f3c4bd0c11
Opcode Fuzzy Hash: 3a93c80fd995e1f9da5ac20f0ab14f87a1b636b5cbc89adb5ffe937065700bc8
Instruction Fuzzy Hash: 7F513635E04609DFCB00EFA8C4849ADB7F4FF09320B1580A5EA19AB362DB34AD45CF91

Function 00B5E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B5E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00B5E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B5E687

Part of subcall function 00AF9837: __itow.LIBCMT ref: 00AF9862
Part of subcall function 00AF9837: __swprintf.LIBCMT ref: 00AF98AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B5E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B5E6B4

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 099adf3ed5ee9464ac9a1b9b1304380f63fba07f0ee831948f078e7c3d3d5804
Instruction ID: e76208320be20c7b0034c033b68f4f4098491bf819e2f4b6be63c762dabcf162
Opcode Fuzzy Hash: 099adf3ed5ee9464ac9a1b9b1304380f63fba07f0ee831948f078e7c3d3d5804
Instruction Fuzzy Hash: D3512A35A00109DFCB05EFA4C981AAEBBF5EF09354B1480A9F959AB362CB31ED51DF50

Function 00AF2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00AF2357
ScreenToClient.USER32(00BB57B0,?), ref: 00AF2374
GetAsyncKeyState.USER32(00000001), ref: 00AF2399
GetAsyncKeyState.USER32(00000002), ref: 00AF23A7

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d8d622587bed432a5ab30500d522674c2605387d58c7104450c308bba0ae6b81
Instruction ID: 95ea342beb8f477f29a9814f11af8253c74061ba2354cebcdaac5ccc2e8487e9
Opcode Fuzzy Hash: d8d622587bed432a5ab30500d522674c2605387d58c7104450c308bba0ae6b81
Instruction Fuzzy Hash: 8941A175604119FBDF158FA8C844BFEBBB4FB05360F204359F82996290CB30A990DB91

Function 00B463AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B463E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00B46433
TranslateMessage.USER32(?), ref: 00B4645C
DispatchMessageW.USER32(?), ref: 00B46466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B46475

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: a9657803427fe3085d81d5a87dd9f70170957b94c8c7b94f23cd66196922df98
Instruction ID: 71190239c88b3f0b32fa0236d96e910934c3ccc1fd4b4511ea020f88056f69fb
Opcode Fuzzy Hash: a9657803427fe3085d81d5a87dd9f70170957b94c8c7b94f23cd66196922df98
Instruction Fuzzy Hash: 4C31A671A016469FDF648F74DC84BF67BE8EB02310F1402A5E425C32A1EB65DA85E763

Function 00B48A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B48A30
PostMessageW.USER32(?,00000201,00000001), ref: 00B48ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00B48AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00B48AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00B48AF8

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: dbebddb4d6a8d5a02808c7fab93931a92812e40a2a8bcbfa079cc40a720db820
Instruction ID: 9ae04e64cdf07d4d5971b1368cf15f033f2cd21449134fd2524c86e958392351
Opcode Fuzzy Hash: dbebddb4d6a8d5a02808c7fab93931a92812e40a2a8bcbfa079cc40a720db820
Instruction Fuzzy Hash: 1231B171500219EBDF14CF68D94CAAE3BB5EB04315F104269F929E71D0CBB09A54EB90

Function 00B7B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00AF2612: GetWindowLongW.USER32(?,000000EB), ref: 00AF2623

GetWindowLongW.USER32(?,000000F0), ref: 00B7B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00B7B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B7B1CF
GetSystemMetrics.USER32(00000004), ref: 00B7B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00B60E90,00000000), ref: 00B7B216

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 44a89cb4514b070b7d81dd1529118d49080e1c3c0eb42767f8c5bc59133837ae
Instruction ID: 39ae4ab3631618d83ee282bbf7b1760596a966351685494aebd5885ffdd95b70
Opcode Fuzzy Hash: 44a89cb4514b070b7d81dd1529118d49080e1c3c0eb42767f8c5bc59133837ae
Instruction Fuzzy Hash: 9A217C71A20256AFCB209F39DC54F6A3BE4EB05321F118768F93AD75E0EB3098509B90

Function 00B65A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00B65A6E
GetForegroundWindow.USER32 ref: 00B65A85
GetDC.USER32(00000000), ref: 00B65AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00B65ACD
ReleaseDC.USER32(00000000,00000003), ref: 00B65B08

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 7a97f799f703e70eabd3ed860eba2d2a4852fc0de35d99f228753b1e6fb1cfcd
Instruction ID: c0082a7511b72b103a1b0f15dd6cbecf73d57f109fa6a34fef73f82834090c59
Opcode Fuzzy Hash: 7a97f799f703e70eabd3ed860eba2d2a4852fc0de35d99f228753b1e6fb1cfcd
Instruction Fuzzy Hash: 95218435A00104AFD714EFA5DD89AAAB7E5EF48750F1484B9F94AD7351CE34ED40CB90

Function 00AF12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AF134D
SelectObject.GDI32(?,00000000), ref: 00AF135C
BeginPath.GDI32(?), ref: 00AF1373
SelectObject.GDI32(?,00000000), ref: 00AF139C

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2c3a39672818e8856cdf2855bf3f0f411fd55ef2a45fe7cbe1f7ecbb1f0ac3b6
Instruction ID: 8926c471eb1ccaaca890d32585fe7c872434763b03b8d78f99e9ab05b24bb526
Opcode Fuzzy Hash: 2c3a39672818e8856cdf2855bf3f0f411fd55ef2a45fe7cbe1f7ecbb1f0ac3b6
Instruction Fuzzy Hash: EE216A31800609EFDB219F65EC04BB97BE8FB00321F14432AF9189B5B0DBB19991DF92

Function 00B54A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B54ABA
__beginthreadex.LIBCMT ref: 00B54AD8
MessageBoxW.USER32(?,?,?,?), ref: 00B54AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B54B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B54B0A

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: d88a94106f00b6006988169d17fe1f9f756e60396339a19024bc72b643af0f83
Instruction ID: 514d792eac3fc10122221d179346b2640dd787945ecd7206a99c2b79da51bd7f
Opcode Fuzzy Hash: d88a94106f00b6006988169d17fe1f9f756e60396339a19024bc72b643af0f83
Instruction Fuzzy Hash: B011A576905615BBC7119BA89C04BAE7BECEB45325F1442A9F818D3250DBB1C98487A1

Function 00B48202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B4821E
GetLastError.KERNEL32(?,00B47CE2,?,?,?), ref: 00B48228
GetProcessHeap.KERNEL32(00000008,?,?,00B47CE2,?,?,?), ref: 00B48237
HeapAlloc.KERNEL32(00000000,?,00B47CE2,?,?,?), ref: 00B4823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B48255

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 47ea3e01f19cc27602ca37294534c0c353c9e959359fe33990ae80263ad54c7e
Instruction ID: c18bca6925e1a4946e3ec808f4a720d5c0becd46851f6b5dd8de843850a11b9d
Opcode Fuzzy Hash: 47ea3e01f19cc27602ca37294534c0c353c9e959359fe33990ae80263ad54c7e
Instruction Fuzzy Hash: EA016971604205BFDB204FAADC48D7B7BACEF8A794B500469F909D3220DE718D40DA70

Function 00B4710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B47044,80070057,?,?,?,00B47455), ref: 00B47127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B47044,80070057,?,?), ref: 00B47142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B47044,80070057,?,?), ref: 00B47150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B47044,80070057,?), ref: 00B47160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B47044,80070057,?,?), ref: 00B4716C

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 2d53e6b22835c195cfbf7e7c4cfba661eaba5068fbdc7b2193b4dcfb34466ebe
Instruction ID: cb58fc4d2dcf8a12ad41629dbd8476a74adc4597281d4f1d629c2bd8709c861c
Opcode Fuzzy Hash: 2d53e6b22835c195cfbf7e7c4cfba661eaba5068fbdc7b2193b4dcfb34466ebe
Instruction Fuzzy Hash: A8017C72605205ABDB118F64DC44AAA7BEDEF44791F1440A4FD49E3220DF31DE80EBA0

Function 00B55244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B55260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B5526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B55276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B55280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B552BC

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 6790ac4f859e0b85cac5bff03765ab53f5720989742bcf6ab870ee6c52e523d3
Instruction ID: e6f035d588ff4fe495e8805b88135e4ac0ed9a3baa529bc3868c1bc7a3abc025
Opcode Fuzzy Hash: 6790ac4f859e0b85cac5bff03765ab53f5720989742bcf6ab870ee6c52e523d3
Instruction Fuzzy Hash: A0010931D01A1ADBCF10DFE4E899AEDBBB8FB09712F40419AEA45B3140CF3155548BA5

Function 00B4810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B48121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B4812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B4813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B48141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B48157

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ee50827a40eb86c21ddba51d7519a363bea0cb6dbcbcae5b639728f861bc4326
Instruction ID: 293b6fe94252291f037caf464963fe0164eeb26335098af4ee781625ea0d24e1
Opcode Fuzzy Hash: ee50827a40eb86c21ddba51d7519a363bea0cb6dbcbcae5b639728f861bc4326
Instruction Fuzzy Hash: E2F04F71200305AFEB110FA9EC88E7B3BACFF49754F000066F949E7150CE619981EA60

Function 00B4C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00B4C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00B4C20E
MessageBeep.USER32(00000000), ref: 00B4C226
KillTimer.USER32(?,0000040A), ref: 00B4C242
EndDialog.USER32(?,00000001), ref: 00B4C25C

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 2e2b2c1c013f21e3f05273180b9bfca0696beaa07e208a9cf8a13abab731969f
Instruction ID: ee31dd8b6eb9178d371000923ecfa1c0066c3cc2d4d97d2756402d6930b7aad7
Opcode Fuzzy Hash: 2e2b2c1c013f21e3f05273180b9bfca0696beaa07e208a9cf8a13abab731969f
Instruction Fuzzy Hash: DB01A73050430597EB605B54DD4EFA67BB8FB00B05F0002A9B546914E0DBE0A984DB55

Function 00AF13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00AF13BF
StrokeAndFillPath.GDI32(?,?,00B2B888,00000000,?), ref: 00AF13DB
SelectObject.GDI32(?,00000000), ref: 00AF13EE
DeleteObject.GDI32 ref: 00AF1401
StrokePath.GDI32(?), ref: 00AF141C

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 4cf7f2532aa8e7bf518aaf87d5a9176e2f1375be15dee2b685b3d21a709cbda9
Instruction ID: 2a98e2ddf172a278cb5c37fe8786f21270c953a3a1220ce9b8b29d8d962eed25
Opcode Fuzzy Hash: 4cf7f2532aa8e7bf518aaf87d5a9176e2f1375be15dee2b685b3d21a709cbda9
Instruction Fuzzy Hash: 52F0EC30004B09EBDB225F66EC4C7783FA5A741326F088325F52D9A5F1CB718995DF55

Function 00B5C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B5C432
CoCreateInstance.OLE32(00B82D6C,00000000,00000001,00B82BDC,?), ref: 00B5C44A

Part of subcall function 00AF7DE1: _memmove.LIBCMT ref: 00AF7E22

CoUninitialize.OLE32 ref: 00B5C6B7

Strings

.lnk, xrefs: 00B5C3C6, 00B5C3EE, 00B5C3F8

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 4ecd19d2e6515dd2801d587e6331a1fdb5b41e91aab2341bd4fbb216c7b1e9ce
Instruction ID: 6ec6f7b9ae3017a3f81fee9352b3bcac1a6b7d8a1405a9b9ba5adf27ecaaef1e
Opcode Fuzzy Hash: 4ecd19d2e6515dd2801d587e6331a1fdb5b41e91aab2341bd4fbb216c7b1e9ce
Instruction Fuzzy Hash: D9A13A71104209AFD700EFA4C881EBFB7E8EF85354F00495DF695971A2DB71EA09CB92

Function 00B02CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00B10DB6: std::exception::exception.LIBCMT ref: 00B10DEC
Part of subcall function 00B10DB6: __CxxThrowException@8.LIBCMT ref: 00B10E01

Part of subcall function 00AF7DE1: _memmove.LIBCMT ref: 00AF7E22

Part of subcall function 00AF7A51: _memmove.LIBCMT ref: 00AF7AAB

__swprintf.LIBCMT ref: 00B02ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00B02D66

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 0f9ba341b7bbfed46957a559ab0d8843def60dcfab4cc56a76f88e978c47bb53
Instruction ID: e4698f93e962d27116e605faa240bea34797e1e17dd9aedfdf310df8555756b7
Opcode Fuzzy Hash: 0f9ba341b7bbfed46957a559ab0d8843def60dcfab4cc56a76f88e978c47bb53
Instruction Fuzzy Hash: C6918E71508205AFC714EF64C98AC7FBBE8EF45310F10499DF9459B2A1EA70ED48CB52

Function 00B5B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AF4743,?,?,00AF37AE,?), ref: 00AF4770

CoInitialize.OLE32(00000000), ref: 00B5B9BB
CoCreateInstance.OLE32(00B82D6C,00000000,00000001,00B82BDC,?), ref: 00B5B9D4
CoUninitialize.OLE32 ref: 00B5B9F1

Part of subcall function 00AF9837: __itow.LIBCMT ref: 00AF9862
Part of subcall function 00AF9837: __swprintf.LIBCMT ref: 00AF98AC

Strings

.lnk, xrefs: 00B5B99D, 00B5B9AB

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 85c250495b49a230ba548f4e7961ab55ed5b7256caad008b186b77ee953b6997
Instruction ID: 0ffbddfc8608af0a68ec90904886859a60fdf4ef4edbf0f1942d4ca6f1f702a3
Opcode Fuzzy Hash: 85c250495b49a230ba548f4e7961ab55ed5b7256caad008b186b77ee953b6997
Instruction Fuzzy Hash: 54A189756043059FCB00DF54C984E2ABBE5FF89314F048998F9999B3A1CB31EC4ACB91

Function 00B1501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00B150AD

Part of subcall function 00B200F0: __87except.LIBCMT ref: 00B2012B

Strings

pow, xrefs: 00B15085, 00B150A2

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: a32118bd114d4e73e5a67421d9f2b525f4e990cf94f5ccda9fc1156cea7323ba
Instruction ID: ddc5cc0fe63ad515088ddaaadfddb104eb6cba8992f5cbffc71cb88b9f706436
Opcode Fuzzy Hash: a32118bd114d4e73e5a67421d9f2b525f4e990cf94f5ccda9fc1156cea7323ba
Instruction Fuzzy Hash: D5516A2092C502D6DB217768D8493AE2BD4DB80700F708DDAF4D9872AADE34CDE4DB86

Function 00B06192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B06248
_memmove.LIBCMT ref: 00B062E4
_memset.LIBCMT ref: 00B06308

Strings

ERCP, xrefs: 00B061B3

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 20150299242207e22f3efa1fe3a1ee8e41186c04d64f374c7f7b719938f80ce6
Instruction ID: 733f4b1420fb901165247254fe7bc0fa6da32089f9e51a8f9ba8a8ba701ac64d
Opcode Fuzzy Hash: 20150299242207e22f3efa1fe3a1ee8e41186c04d64f374c7f7b719938f80ce6
Instruction Fuzzy Hash: 4951B671900305DBDB24DF59C9817AABBF4EF04304F2045BEE95ADB291E770EA94DB40

Function 00B77946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B7F910,00000000,?,?,?,?), ref: 00B779DF
GetWindowLongW.USER32 ref: 00B779FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B77A0C

Strings

SysTreeView32, xrefs: 00B779B1

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 427fd184a20ca1a77ce8d02378fe6140aad99c62f1174a0ecea83ce3aa1fff5f
Instruction ID: f4178c620803bbfc9efe92a1d92b93df70db07bf2ec6c771b78b61ac3cfa66d2
Opcode Fuzzy Hash: 427fd184a20ca1a77ce8d02378fe6140aad99c62f1174a0ecea83ce3aa1fff5f
Instruction Fuzzy Hash: 0D31D03124420AAFEB118E38CC45BEA77E9EB05324F208725F979932E0DB30ED508B50

Function 00B773D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B77461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B77475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B77499

Strings

SysMonthCal32, xrefs: 00B7742C

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 53e9cdb26d82ae5ab9160325a7b10a049210abc389c8d053fef535fa1935e682
Instruction ID: c2523c6497c021db00e94e572854cbd5c967cd08d66888f16506d5f6afd79f78
Opcode Fuzzy Hash: 53e9cdb26d82ae5ab9160325a7b10a049210abc389c8d053fef535fa1935e682
Instruction Fuzzy Hash: 0A21B132640219ABDF118E54CC46FEA3BB9EF48724F114254FE196B190DA75AC90DBA0

Function 00B77B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00B77C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00B77C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B77C5F

Strings

msctls_updown32, xrefs: 00B77BC4

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: ce64c401d5b54c51372c21c6ef78d24864f4dabeac9e6d285a124fc8f7be3702
Instruction ID: 5e0ae2fff353177cd2b3ecb2dfdf76fe98ae6e15b22d8638f3961ad368cd2c16
Opcode Fuzzy Hash: ce64c401d5b54c51372c21c6ef78d24864f4dabeac9e6d285a124fc8f7be3702
Instruction Fuzzy Hash: 42217CB1204209AFDB11DF24DCC1DB637ECEF4A354B144599FA199B3A1CB71EC418A60

Function 00B76CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B76D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B76D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B76D70

Strings

Listbox, xrefs: 00B76D08

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: e2e98819fe96f449841f1033a4dd4a1816c04703902641c1daf00a8f0ae47560
Instruction ID: 0c149f5b46de3590828ecc6623286ce6ef44f6826a3fa9cb96bd8fabc7540100
Opcode Fuzzy Hash: e2e98819fe96f449841f1033a4dd4a1816c04703902641c1daf00a8f0ae47560
Instruction Fuzzy Hash: 93219232610118BFDF268F64CC45FBB3BBAEF89750F01C164FA599B1A0CA719C519BA0

Function 00B48C4B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00B48C6D
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B48C84
SendMessageW.USER32(?,0000000D,?,00000000), ref: 00B48CBC

Strings

@U=u, xrefs: 00B48CBC

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 839c57304801d2cc98ed6c1523dc70605cf87c92bb7aa94b59bc519861e6bab4
Instruction ID: b183312f63b67adfc7e3bf18059759243a5f29902849c615546fd51ecac22897
Opcode Fuzzy Hash: 839c57304801d2cc98ed6c1523dc70605cf87c92bb7aa94b59bc519861e6bab4
Instruction Fuzzy Hash: C621A132601119BBDB10DBA8D881DAFB7FDEF44350F10049AF905E32A1DE71AE809BA4

Function 00B7770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B77772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B77787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B77794

Strings

msctls_trackbar32, xrefs: 00B77749

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: ab810cfa883ae6b514139274d760e4efb7f3ac7966170f6bb805f71d58bd3665
Instruction ID: 3d4f343e261aeae18e67144b22aa65e408cac46f76eef2525598a9958776fecf
Opcode Fuzzy Hash: ab810cfa883ae6b514139274d760e4efb7f3ac7966170f6bb805f71d58bd3665
Instruction Fuzzy Hash: 28113A32244208BFEF245F65CC01FEB37A8EF88B54F018118FB55A6090CA71EC11CB20

Function 00B76920 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00B769A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B769B1

Strings

edit, xrefs: 00B76986
@U=u, xrefs: 00B769B1

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: 3e9d047f21b3251c068c274425b84c0bf9be12d2c8d998cac858cdeef6d24554
Instruction ID: 2e4dcb5873d61af5bdc81c0a641d1359a53480357949eb570ccc4bb8018ef20d
Opcode Fuzzy Hash: 3e9d047f21b3251c068c274425b84c0bf9be12d2c8d998cac858cdeef6d24554
Instruction Fuzzy Hash: 6F116D71100509ABEB108E74DC45AFB37A9EB19374F508764FAB9971E0CA71DC909B60

Function 00B48E05 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF7DE1: _memmove.LIBCMT ref: 00AF7E22

Part of subcall function 00B4AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00B4AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00B48E73

Strings

ListBox, xrefs: 00B48E3D
ComboBox, xrefs: 00B48E12
@U=u, xrefs: 00B48E73

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: 4dd9c46c76c1a01c2cd8cc12b2fa0d967785093d5612f8475bd0bec7b7ea54fd
Instruction ID: a7cc4972981215d1c270098d26d545dad7fb38d3a3c92409b55c236d660b6bd7
Opcode Fuzzy Hash: 4dd9c46c76c1a01c2cd8cc12b2fa0d967785093d5612f8475bd0bec7b7ea54fd
Instruction Fuzzy Hash: 8B012471A85219ABCF14EBF4CC818FE73ECEF02320B400A99F931672E1DE315908E650

Function 00B48CFD Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF7DE1: _memmove.LIBCMT ref: 00AF7E22

Part of subcall function 00B4AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00B4AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00B48D6B

Strings

ListBox, xrefs: 00B48D35
ComboBox, xrefs: 00B48D0A
@U=u, xrefs: 00B48D6B

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: efd4f1592df085811691f6fd07b8f459bcfd9a7336995ec574bc0d0c0301a386
Instruction ID: 4ca97cae41b010f76cbce37a5f724a50769a0279d423ee646319a131b1f05af4
Opcode Fuzzy Hash: efd4f1592df085811691f6fd07b8f459bcfd9a7336995ec574bc0d0c0301a386
Instruction Fuzzy Hash: D101D471A45109ABCB14EBE0CA92AFE73ECDF15300F5000A9B905632E1DE145F08E671

Function 00B48D82 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF7DE1: _memmove.LIBCMT ref: 00AF7E22

Part of subcall function 00B4AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00B4AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00B48DEE

Strings

ListBox, xrefs: 00B48DBA
ComboBox, xrefs: 00B48D8F
@U=u, xrefs: 00B48DEE

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: 4f10485f7abf3639ad8c47a30d6b9bdf43be87634ddd5972712dcab93fe9beaf
Instruction ID: 7c9da6876c59039092644ee0a80496cbce150d423b52b2ab9db75d9c4fda8c7a
Opcode Fuzzy Hash: 4f10485f7abf3639ad8c47a30d6b9bdf43be87634ddd5972712dcab93fe9beaf
Instruction Fuzzy Hash: 1C01A771E45109B7DB15E7E4CE82AFE77ECDF11300F500469B90563291DE154F08E671

Function 00B7ACCF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00BB57B0,00B7D809,000000FC,?,00000000,00000000,?,?,?,00B2B969,?,?,?,?,?), ref: 00B7ACD1
GetFocus.USER32 ref: 00B7ACD9

Part of subcall function 00AF2612: GetWindowLongW.USER32(?,000000EB), ref: 00AF2623

Part of subcall function 00AF25DB: GetWindowLongW.USER32(?,000000EB), ref: 00AF25EC

SendMessageW.USER32(014AE8E8,000000B0,000001BC,000001C0), ref: 00B7AD4B

Strings

@U=u, xrefs: 00B7AD4B

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: 278ecfbedc1f4458ce24f0193b264883149f85329108aea51a3ca8b56fcca8f3
Instruction ID: 0e8f40e400d35f13a4b3667b8c44764feab7569debf6902c6cef90a71c6be27c
Opcode Fuzzy Hash: 278ecfbedc1f4458ce24f0193b264883149f85329108aea51a3ca8b56fcca8f3
Instruction Fuzzy Hash: BB0152312015009FC735AB28DC98BA977E6FF8A325B1842B9F529872B1DF31AC46CB51

Function 00B06063 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B06051

SendMessageW.USER32(?,0000000C,00000000,?), ref: 00B0607F
GetParent.USER32(?), ref: 00B40D46
InvalidateRect.USER32(00000000,?,00B03A4F,?,00000000,00000001), ref: 00B40D4D

Strings

@U=u, xrefs: 00B0607F

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend$InvalidateParentRectTimeout
String ID: @U=u
API String ID: 3648793173-2594219639
Opcode ID: c5d143fb6d16e05b36b855bea4ba84682064fa4646c39715a9ab2a5b84b8acd1
Instruction ID: e3c7cc193f366d7982b740bcba4ba4e41b70c41d7bdc6edeff9b0069d1fb218e
Opcode Fuzzy Hash: c5d143fb6d16e05b36b855bea4ba84682064fa4646c39715a9ab2a5b84b8acd1
Instruction Fuzzy Hash: 62F0A730240200FBEF212F60DC89F657FD9EB01740F1044A4F5445B0E1DEB2A860AB64

Function 00AF4C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AF4B83,?), ref: 00AF4C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00AF4C56

Strings

kernel32.dll, xrefs: 00AF4C3F
Wow64RevertWow64FsRedirection, xrefs: 00AF4C50

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: cde5ebe78b120b5ccd674ddfbc4abd93ddf2604a8ca7edb627479241b6a10b4f
Instruction ID: 70f09902b47ab0de62ad5c58cb6a39658e93b8e5ede44f2ffdf71f0996691a55
Opcode Fuzzy Hash: cde5ebe78b120b5ccd674ddfbc4abd93ddf2604a8ca7edb627479241b6a10b4f
Instruction Fuzzy Hash: A8D01730914713CFD7209F71D90972A77E5AF09352F51C87AA5AAE7670FA70D8C0CA54

Function 00AF4C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AF4BD0,?,00AF4DEF,?,00BB52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AF4C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00AF4C23

Strings

kernel32.dll, xrefs: 00AF4C0C
Wow64DisableWow64FsRedirection, xrefs: 00AF4C1D

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: d9c5db80035c48d6fbf8d165fb78610f7f9096cdcb9f791f9336b634cf0f09b3
Instruction ID: 8000d56043639d305552ac4d3adfe611aef19b7c0ccb424bf72a224cbfa211bf
Opcode Fuzzy Hash: d9c5db80035c48d6fbf8d165fb78610f7f9096cdcb9f791f9336b634cf0f09b3
Instruction Fuzzy Hash: 6ED0C230500713CFC7209FB0C808327B6D5EF09341F00CC39A589D2560EAB0C4C0CA10

Function 00B70DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00B71039), ref: 00B70DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B70E07

Strings

advapi32.dll, xrefs: 00B70DF0
RegDeleteKeyExW, xrefs: 00B70E01

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 6a612c3368a546150df0e169f2e0df9e8cde8df6dd8061a36769e3442ae73303
Instruction ID: df5ce9644a43e1cf3ca89bb06c5146517eb37805f5a8c4e8cd2729ec1b18d3f1
Opcode Fuzzy Hash: 6a612c3368a546150df0e169f2e0df9e8cde8df6dd8061a36769e3442ae73303
Instruction Fuzzy Hash: 05D0C730820323CFC320AF70C80928272E4EF11342F20CCBE949AE6960EBB0D8D0CA04

Function 00B690E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00B68CF4,?,00B7F910), ref: 00B690EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00B69100

Strings

kernel32.dll, xrefs: 00B690E9
GetModuleHandleExW, xrefs: 00B690FA

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 4679c1be4502b3491ecd9a2ec3aba033bea0ec918141f19d7451e3fa28518826
Instruction ID: dc044f8851497d92a5294ef5d2b55d61fafb873fd6a182f53c6e0879b4a17d6f
Opcode Fuzzy Hash: 4679c1be4502b3491ecd9a2ec3aba033bea0ec918141f19d7451e3fa28518826
Instruction Fuzzy Hash: B0D01234514713DFD7209F31D81961676D9EF06351F11CC799499E6960EE74C4C0CA50

Function 00B31714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B31718
__swprintf.LIBCMT ref: 00B31749

Strings

WIN_XPe, xrefs: 00B31788
%.3d, xrefs: 00B31723

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: e8f64b2ef0eef1e8576a5098ea72257e9873d52467efd7cc6cdcb55d5ea7a164
Instruction ID: 09543c7a28387e99e005bb0ba9103221b0d8c7d320eb64cc4e1fcd44fdc5bbb3
Opcode Fuzzy Hash: e8f64b2ef0eef1e8576a5098ea72257e9873d52467efd7cc6cdcb55d5ea7a164
Instruction Fuzzy Hash: 34D017B584810DFACB009A9498C98F977FCAB09311F6808E2B506E2040EA229F94EA21

Function 00B4717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22fcd730a4d1af78d5dbecc5aa8f9c2cc28b82106fd357e94153aeb8062417b6
Instruction ID: a0d664a8d11743350557a4894ce06437a6217865aa6fc48855b6c6eb7848bdde
Opcode Fuzzy Hash: 22fcd730a4d1af78d5dbecc5aa8f9c2cc28b82106fd357e94153aeb8062417b6
Instruction Fuzzy Hash: 9AC12C75A04216EFCB14CFA4C884AAEBBF5FF48714B158598E805EB251DB30DE81EB90

Function 00B6E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00B6E0BE
CharLowerBuffW.USER32(?,?), ref: 00B6E101

Part of subcall function 00B6D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B6D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00B6E301
_memmove.LIBCMT ref: 00B6E314

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: d17542fa42bdad776111c7328f3121abbc3a31a7b4e315ffe7bc499eef93ffbb
Instruction ID: 8375e95145ffbeff48fe6cc30f4b8eb0601a4a1607765b7a1026ac8a56ce9e6f
Opcode Fuzzy Hash: d17542fa42bdad776111c7328f3121abbc3a31a7b4e315ffe7bc499eef93ffbb
Instruction Fuzzy Hash: DBC16A75A083019FC704DF28C480A6ABBE4FF89714F1489AEF9A99B351D774E945CF82

Function 00B68093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B680C3
CoUninitialize.OLE32 ref: 00B680CE

Part of subcall function 00B4D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B4D5D4

VariantInit.OLEAUT32(?), ref: 00B680D9
VariantClear.OLEAUT32(?), ref: 00B683AA

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 395e6d98e731a276eaa60de192524f9c8af53c3451ba2873002f859248f6d9f9
Instruction ID: d36dac8b2fc0a47215ae6645519c3ff8506244b714a42fc2fef70479309b0dcf
Opcode Fuzzy Hash: 395e6d98e731a276eaa60de192524f9c8af53c3451ba2873002f859248f6d9f9
Instruction Fuzzy Hash: 74A178752047059FCB10DF64C581B2AB7E4FF89354F048598FA9AAB3A1CB34ED45CB86

Function 00B47530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00B82C7C,?), ref: 00B476EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00B82C7C,?), ref: 00B47702
CLSIDFromProgID.OLE32(?,?,00000000,00B7FB80,000000FF,?,00000000,00000800,00000000,?,00B82C7C,?), ref: 00B47727
_memcmp.LIBCMT ref: 00B47748

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: d42306ef2844456b3ddbef34c73313b558a88458a5b4b91a5f41bea832b71d9f
Instruction ID: 3f604aea637371b77b62efcce39f8693260a69d2f1624f02fbd5029f8afb2bc0
Opcode Fuzzy Hash: d42306ef2844456b3ddbef34c73313b558a88458a5b4b91a5f41bea832b71d9f
Instruction Fuzzy Hash: B781EA75A00109EFCB04DFA4C984EEEB7F9FF89315F204598E505AB250DB71AE46DB60

Function 00B4687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B4688E
SysAllocString.OLEAUT32(00000000), ref: 00B46937
VariantCopy.OLEAUT32 ref: 00B46966
VariantClear.OLEAUT32(?), ref: 00B4698D

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 93b48851d246e822d1bee0262453c66f2ff122c3fbb47de5f5b76d898389cba7
Instruction ID: 85b8bb6df1e567db64b9d52b988e3cd964fc1cff074bd53643a8d305b7b9538b
Opcode Fuzzy Hash: 93b48851d246e822d1bee0262453c66f2ff122c3fbb47de5f5b76d898389cba7
Instruction Fuzzy Hash: 1E51C6747007019EDB24AF65D891B7AB3E5EF4A310F20C86FE586DB291DF70D980A712

Function 00B669AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00B669D1
WSAGetLastError.WSOCK32(00000000), ref: 00B669E1

Part of subcall function 00AF9837: __itow.LIBCMT ref: 00AF9862
Part of subcall function 00AF9837: __swprintf.LIBCMT ref: 00AF98AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00B66A45
WSAGetLastError.WSOCK32(00000000), ref: 00B66A51

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 967d5020ae867746b64e1796679082498a7cdd439b8f9876f92c2c0dcba15229
Instruction ID: 23d941b954c1d2cd5911ac37961d963d075b0f7091abf62909c65c004f9312ca
Opcode Fuzzy Hash: 967d5020ae867746b64e1796679082498a7cdd439b8f9876f92c2c0dcba15229
Instruction Fuzzy Hash: E941B175740204AFEB60AFA4CD86F3A77E8DF14B54F048068FA59AF2C2DA749D008B91

Function 00B6641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00B7F910), ref: 00B664A7
_strlen.LIBCMT ref: 00B664D9

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 468c67ce5a69be2444ebeb79e8a60ddb604ab222786e8c8a6674b38c2a250502
Instruction ID: d6320438539f45451e129e4935af0ea61b634ab4d391ba3b5bb628d2e62aff06
Opcode Fuzzy Hash: 468c67ce5a69be2444ebeb79e8a60ddb604ab222786e8c8a6674b38c2a250502
Instruction Fuzzy Hash: 12418531A00108ABCB14EBA4DDD6FBEB7E9EF14310F1481A5F91A97292DB34ED45CB51

Function 00B5B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00B5B89E
GetLastError.KERNEL32(?,00000000), ref: 00B5B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00B5B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00B5B915

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: d8ea8cdd069d4af4864e4612022c3292ef3725226256ac924933d166a3998381
Instruction ID: f39233c9241b0dd8737fdea889b96d0384d50f56820ab10551e5e55403c83d0a
Opcode Fuzzy Hash: d8ea8cdd069d4af4864e4612022c3292ef3725226256ac924933d166a3998381
Instruction Fuzzy Hash: 7341F539600615DFCB10EF55C584E6ABBE5EF8A350F098098FD4AAB362CB30ED45CB91

Function 00B7AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00B7AB60
GetWindowRect.USER32(?,?), ref: 00B7ABD6
PtInRect.USER32(?,?,00B7C014), ref: 00B7ABE6
MessageBeep.USER32(00000000), ref: 00B7AC57

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1d52e9fff7f715d654fabd75db18def2d3b6bd8fbdc5d4ee544639416b444df4
Instruction ID: c1318e8915d5f03299fd4c4aff4fddf99388f26c927a968fc5cecd9338fdac51
Opcode Fuzzy Hash: 1d52e9fff7f715d654fabd75db18def2d3b6bd8fbdc5d4ee544639416b444df4
Instruction Fuzzy Hash: B2415C30600519EFCB62DF68DC94B6D7BF5FB89310F14C1A9E92D9B260DB30A941CB92

Function 00B50AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00B50B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00B50B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00B50BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00B50BFB

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 7ee334a69a2320bb05fcbd15cced587578d3098a280921cd66bd73cb093db7e9
Instruction ID: dcedd6174c1d1e82f66ce34a94957e59f372656ed721d4203f3eb1ebe8676436
Opcode Fuzzy Hash: 7ee334a69a2320bb05fcbd15cced587578d3098a280921cd66bd73cb093db7e9
Instruction Fuzzy Hash: 10314830D60208AFFF30AB25CC85BFABBE5EB4531AF0842DAED84521D1C77589889755

Function 00B50C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00B50C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00B50C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00B50CE1
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00B50D33

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c7302c0ad85247f3345939a8d4284b15e961cd8f0194295d6e5a12a94afc532c
Instruction ID: 14d1129dbae66c015af84a9736af249f4c8bfccb6788272ea8d246f8c63dcfe2
Opcode Fuzzy Hash: c7302c0ad85247f3345939a8d4284b15e961cd8f0194295d6e5a12a94afc532c
Instruction Fuzzy Hash: BE314630910208AEFF31AA64C814BFEBBF6EB4A312F0443EAEC84561D1D3359D9D9751

Function 00B261C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00B261FB
__isleadbyte_l.LIBCMT ref: 00B26229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00B26257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00B2628D

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2fd6c0b10f20ef4d70e5c74d671524b864caf449d1f64798d4968fd5eddc4236
Instruction ID: 03939dfbbab291b9c78df05f1024e9dab04573ebf98b9a851ed83f6f145095eb
Opcode Fuzzy Hash: 2fd6c0b10f20ef4d70e5c74d671524b864caf449d1f64798d4968fd5eddc4236
Instruction Fuzzy Hash: 4131D231604266EFDF218F64EC44BBA7BE9FF41310F1540A8E82897191D731ED91DB90

Function 00B74EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00B74F02

Part of subcall function 00B53641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B5365B
Part of subcall function 00B53641: GetCurrentThreadId.KERNEL32 ref: 00B53662
Part of subcall function 00B53641: AttachThreadInput.USER32(00000000,?,00B55005), ref: 00B53669

GetCaretPos.USER32(?), ref: 00B74F13
ClientToScreen.USER32(00000000,?), ref: 00B74F4E
GetForegroundWindow.USER32 ref: 00B74F54

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 9990387130be7a8dceb6ddb5510a26f4a26e0aa8ad32e77e167040c8fa907482
Instruction ID: 8a81206a2a1eb6914811501ed4f4d82a77f33370262db496822ea72658f876d2
Opcode Fuzzy Hash: 9990387130be7a8dceb6ddb5510a26f4a26e0aa8ad32e77e167040c8fa907482
Instruction Fuzzy Hash: 4D312C72D00108AFDB00EFA5C985AEFB7F9EF98300F1040AAF555E7241DA759E458BA1

Function 00B7C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF2612: GetWindowLongW.USER32(?,000000EB), ref: 00AF2623

GetCursorPos.USER32(?), ref: 00B7C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00B2B9AB,?,?,?,?,?), ref: 00B7C4E7
GetCursorPos.USER32(?), ref: 00B7C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00B2B9AB,?,?,?), ref: 00B7C56E

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e19299161eb8d5a83cc85f13f9c02bc926662d688f23082eca210e33b27d822f
Instruction ID: f2b1a8b28ec776115584d48d00b9e0a7f56d0266dfef501ea88a8e2d625e9b5e
Opcode Fuzzy Hash: e19299161eb8d5a83cc85f13f9c02bc926662d688f23082eca210e33b27d822f
Instruction Fuzzy Hash: 4B319535500418AFCB258F58D855EFE7FF6EB09310F4481ADF91987261CB326D50DB94

Function 00B48656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B4810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B48121
Part of subcall function 00B4810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B4812B
Part of subcall function 00B4810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B4813A
Part of subcall function 00B4810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B48141
Part of subcall function 00B4810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B48157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00B486A3
_memcmp.LIBCMT ref: 00B486C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B486FC
HeapFree.KERNEL32(00000000), ref: 00B48703

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 523794f7eb27f09ef145703427a085241eaccd5798ae0e92e538960eb0c91ec4
Instruction ID: 3fe69e2a7cfb59bceaed7c7f348f6033533114e435dea59cf08a3f00b68b7a92
Opcode Fuzzy Hash: 523794f7eb27f09ef145703427a085241eaccd5798ae0e92e538960eb0c91ec4
Instruction Fuzzy Hash: AB217A71E00109EFDB10DFA8C949BEEB7F9EF45304F164099E944AB241DB30AE45EBA4

Function 00B1098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00B109AE

Part of subcall function 00AF5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B57896,?,?,00000000), ref: 00AF5A2C
Part of subcall function 00AF5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B57896,?,?,00000000,?,?), ref: 00AF5A50

_fprintf.LIBCMT ref: 00B109E5
OutputDebugStringW.KERNEL32(?), ref: 00B45DBB

Part of subcall function 00B14AAA: _flsall.LIBCMT ref: 00B14AC3

__setmode.LIBCMT ref: 00B10A1A

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 219844d86b39620b61734b11494fd4b9da35613d95cef8ea3c4ac4421f0b5630
Instruction ID: 0c5d5c3612c2d508f04fcbdce0ba08cc529dc028584650bfd8c3501cb84dea2b
Opcode Fuzzy Hash: 219844d86b39620b61734b11494fd4b9da35613d95cef8ea3c4ac4421f0b5630
Instruction Fuzzy Hash: E1110231904608ABDB04B6F89C86AFE7BE89F46360FA001E5F20467192EF605DC697A1

Function 00B61767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B617A3

Part of subcall function 00B6182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B6184C
Part of subcall function 00B6182D: InternetCloseHandle.WININET(00000000), ref: 00B618E9

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: feca21e9869f261044048f540cd5352add47abca36668c2991af4728cac6a88c
Instruction ID: c48ec195984bf3d25cfd6d4eeead377328dc22d44e38ee68440eb126cfd810e1
Opcode Fuzzy Hash: feca21e9869f261044048f540cd5352add47abca36668c2991af4728cac6a88c
Instruction Fuzzy Hash: 5421F371200602BFEB169F68CC41FBABBE9FF48711F18446AFA0597650DB79D810A7A0

Function 00B53A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00B7FAC0), ref: 00B53A64
GetLastError.KERNEL32 ref: 00B53A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B53A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00B7FAC0), ref: 00B53ADF

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 82a3ad907c6eb6df757a90c5178e22fdaa828cc6dd5894c28e8d57fa444fd509
Instruction ID: cf27470dafa01afe699088646d0ec94c798f549c21d9632946ad12a3f0f30152
Opcode Fuzzy Hash: 82a3ad907c6eb6df757a90c5178e22fdaa828cc6dd5894c28e8d57fa444fd509
Instruction Fuzzy Hash: 222194345082059F8300DF24C98197E77E4EE557A5F104AA9F899C73A2DB319E49CB52

Function 00B250E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B25101

Part of subcall function 00B1571C: __FF_MSGBANNER.LIBCMT ref: 00B15733
Part of subcall function 00B1571C: __NMSG_WRITE.LIBCMT ref: 00B1573A
Part of subcall function 00B1571C: RtlAllocateHeap.NTDLL(01490000,00000000,00000001,00000000,?,?,?,00B10DD3,?), ref: 00B1575F

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 91af9d475e883367fd4b87bbadc5042eb2aa3435f894ad1f056ba8d01163eba8
Instruction ID: 1d37c352cc7179d8d60d52b288ddb5627d2c7a2e098236c71350963a6864d082
Opcode Fuzzy Hash: 91af9d475e883367fd4b87bbadc5042eb2aa3435f894ad1f056ba8d01163eba8
Instruction Fuzzy Hash: 5C11C672904A22AFCF312F74FC457AE37D8AF043A2B5045A9F90DAB150DE3189918794

Function 00AF44A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AF44CF

Part of subcall function 00AF407C: _memset.LIBCMT ref: 00AF40FC
Part of subcall function 00AF407C: _wcscpy.LIBCMT ref: 00AF4150
Part of subcall function 00AF407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00AF4160

KillTimer.USER32(?,00000001,?,?), ref: 00AF4524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AF4533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B2D4B9

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 95a034e042e5766a60ba577b38420f0ae9c5ff734ccc95f8af753c9cc4f45e70
Instruction ID: e490585b0b3661f0d84648208f47d27a8031395884305cfdc95000ac5325b0fe
Opcode Fuzzy Hash: 95a034e042e5766a60ba577b38420f0ae9c5ff734ccc95f8af753c9cc4f45e70
Instruction Fuzzy Hash: 1021B070904798AFE732AB649895BF7BBECAF05314F04009EF79E57281C7746E848B51

Function 00B66369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B57896,?,?,00000000), ref: 00AF5A2C
Part of subcall function 00AF5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B57896,?,?,00000000,?,?), ref: 00AF5A50

gethostbyname.WSOCK32(?,?,?), ref: 00B66399
WSAGetLastError.WSOCK32(00000000), ref: 00B663A4
_memmove.LIBCMT ref: 00B663D1
inet_ntoa.WSOCK32(?), ref: 00B663DC

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 77a5ad1e2e7879794880c8fc95385bbc3ad684b79d7315427e5ef08a2cc639b9
Instruction ID: f0d784014590acc83ba6a6adffc46ad46a967b43ded4460b748dc8a99640da02
Opcode Fuzzy Hash: 77a5ad1e2e7879794880c8fc95385bbc3ad684b79d7315427e5ef08a2cc639b9
Instruction Fuzzy Hash: 5E111C32900109AFCB04FBE4DA86DBEB7B8AF08310B5440A5F605A7261DF31AE54DB62

Function 00B48B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00B48B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B48B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B48B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B48BA4

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 13fed39b8a7c9f49f2e959f00728d418324931863077af41a4f8cabb0e44419c
Instruction ID: 8579182b8d2d51083ddc957223cff2f86901f3656aefeca22a057bb1fe7b8e88
Opcode Fuzzy Hash: 13fed39b8a7c9f49f2e959f00728d418324931863077af41a4f8cabb0e44419c
Instruction Fuzzy Hash: 8B114C79900218FFDB10DF95CC84FADBBB4FB48710F204095E900B7250DA716E10EB94

Function 00AF1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00AF2612: GetWindowLongW.USER32(?,000000EB), ref: 00AF2623

DefDlgProcW.USER32(?,00000020,?), ref: 00AF12D8
GetClientRect.USER32(?,?), ref: 00B2B5FB
GetCursorPos.USER32(?), ref: 00B2B605
ScreenToClient.USER32(?,?), ref: 00B2B610

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: e13d6de9ac368f02d7a5d99169240a8c1296219484d3d9d4d00b3801678350b1
Instruction ID: f368960af67e19f4b07489fa5c5d96cb9f3d249226659bf0603605c64ed11269
Opcode Fuzzy Hash: e13d6de9ac368f02d7a5d99169240a8c1296219484d3d9d4d00b3801678350b1
Instruction Fuzzy Hash: 9111163560001EEBCB10EFE8D9859FE77B8EB05310F500465FA45E7140CB30AA928BA9

Function 00B51142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00B4FCED,?,00B50D40,?,00008000), ref: 00B5115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00B4FCED,?,00B50D40,?,00008000), ref: 00B51184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00B4FCED,?,00B50D40,?,00008000), ref: 00B5118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00B4FCED,?,00B50D40,?,00008000), ref: 00B511C1

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 1f6e5ea14c68964754dffc8464e5aa65c4448abe2cea95ef25640fda29e5897c
Instruction ID: b3d4187ec7226f3eeaca379ff479235b11ae30833a89b2ff0e90a8898d7c7bc0
Opcode Fuzzy Hash: 1f6e5ea14c68964754dffc8464e5aa65c4448abe2cea95ef25640fda29e5897c
Instruction Fuzzy Hash: D2111831D00919E7CF00AFA9D889BEEBBB8FB09752F4144D5EE45B6240CB709594CBA5

Function 00B4D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00B4D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00B4D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00B4D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00B4D897

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 05a6ec851d676ad12628c964ac176d552a5e9b3d1324e7a6608324a10e62e7d6
Instruction ID: f4c374ae75c5736fcc93e475e9013294f058b0f6fbc00c0e64346d52b24b4bf4
Opcode Fuzzy Hash: 05a6ec851d676ad12628c964ac176d552a5e9b3d1324e7a6608324a10e62e7d6
Instruction Fuzzy Hash: A3115E75605305DBEB208F50EC48FA2BBFCEF00B00F5085A9A51AD7590D7B0E649ABA1

Function 00B26FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00B26FDB

Part of subcall function 00B276C2: __fltout2.LIBCMT ref: 00B276EB

__cftog_l.LIBCMT ref: 00B27001
__cftoe_l.LIBCMT ref: 00B27033

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: a5d8dab9887ae2fb91ff4b1774ecfa0816dd9e58bcb51e01d347102701a891c5
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 58014E7248415ABBCF165E84EC46CEE3FA2FB18350B588495FA1C58031DA36C9B5AB89

Function 00B7B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B7B2E4
ScreenToClient.USER32(?,?), ref: 00B7B2FC
ScreenToClient.USER32(?,?), ref: 00B7B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B7B33B

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 5dd81eefe85f219f653f63d257525addc2336ca5714c50abf1b87c7985f7a764
Instruction ID: 6507914917ef14ce3dcef967e4a61e522a4856b76152a0d7b77f4b8552c68037
Opcode Fuzzy Hash: 5dd81eefe85f219f653f63d257525addc2336ca5714c50abf1b87c7985f7a764
Instruction Fuzzy Hash: F1114675D0020AEFDB41DF99C844AEEBBF5FB08310F108166E914E3220D735AA55CF54

Function 00B7B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B7B644
_memset.LIBCMT ref: 00B7B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00BB6F20,00BB6F64), ref: 00B7B682
CloseHandle.KERNEL32 ref: 00B7B694

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 33f3260196ba4fbb2a4086879fe136e5711ba9c899e7ee659f3df761dbde1238
Instruction ID: 89da537b4d87572c011aa57299e405ec4b3d154b8ee2a6b52e2e4577940070fc
Opcode Fuzzy Hash: 33f3260196ba4fbb2a4086879fe136e5711ba9c899e7ee659f3df761dbde1238
Instruction Fuzzy Hash: 5AF0DAB25403047BE2102B65BC46FBB7B9CEB19795F404171BA0CE6192DBB99C508BA8

Function 00B56BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00B56BE6

Part of subcall function 00B576C4: _memset.LIBCMT ref: 00B576F9

_memmove.LIBCMT ref: 00B56C09
_memset.LIBCMT ref: 00B56C16
LeaveCriticalSection.KERNEL32(?), ref: 00B56C26

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 33eb07520a1ce59dc5bc0a4f41500fb802594f9408fc76bc6ecc2827eb3f9d11
Instruction ID: b1c669ca42197c0993df5b0e2c86002c061786f37c7d230402e91ee24182f828
Opcode Fuzzy Hash: 33eb07520a1ce59dc5bc0a4f41500fb802594f9408fc76bc6ecc2827eb3f9d11
Instruction Fuzzy Hash: B1F0543A200100ABCF016F95EC85A8ABF69EF45321F0480A1FE099F227CB31E851CBB4

Function 00AF2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00AF2231
SetTextColor.GDI32(?,000000FF), ref: 00AF223B
SetBkMode.GDI32(?,00000001), ref: 00AF2250
GetStockObject.GDI32(00000005), ref: 00AF2258
GetWindowDC.USER32(?,00000000), ref: 00B2BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00B2BE90
GetPixel.GDI32(00000000,?,00000000), ref: 00B2BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00B2BEC2
GetPixel.GDI32(00000000,?,?), ref: 00B2BEE2
ReleaseDC.USER32(?,00000000), ref: 00B2BEED

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: dcd3430695d26099fd97a75529bd0f09d96a5f959606a3c5fb005706e45849f3
Instruction ID: 38df977106c41850b30dff9a747843d85e25ca2a66e65b7f45791783291a9bc8
Opcode Fuzzy Hash: dcd3430695d26099fd97a75529bd0f09d96a5f959606a3c5fb005706e45849f3
Instruction Fuzzy Hash: 77E03932104245AADF215FA4FC0DBE83B20EB15332F0083A6FA6DA80E18B714AC0DB12

Function 00B48712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00B4871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00B482E6), ref: 00B48722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00B482E6), ref: 00B4872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00B482E6), ref: 00B48736

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 630ecaf908c1e7ceca89fe1a3ebf5314182c088680478d4aa2a6c058a7d8edcb
Instruction ID: 3588e9f5e0b8fa010e9dc5f28e63b8955133c3bae9d2e14f44edd1bf71882330
Opcode Fuzzy Hash: 630ecaf908c1e7ceca89fe1a3ebf5314182c088680478d4aa2a6c058a7d8edcb
Instruction Fuzzy Hash: 0DE086366152229BD7205FB05D0CB6A3BACEF50B91F154868F24DCB040DE348881D758

Function 00B4B2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00B4B4BE

Strings

AutoIt3GUI, xrefs: 00B4B436
Container, xrefs: 00B4B43B

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 314b99382020f64caf407cd990ff17c7bacf8107e9d20842ecc53a21f60eca56
Instruction ID: 664e5893a6ce4d7b4107d4cf87a8adac453809c29701e8199000a234c7a9316e
Opcode Fuzzy Hash: 314b99382020f64caf407cd990ff17c7bacf8107e9d20842ecc53a21f60eca56
Instruction Fuzzy Hash: 61915A71200601AFDB14DF68C894F6ABBE5FF49710F2085ADEA4ACB3A1DB70E941CB50

Function 00B5AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0FC86: _wcscpy.LIBCMT ref: 00B0FCA9

Part of subcall function 00AF9837: __itow.LIBCMT ref: 00AF9862
Part of subcall function 00AF9837: __swprintf.LIBCMT ref: 00AF98AC

__wcsnicmp.LIBCMT ref: 00B5B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00B5B0F6

Strings

LPT, xrefs: 00B5B027

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 28287bee2fd18feceaf42ad44fe46a9e0645ce15379056fe13e954f9e89b528c
Instruction ID: e134322a048e86855a64ca0a71a9afb5e4f80f548b188d7224274d782ce0564d
Opcode Fuzzy Hash: 28287bee2fd18feceaf42ad44fe46a9e0645ce15379056fe13e954f9e89b528c
Instruction Fuzzy Hash: 69616C75A10219AFCB14DF94C891FBEB7F4EB08350F1440E9F916AB291DB70AE85CB91

Function 00B02957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00B02968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00B02981

Strings

@, xrefs: 00B02975

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 8454eae3679a7f0b30601d31a4ff3f668273a9db08ae1e59d04f76474e9f00a9
Instruction ID: 7e91f49cd89ff7c21c441f086a71129010868ae2e5a58c0cfc9ae06dc95d7d63
Opcode Fuzzy Hash: 8454eae3679a7f0b30601d31a4ff3f668273a9db08ae1e59d04f76474e9f00a9
Instruction Fuzzy Hash: 205148724087489BD720EF50D986BAFBBE8FF85344F42885DF2D8410A1DF318569CB66

Function 00B59734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00AF4F0B: __fread_nolock.LIBCMT ref: 00AF4F29

_wcscmp.LIBCMT ref: 00B59824
_wcscmp.LIBCMT ref: 00B59837

Strings

FILE, xrefs: 00B59770

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 18110ed38acd79c72c945dbf3b65badc849c9d357dac91bc487b70c332a7d5b1
Instruction ID: 0910410ff516336533fb660f9aebaa177fb28182271eb0dd348f095aafcd72dd
Opcode Fuzzy Hash: 18110ed38acd79c72c945dbf3b65badc849c9d357dac91bc487b70c332a7d5b1
Instruction Fuzzy Hash: C8419871A00219BADF219BE4CC46FEFBBFDDF89B10F4004A9F905B7181DA7199048B61

Function 00B6258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B6259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00B625D4

Strings

|, xrefs: 00B625A5

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 824634dd32ec70665ddaba2c554a675a3d108858f7c51fe562e18dd3c3a07171
Instruction ID: 7a91d20a7e422772494e421d24aa0fac999da34f76f7e665fdc4a4e543a892b5
Opcode Fuzzy Hash: 824634dd32ec70665ddaba2c554a675a3d108858f7c51fe562e18dd3c3a07171
Instruction Fuzzy Hash: BF310571814119EBDF11EFA0CD85EEEBFB8FF08310F1000A9FA15A6162EB355A56DB60

Function 00B77A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00B77B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B77B76

Strings

', xrefs: 00B77ACA

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 9f761f2a4ff4c71d44f112b1eefd557344c5184aae7a18bf08b9498055012507
Instruction ID: c5d866c808212a41be3f985454d2dd5bd999db689fc67ee48277933cb6ed0e53
Opcode Fuzzy Hash: 9f761f2a4ff4c71d44f112b1eefd557344c5184aae7a18bf08b9498055012507
Instruction Fuzzy Hash: 10410774A4530A9FDB14CF64D991BEABBF5FB08300F1041AAE918AB391DB70A951CF90

Function 00B76A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00B76B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B76B53

Strings

static, xrefs: 00B76AB3

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 57a581540716aa4f020369d3ca8f18f2089bc7b2aa2461c4fa1ab0e2251e1c6f
Instruction ID: bce70586dd5a5e7eba8c68c467ecf57d34dc0fc83b82e16c6017fb7940786b68
Opcode Fuzzy Hash: 57a581540716aa4f020369d3ca8f18f2089bc7b2aa2461c4fa1ab0e2251e1c6f
Instruction Fuzzy Hash: 5E316B71200608AEDB149F68CC81BFB77E9FF49760F10C619F9A9D7190DA31AC91CB64

Function 00B4994C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00B49965
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00B4999F

Strings

@U=u, xrefs: 00B49965, 00B4999F

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 6bb9cf5b28404214aa2a3fa56d20f3c1e3ce2f476af004db1829f41eb73c5a6f
Instruction ID: 25cfa1c7f0fb0720c955227f948fb4d1edb10b381b09e02210adb9782fda0316
Opcode Fuzzy Hash: 6bb9cf5b28404214aa2a3fa56d20f3c1e3ce2f476af004db1829f41eb73c5a6f
Instruction Fuzzy Hash: CD21A731D00219ABCF14EFA4C8C1DBFB7B9EF88710F1140A9FA15A7290EA719D41D750

Function 00B528A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B52911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B5294C

Strings

0, xrefs: 00B5290A

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: b09e9dec893c8e162832540e8b2330dd25b2c7979cc22e305d1b2b15f6aa62df
Instruction ID: 552599f140a6a92bd7446df7822ce8120cca6b812469a6d267b565cd3298f08f
Opcode Fuzzy Hash: b09e9dec893c8e162832540e8b2330dd25b2c7979cc22e305d1b2b15f6aa62df
Instruction Fuzzy Hash: 8B31D771A013059BEB24DF98CD85BEEBBF4EF46351F1400F9ED85A62A0D7709948CB51

Function 00B639E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00B63A66

Part of subcall function 00AF7DE1: _memmove.LIBCMT ref: 00AF7E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 00B63A58
, $, xrefs: 00B63AA6

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 136867b49d162e44a023558e4a831e75badc9f50a4d5b3dedce0595f1b53a747
Instruction ID: dfa46f52a53da19eabcab80c29b796ca3136b1a604ac83495d7730be0d036e89
Opcode Fuzzy Hash: 136867b49d162e44a023558e4a831e75badc9f50a4d5b3dedce0595f1b53a747
Instruction Fuzzy Hash: 8C218F31A0421DAACF10EFE4CC82AAEB7F5EF49700F404494F645A7291DB34EA46DBA1

Function 00B4A9B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B06051

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B4AA10
_strlen.LIBCMT ref: 00B4AA1B

Strings

@U=u, xrefs: 00B4AA10

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: 6f94843e4d6f636701bc2000c61dd0a92b4ee9ca1da862c76b0532d5f9d43b15
Instruction ID: 476ad8f1836cbd64c778c0c83c73b78eccf0424b5d862aa6a842ecad9aa6994f
Opcode Fuzzy Hash: 6f94843e4d6f636701bc2000c61dd0a92b4ee9ca1da862c76b0532d5f9d43b15
Instruction Fuzzy Hash: 6D1127322401056ACB14BEB8DDC2DFF7BE99F49700F0010BDFA06CB193DD249A85E652

Function 00B76865 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B555FD: GetLocalTime.KERNEL32 ref: 00B5560A
Part of subcall function 00B555FD: _wcsncpy.LIBCMT ref: 00B5563F
Part of subcall function 00B555FD: _wcsncpy.LIBCMT ref: 00B55671
Part of subcall function 00B555FD: _wcsncpy.LIBCMT ref: 00B556A4
Part of subcall function 00B555FD: _wcsncpy.LIBCMT ref: 00B556E6

SendMessageW.USER32(?,00001002,00000000,?), ref: 00B768FF

Strings

SysDateTimePick32, xrefs: 00B768BD
@U=u, xrefs: 00B768FF

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: _wcsncpy$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2466184910-2530228043
Opcode ID: 585a1ed83daa8216493244d43865e2caf60aaaba3b1c7dd250aa986c7e71c6e7
Instruction ID: dbfc888e779361cb72f8e078c28ac91b423b40d9cb2cdf0ae2643cb264fedc48
Opcode Fuzzy Hash: 585a1ed83daa8216493244d43865e2caf60aaaba3b1c7dd250aa986c7e71c6e7
Instruction Fuzzy Hash: 7F2106713402196FEF219E54DC82FEE73E9EB54750F20855AFD68AB1D0DAB1EC809B60

Function 00B49225 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B4923E

Part of subcall function 00B513DE: GetWindowThreadProcessId.USER32(?,?), ref: 00B51409
Part of subcall function 00B513DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00B4925A,00000034,?,?,00001004,00000000,00000000), ref: 00B51419
Part of subcall function 00B513DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00B4925A,00000034,?,?,00001004,00000000,00000000), ref: 00B5142F

Part of subcall function 00B514BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B49296,?,?,00000034,00000800,?,00000034), ref: 00B514E6

SendMessageW.USER32(?,00001073,00000000,?), ref: 00B492A5

Part of subcall function 00B51487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B492C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00B514B1

Strings

@U=u, xrefs: 00B4923E, 00B492A5

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: 568c4588a89942df235397188cfec4b3bf26386045ef4405b39fb6ff3e3d3122
Instruction ID: c88fb6f0d47c2eca414f5be23244801ae8bccd8799cc5924fc31628da7fd3d65
Opcode Fuzzy Hash: 568c4588a89942df235397188cfec4b3bf26386045ef4405b39fb6ff3e3d3122
Instruction Fuzzy Hash: 10215C31901119BBEF21ABA8CC81FDEBBB8FF09750F1001E5F948A7190DA705A98DB94

Function 00B766D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B76761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B7676C

Strings

Combobox, xrefs: 00B7672E

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: f15901382a8448212572ab9d4f06f4b018c6a41e955008d29fbf7895e70eb087
Instruction ID: 6388b20a1fbaa24f023366d0d14dd9125ffc3898c5717fa36cc6628154c98445
Opcode Fuzzy Hash: f15901382a8448212572ab9d4f06f4b018c6a41e955008d29fbf7895e70eb087
Instruction Fuzzy Hash: 9E118675300609AFEF159F54CC81EBB37AAEB983A8F108165F92897290D671DC5187A0

Function 00B796F3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

@U=u, xrefs: 00B79778, 00B797A1

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: 3d86f1132aab3026ac9d06cf270418f624422e592abadd475dee3079d7cd9eb6
Instruction ID: 677244b76eaa1a22b5e171ecc0e742cf095972072ba2a7202dca304fba589cb5
Opcode Fuzzy Hash: 3d86f1132aab3026ac9d06cf270418f624422e592abadd475dee3079d7cd9eb6
Instruction Fuzzy Hash: C9216035128508BFDB189E68CC85FBA37E4EB05311F408195FA6ADB1E0D772ED50DB60

Function 00B76C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00AF1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AF1D73
Part of subcall function 00AF1D35: GetStockObject.GDI32(00000011), ref: 00AF1D87
Part of subcall function 00AF1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AF1D91

GetWindowRect.USER32(00000000,?), ref: 00B76C71
GetSysColor.USER32(00000012), ref: 00B76C8B

Strings

static, xrefs: 00B76C4E

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: c292b26ba1f049ed2a8b11f31c43d10bb7ac58f64f5b20469806d8b37a0f88b1
Instruction ID: bc7cd5e52d636130fe2ccc1c5c19f5cfe179884227f2d0f823b9eb76dfc63fd5
Opcode Fuzzy Hash: c292b26ba1f049ed2a8b11f31c43d10bb7ac58f64f5b20469806d8b37a0f88b1
Instruction Fuzzy Hash: 37211A7251020AAFDB05DFB8CC45AFA7BE8FB08314F004669F999D3250D635E850DB60

Function 00B529AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B52A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00B52A41

Strings

0, xrefs: 00B52A18

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 7dba65a078d13596b1a8381fa2143a12f7b4b7bd0974b7497e64af0d2bbebd99
Instruction ID: d91a3642e5a6e9c6fd2e48da485afdcd6c7a0b0a1e79be643e8bae02c8f54e9f
Opcode Fuzzy Hash: 7dba65a078d13596b1a8381fa2143a12f7b4b7bd0974b7497e64af0d2bbebd99
Instruction Fuzzy Hash: 31119032A02114ABDF39DB98EC44BAA77E8EB46311F1441E1EC55E7290D770AD0ECB91

Function 00B621D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B6222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B62255

Strings

<local>, xrefs: 00B6221D

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: fa2d8be9b94d04c88c293581f9369c192cbf9d416643986bd5ba1e93b8c20ae1
Instruction ID: 5e8d6add5a061d74c402d31a5080369926f85dcc253f3a64652c2a9d8ee5af63
Opcode Fuzzy Hash: fa2d8be9b94d04c88c293581f9369c192cbf9d416643986bd5ba1e93b8c20ae1
Instruction Fuzzy Hash: 01110270501A26BAEB298F11CCE8EBBFBE8FF06351F1082AAF91856000D2745D90D6F0

Function 00B784E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00B78530

Strings

@U=u, xrefs: 00B78530, 00B7856C

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: d22615ec60ce75ebb099bda6aa8cd43c39ebf5fa81ef24fc67121aab129f8f8a
Instruction ID: d73af1fbb4278d346da639bea499fbed6b35a588def294c19aaf2bb4b64a2ae0
Opcode Fuzzy Hash: d22615ec60ce75ebb099bda6aa8cd43c39ebf5fa81ef24fc67121aab129f8f8a
Instruction Fuzzy Hash: D021B67560020AEFCB15DF94D8848EA7BF5FB5C350B008195FD1AA7360DA31ED61DB90

Function 00B765B6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 00B7662C

Strings

button, xrefs: 00B76603
@U=u, xrefs: 00B7662C

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: 8fd74ea6510aa382fc096cfded983b2348f67812d053096e31513bdf1284427f
Instruction ID: 5e3b26c162b328bb127fd52110c40eddf2310b7724336cdb957596d3e1d02ad8
Opcode Fuzzy Hash: 8fd74ea6510aa382fc096cfded983b2348f67812d053096e31513bdf1284427f
Instruction Fuzzy Hash: 6F11A172250209ABDF118F60CC51FEA3BAAFF18314F158658FA69A7190C776EC51AB50

Function 00B7788C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 00B778D8

Strings

@U=u, xrefs: 00B778D8

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 7786d1a71e124e3bd883bd6fd3556fb56fb0522d5e9f7b0b77e0a6eb4668c5c5
Instruction ID: 213950dd28ac731aeec01faa114f96ae6b7e913daf2f61daabb110baa090319e
Opcode Fuzzy Hash: 7786d1a71e124e3bd883bd6fd3556fb56fb0522d5e9f7b0b77e0a6eb4668c5c5
Instruction Fuzzy Hash: B911AC30509744AFDB21CF24C891AE6BBE9FF05310F10859DE9AA97291DB716941DBA0

Function 00B494A7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B514BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B49296,?,?,00000034,00000800,?,00000034), ref: 00B514E6

SendMessageW.USER32(?,0000102B,?,00000000), ref: 00B49509
SendMessageW.USER32(?,0000102B,?,00000000), ref: 00B4952E

Strings

@U=u, xrefs: 00B49509, 00B4952E

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend$MemoryProcessWrite
String ID: @U=u
API String ID: 1195347164-2594219639
Opcode ID: ed40bef8a41f9a0937de6ac940cbb34c474b816d8800c079ebd1ff799f1a813a
Instruction ID: 4a363f64b6446351113418f5996a738bdcfc94afecbebd909ae3a52417d6138f
Opcode Fuzzy Hash: ed40bef8a41f9a0937de6ac940cbb34c474b816d8800c079ebd1ff799f1a813a
Instruction Fuzzy Hash: 4701DF31500219ABEB11AF54DC45FEABBB8DB14310F1041AAF915671D1DB705D95DB60

Function 00B58D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B58DAC
__fread_nolock.LIBCMT ref: 00B58DC1

Strings

EA06, xrefs: 00B58DF3

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: f298e1dd7f60bc1341b9f1d4e44324232c46ca075c51cb7c13c03f4ec5b3290a
Instruction ID: aa3d66de2f006f6dc5202b075d39698cb72aa36b8cc34f5023f1527a5aefe955
Opcode Fuzzy Hash: f298e1dd7f60bc1341b9f1d4e44324232c46ca075c51cb7c13c03f4ec5b3290a
Instruction Fuzzy Hash: BD01B972D042187EDB28DAA8C856FEEBBF8DB15311F0045EEF552D21C1E975A6488BA0

Function 00B495D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00B495FB
SendMessageW.USER32(?,0000040D,?,00000000), ref: 00B4962E

Part of subcall function 00B51487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B492C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00B514B1

Part of subcall function 00AF7BCC: _memmove.LIBCMT ref: 00AF7C06

Strings

@U=u, xrefs: 00B495FB, 00B4962E

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend$MemoryProcessRead_memmove
String ID: @U=u
API String ID: 339422723-2594219639
Opcode ID: d5d20678e692eed0d6a84831a899aa0b3347e9e162683754e9714dc922f18e10
Instruction ID: 50da919b4e8fae0238762630e006dbd73a36896b5dc6cf677dddd0c7ceaa5e9b
Opcode Fuzzy Hash: d5d20678e692eed0d6a84831a899aa0b3347e9e162683754e9714dc922f18e10
Instruction Fuzzy Hash: 90015B71800118AFDB50AE94DC81EEA77ACFB18340F8080AABA49A6150DE314E99CB90

Function 00B7C57D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF2612: GetWindowLongW.USER32(?,000000EB), ref: 00AF2623

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,00B2B93A,?,?,?), ref: 00B7C5F1

Part of subcall function 00AF25DB: GetWindowLongW.USER32(?,000000EB), ref: 00AF25EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00B7C5D7

Strings

@U=u, xrefs: 00B7C5D7

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: @U=u
API String ID: 982171247-2594219639
Opcode ID: cb4ad758e61613bd9e6881c317664cadfc59c98f5530340894761ebc30805180
Instruction ID: 91732c78ef19e5313545734ccb73682f50b9fa7b0faae46278149ddef69272d9
Opcode Fuzzy Hash: cb4ad758e61613bd9e6881c317664cadfc59c98f5530340894761ebc30805180
Instruction Fuzzy Hash: 8A01B131200204ABCB215F14CC95F7A3FE6FB99364F1441ACFA691B2E0CB72A841EB91

Function 00B4953C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B4954C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B49564

Strings

@U=u, xrefs: 00B4954C, 00B49564

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 5893c4ba74c8bd182d41b1a417fa8f3cb7f38d8bcfc52e59093bb5e52c90bbb2
Instruction ID: 78c80cea7f26593833be77b3404d717bac87127840780a24d04008281d48f73c
Opcode Fuzzy Hash: 5893c4ba74c8bd182d41b1a417fa8f3cb7f38d8bcfc52e59093bb5e52c90bbb2
Instruction Fuzzy Hash: 0DE02B3534231276F23115268C8AFD71E89DB98F61F200074B705EA1D1C9D24E81A2A0

Function 00B54F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00B54F46
_wcscmp.LIBCMT ref: 00B54F58

Strings

#32770, xrefs: 00B54F52

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 1f80151a3f24c65d2da1da9df84870a6eb376d351dbd8702b8df65909a35a633
Instruction ID: ca22159a17242c4028167eb99e2087a0ef24764197eb00957d2d00357099a1fd
Opcode Fuzzy Hash: 1f80151a3f24c65d2da1da9df84870a6eb376d351dbd8702b8df65909a35a633
Instruction Fuzzy Hash: FCE09B3290422927D72096599C49BA7F7ECEB55B61F000196FD04D3051E9609A5587D0

Function 00B2B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B2B314: _memset.LIBCMT ref: 00B2B321

Part of subcall function 00B10940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B2B2F0,?,?,?,00AF100A), ref: 00B10945

IsDebuggerPresent.KERNEL32(?,?,?,00AF100A), ref: 00B2B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00AF100A), ref: 00B2B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B2B2FE

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 2891d0592e03922998e914669e543c2011eca06a522188543fb917b89c18f7c9
Instruction ID: 2501200eca16cbbd175318a91bd82f7d08062866b2fc1421d28c73873a51b31e
Opcode Fuzzy Hash: 2891d0592e03922998e914669e543c2011eca06a522188543fb917b89c18f7c9
Instruction Fuzzy Hash: 84E06D706107118BDB20DF28E904B527BE4AF04314F008ABCE44AC7251EFB4D484CBA5

Function 00B31935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00B31775

Part of subcall function 00B6BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00B3195E,?), ref: 00B6BFFE
Part of subcall function 00B6BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00B6C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00B3196D

Strings

WIN_XPe, xrefs: 00B31788

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 4a1b04d3b901258aca58c5f56a53ec4400619e43f6a7e269c2b33304b462feb8
Instruction ID: d37746fa9b837b421dc7bcea9ba30b5d04cb0b4541336980caba775404873a99
Opcode Fuzzy Hash: 4a1b04d3b901258aca58c5f56a53ec4400619e43f6a7e269c2b33304b462feb8
Instruction Fuzzy Hash: 41F0AEB0804109DBDB15DBA9CA88AFCBBF8AB08301F6804D5E106A71A0DB759E84DF64

Function 00B75998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B759AE
PostMessageW.USER32(00000000), ref: 00B759B5

Part of subcall function 00B55244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B552BC

Strings

Shell_TrayWnd, xrefs: 00B759A7

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 83921f69c2f935243e9f1015667c287d2d88465d1a2c0de881eabccabebe72e0
Instruction ID: faa40ec3f3276e2d4ce4bf79a1f89dcf4c67296cbbd2185a1ffe2f17f6e1d6b9
Opcode Fuzzy Hash: 83921f69c2f935243e9f1015667c287d2d88465d1a2c0de881eabccabebe72e0
Instruction Fuzzy Hash: DED0C931784312BAE664BB709C1BFA66655BB15B51F000869B649AB1E0DDE0A840C758

Function 00B75964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B7596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B75981

Part of subcall function 00B55244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B552BC

Strings

Shell_TrayWnd, xrefs: 00B75967

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 22f4917178a59be2a24cdaf78423388aaa3af86e5a4379bb0d0d6ba0087f6403
Instruction ID: 23cf42e397762a558fdb4a652209fd0f0fa862dc0a3bfeb898967c7307a3fe0b
Opcode Fuzzy Hash: 22f4917178a59be2a24cdaf78423388aaa3af86e5a4379bb0d0d6ba0087f6403
Instruction Fuzzy Hash: 4CD0C931784312BAE664BB709C1BFA66A55BB10B51F000869B649AB1E0DDE0A840C758

Function 00B493DD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B493E9
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 00B493F7

Strings

@U=u, xrefs: 00B493E9, 00B493F7

Memory Dump Source

Source File: 00000000.00000002.1358776567.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1358750276.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358840145.0000000000BA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358919292.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1358953306.0000000000BB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_5n2U8ZZZbc.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 5fb48fc4da7290cffc15da4ccb81df064d021e55604803bb99ba7531f3278e99
Instruction ID: 28dbc1afd377d434af7bb8d80b8f43143526386678148c6ff8e04662e2668e8e
Opcode Fuzzy Hash: 5fb48fc4da7290cffc15da4ccb81df064d021e55604803bb99ba7531f3278e99
Instruction Fuzzy Hash: F8C00231141181BAEA211B77AC0DD973E3DE7CAF52711016CB215A60B58A654095D628

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 5n2U8ZZZbc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut579.tmp

C:\Users\user\AppData\Local\Temp\gobioid

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
5n2U8ZZZbc.exe