Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1524414
MD5:	af6318576fae069a7dfb65a405a76a67
SHA1:	6c11eba1c56fd659b19fd33adaa9f66ea939c088
SHA256:	9607cf90365ce5353cbcc5e0562bd45fdec2c3c4dc36626549b8d952dda468b8
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7708 cmdline: "C:\Users\user\Desktop\file.exe" MD5: AF6318576FAE069A7DFB65A405A76A67)

taskkill.exe (PID: 7800 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 7880 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 8092 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1952,i,17460202329421668459,1853673212435691532,262144 /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7708	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 6_2_000CEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

6_2_000CEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_000CED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

6_2_000CED6A

Source: C:\Users\user\Desktop\file.exe

6_2_000CEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_000BAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

6_2_000BAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_000E9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

6_2_000E9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_09899a42-9
Source: file.exe, 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ab629b65-4
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_da47d0d3-a
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_53fa39c0-0

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_000BD5EB: CreateFileW,DeviceIoControl,CloseHandle,

6_2_000BD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_000B1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

6_2_000B1201

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_000BE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

6_2_000BE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_000C2046	6_2_000C2046
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_00058060	6_2_00058060
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_000B8298	6_2_000B8298
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_0008E4FF	6_2_0008E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_0008676B	6_2_0008676B
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_000E4873	6_2_000E4873
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_0007CAA0	6_2_0007CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_0005CAF0	6_2_0005CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_0006CC39	6_2_0006CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_00086DD9	6_2_00086DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_0006B119	6_2_0006B119
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_000591C0	6_2_000591C0
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_00071394	6_2_00071394
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_00071706	6_2_00071706
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_0007781B	6_2_0007781B
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_00057920	6_2_00057920
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_0006997D	6_2_0006997D
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_000719B0	6_2_000719B0
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_00077A4A	6_2_00077A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_00071C77	6_2_00071C77
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_00077CA7	6_2_00077CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_000DBE44	6_2_000DBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_0006BE70	6_2_0006BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_00089EEE	6_2_00089EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_00071F32	6_2_00071F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00059CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0006F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00070A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.troj.evad.winEXE@35/14@6/5

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_000C37B5 GetLastError,FormatMessageW,

6_2_000C37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_000B10BF AdjustTokenPrivileges,CloseHandle,		6_2_000B10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_000B16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		6_2_000B16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_000C51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

6_2_000C51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_000DA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

6_2_000DA67C

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_000C648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

6_2_000C648E

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_000542A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

6_2_000542A2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1952,i,17460202329421668459,1853673212435691532,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1952,i,17460202329421668459,1853673212435691532,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Google Drive.lnk.10.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.10.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.10.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.10.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.10.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.10.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_000542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

6_2_000542DE

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_00070A76 push ecx; ret

6_2_00070A89

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_0006F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		6_2_0006F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_000E1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		6_2_000E1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_6-95563

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.8 %

Source: C:\Users\user\Desktop\file.exe TID: 7712	Thread sleep count: 122 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7712	Thread sleep count: 184 > 30			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_000BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	6_2_000BDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_0008C2A2 FindFirstFileExW,	6_2_0008C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_000C68EE FindFirstFileW,FindClose,	6_2_000C68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_000C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	6_2_000C698F
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_000BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_000BD076
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_000BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_000BD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_000C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_000C9642
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_000C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_000C979D
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_000C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	6_2_000C9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_000C5C97 FindFirstFileW,FindNextFileW,FindClose,	6_2_000C5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_000542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

6_2_000542DE

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\file.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_6-95707

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_000CEAA2 BlockInput,

6_2_000CEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_00082622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

6_2_00082622

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_000542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

6_2_000542DE

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_00074CE8 mov eax, dword ptr fs:[00000030h]

6_2_00074CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_000B0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

6_2_000B0B62

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_00082622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00082622
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_0007083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0007083F
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_000709D5 SetUnhandledExceptionFilter,	6_2_000709D5
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_00070C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00070C21

Source: C:\Users\user\Desktop\file.exe

6_2_000B1201

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_00092BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

6_2_00092BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_0006F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

6_2_0006F98E

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_000D22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

6_2_000D22DA

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

6_2_000B0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_000B1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

6_2_000B1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_00070698 cpuid

6_2_00070698

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_000C8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

6_2_000C8195

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_000AD27A GetUserNameW,

6_2_000AD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_0008B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

6_2_0008B952

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_000542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

6_2_000542DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7708, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7708, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_000D1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		6_2_000D1204
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_000D1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		6_2_000D1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 Masquerading	LSA Secrets	22 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	18%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	142.250.186.142	true	false	unknown
www.google.com	142.250.184.228	true	false	unknown
youtube.com	216.58.206.46	true	false	unknown
www.youtube.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.google.com/favicon.ico	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://apis.google.com/js/api.js	chromecache_94.12.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_94.12.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
216.58.206.46	youtube.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.186.142	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
142.250.184.228	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.10

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524414
Start date and time:	2024-10-02 19:04:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@35/14@6/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 45 Number of non-executed functions: 306
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.67, 142.250.185.142, 142.251.168.84, 34.104.35.123, 142.250.186.42, 142.250.185.170, 172.217.18.106, 216.58.206.74, 142.250.74.202, 142.250.185.74, 142.250.186.138, 142.250.185.138, 172.217.23.106, 142.250.186.74, 142.250.185.106, 172.217.16.202, 172.217.16.138, 216.58.206.42, 172.217.18.10, 142.250.186.106, 172.217.18.3, 142.250.184.195, 216.58.212.138, 216.58.212.170, 199.232.210.172, 142.250.181.227, 142.250.186.174
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	27987136e29b3032ad40982c8b7c2e168112c9601e08da806119dcba615524b5.html	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	27987136e29b3032ad40982c8b7c2e168112c9601e08da806119dcba615524b5.html	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	New_Statement-8723107.js	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 16:05:15 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9911203334878254
Encrypted:	false
SSDEEP:	48:8IMbdaVTTkJH5idAKZdA1uehwiZUklqeh+y+3:8I10q9y
MD5:	847748E73F221B7D12FB4D9680694057
SHA1:	A833BF66219E5ECC8834023FA5167A58BEE4E264
SHA-256:	12DC9275AACE799C35358C1773AA8A60BED0FB37F87580A2249B661B2533F1D9
SHA-512:	D2C479D2592F1E738517E9D824F1A264F16BA9231B8251800E82944A88043F361A11F03ED99FFC43DE157D67A0B812D8D3BE37105F9DE86BCAC8ABCBE97B72F0
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......0@........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.IBY......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY......L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.VBY......M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.VBY.............................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VBY......N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........I.]......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 16:05:15 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.008238356483973
Encrypted:	false
SSDEEP:	48:8d3QMbdaVTTkJH5idAKZdA1Heh/iZUkAQkqehty+2:8dg1009QAy
MD5:	B34C4F9E9059884E26D4985EE99F93E8
SHA1:	60C58A8EEAD79ABA73A82B100C5AD38ED6EC4DD0
SHA-256:	DD4BBFEEE807E73D83107B285FB1CB2AC7AAF2B95A5169CDA4090C3FC196E268
SHA-512:	3F8553771560179CB869C46211FCD5CF13F8D605A1A9250E05EFCB7FF20FED68F76C34D93023DED12DE2E9A7B6B52BD08FACEB77B5DE1BE9B12A868111CA06A9
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....U.&@........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.IBY......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY......L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.VBY......M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.VBY.............................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VBY......N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........I.]......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 5 08:59:33 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.016483821997974
Encrypted:	false
SSDEEP:	48:8FMbdaVTTkbH5idAKZdA149eh7sFiZUkmgqeh7sHy+BX:8F10mnBy
MD5:	1AF0034ED3890498C5F301433EEBD6D8
SHA1:	F29D3D59219073E47C25B0B20FD9C4D845DB6F49
SHA-256:	79705A60E76CBDC360FEF45D6B17257CBFBD05541F8B4A6DDCC2EF0742C7F71A
SHA-512:	77E790D7BDEA0E575284C63F05985A0C2700F4259ACEEDB715285A0EE964BB6E51804FAFA5B70390453E4FF9DB2590D309E8714ECF04C4B4E07F83471C09EBEC
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....K..r.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.IBY......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY......L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.VBY......M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.VBY.............................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VEW.L....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........I.]......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 16:05:15 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	4.004429462063221
Encrypted:	false
SSDEEP:	48:8mMbdaVTTkJH5idAKZdA14ehDiZUkwqehZy+R:8m10vfy
MD5:	EEB9E45ED77D3DAE0CAAEF3321A360B8
SHA1:	AD76329ACA419B2D9152609E02CBC687DD0BC212
SHA-256:	791639657B0F037CCBC9A5F284EA07F3BC9FADEDE83898D7E9CCB76A5B172808
SHA-512:	DCFA288DF9209ED1B0BC35D678C862CBB103A41616AA64074C6A536ED286DD54C9044331BC36C21D271A600E6B4A7CEE57AA5E477F990961B5E040016ED0FBCE
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....E`.@........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.IBY......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY......L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.VBY......M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.VBY.............................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VBY......N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........I.]......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 16:05:15 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9935894366740503
Encrypted:	false
SSDEEP:	48:86MbdaVTTkJH5idAKZdA1mehBiZUk1W1qehLy+C:8610/9ry
MD5:	13C02C679CB1A10DFB390969898ECBBC
SHA1:	3A808ACC01F712887775973896AF260C478F334D
SHA-256:	F1C5FBEFF11ABBC74B35CB73681422906429C1E7D58DB6BD10E874D60FAFF51D
SHA-512:	ADDD8EA932829BBE9BB6087B2FBC5C5B4E3CF86EE0C850F3CC3E7C7F90AA306C54492D2700B1B9ECE43B76144300DF8DD41C686E4DFBC43A0271C4A00DE0F5C7
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....L+@........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.IBY......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY......L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.VBY......M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.VBY.............................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VBY......N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........I.]......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 16:05:15 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.003491988596631
Encrypted:	false
SSDEEP:	48:85XMbdaVTTkJH5idAKZdA1duT1ehOuTbbiZUk5OjqehOuTbBy+yT+:85X10eTyTbxWOvTbBy7T
MD5:	F2B6CFB8C74E66DC21B1CD81971B81CF
SHA1:	08B54A318C04B47F38A48F4067FF6324902EFAC0
SHA-256:	2F3847C8F34436FA7DEE075F9AD5064229FE238A025AD4EDD463DBEF4AEC2C29
SHA-512:	846FD4E735CFCA0AEAEB006438B0BEC97B11A395FFED69A4F8DF5755E80B3C2E324B1618408500E6697B95E31D79220E0B48C76814BB8ED9279C72A580875BB4
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....H9.@........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.IBY......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY......L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.VBY......M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.VBY.............................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VBY......N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........I.]......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 91

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xNDkSHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 92

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 93

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 94

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	730420
Entropy (8bit):	5.789286883995489
Encrypted:	false
SSDEEP:	6144:YVXWBQkPdzg5pTX1ROv/duPzd8C3s891/n:Nfd8j91/n
MD5:	357718969443B75B5F34BC9FC66406DC
SHA1:	9F2CDD892D13E376E931E3311E0B9F19118EC08D
SHA-256:	0E4E57D426BC17E03C7C2EF1481CD0114BE028FAB97C78510449CF858FCEFDBE
SHA-512:	968E272710B6D29C803ABFAB89CA5642710BC72F16D01AB6015E09764F7E5817EFE1BF70347328C1CE93E34E7DFA1C8C5F26C316E1854C8ED4E1CD4CBF916469
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlE6O04h0gj7Nu50q-nmaRKM6WWcJw/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x2046d860, 0x39e13c40, 0x14501e80, 0xe420, 0x0, 0x1a000000, 0x1d000003, 0xc, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Ma,Sa,gaa,iaa,jb,qaa,waa,Caa,Haa,Kaa,Jb,Laa,Ob,Qb,Rb,Maa,Naa,Sb,Oaa,Paa,Qaa,Yb,Vaa,Xaa,ec,fc,gc,bba,cba,gba,jba,lba,mba,qba,tba,nba,sba,rba,pba,oba,uba,yba,Cba,Dba,Aba,Hc,Ic,Gba,Iba,Mba,Nba,Oba,Pba,Lba,Qba,Sba,dd,Uba,Vba,Xba,Zba,Yba,aca,bca,cca,dca,fca,eca,hca,ica,jca,kca,nca,

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.582342144287593
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	918'528 bytes
MD5:	af6318576fae069a7dfb65a405a76a67
SHA1:	6c11eba1c56fd659b19fd33adaa9f66ea939c088
SHA256:	9607cf90365ce5353cbcc5e0562bd45fdec2c3c4dc36626549b8d952dda468b8
SHA512:	e11be0b44beb7590f9d59eab8f0c2e8f303e37b0be2a8c4d1f96332b4b1e91b71a3dccfe2e96bebd93c797622d056d11e26df221849e8806b565a2f798448dba
SSDEEP:	12288:QqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga2Tr:QqDEvCTbMWu7rQYlBQcBiT6rprG8aOr
TLSH:	37159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FD761B [Wed Oct 2 16:34:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F9954D654B3h
jmp 00007F9954D64DBFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F9954D64F9Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F9954D64F6Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F9954D67B5Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F9954D67BA8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F9954D67B91h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x991c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x991c	0x9a00	2bf80a72855824b327f174746abaec62	False	0.3026582792207792	data	5.279976954155754	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xbe2	data			1.0036160420775806
RT_GROUP_ICON	0xdd39c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd414	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd428	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd43c	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd450	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd52c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 19:05:03.490725040 CEST	49671	443	192.168.2.10	204.79.197.203
Oct 2, 2024 19:05:04.506409883 CEST	49674	443	192.168.2.10	173.222.162.55
Oct 2, 2024 19:05:04.509702921 CEST	49675	443	192.168.2.10	173.222.162.55
Oct 2, 2024 19:05:07.225641012 CEST	49677	443	192.168.2.10	20.42.65.85
Oct 2, 2024 19:05:07.537575006 CEST	49677	443	192.168.2.10	20.42.65.85
Oct 2, 2024 19:05:08.146905899 CEST	49677	443	192.168.2.10	20.42.65.85
Oct 2, 2024 19:05:08.303265095 CEST	49671	443	192.168.2.10	204.79.197.203
Oct 2, 2024 19:05:09.355808973 CEST	49677	443	192.168.2.10	20.42.65.85
Oct 2, 2024 19:05:11.757834911 CEST	49677	443	192.168.2.10	20.42.65.85
Oct 2, 2024 19:05:13.393647909 CEST	49707	443	192.168.2.10	216.58.206.46
Oct 2, 2024 19:05:13.393682957 CEST	443	49707	216.58.206.46	192.168.2.10
Oct 2, 2024 19:05:13.393769026 CEST	49707	443	192.168.2.10	216.58.206.46
Oct 2, 2024 19:05:13.394443035 CEST	49707	443	192.168.2.10	216.58.206.46
Oct 2, 2024 19:05:13.394457102 CEST	443	49707	216.58.206.46	192.168.2.10
Oct 2, 2024 19:05:14.051536083 CEST	443	49707	216.58.206.46	192.168.2.10
Oct 2, 2024 19:05:14.052104950 CEST	49707	443	192.168.2.10	216.58.206.46
Oct 2, 2024 19:05:14.052131891 CEST	443	49707	216.58.206.46	192.168.2.10
Oct 2, 2024 19:05:14.052536964 CEST	443	49707	216.58.206.46	192.168.2.10
Oct 2, 2024 19:05:14.052664995 CEST	49707	443	192.168.2.10	216.58.206.46
Oct 2, 2024 19:05:14.053236961 CEST	443	49707	216.58.206.46	192.168.2.10
Oct 2, 2024 19:05:14.053297043 CEST	49707	443	192.168.2.10	216.58.206.46
Oct 2, 2024 19:05:14.054279089 CEST	49707	443	192.168.2.10	216.58.206.46
Oct 2, 2024 19:05:14.054346085 CEST	443	49707	216.58.206.46	192.168.2.10
Oct 2, 2024 19:05:14.054480076 CEST	49707	443	192.168.2.10	216.58.206.46
Oct 2, 2024 19:05:14.098747015 CEST	49707	443	192.168.2.10	216.58.206.46
Oct 2, 2024 19:05:14.098772049 CEST	443	49707	216.58.206.46	192.168.2.10
Oct 2, 2024 19:05:14.114381075 CEST	49674	443	192.168.2.10	173.222.162.55
Oct 2, 2024 19:05:14.114396095 CEST	49675	443	192.168.2.10	173.222.162.55
Oct 2, 2024 19:05:14.148507118 CEST	49707	443	192.168.2.10	216.58.206.46
Oct 2, 2024 19:05:14.341264963 CEST	443	49707	216.58.206.46	192.168.2.10
Oct 2, 2024 19:05:14.341350079 CEST	443	49707	216.58.206.46	192.168.2.10
Oct 2, 2024 19:05:14.341355085 CEST	49707	443	192.168.2.10	216.58.206.46
Oct 2, 2024 19:05:14.341406107 CEST	49707	443	192.168.2.10	216.58.206.46
Oct 2, 2024 19:05:14.342371941 CEST	49707	443	192.168.2.10	216.58.206.46
Oct 2, 2024 19:05:14.342391968 CEST	443	49707	216.58.206.46	192.168.2.10
Oct 2, 2024 19:05:14.352659941 CEST	49712	443	192.168.2.10	142.250.186.142
Oct 2, 2024 19:05:14.352679968 CEST	443	49712	142.250.186.142	192.168.2.10
Oct 2, 2024 19:05:14.352822065 CEST	49712	443	192.168.2.10	142.250.186.142
Oct 2, 2024 19:05:14.353764057 CEST	49712	443	192.168.2.10	142.250.186.142
Oct 2, 2024 19:05:14.353775024 CEST	443	49712	142.250.186.142	192.168.2.10
Oct 2, 2024 19:05:15.002315998 CEST	443	49712	142.250.186.142	192.168.2.10
Oct 2, 2024 19:05:15.002639055 CEST	49712	443	192.168.2.10	142.250.186.142
Oct 2, 2024 19:05:15.002650023 CEST	443	49712	142.250.186.142	192.168.2.10
Oct 2, 2024 19:05:15.003048897 CEST	443	49712	142.250.186.142	192.168.2.10
Oct 2, 2024 19:05:15.003117085 CEST	49712	443	192.168.2.10	142.250.186.142
Oct 2, 2024 19:05:15.003740072 CEST	443	49712	142.250.186.142	192.168.2.10
Oct 2, 2024 19:05:15.003786087 CEST	49712	443	192.168.2.10	142.250.186.142
Oct 2, 2024 19:05:15.004935980 CEST	49712	443	192.168.2.10	142.250.186.142
Oct 2, 2024 19:05:15.005017996 CEST	443	49712	142.250.186.142	192.168.2.10
Oct 2, 2024 19:05:15.005105019 CEST	49712	443	192.168.2.10	142.250.186.142
Oct 2, 2024 19:05:15.005120039 CEST	443	49712	142.250.186.142	192.168.2.10
Oct 2, 2024 19:05:15.051882982 CEST	49712	443	192.168.2.10	142.250.186.142
Oct 2, 2024 19:05:15.307104111 CEST	443	49712	142.250.186.142	192.168.2.10
Oct 2, 2024 19:05:15.307128906 CEST	443	49712	142.250.186.142	192.168.2.10
Oct 2, 2024 19:05:15.307193995 CEST	443	49712	142.250.186.142	192.168.2.10
Oct 2, 2024 19:05:15.307215929 CEST	49712	443	192.168.2.10	142.250.186.142
Oct 2, 2024 19:05:15.307320118 CEST	49712	443	192.168.2.10	142.250.186.142
Oct 2, 2024 19:05:15.309659958 CEST	49712	443	192.168.2.10	142.250.186.142
Oct 2, 2024 19:05:15.309684038 CEST	443	49712	142.250.186.142	192.168.2.10
Oct 2, 2024 19:05:16.570570946 CEST	49677	443	192.168.2.10	20.42.65.85
Oct 2, 2024 19:05:17.050628901 CEST	49716	443	192.168.2.10	142.250.184.228
Oct 2, 2024 19:05:17.050699949 CEST	443	49716	142.250.184.228	192.168.2.10
Oct 2, 2024 19:05:17.051429033 CEST	49716	443	192.168.2.10	142.250.184.228
Oct 2, 2024 19:05:17.051578045 CEST	49716	443	192.168.2.10	142.250.184.228
Oct 2, 2024 19:05:17.051597118 CEST	443	49716	142.250.184.228	192.168.2.10
Oct 2, 2024 19:05:17.912086010 CEST	49671	443	192.168.2.10	204.79.197.203
Oct 2, 2024 19:05:18.513859034 CEST	443	49716	142.250.184.228	192.168.2.10
Oct 2, 2024 19:05:18.514697075 CEST	49716	443	192.168.2.10	142.250.184.228
Oct 2, 2024 19:05:18.514728069 CEST	443	49716	142.250.184.228	192.168.2.10
Oct 2, 2024 19:05:18.515845060 CEST	443	49716	142.250.184.228	192.168.2.10
Oct 2, 2024 19:05:18.515911102 CEST	49716	443	192.168.2.10	142.250.184.228
Oct 2, 2024 19:05:18.516999006 CEST	49716	443	192.168.2.10	142.250.184.228
Oct 2, 2024 19:05:18.517077923 CEST	443	49716	142.250.184.228	192.168.2.10
Oct 2, 2024 19:05:18.517801046 CEST	49720	443	192.168.2.10	184.28.90.27
Oct 2, 2024 19:05:18.517822027 CEST	443	49720	184.28.90.27	192.168.2.10
Oct 2, 2024 19:05:18.517895937 CEST	49720	443	192.168.2.10	184.28.90.27
Oct 2, 2024 19:05:18.519828081 CEST	49720	443	192.168.2.10	184.28.90.27
Oct 2, 2024 19:05:18.519850016 CEST	443	49720	184.28.90.27	192.168.2.10
Oct 2, 2024 19:05:18.568224907 CEST	49716	443	192.168.2.10	142.250.184.228
Oct 2, 2024 19:05:18.568255901 CEST	443	49716	142.250.184.228	192.168.2.10
Oct 2, 2024 19:05:18.615065098 CEST	49716	443	192.168.2.10	142.250.184.228
Oct 2, 2024 19:05:19.186304092 CEST	443	49720	184.28.90.27	192.168.2.10
Oct 2, 2024 19:05:19.186366081 CEST	49720	443	192.168.2.10	184.28.90.27
Oct 2, 2024 19:05:19.190854073 CEST	49720	443	192.168.2.10	184.28.90.27
Oct 2, 2024 19:05:19.190862894 CEST	443	49720	184.28.90.27	192.168.2.10
Oct 2, 2024 19:05:19.191150904 CEST	443	49720	184.28.90.27	192.168.2.10
Oct 2, 2024 19:05:19.231661081 CEST	49720	443	192.168.2.10	184.28.90.27
Oct 2, 2024 19:05:19.279397964 CEST	443	49720	184.28.90.27	192.168.2.10
Oct 2, 2024 19:05:20.514744997 CEST	443	49720	184.28.90.27	192.168.2.10
Oct 2, 2024 19:05:20.514839888 CEST	443	49720	184.28.90.27	192.168.2.10
Oct 2, 2024 19:05:20.515003920 CEST	49720	443	192.168.2.10	184.28.90.27
Oct 2, 2024 19:05:20.515335083 CEST	49720	443	192.168.2.10	184.28.90.27
Oct 2, 2024 19:05:20.515355110 CEST	443	49720	184.28.90.27	192.168.2.10
Oct 2, 2024 19:05:20.515412092 CEST	49720	443	192.168.2.10	184.28.90.27
Oct 2, 2024 19:05:20.515418053 CEST	443	49720	184.28.90.27	192.168.2.10
Oct 2, 2024 19:05:20.567405939 CEST	49723	443	192.168.2.10	184.28.90.27
Oct 2, 2024 19:05:20.567440033 CEST	443	49723	184.28.90.27	192.168.2.10
Oct 2, 2024 19:05:20.567918062 CEST	49723	443	192.168.2.10	184.28.90.27
Oct 2, 2024 19:05:20.567918062 CEST	49723	443	192.168.2.10	184.28.90.27
Oct 2, 2024 19:05:20.567948103 CEST	443	49723	184.28.90.27	192.168.2.10
Oct 2, 2024 19:05:21.864634991 CEST	443	49723	184.28.90.27	192.168.2.10
Oct 2, 2024 19:05:21.864706993 CEST	49723	443	192.168.2.10	184.28.90.27
Oct 2, 2024 19:05:21.895095110 CEST	49723	443	192.168.2.10	184.28.90.27
Oct 2, 2024 19:05:21.895127058 CEST	443	49723	184.28.90.27	192.168.2.10
Oct 2, 2024 19:05:21.895489931 CEST	443	49723	184.28.90.27	192.168.2.10
Oct 2, 2024 19:05:21.899293900 CEST	49723	443	192.168.2.10	184.28.90.27
Oct 2, 2024 19:05:21.943401098 CEST	443	49723	184.28.90.27	192.168.2.10
Oct 2, 2024 19:05:22.142644882 CEST	443	49723	184.28.90.27	192.168.2.10
Oct 2, 2024 19:05:22.142716885 CEST	443	49723	184.28.90.27	192.168.2.10
Oct 2, 2024 19:05:22.142801046 CEST	49723	443	192.168.2.10	184.28.90.27
Oct 2, 2024 19:05:22.143829107 CEST	49723	443	192.168.2.10	184.28.90.27
Oct 2, 2024 19:05:22.143847942 CEST	443	49723	184.28.90.27	192.168.2.10
Oct 2, 2024 19:05:22.143866062 CEST	49723	443	192.168.2.10	184.28.90.27
Oct 2, 2024 19:05:22.143872023 CEST	443	49723	184.28.90.27	192.168.2.10
Oct 2, 2024 19:05:23.060165882 CEST	49716	443	192.168.2.10	142.250.184.228
Oct 2, 2024 19:05:23.107402086 CEST	443	49716	142.250.184.228	192.168.2.10
Oct 2, 2024 19:05:23.327588081 CEST	443	49716	142.250.184.228	192.168.2.10
Oct 2, 2024 19:05:23.327631950 CEST	443	49716	142.250.184.228	192.168.2.10
Oct 2, 2024 19:05:23.327845097 CEST	49716	443	192.168.2.10	142.250.184.228
Oct 2, 2024 19:05:23.327922106 CEST	443	49716	142.250.184.228	192.168.2.10
Oct 2, 2024 19:05:23.339848995 CEST	443	49716	142.250.184.228	192.168.2.10
Oct 2, 2024 19:05:23.339873075 CEST	443	49716	142.250.184.228	192.168.2.10
Oct 2, 2024 19:05:23.340044975 CEST	49716	443	192.168.2.10	142.250.184.228
Oct 2, 2024 19:05:23.340128899 CEST	443	49716	142.250.184.228	192.168.2.10
Oct 2, 2024 19:05:23.340312004 CEST	49716	443	192.168.2.10	142.250.184.228
Oct 2, 2024 19:05:23.340329885 CEST	443	49716	142.250.184.228	192.168.2.10
Oct 2, 2024 19:05:23.340353966 CEST	443	49716	142.250.184.228	192.168.2.10
Oct 2, 2024 19:05:23.340414047 CEST	49716	443	192.168.2.10	142.250.184.228
Oct 2, 2024 19:05:23.340970993 CEST	49716	443	192.168.2.10	142.250.184.228
Oct 2, 2024 19:05:23.341005087 CEST	443	49716	142.250.184.228	192.168.2.10
Oct 2, 2024 19:05:24.707427025 CEST	49729	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:05:24.707463026 CEST	443	49729	20.114.59.183	192.168.2.10
Oct 2, 2024 19:05:24.709062099 CEST	49729	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:05:24.710030079 CEST	49729	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:05:24.710046053 CEST	443	49729	20.114.59.183	192.168.2.10
Oct 2, 2024 19:05:25.526791096 CEST	443	49729	20.114.59.183	192.168.2.10
Oct 2, 2024 19:05:25.526854992 CEST	49729	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:05:25.529361010 CEST	49729	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:05:25.529372931 CEST	443	49729	20.114.59.183	192.168.2.10
Oct 2, 2024 19:05:25.529628992 CEST	443	49729	20.114.59.183	192.168.2.10
Oct 2, 2024 19:05:25.583220005 CEST	49729	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:05:26.119395971 CEST	49729	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:05:26.167397976 CEST	443	49729	20.114.59.183	192.168.2.10
Oct 2, 2024 19:05:26.177654982 CEST	49677	443	192.168.2.10	20.42.65.85
Oct 2, 2024 19:05:26.385915041 CEST	443	49729	20.114.59.183	192.168.2.10
Oct 2, 2024 19:05:26.385941982 CEST	443	49729	20.114.59.183	192.168.2.10
Oct 2, 2024 19:05:26.385950089 CEST	443	49729	20.114.59.183	192.168.2.10
Oct 2, 2024 19:05:26.385965109 CEST	443	49729	20.114.59.183	192.168.2.10
Oct 2, 2024 19:05:26.385972023 CEST	443	49729	20.114.59.183	192.168.2.10
Oct 2, 2024 19:05:26.385977030 CEST	443	49729	20.114.59.183	192.168.2.10
Oct 2, 2024 19:05:26.385996103 CEST	49729	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:05:26.386018038 CEST	443	49729	20.114.59.183	192.168.2.10
Oct 2, 2024 19:05:26.386035919 CEST	49729	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:05:26.386070967 CEST	49729	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:05:26.386641979 CEST	443	49729	20.114.59.183	192.168.2.10
Oct 2, 2024 19:05:26.386714935 CEST	49729	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:05:26.386725903 CEST	443	49729	20.114.59.183	192.168.2.10
Oct 2, 2024 19:05:26.386940956 CEST	443	49729	20.114.59.183	192.168.2.10
Oct 2, 2024 19:05:26.386998892 CEST	49729	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:05:26.871490955 CEST	49729	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:05:26.871514082 CEST	443	49729	20.114.59.183	192.168.2.10
Oct 2, 2024 19:05:26.871540070 CEST	49729	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:05:26.871546030 CEST	443	49729	20.114.59.183	192.168.2.10
Oct 2, 2024 19:06:03.360691071 CEST	49738	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:06:03.360766888 CEST	443	49738	20.114.59.183	192.168.2.10
Oct 2, 2024 19:06:03.360841990 CEST	49738	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:06:03.361248970 CEST	49738	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:06:03.361275911 CEST	443	49738	20.114.59.183	192.168.2.10
Oct 2, 2024 19:06:04.214385986 CEST	443	49738	20.114.59.183	192.168.2.10
Oct 2, 2024 19:06:04.214497089 CEST	49738	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:06:04.217302084 CEST	49738	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:06:04.217350960 CEST	443	49738	20.114.59.183	192.168.2.10
Oct 2, 2024 19:06:04.217684984 CEST	443	49738	20.114.59.183	192.168.2.10
Oct 2, 2024 19:06:04.223360062 CEST	49738	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:06:04.271414042 CEST	443	49738	20.114.59.183	192.168.2.10
Oct 2, 2024 19:06:04.545075893 CEST	443	49738	20.114.59.183	192.168.2.10
Oct 2, 2024 19:06:04.545130968 CEST	443	49738	20.114.59.183	192.168.2.10
Oct 2, 2024 19:06:04.545172930 CEST	443	49738	20.114.59.183	192.168.2.10
Oct 2, 2024 19:06:04.545300961 CEST	49738	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:06:04.545355082 CEST	443	49738	20.114.59.183	192.168.2.10
Oct 2, 2024 19:06:04.545380116 CEST	443	49738	20.114.59.183	192.168.2.10
Oct 2, 2024 19:06:04.545418024 CEST	49738	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:06:04.545419931 CEST	443	49738	20.114.59.183	192.168.2.10
Oct 2, 2024 19:06:04.545437098 CEST	49738	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:06:04.545449972 CEST	443	49738	20.114.59.183	192.168.2.10
Oct 2, 2024 19:06:04.545476913 CEST	49738	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:06:04.545491934 CEST	49738	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:06:04.545536041 CEST	443	49738	20.114.59.183	192.168.2.10
Oct 2, 2024 19:06:04.545660973 CEST	443	49738	20.114.59.183	192.168.2.10
Oct 2, 2024 19:06:04.545708895 CEST	49738	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:06:04.547785997 CEST	49738	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:06:04.547832012 CEST	443	49738	20.114.59.183	192.168.2.10
Oct 2, 2024 19:06:04.547849894 CEST	49738	443	192.168.2.10	20.114.59.183
Oct 2, 2024 19:06:04.547858000 CEST	443	49738	20.114.59.183	192.168.2.10
Oct 2, 2024 19:06:17.101136923 CEST	49740	443	192.168.2.10	142.250.184.228
Oct 2, 2024 19:06:17.101193905 CEST	443	49740	142.250.184.228	192.168.2.10
Oct 2, 2024 19:06:17.101387024 CEST	49740	443	192.168.2.10	142.250.184.228
Oct 2, 2024 19:06:17.101526022 CEST	49740	443	192.168.2.10	142.250.184.228
Oct 2, 2024 19:06:17.101536989 CEST	443	49740	142.250.184.228	192.168.2.10
Oct 2, 2024 19:06:17.786577940 CEST	443	49740	142.250.184.228	192.168.2.10
Oct 2, 2024 19:06:17.786993027 CEST	49740	443	192.168.2.10	142.250.184.228
Oct 2, 2024 19:06:17.787043095 CEST	443	49740	142.250.184.228	192.168.2.10
Oct 2, 2024 19:06:17.788184881 CEST	443	49740	142.250.184.228	192.168.2.10
Oct 2, 2024 19:06:17.788592100 CEST	49740	443	192.168.2.10	142.250.184.228
Oct 2, 2024 19:06:17.788788080 CEST	443	49740	142.250.184.228	192.168.2.10
Oct 2, 2024 19:06:17.834346056 CEST	49740	443	192.168.2.10	142.250.184.228
Oct 2, 2024 19:06:27.685813904 CEST	443	49740	142.250.184.228	192.168.2.10
Oct 2, 2024 19:06:27.685892105 CEST	443	49740	142.250.184.228	192.168.2.10
Oct 2, 2024 19:06:27.686024904 CEST	49740	443	192.168.2.10	142.250.184.228
Oct 2, 2024 19:06:40.466950893 CEST	49740	443	192.168.2.10	142.250.184.228
Oct 2, 2024 19:06:40.466998100 CEST	443	49740	142.250.184.228	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 19:05:13.333065987 CEST	53	49441	1.1.1.1	192.168.2.10
Oct 2, 2024 19:05:13.386018991 CEST	49701	53	192.168.2.10	1.1.1.1
Oct 2, 2024 19:05:13.386166096 CEST	52074	53	192.168.2.10	1.1.1.1
Oct 2, 2024 19:05:13.393028021 CEST	53	49701	1.1.1.1	192.168.2.10
Oct 2, 2024 19:05:13.393101931 CEST	53	52074	1.1.1.1	192.168.2.10
Oct 2, 2024 19:05:13.393544912 CEST	53	59548	1.1.1.1	192.168.2.10
Oct 2, 2024 19:05:14.344871998 CEST	63405	53	192.168.2.10	1.1.1.1
Oct 2, 2024 19:05:14.345012903 CEST	51592	53	192.168.2.10	1.1.1.1
Oct 2, 2024 19:05:14.351617098 CEST	53	63405	1.1.1.1	192.168.2.10
Oct 2, 2024 19:05:14.352127075 CEST	53	51592	1.1.1.1	192.168.2.10
Oct 2, 2024 19:05:14.360924006 CEST	53	51904	1.1.1.1	192.168.2.10
Oct 2, 2024 19:05:17.042860031 CEST	56501	53	192.168.2.10	1.1.1.1
Oct 2, 2024 19:05:17.042860031 CEST	65139	53	192.168.2.10	1.1.1.1
Oct 2, 2024 19:05:17.049797058 CEST	53	56501	1.1.1.1	192.168.2.10
Oct 2, 2024 19:05:17.049993038 CEST	53	65139	1.1.1.1	192.168.2.10
Oct 2, 2024 19:05:18.513381004 CEST	53	65121	1.1.1.1	192.168.2.10
Oct 2, 2024 19:05:21.966259956 CEST	53	50452	1.1.1.1	192.168.2.10
Oct 2, 2024 19:05:31.468395948 CEST	53	52110	1.1.1.1	192.168.2.10
Oct 2, 2024 19:05:50.561278105 CEST	53	59160	1.1.1.1	192.168.2.10
Oct 2, 2024 19:06:06.317084074 CEST	138	138	192.168.2.10	192.168.2.255
Oct 2, 2024 19:06:12.375422955 CEST	53	54186	1.1.1.1	192.168.2.10
Oct 2, 2024 19:06:13.275652885 CEST	53	59114	1.1.1.1	192.168.2.10
Oct 2, 2024 19:06:40.474180937 CEST	53	51369	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 19:05:13.386018991 CEST	192.168.2.10	1.1.1.1	0x7b1f	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:13.386166096 CEST	192.168.2.10	1.1.1.1	0x4e48	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 2, 2024 19:05:14.344871998 CEST	192.168.2.10	1.1.1.1	0x507d	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:14.345012903 CEST	192.168.2.10	1.1.1.1	0x5fda	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 19:05:17.042860031 CEST	192.168.2.10	1.1.1.1	0xd71b	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:17.042860031 CEST	192.168.2.10	1.1.1.1	0xd946	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 19:05:13.393028021 CEST	1.1.1.1	192.168.2.10	0x7b1f	No error (0)	youtube.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:13.393101931 CEST	1.1.1.1	192.168.2.10	0x4e48	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 2, 2024 19:05:14.351617098 CEST	1.1.1.1	192.168.2.10	0x507d	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:05:14.351617098 CEST	1.1.1.1	192.168.2.10	0x507d	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:14.351617098 CEST	1.1.1.1	192.168.2.10	0x507d	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:14.351617098 CEST	1.1.1.1	192.168.2.10	0x507d	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:14.351617098 CEST	1.1.1.1	192.168.2.10	0x507d	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:14.351617098 CEST	1.1.1.1	192.168.2.10	0x507d	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:14.351617098 CEST	1.1.1.1	192.168.2.10	0x507d	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:14.351617098 CEST	1.1.1.1	192.168.2.10	0x507d	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:14.351617098 CEST	1.1.1.1	192.168.2.10	0x507d	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:14.351617098 CEST	1.1.1.1	192.168.2.10	0x507d	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:14.351617098 CEST	1.1.1.1	192.168.2.10	0x507d	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:14.351617098 CEST	1.1.1.1	192.168.2.10	0x507d	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:14.351617098 CEST	1.1.1.1	192.168.2.10	0x507d	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:14.351617098 CEST	1.1.1.1	192.168.2.10	0x507d	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:14.351617098 CEST	1.1.1.1	192.168.2.10	0x507d	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:14.351617098 CEST	1.1.1.1	192.168.2.10	0x507d	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:14.351617098 CEST	1.1.1.1	192.168.2.10	0x507d	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:14.352127075 CEST	1.1.1.1	192.168.2.10	0x5fda	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:05:14.352127075 CEST	1.1.1.1	192.168.2.10	0x5fda	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 2, 2024 19:05:17.049797058 CEST	1.1.1.1	192.168.2.10	0xd71b	No error (0)	www.google.com		142.250.184.228	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:17.049993038 CEST	1.1.1.1	192.168.2.10	0xd946	No error (0)	www.google.com			65	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

www.youtube.com

fs.microsoft.com

https:

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49707	216.58.206.46	443	8092	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:05:14 UTC	847	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIlKHLAQiFoM0BCNy9zQEIucrNAQi/0M0BCMbRzQEIutTNAQjK1s0BCKfYzQEI+cDUFRjymM0BGLnSzQEY642lFw== Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:05:14 UTC	1704	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Wed, 02 Oct 2024 17:05:14 GMT Date: Wed, 02 Oct 2024 17:05:14 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Frame-Options: SAMEORIGIN Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Content-Security-Policy: require-trusted-types-for 'script' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49712	142.250.186.142	443	8092	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:05:15 UTC	865	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIlKHLAQiFoM0BCNy9zQEIucrNAQi/0M0BCMbRzQEIutTNAQjK1s0BCKfYzQEI+cDUFRjymM0BGLnSzQEY642lFw== Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:05:15 UTC	2634	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 17:05:15 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000 Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Content-Security-Policy: require-trusted-types-for 'script' P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Wed, 02-Oct-2024 17:35:15 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=-6D1zDGpdA4; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_INFO1_LIVE=ESFhup0NA2s; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 17:05:15 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgYg%3D%3D; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 17:05:15 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49720	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:05:19 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 17:05:20 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=85231 Date: Wed, 02 Oct 2024 17:05:19 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49723	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:05:21 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 17:05:22 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=85172 Date: Wed, 02 Oct 2024 17:05:22 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-02 17:05:22 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49716	142.250.184.228	443	8092	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:05:23 UTC	1013	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.149" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.149", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.149" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIlKHLAQiFoM0BCNy9zQEIucrNAQi/0M0BCMbRzQEIutTNAQjK1s0BCKfYzQEI+cDUFRjymM0BGLnSzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:05:23 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Wed, 02 Oct 2024 15:37:10 GMT Expires: Thu, 10 Oct 2024 15:37:10 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 5293 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-02 17:05:23 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-02 17:05:23 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-10-02 17:05:23 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-02 17:05:23 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-10-02 17:05:23 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49729	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:05:26 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=GVna8EtnwkDwSKO&MD=6LkcCrH8 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 17:05:26 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: f868ac6e-32b0-40fc-8619-58d068425e29 MS-RequestId: 51b1f514-7336-4044-8033-369f4a04ecce MS-CV: ubxnc79NZkCMibZf.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 17:05:25 GMT Connection: close Content-Length: 24490
2024-10-02 17:05:26 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-02 17:05:26 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49738	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:06:04 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=GVna8EtnwkDwSKO&MD=6LkcCrH8 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 17:06:04 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 3ed51556-701d-4123-a97c-eff5ecb99419 MS-RequestId: 929dfc49-ff48-4acd-b7c1-d6a8fa356e55 MS-CV: w7W4hOh+h0ufnMot.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 17:06:03 GMT Connection: close Content-Length: 30005
2024-10-02 17:06:04 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-02 17:06:04 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Target ID:	6
Start time:	13:05:08
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x50000
File size:	918'528 bytes
MD5 hash:	AF6318576FAE069A7DFB65A405A76A67
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:05:09
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x490000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:05:09
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:05:11
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Imagebase:	0x7ff6c5c30000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	13:05:11
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1952,i,17460202329421668459,1853673212435691532,262144 /prefetch:8
Imagebase:	0x7ff6c5c30000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	1663
Total number of Limit Nodes:	68

Executed Functions

Function 0006F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130
keyboardthreadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0006F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000AF474
IsIconic.USER32(00000000), ref: 000AF47D
ShowWindow.USER32(00000000,00000009), ref: 000AF48A
SetForegroundWindow.USER32(00000000), ref: 000AF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000AF4AA
GetCurrentThreadId.KERNEL32 ref: 000AF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000AF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 000AF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 000AF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 000AF4DE
SetForegroundWindow.USER32(00000000), ref: 000AF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 000AF4F6
keybd_event.USER32(00000012,00000000), ref: 000AF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 000AF50B
keybd_event.USER32(00000012,00000000), ref: 000AF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 000AF519
keybd_event.USER32(00000012,00000000), ref: 000AF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 000AF528
keybd_event.USER32(00000012,00000000), ref: 000AF52D
SetForegroundWindow.USER32(00000000), ref: 000AF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 000AF557

Strings

Shell_TrayWnd, xrefs: 000AF46F

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 90b9ba7e571c6f9dd1475ed695a97298ee810ab27508db2bb8651cd47e1f295f
Instruction ID: 2f084e5d65e86715b15490d672b3009b27745e8e482316d4b3c8e6a356c62c66
Opcode Fuzzy Hash: 90b9ba7e571c6f9dd1475ed695a97298ee810ab27508db2bb8651cd47e1f295f
Instruction Fuzzy Hash: 4C314F72A40258BFFB206BF55C8AFBF7E6DEB45F50F100065FA00FA1D1C6B55941AA60

Function 000542DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0005430D

Part of subcall function 00056B57: _wcslen.LIBCMT ref: 00056B6A

GetCurrentProcess.KERNEL32(?,000ECB64,00000000,?,?), ref: 00054422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00054429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00054454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00054466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00054474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0005447B
GetSystemInfo.KERNEL32(?,?,?), ref: 000544A0

Strings

GetNativeSystemInfo, xrefs: 00054460
|O, xrefs: 000936F8
kernel32.dll, xrefs: 0005444F

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 6d282d0bf0f8dafb7c2860c2c84291320b9d8b878e70105928f59d38c2de132f
Instruction ID: d34e74fcb450b87fa8fe0519028750030eb758e96bf0e1757d859adc27c14c03
Opcode Fuzzy Hash: 6d282d0bf0f8dafb7c2860c2c84291320b9d8b878e70105928f59d38c2de132f
Instruction Fuzzy Hash: 5BA1C46290A2C0FFCB31CB6A7C845DA7FE67B76724B045899D44197E22D23046EBDF21

Function 000542A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,000550AA,?,?,00000000,00000000), ref: 000542B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,000550AA,?,?,00000000,00000000), ref: 000542C9
LoadResource.KERNEL32(?,00000000,?,?,000550AA,?,?,00000000,00000000,?,?,?,?,?,?,00054F20), ref: 000935BE
SizeofResource.KERNEL32(?,00000000,?,?,000550AA,?,?,00000000,00000000,?,?,?,?,?,?,00054F20), ref: 000935D3
LockResource.KERNEL32(000550AA,?,?,000550AA,?,?,00000000,00000000,?,?,?,?,?,?,00054F20,?), ref: 000935E6

Strings

SCRIPT, xrefs: 000542BF

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 6f5f22472770a983dfccbbb414e885dca94e74ef2415eeb2bd4d96c82d25b890
Instruction ID: a4015af56dd7c519e90d5eb04f834ebfcc8f0dd1229f985d41b4f898d0cb72b7
Opcode Fuzzy Hash: 6f5f22472770a983dfccbbb414e885dca94e74ef2415eeb2bd4d96c82d25b890
Instruction Fuzzy Hash: 65117C70600741BFEB218B65DC88F677BB9EBC5B56F14416DB902AA250DB72DC468A20

Function 00092BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00052B6B

Part of subcall function 00053A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00121418,?,00052E7F,?,?,?,00000000), ref: 00053A78

Part of subcall function 00059CB3: _wcslen.LIBCMT ref: 00059CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00112224), ref: 00092C10
ShellExecuteW.SHELL32(00000000,?,?,00112224), ref: 00092C17

Strings

runas, xrefs: 00092C0B

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 9f6b011011c202702a34293e06121243d17687c88c8362bcc3a8d83ae9a4dcb2
Instruction ID: ae13c4dd13373efa189c3d775642d93276c997f2667dd2a30b7574b6dc4cbc80
Opcode Fuzzy Hash: 9f6b011011c202702a34293e06121243d17687c88c8362bcc3a8d83ae9a4dcb2
Instruction Fuzzy Hash: 6D11B431208385AADB18FF60D8519FF7BA59FA5742F44142DF886660A3DF218A4EC712

Function 000BDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00095222), ref: 000BDBCE
GetFileAttributesW.KERNELBASE(?), ref: 000BDBDD
FindFirstFileW.KERNEL32(?,?), ref: 000BDBEE
FindClose.KERNEL32(00000000), ref: 000BDBFA

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 6b54a1f30c8cd4dca2aa540e4afa0b9072dc3169923f0a412c2d1943e7c72216
Instruction ID: 809eaf6855366c35ed61f6be34c09bfff044c8f1008c6ee51b2d6a9cc72dcf77
Opcode Fuzzy Hash: 6b54a1f30c8cd4dca2aa540e4afa0b9072dc3169923f0a412c2d1943e7c72216
Instruction Fuzzy Hash: 8BF0E53081091197A2206B7CAC4ECEABBAC9F02334B104707F936D20F0FBB55D56C6D5

Function 00074CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000828E9,?,00074CBE,000828E9,001188B8,0000000C,00074E15,000828E9,00000002,00000000,?,000828E9), ref: 00074D09
TerminateProcess.KERNEL32(00000000,?,00074CBE,000828E9,001188B8,0000000C,00074E15,000828E9,00000002,00000000,?,000828E9), ref: 00074D10
ExitProcess.KERNEL32 ref: 00074D22

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 0c5962fd7ad03bf906b26ed480983e8037f325f9a5bec456256232284c01f3d8
Instruction ID: e1753ff37af13f0c754f2810130b1c443f59c44396198de6c431be1d456bd6ca
Opcode Fuzzy Hash: 0c5962fd7ad03bf906b26ed480983e8037f325f9a5bec456256232284c01f3d8
Instruction Fuzzy Hash: 98E0BF31400588AFEF21AF64DD59E583B69FB41B81B118014FC599A123DB3ADE52CB44

Function 000DAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 000DB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000DB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000DB1D4
_wcslen.LIBCMT ref: 000DB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000DB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000DB236
_wcslen.LIBCMT ref: 000DB332

Part of subcall function 000C05A7: GetStdHandle.KERNEL32(000000F6), ref: 000C05C6

_wcslen.LIBCMT ref: 000DB34B
_wcslen.LIBCMT ref: 000DB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000DB3B6
GetLastError.KERNEL32(00000000), ref: 000DB407
CloseHandle.KERNEL32(?), ref: 000DB439
CloseHandle.KERNEL32(00000000), ref: 000DB44A
CloseHandle.KERNEL32(00000000), ref: 000DB45C
CloseHandle.KERNEL32(00000000), ref: 000DB46E
CloseHandle.KERNEL32(?), ref: 000DB4E3

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: c707b08c17228d946c2a50bf3a2c4efd59db256da77aa3383255b30fc2152463
Instruction ID: 112915c1a7c0f4db8253242a710d8e538f75ce8b77801281f3fd704e89930322
Opcode Fuzzy Hash: c707b08c17228d946c2a50bf3a2c4efd59db256da77aa3383255b30fc2152463
Instruction Fuzzy Hash: 71F17831508340DFD724EF24C891BAEBBE1AF85314F15855EF8999B2A2DB31EC05CB62

Function 0005D730 Relevance: 21.6, APIs: 14, Instructions: 621windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0005D807
timeGetTime.WINMM ref: 0005DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0005DB28
TranslateMessage.USER32(?), ref: 0005DB7B
DispatchMessageW.USER32(?), ref: 0005DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0005DB9F
Sleep.KERNELBASE(0000000A), ref: 0005DBB1

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 2e2d974f1f984222d3ec3d6bb6f717ff835397a4e0ae3fceb6a554fbdb2f8473
Instruction ID: 9372797beb786b6304abc593c2cd05d7d83ee3e85c924a4dcf9124f31416148d
Opcode Fuzzy Hash: 2e2d974f1f984222d3ec3d6bb6f717ff835397a4e0ae3fceb6a554fbdb2f8473
Instruction Fuzzy Hash: E042C030608341EFE779CF24C884BABB7E1BF46315F14856BE85587292D771E889CB92

Function 00052CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00052D07
RegisterClassExW.USER32(00000030), ref: 00052D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00052D42
InitCommonControlsEx.COMCTL32(?), ref: 00052D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00052D6F
LoadIconW.USER32(000000A9), ref: 00052D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00052D94

Strings

TaskbarCreated, xrefs: 00052D37
0, xrefs: 00052CE9
+, xrefs: 00052CF0
AutoIt v3 GUI, xrefs: 00052D23

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: c0884143b82b087a92ab1b686ff0ef92d28de4283458c2ea9a1ccc05da6bb17e
Instruction ID: 83df9bbe471df4d1d8090490e76ec6b9b83043dd4d14f645babb9474efc2df1c
Opcode Fuzzy Hash: c0884143b82b087a92ab1b686ff0ef92d28de4283458c2ea9a1ccc05da6bb17e
Instruction Fuzzy Hash: FB21E5B1901348BFEB10DFA4E889BDDBBB4FB08B04F00411AF551BA6A0D7B60592CF91

Function 0009065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0009039A: CreateFileW.KERNELBASE(00000000,00000000,?,00090704,?,?,00000000,?,00090704,00000000,0000000C), ref: 000903B7

GetLastError.KERNEL32 ref: 0009076F
__dosmaperr.LIBCMT ref: 00090776
GetFileType.KERNELBASE(00000000), ref: 00090782
GetLastError.KERNEL32 ref: 0009078C
__dosmaperr.LIBCMT ref: 00090795
CloseHandle.KERNEL32(00000000), ref: 000907B5
CloseHandle.KERNEL32(?), ref: 000908FF
GetLastError.KERNEL32 ref: 00090931
__dosmaperr.LIBCMT ref: 00090938

Strings

H, xrefs: 000908BD

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 7219dbb42cd0fc293f35ff4f39d60a403fae59b5f5157dafd4ab09e752b078a2
Instruction ID: 4315eea929461613c9aa4b75af48de8f761c115bf9be3aadc26e6f47821e566d
Opcode Fuzzy Hash: 7219dbb42cd0fc293f35ff4f39d60a403fae59b5f5157dafd4ab09e752b078a2
Instruction Fuzzy Hash: CEA13432A041449FDF29EF78DC91BAE7BE0AB0A320F144159F815AF292CB359D13DB91

Function 0005344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00053A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00121418,?,00052E7F,?,?,?,00000000), ref: 00053A78

Part of subcall function 00053357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00053379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0005356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0009318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 000931CE
RegCloseKey.ADVAPI32(?), ref: 00093210
_wcslen.LIBCMT ref: 00093277
_wcslen.LIBCMT ref: 00093286

Strings

\, xrefs: 0009328C
\Include\, xrefs: 00053527
Include, xrefs: 00093184, 000931C5
Software\AutoIt v3\AutoIt, xrefs: 00053560

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 049291b176b89b82655f8e096c7c9a579e452a2b452732f27455d34d3c18ae44
Instruction ID: 81b6e313b01bec55499ffa87868f4ca9a41f13f37d216e9107065725b655cb82
Opcode Fuzzy Hash: 049291b176b89b82655f8e096c7c9a579e452a2b452732f27455d34d3c18ae44
Instruction Fuzzy Hash: F171B371504301BEC724DF65EC818AFBBE8FF89740F80042EF94597162EB359A8ACB52

Function 00052B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00052B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00052B9D
LoadIconW.USER32(00000063), ref: 00052BB3
LoadIconW.USER32(000000A4), ref: 00052BC5
LoadIconW.USER32(000000A2), ref: 00052BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00052BEF
RegisterClassExW.USER32(?), ref: 00052C40

Part of subcall function 00052CD4: GetSysColorBrush.USER32(0000000F), ref: 00052D07
Part of subcall function 00052CD4: RegisterClassExW.USER32(00000030), ref: 00052D31
Part of subcall function 00052CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00052D42
Part of subcall function 00052CD4: InitCommonControlsEx.COMCTL32(?), ref: 00052D5F
Part of subcall function 00052CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00052D6F
Part of subcall function 00052CD4: LoadIconW.USER32(000000A9), ref: 00052D85
Part of subcall function 00052CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00052D94

Strings

#, xrefs: 00052C16
AutoIt v3, xrefs: 00052C2F
0, xrefs: 00052C0F

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: b91ec18fe676a935fdba5e254629f1690d2bd02879a52ef10f8b69adbe35b5ed
Instruction ID: 0d54730961edf96a497bd3a3210f9544fe68ebac402cff7b411418ada5e983cb
Opcode Fuzzy Hash: b91ec18fe676a935fdba5e254629f1690d2bd02879a52ef10f8b69adbe35b5ed
Instruction Fuzzy Hash: A0211D71E00354BBEB20DFA5EC95A997FB6FB58B60F00002AE500A6AA0D7B50592DF94

Function 00053170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0005316A,?,?), ref: 000531D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0005316A,?,?), ref: 00053204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00053227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0005316A,?,?), ref: 00053232
CreatePopupMenu.USER32 ref: 00053246
PostQuitMessage.USER32(00000000), ref: 00053267

Strings

TaskbarCreated, xrefs: 0005322D

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: f442f71819f02a35f4f6ad10d749b074e7d43f47a46d100ec8ed385df11aba3d
Instruction ID: b58f46dac278578ef528758c4ddd75abde9df06ca4b3f7599058172e4c6cfe98
Opcode Fuzzy Hash: f442f71819f02a35f4f6ad10d749b074e7d43f47a46d100ec8ed385df11aba3d
Instruction Fuzzy Hash: BD418B30204644BBEF349B389D4DBBF3A9AF7153C6F040125FD02965A2CB718E99D7A5

Function 00051410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00051459
CoUninitialize.COMBASE ref: 000514F8
UnregisterHotKey.USER32(?), ref: 000516DD
DestroyWindow.USER32(?), ref: 000924B9
FreeLibrary.KERNEL32(?), ref: 0009251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0009254B

Strings

close all, xrefs: 00051454

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: c0a25e92dc579591cbdb9e113273f9d3f75974e01d196e3048587e67f776338e
Instruction ID: 2b09ac6c7cbda8583beabeac516107db4bfb68d277bccdb15c2d425fa832e712
Opcode Fuzzy Hash: c0a25e92dc579591cbdb9e113273f9d3f75974e01d196e3048587e67f776338e
Instruction Fuzzy Hash: 49D19B31702212DFDB29EF14C899FAAF7A1BF04701F1541ADE84A6B252DB31AD16CF90

Function 00052C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00052C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00052CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00051CAD,?), ref: 00052CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00051CAD,?), ref: 00052CCF

Strings

edit, xrefs: 00052CAC
AutoIt v3, xrefs: 00052C89, 00052C8E, 00052C8F

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a99f39d03dd29daa69f5f4a55ad8de897e28489c7a1031fc8bbd4919afb619ad
Instruction ID: 1c6ab7aa84ee0ca820de518a3031af0a219f2b867ba14a2cf1a1510003538c4c
Opcode Fuzzy Hash: a99f39d03dd29daa69f5f4a55ad8de897e28489c7a1031fc8bbd4919afb619ad
Instruction Fuzzy Hash: ECF0D0755403D47AF7319717AC4CE776E7EE7DAF60B010069F900A6960C67618A2DA70

Function 000BE97B Relevance: 7.5, APIs: 5, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 000BE997
QueryPerformanceFrequency.KERNEL32(?), ref: 000BE9A5
Sleep.KERNEL32(00000000), ref: 000BE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 000BE9B7
Sleep.KERNELBASE ref: 000BE9F3

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 58163fc2bc9fc106dae03e232eedbb68179a5f27e353c5ea75246761789976cd
Instruction ID: 36d05a37f06686e49765bfc6e36a2aae393c90bcc61e5d71dac04f06bb91b71e
Opcode Fuzzy Hash: 58163fc2bc9fc106dae03e232eedbb68179a5f27e353c5ea75246761789976cd
Instruction Fuzzy Hash: 16016931C01669DBEF40AFE5DC99AEDBBB8FF0A701F000556E502B2241CB39A559CBA1

Function 00053B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00053B0F,SwapMouseButtons,00000004,?), ref: 00053B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00053B0F,SwapMouseButtons,00000004,?), ref: 00053B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00053B0F,SwapMouseButtons,00000004,?), ref: 00053B83

Strings

Control Panel\Mouse, xrefs: 00053B3E

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: e36aab4fa5b0e1386b77573f957a84237e6b2af83d0904a74c2165d3458c0f66
Instruction ID: 83664c9d7e302a896dd3a3da506d99d99de9448a61273a070b87569f1a9837bf
Opcode Fuzzy Hash: e36aab4fa5b0e1386b77573f957a84237e6b2af83d0904a74c2165d3458c0f66
Instruction Fuzzy Hash: 541118B5511218FEEB608FA5DC84EAFB7A8EF44785B104459EA05E7110D3319E459760

Function 00053923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 000933A2

Part of subcall function 00056B57: _wcslen.LIBCMT ref: 00056B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00053A04

Strings

Line: , xrefs: 000933EB

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 90793e92d4b17f11aa8c1b687d7bcded081b3c0fa426624a5181a5ee50893e29
Instruction ID: 429c82becc26c90e8c563fea7c5a8d2e6b8cc24ebdc36c083d0affa6ffb291e1
Opcode Fuzzy Hash: 90793e92d4b17f11aa8c1b687d7bcded081b3c0fa426624a5181a5ee50893e29
Instruction Fuzzy Hash: E331C2B1408304BAD721EB20DC45BEFB7D8AB50761F00492EF99993092DB749B5DCBD2

Function 0006FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00070668

Part of subcall function 000732A4: RaiseException.KERNEL32(?,?,?,0007068A,?,00121444,?,?,?,?,?,?,0007068A,00051129,00118738,00051129), ref: 00073304

__CxxThrowException@8.LIBVCRUNTIME ref: 00070685

Strings

Unknown exception, xrefs: 00070692

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: d5084ba249c0b2174b1c44475e036d057a60295029abad5150fd0310e14a76f2
Instruction ID: 41b9678d9c3a3944136266e66d42b9a4d4c7fa05124a5a0e013b81ff4b864fa6
Opcode Fuzzy Hash: d5084ba249c0b2174b1c44475e036d057a60295029abad5150fd0310e14a76f2
Instruction Fuzzy Hash: 12F0C834D0020EB7CB04B664EC56CEE77AE5F40350B60C231B81C955D3EF75EA65C588

Function 000E2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000E232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 000E233F

Part of subcall function 000BE97B: Sleep.KERNELBASE ref: 000BE9F3

Strings

Shell_TrayWnd, xrefs: 000E2325

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 560a1af674a93b78926892cb040e5c6e2df080e96e0ae7ace04ee4c3e728a555
Instruction ID: 4552b281ef3b1badfaf0fd0810eac8bd37b491fa620b0b44912b06723a2635ef
Opcode Fuzzy Hash: 560a1af674a93b78926892cb040e5c6e2df080e96e0ae7ace04ee4c3e728a555
Instruction Fuzzy Hash: 03D0C936395390BAF668A770DC4FFC67A149B40B10F004916B645AA1D1CAB5A8468A54

Function 000510F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00051BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00051BF4
Part of subcall function 00051BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00051BFC
Part of subcall function 00051BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00051C07
Part of subcall function 00051BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00051C12
Part of subcall function 00051BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00051C1A
Part of subcall function 00051BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00051C22

Part of subcall function 00051B4A: RegisterWindowMessageW.USER32(00000004,?,000512C4), ref: 00051BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0005136A
OleInitialize.OLE32 ref: 00051388
CloseHandle.KERNEL32(00000000,00000000), ref: 000924AB

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: e5b4e7cdc1f3d3c0b263ef79245e30960481667e4da0f6f2511718b3f71234c7
Instruction ID: f4c3eb401348d2952ab0ccc93f3d846484d76692267838ec596624f144ac3e49
Opcode Fuzzy Hash: e5b4e7cdc1f3d3c0b263ef79245e30960481667e4da0f6f2511718b3f71234c7
Instruction Fuzzy Hash: FF71F3B4901344BFD7A4EF39ED856953AE1FBAA34031482BAD40AD7B62E73444A7CF40

Function 000BC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00053923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00053A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000BC259
KillTimer.USER32(?,00000001,?,?), ref: 000BC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000BC270

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 02100eb2a7e7bcb988b8e826ce1ba27e4d46865ee2766d60c10c15ffd728dcb1
Instruction ID: 2f5327f25e720267402cc7ec177b3f8d7ba3449c546cf29e0734a9708e1ad927
Opcode Fuzzy Hash: 02100eb2a7e7bcb988b8e826ce1ba27e4d46865ee2766d60c10c15ffd728dcb1
Instruction Fuzzy Hash: 0331C370904384AFFB72DF648895FEBBBECAB16704F04049ED5DAA7241C3745A85CB51

Function 000886AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,000885CC,?,00118CC8,0000000C), ref: 00088704
GetLastError.KERNEL32(?,000885CC,?,00118CC8,0000000C), ref: 0008870E
__dosmaperr.LIBCMT ref: 00088739

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: a247300fc0a2be2d1e540b2d943b0d7ef4ce18c9994fcef8f5c88897f49e5c50
Instruction ID: 1aa3b7c30f8aa04ad4a763ea876272e1d419355362bc7a6e242fe3188467f3eb
Opcode Fuzzy Hash: a247300fc0a2be2d1e540b2d943b0d7ef4ce18c9994fcef8f5c88897f49e5c50
Instruction Fuzzy Hash: AA018E36A0426027D2B173346C45BBE27D96B81B75F788219F8D49B1D3EEA5DD828350

Function 0005DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0005DB7B
DispatchMessageW.USER32(?), ref: 0005DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0005DB9F
Sleep.KERNELBASE(0000000A), ref: 0005DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 000A1CC9

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: dba3af6bd275c6215cd552fd26ff7dea93ec5195f86c3978cb6683945219e0dc
Instruction ID: 87e9f3688f2537e13a999107a1a7de0daae12a3939b1976f9605aeb47223eb46
Opcode Fuzzy Hash: dba3af6bd275c6215cd552fd26ff7dea93ec5195f86c3978cb6683945219e0dc
Instruction Fuzzy Hash: CCF03A31604380AAFB74CBA08C89FEA73A9AB45711F10452AEA5A970C0DB3494898B15

Function 00061310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 000617F6

Strings

CALL, xrefs: 000617C6

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: b0c556f2585bf6fcfee9b12d81772d57894050330d2c4da9e5c120fb2c7cc542
Instruction ID: e94642495e525767a8fc372086a8797a46492929ecf1e0ddb9b39908151fdb14
Opcode Fuzzy Hash: b0c556f2585bf6fcfee9b12d81772d57894050330d2c4da9e5c120fb2c7cc542
Instruction Fuzzy Hash: A9227C70608741DFC724DF24C490AAABBF2BF86314F18895DF4968B362D772E945CB92

Function 000E1EDA Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 00056B57: _wcslen.LIBCMT ref: 00056B6A

GetWindowTextW.USER32(?,?,00007FFF), ref: 000E2043

Part of subcall function 00059CB3: _wcslen.LIBCMT ref: 00059CBD

Strings

all, xrefs: 000E1F09

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _wcslen$TextWindow
String ID: all
API String ID: 4161112387-991457757
Opcode ID: a69efc412e6622872f52540e5d41f08dcc77ed52966f3cfe7fe5038563921942
Instruction ID: 7a71db1884129614e46f4330adec5d6478c4fbf8ebae85437c1f08b962090198
Opcode Fuzzy Hash: a69efc412e6622872f52540e5d41f08dcc77ed52966f3cfe7fe5038563921942
Instruction Fuzzy Hash: 33518B70204241AFD704EF25C882EABBBE5BF48304F40452DF95A9B292DB72E948CB91

Function 00052DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00092C8C

Part of subcall function 00053AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00053A97,?,?,00052E7F,?,?,?,00000000), ref: 00053AC2

Part of subcall function 00052DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00052DC4

Strings

X, xrefs: 00092C5A

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: bf756324d6844749d6d062ed12b1a3657184425f0d038c5ec57d58c2655749a5
Instruction ID: 0dbd78224a02eb1ed3a8f56f8c952eff169a4da11f0b837fff9c2addf436900e
Opcode Fuzzy Hash: bf756324d6844749d6d062ed12b1a3657184425f0d038c5ec57d58c2655749a5
Instruction Fuzzy Hash: 6D21A871A00298AFDF45EF94C845BEE7BF9AF49315F004059E805B7241DBB45A8DCF61

Function 00053837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00053908

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 36656884af372e19cda9dd573ab7090e8d2682a37b3b1868eea1cfea7089a0e9
Instruction ID: b14fbc15b5482753f54aac03bc05e3d0f7360e5e819d70a842d3236a1af3fdf2
Opcode Fuzzy Hash: 36656884af372e19cda9dd573ab7090e8d2682a37b3b1868eea1cfea7089a0e9
Instruction Fuzzy Hash: 0C31D5B0504301AFE761DF24D8847E7BBE8FF49759F00092EF99A87240E771AA58CB52

Function 0006F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0006F661

Part of subcall function 0005D730: GetInputState.USER32 ref: 0005D807

Sleep.KERNEL32(00000000), ref: 000AF2DE

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 1d62033f21feff7e58bc09f45f50caa0fdc19cfb27b9f3722949e4bb653d0239
Instruction ID: c0a1c93bba8c26d80433cba3eb99f868392e78fe6ea5dd2c63bca887e9b8bfb2
Opcode Fuzzy Hash: 1d62033f21feff7e58bc09f45f50caa0fdc19cfb27b9f3722949e4bb653d0239
Instruction Fuzzy Hash: 6CF082312446059FE314EF75D445FAAB7E4EF4A761F00002AE859D7261EB70B804CB90

Function 0005B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0005BB4E

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 6180f3e1099fd2ad84db9988a36b23ccefa1c9fddac418136736f5f0b85c90fc
Instruction ID: 4e807ec70b578d94c8406c4830c944d325ac313309500a5063252b446795f4a5
Opcode Fuzzy Hash: 6180f3e1099fd2ad84db9988a36b23ccefa1c9fddac418136736f5f0b85c90fc
Instruction Fuzzy Hash: 16328C35A00209EFDB24CF94C894ABEB7F9EF49311F148059ED05AB252C7B5BE85CB91

Function 000E13B7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000001,?), ref: 000E1420

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: b8e0343c148ed4516d1d5b5dd1006f066be13a5103c789e8354a49999cd3b2c7
Instruction ID: 5f7ef77ca024e32ea102340390b6ed01c0abd650222f22bfd6e9cc792feb8c5a
Opcode Fuzzy Hash: b8e0343c148ed4516d1d5b5dd1006f066be13a5103c789e8354a49999cd3b2c7
Instruction Fuzzy Hash: A031B470204242AFD714EF26C491BAAB7E2FF45324F048168E8295F392DB31EC45CBD1

Function 00054ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00054E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00054EDD,?,00121418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00054E9C
Part of subcall function 00054E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00054EAE
Part of subcall function 00054E90: FreeLibrary.KERNEL32(00000000,?,?,00054EDD,?,00121418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00054EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00121418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00054EFD

Part of subcall function 00054E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00093CDE,?,00121418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00054E62
Part of subcall function 00054E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00054E74
Part of subcall function 00054E59: FreeLibrary.KERNEL32(00000000,?,?,00093CDE,?,00121418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00054E87

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 865391775e1f96bc309a01de2da562120c0c03f89043fd4d67cc312d0b7b9886
Instruction ID: d86310d75002e10d234265e5638aaf64a35a81cb4fd111b2b1cace776a319b54
Opcode Fuzzy Hash: 865391775e1f96bc309a01de2da562120c0c03f89043fd4d67cc312d0b7b9886
Instruction Fuzzy Hash: 0C11E731600605ABDF24AF64DC13FEE77A59F40716F10882DF942BA1C2DE759A899B50

Function 00088402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00088440

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 3513bc9a111af7596daebe7159561c447ef9fb39f2a561bef7028df3eb1a1a5f
Instruction ID: 9620a4b911a2d3ad04803f2c3a077f318df2e6de826ee94391ec9f08ad137e94
Opcode Fuzzy Hash: 3513bc9a111af7596daebe7159561c447ef9fb39f2a561bef7028df3eb1a1a5f
Instruction Fuzzy Hash: 1D11067690410AAFCF15DF58E94199A7BF9FF48314F148069F808AB312DB31DA218BA5

Function 00085000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00084C7D: RtlAllocateHeap.NTDLL(00000008,00051129,00000000,?,00082E29,00000001,00000364,?,?,?,0007F2DE,00083863,00121444,?,0006FDF5,?), ref: 00084CBE

_free.LIBCMT ref: 0008506C

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 5a4ec2e7448758882fb2790618e741b14581dd69e8b2e84d70ec48d8fdcd1dcd
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 540149722047056BE3319F69DC85A9AFBECFB89370F25051DE1C4832C0EA30A805CBB4

Function 000E29BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,000E14B5,?), ref: 000E2A01

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 4d6c215df6bd50ef110c1597f1d163345e75870584249176ec2c2f05afa41d0d
Instruction ID: 5579f90ecb2e332e1779c2c59d07e4cd470f31ed7bee7c2c11c94e63000371e3
Opcode Fuzzy Hash: 4d6c215df6bd50ef110c1597f1d163345e75870584249176ec2c2f05afa41d0d
Instruction Fuzzy Hash: EA019E36300AC19FE364CA2EC454B2637DAEB85314F2D8468D057AB252DB32EC42C7A1

Function 0007E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 252bbd677653e24dd73df16cc6b9757e80e2c15ad7697b1143caed79b622f85c
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 6EF02832D12A10A6C7323A69DC05BDA339CAF563B4F108755F969931D3DB7CD80287AD

Function 00084C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00051129,00000000,?,00082E29,00000001,00000364,?,?,?,0007F2DE,00083863,00121444,?,0006FDF5,?), ref: 00084CBE

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a35dd2def2cdc49e349367942cd3f4ade7f599443e1c35ce93fa3c9ac21cb65a
Instruction ID: 6213530407193eacbbbe032b408ee34a01b8811fe59f170fa0d55c8cffb37f18
Opcode Fuzzy Hash: a35dd2def2cdc49e349367942cd3f4ade7f599443e1c35ce93fa3c9ac21cb65a
Instruction Fuzzy Hash: 81F0E931A0222677DBF17F629C09F9A77CCBF417B0B148125F89DAA181CB34D80147E0

Function 00083820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00121444,?,0006FDF5,?,?,0005A976,00000010,00121440,000513FC,?,000513C6,?,00051129), ref: 00083852

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4a4e4037cd3c5c634691999413280d627ae07592676cc8c799d08a34fb3ba466
Instruction ID: 2746e84e2ac35de62923f6f7d33c7949d656ba08e36fa103a8e2d8f16e9c71f1
Opcode Fuzzy Hash: 4a4e4037cd3c5c634691999413280d627ae07592676cc8c799d08a34fb3ba466
Instruction Fuzzy Hash: 08E0E531601325E7E63137669C06BDA3689BBC2FB0F154021BC98A6582DF25DD0283E4

Function 00054F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00121418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00054F6D

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9d8ca3ac23b3e6ab46c8e8e6bc333faf27437fb155b6d2f99eebe24e0036c07e
Instruction ID: d464524b24da5b1d48c514d23a88e7ff108070e54978449a47c21dc430dda4b4
Opcode Fuzzy Hash: 9d8ca3ac23b3e6ab46c8e8e6bc333faf27437fb155b6d2f99eebe24e0036c07e
Instruction Fuzzy Hash: 12F03071505751CFDB349F68D490897B7F4AF1431E320897EE5DA86511C7319888DF10

Function 000E2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 000E2A66

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: a572a131c78adc8ba3855db233808b34812deaec705f06440d90918086c3b01d
Instruction ID: 331907bc5bda8021281b6b54eea0a6a37cdecaf3efe05360b385ecde2d126a98
Opcode Fuzzy Hash: a572a131c78adc8ba3855db233808b34812deaec705f06440d90918086c3b01d
Instruction Fuzzy Hash: 36E02632340156AFD720EB31EC808FE734CEF50394718043AFC16E2102DB308E8182E0

Function 000530F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0005314E

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 9037bf9e375e369132e3b4f3a8a4a8e3403cd89c8b40a505241637098f5c8636
Instruction ID: 4968e0a7b2de6b14c91a44b1093b394bee97f71b76340f4f63ee4c308a3b324a
Opcode Fuzzy Hash: 9037bf9e375e369132e3b4f3a8a4a8e3403cd89c8b40a505241637098f5c8636
Instruction Fuzzy Hash: FEF0A770900348AFE762DB24DC457D67BFCB701708F0000E5A54896182D77447D9CF45

Function 00052DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00052DC4

Part of subcall function 00056B57: _wcslen.LIBCMT ref: 00056B6A

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: dc827abac051272d368c6027ad0dc0e1babc7302346bfde8cce4c26b568bad42
Instruction ID: 96407ec0baf33a8c065e00e372599ca7db93529ca70c773e27b17933cc79bfac
Opcode Fuzzy Hash: dc827abac051272d368c6027ad0dc0e1babc7302346bfde8cce4c26b568bad42
Instruction Fuzzy Hash: DBE0C272A002285BDB20A2989C06FEA77EDDFC8790F0400B5FD09E7249EA74AD848690

Function 00052B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00053837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00053908

Part of subcall function 0005D730: GetInputState.USER32 ref: 0005D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00052B6B

Part of subcall function 000530F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0005314E

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: c6adc96eec889020c4ee57f260d78c1e9e6871062a6801d3a8e70fecac89d8e4
Instruction ID: a0f0bbcbf3dbc48100ffb4b831bbdebb026d02b15cb6c94cd9f493ac088c7c73
Opcode Fuzzy Hash: c6adc96eec889020c4ee57f260d78c1e9e6871062a6801d3a8e70fecac89d8e4
Instruction Fuzzy Hash: 3EE0262270438412C618BB30A8524FFA7598BE1393F40183EF846831A3DF24868E8211

Function 0009039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00090704,?,?,00000000,?,00090704,00000000,0000000C), ref: 000903B7

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 66e930ef7ea0d2ef122d8715f2e4dba01bfbe79fa30086c1bd999434f9755a1c
Instruction ID: 47c87e98a49ed03b6bc33704b4877dabb97cea957d73b479e459ae8f86d671e8
Opcode Fuzzy Hash: 66e930ef7ea0d2ef122d8715f2e4dba01bfbe79fa30086c1bd999434f9755a1c
Instruction Fuzzy Hash: 9FD06C3204014DBBEF028F84DD46EDA3FAAFB48714F014040BE1866020C736E822AB91

Function 00051CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00051CBC

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: eaf0652238f1251fd14c516cdbccec7c16e3c360fbc54eb5515561905666fa1a
Instruction ID: 9f234425133b40dd36afc1ba3082d4c042e2b6297d42a5e220a0c37f80807bae
Opcode Fuzzy Hash: eaf0652238f1251fd14c516cdbccec7c16e3c360fbc54eb5515561905666fa1a
Instruction Fuzzy Hash: 02C09236380348BFF224CB80BC8AF547765B35CF10F048001F609A99E3C3B228B2EA90

Non-executed Functions

Function 000E9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00069BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00069BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 000E961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000E965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 000E969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000E96C9
SendMessageW.USER32 ref: 000E96F2
GetKeyState.USER32(00000011), ref: 000E978B
GetKeyState.USER32(00000009), ref: 000E9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000E97AE
GetKeyState.USER32(00000010), ref: 000E97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000E97E9
SendMessageW.USER32 ref: 000E9810
SendMessageW.USER32(?,00001030,?,000E7E95), ref: 000E9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 000E992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 000E9941
SetCapture.USER32(?), ref: 000E994A
ClientToScreen.USER32(?,?), ref: 000E99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 000E99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000E99D6
ReleaseCapture.USER32 ref: 000E99E1
GetCursorPos.USER32(?), ref: 000E9A19
ScreenToClient.USER32(?,?), ref: 000E9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 000E9A80
SendMessageW.USER32 ref: 000E9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 000E9AEB
SendMessageW.USER32 ref: 000E9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 000E9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 000E9B4A
GetCursorPos.USER32(?), ref: 000E9B68
ScreenToClient.USER32(?,?), ref: 000E9B75
GetParent.USER32(?), ref: 000E9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 000E9BFA
SendMessageW.USER32 ref: 000E9C2B
ClientToScreen.USER32(?,?), ref: 000E9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 000E9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 000E9CDE
SendMessageW.USER32 ref: 000E9D01
ClientToScreen.USER32(?,?), ref: 000E9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 000E9D82

Part of subcall function 00069944: GetWindowLongW.USER32(?,000000EB), ref: 00069952

GetWindowLongW.USER32(?,000000F0), ref: 000E9E05

Strings

@GUI_DRAGID, xrefs: 000E997D
F, xrefs: 000E9D07

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: cefeb804ffa47ef6c5112b6574ada4d3307857039c2a8f94c4b281d18bad1b45
Instruction ID: bcc20511e79b73c4ad691fa531facf489bda1bba15b7d9fab954c344594ea1a7
Opcode Fuzzy Hash: cefeb804ffa47ef6c5112b6574ada4d3307857039c2a8f94c4b281d18bad1b45
Instruction Fuzzy Hash: 82429F30205281AFEB24CF25CC84EAABBF5FF49714F10061AFA99A72A1D7319C65CF51

Function 000E4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 000E48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 000E4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 000E4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 000E494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 000E495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 000E497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 000E49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 000E49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 000E4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 000E4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 000E4A7E
IsMenu.USER32(?), ref: 000E4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000E4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000E4B20
GetWindowLongW.USER32(?,000000F0), ref: 000E4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 000E4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 000E4C82
wsprintfW.USER32 ref: 000E4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000E4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 000E4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 000E4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000E4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 000E4D5A

Strings

%d/%02d/%02d, xrefs: 000E4CA8

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: bf095ca6187e484f1395a32cd5a8f6b3735ae2a03d94154cde2d2b9fe1c14185
Instruction ID: 3ee2b9c26be678eaa4425b1bcab79a8abfdc454c31625f79de29ee7659551d79
Opcode Fuzzy Hash: bf095ca6187e484f1395a32cd5a8f6b3735ae2a03d94154cde2d2b9fe1c14185
Instruction Fuzzy Hash: 0D12CF71A00294AFEB248F26CC49FAF7BF8AF85710F144129F915FA2A1DB789941CB50

Function 000B1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 000B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000B170D
Part of subcall function 000B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000B173A
Part of subcall function 000B16C3: GetLastError.KERNEL32 ref: 000B174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 000B1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 000B12A8
CloseHandle.KERNEL32(?), ref: 000B12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 000B12D1
GetProcessWindowStation.USER32 ref: 000B12EA
SetProcessWindowStation.USER32(00000000), ref: 000B12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 000B1310

Part of subcall function 000B10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000B11FC), ref: 000B10D4
Part of subcall function 000B10BF: CloseHandle.KERNEL32(?,?,000B11FC), ref: 000B10E9

Strings

default, xrefs: 000B130B
winsta0, xrefs: 000B12CC
, xrefs: 000B125A

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: ced3cc515fa6157255dd89a20db103d5a51f79bc3b4358a73d39ec4ec8cca572
Instruction ID: e4c6ba6bd7eaa7f3f7953b4d78f794e2002224d7da493569b6852809c7bda538
Opcode Fuzzy Hash: ced3cc515fa6157255dd89a20db103d5a51f79bc3b4358a73d39ec4ec8cca572
Instruction Fuzzy Hash: F8818D71900249AFEF219FA4DC99FEF7BB9EF04704F144129F910B62A1DB758A45CB60

Function 000B0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000B1114
Part of subcall function 000B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,000B0B9B,?,?,?), ref: 000B1120
Part of subcall function 000B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,000B0B9B,?,?,?), ref: 000B112F
Part of subcall function 000B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,000B0B9B,?,?,?), ref: 000B1136
Part of subcall function 000B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000B0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000B0C00
GetLengthSid.ADVAPI32(?), ref: 000B0C17
GetAce.ADVAPI32(?,00000000,?), ref: 000B0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000B0C6D
GetLengthSid.ADVAPI32(?), ref: 000B0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 000B0C8C
HeapAlloc.KERNEL32(00000000), ref: 000B0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 000B0CB4
CopySid.ADVAPI32(00000000), ref: 000B0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000B0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000B0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000B0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000B0D45
HeapFree.KERNEL32(00000000), ref: 000B0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000B0D55
HeapFree.KERNEL32(00000000), ref: 000B0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000B0D65
HeapFree.KERNEL32(00000000), ref: 000B0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 000B0D78
HeapFree.KERNEL32(00000000), ref: 000B0D7F

Part of subcall function 000B1193: GetProcessHeap.KERNEL32(00000008,000B0BB1,?,00000000,?,000B0BB1,?), ref: 000B11A1
Part of subcall function 000B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,000B0BB1,?), ref: 000B11A8
Part of subcall function 000B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,000B0BB1,?), ref: 000B11B7

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ad97c165e24a60a4910a139a5ccf37274a854b9efae7c047811974321c47dc6b
Instruction ID: febd3fce0a40e41080c0d6a99b8492c484628527831f25f77fed3aaf101d55b2
Opcode Fuzzy Hash: ad97c165e24a60a4910a139a5ccf37274a854b9efae7c047811974321c47dc6b
Instruction Fuzzy Hash: 8C716B7290020AABEF50DFA4DC84FEFBBB8BF05700F044555E915BB2A1D775AA06CB60

Function 000CEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(000ECC08), ref: 000CEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 000CEB37
GetClipboardData.USER32(0000000D), ref: 000CEB43
CloseClipboard.USER32 ref: 000CEB4F
GlobalLock.KERNEL32(00000000), ref: 000CEB87
CloseClipboard.USER32 ref: 000CEB91
GlobalUnlock.KERNEL32(00000000), ref: 000CEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 000CEBC9
GetClipboardData.USER32(00000001), ref: 000CEBD1
GlobalLock.KERNEL32(00000000), ref: 000CEBE2
GlobalUnlock.KERNEL32(00000000), ref: 000CEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 000CEC38
GetClipboardData.USER32(0000000F), ref: 000CEC44
GlobalLock.KERNEL32(00000000), ref: 000CEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 000CEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 000CEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 000CECD2
GlobalUnlock.KERNEL32(00000000), ref: 000CECF3
CountClipboardFormats.USER32 ref: 000CED14
CloseClipboard.USER32 ref: 000CED59

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: e06ac982645b9835d31da98383a722153b03ea4df6bc2aa36cc57983418692d5
Instruction ID: f17c9ed26ab2e9e9e344aa13fb1c7987be2ee5e5f6fa5951cd6aa4244aaddefc
Opcode Fuzzy Hash: e06ac982645b9835d31da98383a722153b03ea4df6bc2aa36cc57983418692d5
Instruction Fuzzy Hash: DF618C342042819FE310EF24D885F7E7BE4AF84B14F14451DF956AB2A2DB36DD0ACB62

Function 000C698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000C69BE
FindClose.KERNEL32(00000000), ref: 000C6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000C6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000C6A75

Part of subcall function 00059CB3: _wcslen.LIBCMT ref: 00059CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 000C6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 000C6ADF

Strings

%4d, xrefs: 000C6BB1
%03d, xrefs: 000C6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 000C6B32
%4d%02d%02d%02d%02d%02d, xrefs: 000C6B6A
%02d, xrefs: 000C6C00, 000C6C0A, 000C6C5A, 000C6CAA, 000C6CFA, 000C6D4A

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 41cbf325efbdb2cbfb7ebf83544aa16ae57b61b4b297b75eb391ea5e6886d6e8
Instruction ID: abbac8d7aeedd281b1d4db1f69d5e8f0c202a20e8639b03a8dd8f59b4fdb1b72
Opcode Fuzzy Hash: 41cbf325efbdb2cbfb7ebf83544aa16ae57b61b4b297b75eb391ea5e6886d6e8
Instruction Fuzzy Hash: A8D15171508340AEC314EBA4D881EBFB7ECAF88705F44491DF989D7192EB75DA48CB62

Function 000C9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 000C9663
GetFileAttributesW.KERNEL32(?), ref: 000C96A1
SetFileAttributesW.KERNEL32(?,?), ref: 000C96BB
FindNextFileW.KERNEL32(00000000,?), ref: 000C96D3
FindClose.KERNEL32(00000000), ref: 000C96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 000C96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 000C974A
SetCurrentDirectoryW.KERNEL32(00116B7C), ref: 000C9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 000C9772
FindClose.KERNEL32(00000000), ref: 000C977F
FindClose.KERNEL32(00000000), ref: 000C978F

Strings

*.*, xrefs: 000C96F5

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 823ff8f44aaf34e217474914cbd127de126de9526a601d74bf4f25ec346351d8
Instruction ID: 5b64fd338b59d82222cef78d5ecdc7b2b187a54966fa705e201257f4e430b422
Opcode Fuzzy Hash: 823ff8f44aaf34e217474914cbd127de126de9526a601d74bf4f25ec346351d8
Instruction Fuzzy Hash: 1931FF326456496AEB24AFB4DC4DEDE33ECAF09320F144169F914E20E0DB7ADE818A14

Function 000C979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 000C97BE
FindNextFileW.KERNEL32(00000000,?), ref: 000C9819
FindClose.KERNEL32(00000000), ref: 000C9824
FindFirstFileW.KERNEL32(*.*,?), ref: 000C9840
SetCurrentDirectoryW.KERNEL32(?), ref: 000C9890
SetCurrentDirectoryW.KERNEL32(00116B7C), ref: 000C98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 000C98B8
FindClose.KERNEL32(00000000), ref: 000C98C5
FindClose.KERNEL32(00000000), ref: 000C98D5

Part of subcall function 000BDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 000BDB00

Strings

*.*, xrefs: 000C983B

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 42c9668e5df8a10594e3f7910bef210c084d90d718de2abcd1dfc004858672d9
Instruction ID: bbf18ae2a1abdfd0e3da227e5f4ee1b9128cc24d5b8ba76b8bae764291aa4342
Opcode Fuzzy Hash: 42c9668e5df8a10594e3f7910bef210c084d90d718de2abcd1dfc004858672d9
Instruction Fuzzy Hash: A031E5316006596EEB14AFB4DC4DFDE77AC9F06320F144169E914A30D1DB7ADE8A8A24

Function 000DBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000DB6AE,?,?), ref: 000DC9B5
Part of subcall function 000DC998: _wcslen.LIBCMT ref: 000DC9F1
Part of subcall function 000DC998: _wcslen.LIBCMT ref: 000DCA68
Part of subcall function 000DC998: _wcslen.LIBCMT ref: 000DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000DBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 000DBFA9
RegCloseKey.ADVAPI32(00000000), ref: 000DBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 000DC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 000DC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 000DC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 000DC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 000DC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 000DC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 000DC382
RegCloseKey.ADVAPI32(00000000), ref: 000DC38F

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: daee25ca304050baf20519f6f3cf01cd537c40139c14a5206a635dc4470e6f35
Instruction ID: b5bdfb6d33526715123e04d505aab2a0e17128b6d3dabf912b705d07e73f0869
Opcode Fuzzy Hash: daee25ca304050baf20519f6f3cf01cd537c40139c14a5206a635dc4470e6f35
Instruction Fuzzy Hash: 62025C716043019FD754CF28C895E2ABBE5AF49318F18849DF84ADB3A2DB31ED46CB61

Function 000C8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 000C8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 000C8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000C8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000C8310
SetCurrentDirectoryW.KERNEL32(?), ref: 000C8324
SetCurrentDirectoryW.KERNEL32(?), ref: 000C8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 000C838C
SetCurrentDirectoryW.KERNEL32(?), ref: 000C8395

Strings

*.*, xrefs: 000C839B

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 0758e7c6c3b2da62c4d431ae70c5a0b9a77c602a414df38ec8ed7efb8517e649
Instruction ID: c5404943f947cd138c251ed16bd681e9bdd8ea1bd12f84ce670938b1fc13f9b6
Opcode Fuzzy Hash: 0758e7c6c3b2da62c4d431ae70c5a0b9a77c602a414df38ec8ed7efb8517e649
Instruction Fuzzy Hash: E2614A715047459FD710DF60C844E9FB3E8BF89310F04891EF98997252EB35E949CB96

Function 000BD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00053AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00053A97,?,?,00052E7F,?,?,?,00000000), ref: 00053AC2

Part of subcall function 000BE199: GetFileAttributesW.KERNEL32(?,000BCF95), ref: 000BE19A

FindFirstFileW.KERNEL32(?,?), ref: 000BD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 000BD1DD
MoveFileW.KERNEL32(?,?), ref: 000BD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 000BD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 000BD237

Part of subcall function 000BD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,000BD21C,?,?), ref: 000BD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 000BD253
FindClose.KERNEL32(00000000), ref: 000BD264

Strings

\*.*, xrefs: 000BD0CD, 000BD0D6, 000BD0EB

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 62d33495efa9f6220e76a5159629272cc72347e1e3164656c6e83cf469340aa9
Instruction ID: d9148d20de77b7ba94910c003255fd77cf7cf7bd583c8e5978da40b6e5e3382c
Opcode Fuzzy Hash: 62d33495efa9f6220e76a5159629272cc72347e1e3164656c6e83cf469340aa9
Instruction Fuzzy Hash: 04616E3180114DABDF05EBE0D9929FEB7B5AF25301F64456AE80177192EF319F09CB60

Function 000CED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 000CED91
EmptyClipboard.USER32 ref: 000CED97
GlobalAlloc.KERNEL32(00000002,?), ref: 000CEDAC
CloseClipboard.USER32 ref: 000CEEA3

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: ddb6d46db1b7a70714e1fe158a97740ad8247f8dac111f48f018383d5bc2bbe8
Instruction ID: eb01b70dc54ebd51294da2037bf3d9eac06d3eee2d88e6e0e7cfbaf23001a37c
Opcode Fuzzy Hash: ddb6d46db1b7a70714e1fe158a97740ad8247f8dac111f48f018383d5bc2bbe8
Instruction Fuzzy Hash: AF41BD35204691AFE720DF15D888F5ABBE5EF44368F14C09DE81A9F662C736EC42CB90

Function 000BE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 000B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000B170D
Part of subcall function 000B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000B173A
Part of subcall function 000B16C3: GetLastError.KERNEL32 ref: 000B174A

ExitWindowsEx.USER32(?,00000000), ref: 000BE932

Strings

@, xrefs: 000BE925
, xrefs: 000BE920
SeShutdownPrivilege, xrefs: 000BE902
, xrefs: 000BE95C

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: f7f1ce4fb2e0b5af38ffc47f76a2c68ba30ff6faed6babf1beeeed63762c97d1
Instruction ID: d07bcb670df4132bdcd3b1a041b19bb0296d40d4ae8469b970bfe76c166ee8a5
Opcode Fuzzy Hash: f7f1ce4fb2e0b5af38ffc47f76a2c68ba30ff6faed6babf1beeeed63762c97d1
Instruction Fuzzy Hash: 1C01D673610351AFFB6826B4DC86FFF729C9714B50F150522F913F61D2D6A55C488194

Function 000D1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 000D1276
WSAGetLastError.WSOCK32 ref: 000D1283
bind.WSOCK32(00000000,?,00000010), ref: 000D12BA
WSAGetLastError.WSOCK32 ref: 000D12C5
closesocket.WSOCK32(00000000), ref: 000D12F4
listen.WSOCK32(00000000,00000005), ref: 000D1303
WSAGetLastError.WSOCK32 ref: 000D130D
closesocket.WSOCK32(00000000), ref: 000D133C

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 37eca7baec79737bdd80e91b7d69f7cecd33e83be21d3d122a6daf7b516e970c
Instruction ID: b5ebfd1d515445d09c7bc3614dacc9059431d6c06a490e8fbfc41353dcfb194c
Opcode Fuzzy Hash: 37eca7baec79737bdd80e91b7d69f7cecd33e83be21d3d122a6daf7b516e970c
Instruction Fuzzy Hash: 8241A431600240AFE714DF64C5C4B6ABBE5AF46314F188099E8569F392CB76ED86CBF1

Function 0008B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0008B9D4
_free.LIBCMT ref: 0008B9F8
_free.LIBCMT ref: 0008BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,000F3700), ref: 0008BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0012121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0008BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00121270,000000FF,?,0000003F,00000000,?), ref: 0008BC36
_free.LIBCMT ref: 0008BD4B

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 230566afadd1c90af8dc0b3e739ae993be12c5496f09c8d90f6dc4edbaf108c8
Instruction ID: 865734d44e9fdf207caa057f678014159bba0062d899f768220be8068b1fe649
Opcode Fuzzy Hash: 230566afadd1c90af8dc0b3e739ae993be12c5496f09c8d90f6dc4edbaf108c8
Instruction Fuzzy Hash: E4C1F471904205AFDB24FF689C51AEE7BE9FF51310F2841AAE4D5D7252EB309E42C750

Function 000BD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00053AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00053A97,?,?,00052E7F,?,?,?,00000000), ref: 00053AC2

Part of subcall function 000BE199: GetFileAttributesW.KERNEL32(?,000BCF95), ref: 000BE19A

FindFirstFileW.KERNEL32(?,?), ref: 000BD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 000BD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 000BD481
FindClose.KERNEL32(00000000), ref: 000BD498
FindClose.KERNEL32(00000000), ref: 000BD4A1

Strings

\*.*, xrefs: 000BD3F2

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: e139977c2cd1a1d8f549d2aabe5fbf20d0bca653d8aa60f9d6ec3b8304fa5b81
Instruction ID: 16f69a0ed4c567ae2090f8a2c6da0846972815de1bd4f4b198369f43671b7356
Opcode Fuzzy Hash: e139977c2cd1a1d8f549d2aabe5fbf20d0bca653d8aa60f9d6ec3b8304fa5b81
Instruction Fuzzy Hash: 9F3150710083859BD304EF64D8918EFB7E8AF92315F444E2EF8D553192EB25AA0DC763

Function 0008E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0008E645

Strings

1#SNAN, xrefs: 0008F844
1#INF, xrefs: 0008F852
1#QNAN, xrefs: 0008F84B
1#IND, xrefs: 0008F83D

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2573ab2531192b928f2d764d9ead826b12eb83dc5c4e1559b66bc988143f2519
Instruction ID: 12ff9bda44405d1fbe33c578f6e2d91877e8b25bc136bb365eca184ca596ac44
Opcode Fuzzy Hash: 2573ab2531192b928f2d764d9ead826b12eb83dc5c4e1559b66bc988143f2519
Instruction Fuzzy Hash: 1EC22871E086298FDB65EE28DD407EAB7B5FB48305F1441EAD48DE7241E778AE818F40

Function 000C648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000C64DC
CoInitialize.OLE32(00000000), ref: 000C6639
CoCreateInstance.OLE32(000EFCF8,00000000,00000001,000EFB68,?), ref: 000C6650
CoUninitialize.OLE32 ref: 000C68D4

Strings

.lnk, xrefs: 000C64BA, 000C6524, 000C65E0

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 322eac94c2aec119ae8ac502acf1713d59405e7eb4ba8e3bb59ebd8e83f8af75
Instruction ID: 2ba119c31bff2dfc3ba68b8b7c17d42777d8d7ea12b6f4ac9fbdb20874d3d5e2
Opcode Fuzzy Hash: 322eac94c2aec119ae8ac502acf1713d59405e7eb4ba8e3bb59ebd8e83f8af75
Instruction Fuzzy Hash: 3ED15971508301AFD314EF24C881EABB7E8FF94705F50496DF5998B292EB31E909CB92

Function 000D22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 000D22E8

Part of subcall function 000CE4EC: GetWindowRect.USER32(?,?), ref: 000CE504

GetDesktopWindow.USER32 ref: 000D2312
GetWindowRect.USER32(00000000), ref: 000D2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 000D2355
GetCursorPos.USER32(?), ref: 000D2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 000D23DF

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 3f56ea3b8223ff19421bdb8acab49276fff0b1872d4d6ec2a8a4550becfbce0b
Instruction ID: 323ca0d2678fd2741c1950e664ded8d77c2eb64f52b78e03cd8aed5defc29758
Opcode Fuzzy Hash: 3f56ea3b8223ff19421bdb8acab49276fff0b1872d4d6ec2a8a4550becfbce0b
Instruction Fuzzy Hash: 8B31E472504355AFE720DF14C845F9BB7E9FF84710F00091AF995A7281DB35EA09CBA1

Function 000C9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00059CB3: _wcslen.LIBCMT ref: 00059CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 000C9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 000C9C8B

Part of subcall function 000C3874: GetInputState.USER32 ref: 000C38CB
Part of subcall function 000C3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000C3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 000C9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 000C9C75

Strings

*.*, xrefs: 000C9B5D

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: b5d971ff793d0a1046b71069c249e4b992ba42ab9c0671584d06fe6d2f2e8bab
Instruction ID: ea02dbcee79614146a0f7bfa53fff4114dbebbd47a2eea66f35a603f8bb66e20
Opcode Fuzzy Hash: b5d971ff793d0a1046b71069c249e4b992ba42ab9c0671584d06fe6d2f2e8bab
Instruction Fuzzy Hash: 10417C7190420AAFDF54DF64C989FEEBBF8EF05311F24405AE805A6192EB319E85CB64

Function 0006997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00069BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00069BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00069A4E
GetSysColor.USER32(0000000F), ref: 00069B23
SetBkColor.GDI32(?,00000000), ref: 00069B36

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 29f083a37f771c7c13aefb2933e1bfbe2de57ed675bdc33235896aa542b8b13c
Instruction ID: d30e5a31abffc9a83bfb57287754bde51a830eed974f922e3f987c43296c038e
Opcode Fuzzy Hash: 29f083a37f771c7c13aefb2933e1bfbe2de57ed675bdc33235896aa542b8b13c
Instruction Fuzzy Hash: A5A10770208444BEE778DABD8C98EBF26DFEF43340B15811AF506D6E92CA359D41C6B2

Function 000D1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 000D307A
Part of subcall function 000D304E: _wcslen.LIBCMT ref: 000D309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 000D185D
WSAGetLastError.WSOCK32 ref: 000D1884
bind.WSOCK32(00000000,?,00000010), ref: 000D18DB
WSAGetLastError.WSOCK32 ref: 000D18E6
closesocket.WSOCK32(00000000), ref: 000D1915

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 8186306d8e8aeb424a7c1f7f2230f9f912b98229e9cda78fd0e5b93e19695bde
Instruction ID: 15da4632c758d9c572ab70ab500ebd18227fda252f910a962dd4ad59279368d0
Opcode Fuzzy Hash: 8186306d8e8aeb424a7c1f7f2230f9f912b98229e9cda78fd0e5b93e19695bde
Instruction Fuzzy Hash: 5851A471A00200AFE720EF24C886FAA77E59B44718F448059F9496F3D3DB75AD42CBA1

Function 000E1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 000E1CC0
IsWindowEnabled.USER32 ref: 000E1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 000E1CDB
IsIconic.USER32 ref: 000E1CE9
IsZoomed.USER32 ref: 000E1CF7

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 43538a31273aee7e1b09bbadb9fbef6513e3dd4a2085fb69acb0b091e9929384
Instruction ID: 0777bddea986774a3e0ce3ba5b702f9e65f49b2ed6d2dd7a4eceb5a945d9ffd5
Opcode Fuzzy Hash: 43538a31273aee7e1b09bbadb9fbef6513e3dd4a2085fb69acb0b091e9929384
Instruction Fuzzy Hash: 5521A6317402905FE7208F1BD884FAA7BE5EF85715F298068E849EB352C776EC42CB90

Function 00058060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 000583E8
VUUU, xrefs: 0005843C
VUUU, xrefs: 000583FA
ERCP, xrefs: 0005813C
VUUU, xrefs: 00095DF0

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: c8c14dc240ec8322d40cd08e68b9a2dc4afb285a048cb15a667146e5fc8101e0
Instruction ID: aab3e9c671aa474e8bc147e7b3f254b550911ccbe32dc589f386d35af4700301
Opcode Fuzzy Hash: c8c14dc240ec8322d40cd08e68b9a2dc4afb285a048cb15a667146e5fc8101e0
Instruction Fuzzy Hash: 7FA27C70E0061ACBDF75CF58C8847AEB7B1BB54311F2481AAEC15A7285EB319E85DF90

Function 000DA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000DA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 000DA6BA

Part of subcall function 00059CB3: _wcslen.LIBCMT ref: 00059CBD

Process32NextW.KERNEL32(00000000,?), ref: 000DA79C
CloseHandle.KERNEL32(00000000), ref: 000DA7AB

Part of subcall function 0006CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00093303,?), ref: 0006CE8A

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: fddb9330271986bbec1874f5ed7905473fd9f7dd14de890d1d3e2988e61b3395
Instruction ID: 4625ec6f25aaf006cdc4e8161254216abd67c507f8bed18113dd9c7a36ba87ee
Opcode Fuzzy Hash: fddb9330271986bbec1874f5ed7905473fd9f7dd14de890d1d3e2988e61b3395
Instruction Fuzzy Hash: D55151716083419FD710DF24C886EABBBE8FF89754F40491DF98597252EB35D908CB92

Function 000BAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 000BAAAC
SetKeyboardState.USER32(00000080), ref: 000BAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 000BAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 000BAB88

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3be868b878c0e0776544ca954a6ce9440ba76c36dd0d5a47ea506d49a44502ba
Instruction ID: 0cf07399d033382d9e48725f1a49f088324a6b1cf30d95d27c6e77a0310920ae
Opcode Fuzzy Hash: 3be868b878c0e0776544ca954a6ce9440ba76c36dd0d5a47ea506d49a44502ba
Instruction Fuzzy Hash: 22311630B40248AEFF358B648C05FFE7BEAAB46310F04421AF5A1A61D2D3798985C766

Function 000CCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 000CCE89
GetLastError.KERNEL32(?,00000000), ref: 000CCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 000CCEFE

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 849b2ac7c8809edcdf68cf559d6d99c1d6f86db696e583a618c08b67ffa5cb27
Instruction ID: 7bbfe527c87d5984653e8a66d80e36a6103b6b324840b11f644914026d5e039c
Opcode Fuzzy Hash: 849b2ac7c8809edcdf68cf559d6d99c1d6f86db696e583a618c08b67ffa5cb27
Instruction Fuzzy Hash: 4D21BDB19003059BF730DF65C988FAE77F8EB01754F10842EE64AE6152E774EE458B54

Function 000B8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 000B82AA

Strings

(, xrefs: 000B82F0
|, xrefs: 000B82DA

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: daf08933bad3fa15ea72725ef66ddc9c7db94d05e7f2e3d8b2ec669127bb9e3c
Instruction ID: deeac9f1911f03dbf0e8130d51db770ecb6f9a562e5715c14ab30f9fd43e17b2
Opcode Fuzzy Hash: daf08933bad3fa15ea72725ef66ddc9c7db94d05e7f2e3d8b2ec669127bb9e3c
Instruction Fuzzy Hash: 1B322474A00605DFCB28CF59C481AAAB7F4FF48710B15C56EE59ADB3A1EB70E981CB44

Function 000C5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000C5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 000C5D17
FindClose.KERNEL32(?), ref: 000C5D5F

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 0dba1b46b2bbfdc76b9cf1db61330400769afc02a4780e99139b1b7e12b3da75
Instruction ID: b35f8deb587108cf5c29b955752413c5afe5352c83e7d573a958e8bec40b3b63
Opcode Fuzzy Hash: 0dba1b46b2bbfdc76b9cf1db61330400769afc02a4780e99139b1b7e12b3da75
Instruction Fuzzy Hash: 09518638604B019FD724CF28C894E9AB7E4FF09315F14855DE99A8B3A2CB31F985CB91

Function 00082622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0008271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00082724
UnhandledExceptionFilter.KERNEL32(?), ref: 00082731

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 447e5926f8c7264eb6aefbfca89bb2cf8acc559117654898b0b35abc604f8d2e
Instruction ID: 9fea76b02088b0aa0fc0258085f79a0306402d74f68b01c2794bc22863df4712
Opcode Fuzzy Hash: 447e5926f8c7264eb6aefbfca89bb2cf8acc559117654898b0b35abc604f8d2e
Instruction Fuzzy Hash: 0B31B674911218ABCB61EF64DD897D9B7B8BF08710F5081DAE41CA6261E7349F818F45

Function 000C51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000C51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 000C5238
SetErrorMode.KERNEL32(00000000), ref: 000C52A1

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 0941290316221bf0afa6393bd33817f35eef8984d091c4069d4debc0795ec446
Instruction ID: 09caaf96f0da7f3f36c7a54cbc9d082030269fb99833362f2387e3d1a11d98df
Opcode Fuzzy Hash: 0941290316221bf0afa6393bd33817f35eef8984d091c4069d4debc0795ec446
Instruction Fuzzy Hash: B9310B75A006189FEB00DF54D884EAEBBF4FF49315F048099E805AB252DB35E856CB50

Function 000B16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0006FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00070668
Part of subcall function 0006FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00070685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000B170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000B173A
GetLastError.KERNEL32 ref: 000B174A

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: c8cceebb054baec5345a7a6b42c35b64bc24d8463b7558948f1cecf8f57ea8c2
Instruction ID: 3567799f6428d9f542bfaa9655e64fcc4648dc52b870784796820a7a6318058d
Opcode Fuzzy Hash: c8cceebb054baec5345a7a6b42c35b64bc24d8463b7558948f1cecf8f57ea8c2
Instruction Fuzzy Hash: F61191B2404305AFE7189F54ECC6DAAB7FEEF45714B20852EE45657241EB71BC428B60

Function 000BD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000BD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 000BD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000BD650

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 6b045b4e4f742a0cafbef2d0f400c882c15752364c968a68c6826a5f9d30b924
Instruction ID: 61d2c56981f10caac7edcd4c53b17fc09029c4178426063002260ce1ff5fe3c4
Opcode Fuzzy Hash: 6b045b4e4f742a0cafbef2d0f400c882c15752364c968a68c6826a5f9d30b924
Instruction Fuzzy Hash: 3F113C75E05228BBEB208FA59C85FEFBFBCEB45B50F108156F914E7290D6704A058BA1

Function 000B1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 000B168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 000B16A1
FreeSid.ADVAPI32(?), ref: 000B16B1

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 61efff1e2c22c7de22cb6f8f4d502b36f0c3a5138cfd4e8167808c2e1c5497a9
Instruction ID: 446cbb266c1183b67ef051f88be86eeb7cc67cf499fac06a258866f24838f0bd
Opcode Fuzzy Hash: 61efff1e2c22c7de22cb6f8f4d502b36f0c3a5138cfd4e8167808c2e1c5497a9
Instruction Fuzzy Hash: BDF0F471950309FBEB00DFE49C89EAEBBBCEB08604F504565E501E6181E775AA448A50

Function 0008C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0008C36C

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 96096dc8cfb2c4dad540ce24a184187cdba442b6dc5ce247fa106e4cc723741f
Instruction ID: 8b72eb0547fbb61b053eab7fbe0c4258de0a9f452c5a3ba8c263aafae307bcf1
Opcode Fuzzy Hash: 96096dc8cfb2c4dad540ce24a184187cdba442b6dc5ce247fa106e4cc723741f
Instruction Fuzzy Hash: 5E414972900219AFDB20AFB9DC48DBB77B8FB84314F104269F945D7181E6709E818B60

Function 000AD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 000AD28C

Strings

X64, xrefs: 000AD2A8

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 1151e82cb6431a01f396978ff2018b2196f4a946e2c1e1b7fc5eb4b8f0838ca1
Instruction ID: 2a32e3cb12a885cef53558441dbf598cbd2342398c0c7b83e3c83e2f8172c995
Opcode Fuzzy Hash: 1151e82cb6431a01f396978ff2018b2196f4a946e2c1e1b7fc5eb4b8f0838ca1
Instruction Fuzzy Hash: 95D0C9B480111DEADBA0DB90DCC8EDDB37CBB14345F100152F506A2000D73495498F10

Function 0007CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: fcb2c657b18e1fd937275245d741ec0407f0f95173110ad315d239d76163803b
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 51021C71E002199FEF24CFA9C880AADBBF1EF48314F25816DD919E7385D735AE418B94

Function 000C68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000C6918
FindClose.KERNEL32(00000000), ref: 000C6961

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ce222196ca8ade8912cd89bc7f1e7fb2b719fe5090d88fb720b1c06531ca3b0d
Instruction ID: d85249354b346e24217579e6838ee4a27d8621f62043b691213b9c40950d4092
Opcode Fuzzy Hash: ce222196ca8ade8912cd89bc7f1e7fb2b719fe5090d88fb720b1c06531ca3b0d
Instruction Fuzzy Hash: 211181716046009FD710DF29D885E1ABBE5EF85329F14C6ADE8698F2A2C735EC05CB91

Function 000C37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,000D4891,?,?,00000035,?), ref: 000C37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,000D4891,?,?,00000035,?), ref: 000C37F4

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 9aacde6ec4057a9f5733f57ef6816ddaf78da5ba0bf77fc46be7b6d88efa39ca
Instruction ID: d0e9fde3ac40f09ff28b7ce8ae390c979f6eaa105554fcc0c10158af1d9b4cc3
Opcode Fuzzy Hash: 9aacde6ec4057a9f5733f57ef6816ddaf78da5ba0bf77fc46be7b6d88efa39ca
Instruction Fuzzy Hash: B7F0E5B17043296AFB2017768C8DFEF3AAEEFC5B61F000279F509E2281D9609904C6B0

Function 000B10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000B11FC), ref: 000B10D4
CloseHandle.KERNEL32(?,?,000B11FC), ref: 000B10E9

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 8aa0fd22de8a66d6bb370fbdbfc0a230b7ea7834333d2dd3cdcd1248a8ad4212
Instruction ID: 175f1cd5d7ef5d417156741ab43439e3d326d883b2b54d3cfe365604a1d3fc28
Opcode Fuzzy Hash: 8aa0fd22de8a66d6bb370fbdbfc0a230b7ea7834333d2dd3cdcd1248a8ad4212
Instruction Fuzzy Hash: 87E04F32014641AEF7252B21FC05EB37BEAEB04710B10882EF4A5844B1DB636C90DB10

Function 0006BE70 Relevance: 2.3, Strings: 1, Instructions: 1067COMMON

Download Yara Rule

Strings

________________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{, xrefs: 000AAE3A, 000AB5ED

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID: ________________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{
API String ID: 0-1797318591
Opcode ID: f3685700403b6a8ef9252b6b33e4cbb1fa3dd9ed01956ec4f29a41c8cc467ea0
Instruction ID: 01345b133c38c263e07fdb7d55586e9145f583cb2f412e8c6c869786cbc24fb9
Opcode Fuzzy Hash: f3685700403b6a8ef9252b6b33e4cbb1fa3dd9ed01956ec4f29a41c8cc467ea0
Instruction Fuzzy Hash: 52828D72E002199FDF24CFA8C841BEDB7F1AF4A710F24856AE555EB282E7749D81CB50

Function 0005CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 000A0C40

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 9841674893c849cfbf32905a5f7d8f9cee25b659d7c8497a8496c0dc214d2256
Instruction ID: 519050dd1a89152ec43e90a0df3655cb4fd94b82f8e0d1bed4bd73c95c3b8eca
Opcode Fuzzy Hash: 9841674893c849cfbf32905a5f7d8f9cee25b659d7c8497a8496c0dc214d2256
Instruction Fuzzy Hash: C0326A70900318DFEF24DF94C991EEEB7B5BF06305F148069E806AB292D775AE49CB61

Function 0008676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00086766,?,?,00000008,?,?,0008FEFE,00000000), ref: 00086998

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6be3502c5591845fd1ada3a2f317e13db25180b511bdeb081a3ca30cad2b9b9f
Instruction ID: 0add3a3af2ef39f082a0f77200edb6921a905e3203380ea07036de76c9a0c23e
Opcode Fuzzy Hash: 6be3502c5591845fd1ada3a2f317e13db25180b511bdeb081a3ca30cad2b9b9f
Instruction Fuzzy Hash: 4EB16D31510608DFD759DF28C48AB657BE0FF05364F268658E8DACF2A2C736D981CB40

Function 0006B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 000A851F

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: af823268600ad2b9ae8c2910be43b9c478de987aaa874eed3246d4eb2b2026bf
Instruction ID: fb44861249a2af7b834b610d0163fbfcab0e3903354bd92c3d27d0e20b5fb295
Opcode Fuzzy Hash: af823268600ad2b9ae8c2910be43b9c478de987aaa874eed3246d4eb2b2026bf
Instruction Fuzzy Hash: 5A1232B1E002299FDB64CF98C8816EEB7F5FF49710F14815AE849EB255DB349E81CB90

Function 000CEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 000CEABD

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: e533ffc814ea43e7d2565aa6a4274fbf7a5e76367a3e85c6944164fe4db33683
Instruction ID: 30076a2920ce0a976c9204214b8a891d80906011c55fb926a9e0418a30ce4a66
Opcode Fuzzy Hash: e533ffc814ea43e7d2565aa6a4274fbf7a5e76367a3e85c6944164fe4db33683
Instruction Fuzzy Hash: 67E01A352002049FD710EF69D844E9BB7E9AF98760F00842AFC49DB251DA70B8458B91

Function 000709D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,000703EE), ref: 000709DA

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ddbdfb6a0c671419c3ef38c6d1e43ded16b577962ad9941ed9b1427dcca9b614
Instruction ID: 746a0bc139b0f296e2c63248966b4e521d605a0e9b9762b01343b11dce4bba18
Opcode Fuzzy Hash: ddbdfb6a0c671419c3ef38c6d1e43ded16b577962ad9941ed9b1427dcca9b614
Instruction Fuzzy Hash:

Function 0007781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0007798B

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: cec67272f59344e5dc312a97642a49996ce12b082a459175985ebe0e792fda26
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: C1510261E8C645A6DBF84568C8597BE23D59B423C0F18C919D98EC7282CA1DEE01D39F

Function 00086DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dee6aacc6ab98dac1d083e38bf1a8ec386a4c351112f0cb2d0bb7b8bc95c7096
Instruction ID: e85900f70f42253d6ca884e38e08bad335247a16545ad558320ddc9e467d1b42
Opcode Fuzzy Hash: dee6aacc6ab98dac1d083e38bf1a8ec386a4c351112f0cb2d0bb7b8bc95c7096
Instruction Fuzzy Hash: 93322921D29F014DE723A634DC22335A689BFB73C5F25D737E85AB5DA9EB29C4835200

Function 0006CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b17f0485c565dd8db9ea140e8eab967b3de73b4ae4d60779449bf3bbb1f9cc
Instruction ID: 747c0f93c8c974916b26074e468630cc62c8d2e1a18cdc06fb2e0abae6b294de
Opcode Fuzzy Hash: 73b17f0485c565dd8db9ea140e8eab967b3de73b4ae4d60779449bf3bbb1f9cc
Instruction Fuzzy Hash: 06324731A041558BFF78CFA8C494EBD77E2EB46324F2A816AD49ACB291D330DD81DB51

Function 00057920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0137ecaba412761312c6eee7808d71c55fa3c0739c087d23fa7bd4056f7fbb
Instruction ID: 838b10f302af25e87c7912f7a5408fcdd23d5cacfda9fb39b3680356f241c682
Opcode Fuzzy Hash: 3a0137ecaba412761312c6eee7808d71c55fa3c0739c087d23fa7bd4056f7fbb
Instruction Fuzzy Hash: EB22C2B0A0460ADFDF14CF65D881AEEB7F6FF44301F108629E816A7291EB369E54DB50

Function 000591C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a6ce81bce71a2db24a8cae09a5c1ee5adb21cfab5001d9d6c6848f10f7609c
Instruction ID: 6c3d974ed5e1c3962dc78fab94e544f49ed50f81b58d449e1845c4443aadb9bd
Opcode Fuzzy Hash: 94a6ce81bce71a2db24a8cae09a5c1ee5adb21cfab5001d9d6c6848f10f7609c
Instruction Fuzzy Hash: 6202C6B0E00206EBDF14DF54D881AEEBBB5FF44300F108169E8569B291EB31EE65DB95

Function 00089EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5abd17dd97c22e9abfeffb2ced9880314f9b13f5d3a76f9868a15be24bad2afd
Instruction ID: 63ee78f06a69402acffeee12c934e6cc28184f177de46395b0d17d6dada1f18f
Opcode Fuzzy Hash: 5abd17dd97c22e9abfeffb2ced9880314f9b13f5d3a76f9868a15be24bad2afd
Instruction Fuzzy Hash: 34B12420E2AF414DE72396398835336B65CBFBB2D5F91D31BFC5674D22EB2586839140

Function 00071C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: f8659aa8faa657b90b33f2239b8d8b554b2d054e2510564fa6cd0fe7ec4dfaa5
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: E691B972A080A34ADB79463E85340BDFFE15F523A131A879DD4FACB1C1FE28D954D624

Function 00071F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 538a5b070367e39ac3f59baecb82bb0aad131fc622a9aff0a400046f4853a8fd
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 5A919972A090E34DDBAD423D847407DFFE15B923A131A87ADD4FACB1C6EE28C564D624

Function 000719B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: be9d3065dd00a8d7e28d33a7ae8242753b15fe59b9829d8be7e0fca4b7a5b237
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: AF91B772A090E30EDB6D427E85740BDFFE15B923A131A879DD4FACA1C1FE28C654D624

Function 00077A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d0199c24ab8e2e84cba7209c4238d326bd2b5c4fa8157b9251f9627696fdd1
Instruction ID: 8fb76db1162b4942c77be7d9c92f58a72a524977ed6090d6a6ab5ffd286c24e2
Opcode Fuzzy Hash: 77d0199c24ab8e2e84cba7209c4238d326bd2b5c4fa8157b9251f9627696fdd1
Instruction Fuzzy Hash: 88616A61F48709A6EAB459288895BFE23D4DF813C0F10C91DE94ECB282D71DAE41C75E

Function 00077CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ac64c1cbf1efa34b851897617847ada095a17319d122ccc638031a9938cc86
Instruction ID: f218d9a6a469b55794e940541e30c03bee7248ae6a50209b2419104c6036ed9e
Opcode Fuzzy Hash: a0ac64c1cbf1efa34b851897617847ada095a17319d122ccc638031a9938cc86
Instruction Fuzzy Hash: 4A618C31F4870962DEB849684855BFF23E8AF467C4F10C959E94FCB282EA1E9D42C35D

Function 00071706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: d1c9325674feeedf0c58423f90b88c81f6800cf69d77d5101c71f194748f405f
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 7981867290C0A309DBAD463D85340BEFFE15F923A131A879DD4FACB1C1EE28D559E624

Function 000C2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b425ebb2b3c7660f1fe3bc7168c815ab825f1807ae475f65ac2d9322d9b268a
Instruction ID: b3fa73f84073171ec7fb47c6a152166f1877363dc856099f46231fed12435cf1
Opcode Fuzzy Hash: 2b425ebb2b3c7660f1fe3bc7168c815ab825f1807ae475f65ac2d9322d9b268a
Instruction Fuzzy Hash: 5E21E7326206119BD728CF79C823A7E73E5B754310F24862EE4A7C3BD1DE39A944CB80

Function 000E70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 000E712F
GetSysColorBrush.USER32(0000000F), ref: 000E7160
GetSysColor.USER32(0000000F), ref: 000E716C
SetBkColor.GDI32(?,000000FF), ref: 000E7186
SelectObject.GDI32(?,?), ref: 000E7195
InflateRect.USER32(?,000000FF,000000FF), ref: 000E71C0
GetSysColor.USER32(00000010), ref: 000E71C8
CreateSolidBrush.GDI32(00000000), ref: 000E71CF
FrameRect.USER32(?,?,00000000), ref: 000E71DE
DeleteObject.GDI32(00000000), ref: 000E71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 000E7230
FillRect.USER32(?,?,?), ref: 000E7262
GetWindowLongW.USER32(?,000000F0), ref: 000E7284

Part of subcall function 000E73E8: GetSysColor.USER32(00000012), ref: 000E7421
Part of subcall function 000E73E8: SetTextColor.GDI32(?,?), ref: 000E7425
Part of subcall function 000E73E8: GetSysColorBrush.USER32(0000000F), ref: 000E743B
Part of subcall function 000E73E8: GetSysColor.USER32(0000000F), ref: 000E7446
Part of subcall function 000E73E8: GetSysColor.USER32(00000011), ref: 000E7463
Part of subcall function 000E73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 000E7471
Part of subcall function 000E73E8: SelectObject.GDI32(?,00000000), ref: 000E7482
Part of subcall function 000E73E8: SetBkColor.GDI32(?,00000000), ref: 000E748B
Part of subcall function 000E73E8: SelectObject.GDI32(?,?), ref: 000E7498
Part of subcall function 000E73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 000E74B7
Part of subcall function 000E73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000E74CE
Part of subcall function 000E73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 000E74DB

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: faab630f40328349658df58e71b8dcb95cc6aad92523ab4b29027e278dda6ed0
Instruction ID: b3aac8707f52ab65bfbda37c93c1c96a496eacbb7ebd8e1b3c1fdf3ff635f083
Opcode Fuzzy Hash: faab630f40328349658df58e71b8dcb95cc6aad92523ab4b29027e278dda6ed0
Instruction Fuzzy Hash: BDA1D472008381BFE7109F64DC88E5B7BE9FF49720F100A19FA66AA1E1D736E941CB51

Function 00068D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00068E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 000A6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 000A6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 000A6F43

Part of subcall function 00068F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00068BE8,?,00000000,?,?,?,?,00068BBA,00000000,?), ref: 00068FC5

SendMessageW.USER32(?,00001053), ref: 000A6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 000A6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 000A6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 000A6FB7

Strings

0, xrefs: 000A6DCF

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: d4e24c8723c813a8bd6b99e33352bc907eb41ecff1c6981bcdc64cc5257c9cb7
Instruction ID: adf905d29ea98d294903f64194d910adc810f63da41f1cfd8a46231e78a45eb3
Opcode Fuzzy Hash: d4e24c8723c813a8bd6b99e33352bc907eb41ecff1c6981bcdc64cc5257c9cb7
Instruction Fuzzy Hash: 8F12BF30600241EFDB65CF54C888BAAB7F6FB5A700F188569F4959B661CB33EC92CB51

Function 000D2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 000D273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 000D286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 000D28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 000D28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 000D2900
GetClientRect.USER32(00000000,?), ref: 000D290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 000D2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 000D2964
GetStockObject.GDI32(00000011), ref: 000D2974
SelectObject.GDI32(00000000,00000000), ref: 000D2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 000D2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000D2991
DeleteDC.GDI32(00000000), ref: 000D299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 000D29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 000D29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 000D2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 000D2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 000D2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 000D2A77
GetStockObject.GDI32(00000011), ref: 000D2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 000D2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 000D2A97

Strings

static, xrefs: 000D294F, 000D2A71
DISPLAY, xrefs: 000D295A
AutoIt v3, xrefs: 000D28F8
msctls_progress32, xrefs: 000D2A13

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: a45fd37295bebeb98db18a1f51dcca4856e28b7c9a56d5e1ba3a9f74f507c959
Instruction ID: 6788235a4bf3a4cc2a17550590264dc378bc8a8066ab88386cf1e05d14401d5f
Opcode Fuzzy Hash: a45fd37295bebeb98db18a1f51dcca4856e28b7c9a56d5e1ba3a9f74f507c959
Instruction Fuzzy Hash: 4CB15971A00205BFEB24DFA8DC89FAE7BA9FB18711F004115F915EB291DB74AD41CBA0

Function 000C4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000C4AED
GetDriveTypeW.KERNEL32(?,000ECB68,?,\\.\,000ECC08), ref: 000C4BCA
SetErrorMode.KERNEL32(00000000,000ECB68,?,\\.\,000ECC08), ref: 000C4D36

Strings

SCSI, xrefs: 000C4C8A
PhysicalDrive, xrefs: 000C4B76
Fixed, xrefs: 000C4C09
SAS, xrefs: 000C4CC9
SATA, xrefs: 000C4CD0
Fibre, xrefs: 000C4CAD
MMC, xrefs: 000C4CDE
ATA, xrefs: 000C4C98
SSA, xrefs: 000C4CA6
1394, xrefs: 000C4C9F
RAID, xrefs: 000C4CBB
SSD, xrefs: 000C4C4A
Unknown, xrefs: 000C4BED, 000C4C83
iSCSI, xrefs: 000C4CC2
Virtual, xrefs: 000C4CE5
\\.\, xrefs: 000C4B3F
Network, xrefs: 000C4C02
USB, xrefs: 000C4CB4
CDROM, xrefs: 000C4BFB
FileBackedVirtual, xrefs: 000C4CEC
RAMDisk, xrefs: 000C4BF4
Removable, xrefs: 000C4C10, 000C4C15
ATAPI, xrefs: 000C4C91

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: f431eb271d54824f3d9077c86f78c922d77581626d3836f36b2a1dbddbbc0a9a
Instruction ID: cb0ef82025fcfaa212d0cacb84d9ce87a7034d32d79628cd9f14118beaffe742
Opcode Fuzzy Hash: f431eb271d54824f3d9077c86f78c922d77581626d3836f36b2a1dbddbbc0a9a
Instruction Fuzzy Hash: 4061C630605105DBDB68DFA4CAE2FEDB7B1BB04340B20442DF846AB262DB76DD85DB41

Function 000E73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 000E7421
SetTextColor.GDI32(?,?), ref: 000E7425
GetSysColorBrush.USER32(0000000F), ref: 000E743B
GetSysColor.USER32(0000000F), ref: 000E7446
CreateSolidBrush.GDI32(?), ref: 000E744B
GetSysColor.USER32(00000011), ref: 000E7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 000E7471
SelectObject.GDI32(?,00000000), ref: 000E7482
SetBkColor.GDI32(?,00000000), ref: 000E748B
SelectObject.GDI32(?,?), ref: 000E7498
InflateRect.USER32(?,000000FF,000000FF), ref: 000E74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000E74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 000E74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000E752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 000E7554
InflateRect.USER32(?,000000FD,000000FD), ref: 000E7572
DrawFocusRect.USER32(?,?), ref: 000E757D
GetSysColor.USER32(00000011), ref: 000E758E
SetTextColor.GDI32(?,00000000), ref: 000E7596
DrawTextW.USER32(?,000E70F5,000000FF,?,00000000), ref: 000E75A8
SelectObject.GDI32(?,?), ref: 000E75BF
DeleteObject.GDI32(?), ref: 000E75CA
SelectObject.GDI32(?,?), ref: 000E75D0
DeleteObject.GDI32(?), ref: 000E75D5
SetTextColor.GDI32(?,?), ref: 000E75DB
SetBkColor.GDI32(?,?), ref: 000E75E5

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 5df106607388f8f9d81b76dbb9688f98b69cde47efba64d8d3eb839014f145e6
Instruction ID: 47c04d8e266d9141e8b54f376a7c7cd41ab760602c13abd5abc4832f495e0c76
Opcode Fuzzy Hash: 5df106607388f8f9d81b76dbb9688f98b69cde47efba64d8d3eb839014f145e6
Instruction Fuzzy Hash: 24618D72900658AFEF009FA4DC88EEEBFB9EB09720F104115FA15BB2A1D7759941DF90

Function 000E0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 000E1128
GetDesktopWindow.USER32 ref: 000E113D
GetWindowRect.USER32(00000000), ref: 000E1144
GetWindowLongW.USER32(?,000000F0), ref: 000E1199
DestroyWindow.USER32(?), ref: 000E11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 000E11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000E120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 000E121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 000E1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 000E1245
IsWindowVisible.USER32(00000000), ref: 000E12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 000E12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 000E12D0
GetWindowRect.USER32(00000000,?), ref: 000E12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 000E130E
GetMonitorInfoW.USER32(00000000,?), ref: 000E1328
CopyRect.USER32(?,?), ref: 000E133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 000E13AA

Strings

tooltips_class32, xrefs: 000E11E6
(, xrefs: 000E131B
0, xrefs: 000E10D3

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: ca038a86be8f3a6723ad3ee3ef0ff81a56225d0ab640354cf9cf9b048a8529c6
Instruction ID: 722fbc775a00b1b202823a7e41e319e48cc7dfce5ac80e47367610c303eb5801
Opcode Fuzzy Hash: ca038a86be8f3a6723ad3ee3ef0ff81a56225d0ab640354cf9cf9b048a8529c6
Instruction Fuzzy Hash: 45B19E71604380AFE754DF65C884BABBBE4FF84710F00891CF999AB2A2C771E845CB91

Function 000E0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 000E02E5
_wcslen.LIBCMT ref: 000E031F
_wcslen.LIBCMT ref: 000E0389
_wcslen.LIBCMT ref: 000E03F1
_wcslen.LIBCMT ref: 000E0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 000E04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000E0504

Part of subcall function 0006F9F2: _wcslen.LIBCMT ref: 0006F9FD

Part of subcall function 000B223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000B2258
Part of subcall function 000B223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000B228A

Strings

SELECTINVERT, xrefs: 000E057E
ISSELECTED, xrefs: 000E04DD
DESELECT, xrefs: 000E059C
GETSUBITEMCOUNT, xrefs: 000E0384, 000E039F
VIEWCHANGE, xrefs: 000E0675
FINDITEM, xrefs: 000E0627
SELECTCLEAR, xrefs: 000E052D
GETITEMCOUNT, xrefs: 000E0316, 000E0337
SELECTALL, xrefs: 000E0515
GETTEXT, xrefs: 000E03EC, 000E0407
GETSELECTED, xrefs: 000E05E1
GETSELECTEDCOUNT, xrefs: 000E0470, 000E048B
SELECT, xrefs: 000E0548

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: e82e4ba5023f5d9bf157eb324b6e71b714276d7cd10b81567d39fa953c7a267d
Instruction ID: a55d0a181ccd74bf9e7c9dc017ba9a73358e1ba29a7ed5c1aff7077c613be57e
Opcode Fuzzy Hash: e82e4ba5023f5d9bf157eb324b6e71b714276d7cd10b81567d39fa953c7a267d
Instruction Fuzzy Hash: 56E1C0712086818FC718DF25C5509BFB3E6BF88314B14496DF896AB3A2DB70ED85CB91

Function 00068891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00068968
GetSystemMetrics.USER32(00000007), ref: 00068970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0006899B
GetSystemMetrics.USER32(00000008), ref: 000689A3
GetSystemMetrics.USER32(00000004), ref: 000689C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000689E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000689F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00068A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00068A3C
GetClientRect.USER32(00000000,000000FF), ref: 00068A5A
GetStockObject.GDI32(00000011), ref: 00068A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00068A81

Part of subcall function 0006912D: GetCursorPos.USER32(?), ref: 00069141
Part of subcall function 0006912D: ScreenToClient.USER32(00000000,?), ref: 0006915E
Part of subcall function 0006912D: GetAsyncKeyState.USER32(00000001), ref: 00069183
Part of subcall function 0006912D: GetAsyncKeyState.USER32(00000002), ref: 0006919D

SetTimer.USER32(00000000,00000000,00000028,000690FC), ref: 00068AA8

Strings

AutoIt v3 GUI, xrefs: 00068A20

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 9895673346b4932c896dfaff8baab0de13aa2a087676812ee04641c12f105093
Instruction ID: 3ecfc43fba852251352ba6e006b06aa8eea6707c1db2af9f9bb401aabfbfa900
Opcode Fuzzy Hash: 9895673346b4932c896dfaff8baab0de13aa2a087676812ee04641c12f105093
Instruction Fuzzy Hash: 0BB17F71A00209AFEF14DFA8DD85FAE3BB5FB48714F144219FA15AB290DB35A881CF51

Function 000B0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000B1114
Part of subcall function 000B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,000B0B9B,?,?,?), ref: 000B1120
Part of subcall function 000B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,000B0B9B,?,?,?), ref: 000B112F
Part of subcall function 000B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,000B0B9B,?,?,?), ref: 000B1136
Part of subcall function 000B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000B0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000B0E29
GetLengthSid.ADVAPI32(?), ref: 000B0E40
GetAce.ADVAPI32(?,00000000,?), ref: 000B0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000B0E96
GetLengthSid.ADVAPI32(?), ref: 000B0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 000B0EB5
HeapAlloc.KERNEL32(00000000), ref: 000B0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 000B0EDD
CopySid.ADVAPI32(00000000), ref: 000B0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000B0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000B0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000B0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000B0F6E
HeapFree.KERNEL32(00000000), ref: 000B0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000B0F7E
HeapFree.KERNEL32(00000000), ref: 000B0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000B0F8E
HeapFree.KERNEL32(00000000), ref: 000B0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 000B0FA1
HeapFree.KERNEL32(00000000), ref: 000B0FA8

Part of subcall function 000B1193: GetProcessHeap.KERNEL32(00000008,000B0BB1,?,00000000,?,000B0BB1,?), ref: 000B11A1
Part of subcall function 000B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,000B0BB1,?), ref: 000B11A8
Part of subcall function 000B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,000B0BB1,?), ref: 000B11B7

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 7dcdabb90b7adcf23605d6cce08fbab11abb0281214a70e15100fe78dc5bdc9f
Instruction ID: 05db420dee1de1859cbff446ebd2cee7a436fe262beb788134505ba42cedc110
Opcode Fuzzy Hash: 7dcdabb90b7adcf23605d6cce08fbab11abb0281214a70e15100fe78dc5bdc9f
Instruction Fuzzy Hash: 33715D72A0020AABEF609FA4DC44FEFBBB8BF05700F048165F919BA191D7759A05CB60

Function 000DC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000DC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,000ECC08,00000000,?,00000000,?,?), ref: 000DC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 000DC5A4
_wcslen.LIBCMT ref: 000DC5F4
_wcslen.LIBCMT ref: 000DC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 000DC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 000DC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 000DC84D
RegCloseKey.ADVAPI32(?), ref: 000DC881
RegCloseKey.ADVAPI32(00000000), ref: 000DC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 000DC960

Strings

REG_BINARY, xrefs: 000DC913
REG_QWORD, xrefs: 000DC8C3
REG_EXPAND_SZ, xrefs: 000DC5CD
REG_DWORD, xrefs: 000DC804
REG_SZ, xrefs: 000DC644
REG_MULTI_SZ, xrefs: 000DC6F5

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 3cd67c521aeab89ed0983c55353e63e68ce44daa9950cecd92f4923b271d84c5
Instruction ID: e3ede979397f2e834cfac5704abcb1f4bd24f851c400f2226b572fdd52ee063c
Opcode Fuzzy Hash: 3cd67c521aeab89ed0983c55353e63e68ce44daa9950cecd92f4923b271d84c5
Instruction Fuzzy Hash: 0E1266356047019FEB14DF14C881E6AB7E5EF88724F14885DF88A9B3A2DB31ED45CB91

Function 000E091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 000E09C6
_wcslen.LIBCMT ref: 000E0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000E0A54
_wcslen.LIBCMT ref: 000E0A8A
_wcslen.LIBCMT ref: 000E0B06
_wcslen.LIBCMT ref: 000E0B81

Part of subcall function 0006F9F2: _wcslen.LIBCMT ref: 0006F9FD

Part of subcall function 000B2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000B2BFA

Strings

COLLAPSE, xrefs: 000E0B01, 000E0B1C
EXPAND, xrefs: 000E0BF8
EXISTS, xrefs: 000E0B7C, 000E0B97
GETITEMCOUNT, xrefs: 000E0C1E
ISCHECKED, xrefs: 000E0CE1
GETTEXT, xrefs: 000E0C97
GETSELECTED, xrefs: 000E0C4E
UNCHECK, xrefs: 000E0D3E
GETTOTALCOUNT, xrefs: 000E09F2, 000E0A17
SELECT, xrefs: 000E0D11
CHECK, xrefs: 000E0A85, 000E0AA0

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: fe7cf56089775ff4c124d3ee7ee9572ae308d62754bb531d6ee507c288ac6007
Instruction ID: 5796cb1e7139d1572339fb353ad6e1bfedeaba582bfe902660f902ba3c57ddf3
Opcode Fuzzy Hash: fe7cf56089775ff4c124d3ee7ee9572ae308d62754bb531d6ee507c288ac6007
Instruction Fuzzy Hash: 5AE190312087818FC714DF25C4509AEB7E1BF98314F54896DF89AAB3A2D771ED85CB82

Function 000DC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,000DB6AE,?,?), ref: 000DC9B5
_wcslen.LIBCMT ref: 000DC9F1
_wcslen.LIBCMT ref: 000DCA68
_wcslen.LIBCMT ref: 000DCA9E
_wcslen.LIBCMT ref: 000DCAF9
_wcslen.LIBCMT ref: 000DCB2F
_wcslen.LIBCMT ref: 000DCB7F

Strings

HKEY_CURRENT_CONFIG, xrefs: 000DCB79, 000DCB7E
HKU, xrefs: 000DCBF0
HKCC, xrefs: 000DCBAC
HKLM, xrefs: 000DCA98, 000DCA9D
HKEY_USERS, xrefs: 000DCBDF
HKCU, xrefs: 000DCBCE
HKEY_CLASSES_ROOT, xrefs: 000DCAF3, 000DCAF8
HKCR, xrefs: 000DCB29, 000DCB2E
HKEY_CURRENT_USER, xrefs: 000DCBBD
HKEY_LOCAL_MACHINE, xrefs: 000DCA62, 000DCA67

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 8ec45b67e2e1bfbef94521dee7dbb92ec7bd73415247ce92e5bc3206c093ee8a
Instruction ID: 4ea46720852b59595199ddf519deba728a249bed2ae099874b835c2b1cf2759b
Opcode Fuzzy Hash: 8ec45b67e2e1bfbef94521dee7dbb92ec7bd73415247ce92e5bc3206c093ee8a
Instruction Fuzzy Hash: E771B23261036B8BEB20DE6C89519FE33E1AB60764F150526F856AB385E735CD85C3B1

Function 000E833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000E835A
_wcslen.LIBCMT ref: 000E836E
_wcslen.LIBCMT ref: 000E8391
_wcslen.LIBCMT ref: 000E83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 000E83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,000E5BF2), ref: 000E844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000E8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 000E84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000E8501
FreeLibrary.KERNEL32(?), ref: 000E850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000E851D
DestroyIcon.USER32(?,?,?,?,?,000E5BF2), ref: 000E852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 000E8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 000E8555

Strings

.exe, xrefs: 000E8388
.icl, xrefs: 000E8368
.dll, xrefs: 000E83AB

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: f093bfa81f99d13d4b91471969ae31810393ba967edab1b9d60585396e377ec3
Instruction ID: 0c99d0b74f05e0842481f9f5e0770d41390c2ef25db9e495f9d8938eb19cf99f
Opcode Fuzzy Hash: f093bfa81f99d13d4b91471969ae31810393ba967edab1b9d60585396e377ec3
Instruction Fuzzy Hash: 7761BF72940645BEEB149F65CC81FFE77A8FB04B11F108609F919EA1D1DF75AA80C7A0

Function 00057778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#cs, xrefs: 00057873, 000578C5
#include-once, xrefs: 0005782F
Cannot parse #include, xrefs: 00095279
', xrefs: 00095169
Bad directive syntax error, xrefs: 0009519A
#requireadmin, xrefs: 000577FF
#pragma compile, xrefs: 000577D3
Unterminated group of comments, xrefs: 0009528C
#comments-start, xrefs: 0005785F, 000578B1
", xrefs: 00095153
#include, xrefs: 00057847
#notrayicon, xrefs: 000577E7
#ce, xrefs: 000578ED
#OnAutoItStartRegister, xrefs: 00057817
#comments-end, xrefs: 000578D9

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 6e6bdea4d0ddb817c0c570ae005054f26f63078d835ed25a3e244393ece607d9
Instruction ID: f119803166a726d737b6957840a16f2356708bb83236fb05930b4d7cde39658e
Opcode Fuzzy Hash: 6e6bdea4d0ddb817c0c570ae005054f26f63078d835ed25a3e244393ece607d9
Instruction Fuzzy Hash: DE81E471A44605BBDB21AF61EC42FFF37A9AF15301F148025FD08AA193EB71DA05E7A1

Function 000C3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 000C3EF8
_wcslen.LIBCMT ref: 000C3F03
_wcslen.LIBCMT ref: 000C3F5A
_wcslen.LIBCMT ref: 000C3F98
GetDriveTypeW.KERNEL32(?), ref: 000C3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000C401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000C4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000C4087

Strings

close cd wait, xrefs: 000C4072
type cdaudio alias cd wait, xrefs: 000C4001
set cd door , xrefs: 000C4028
close, xrefs: 000C3EFE, 000C3F18
closed, xrefs: 000C3F08, 000C3F2D, 000C3F46, 000C3F7E, 000C3F97
wait, xrefs: 000C4044
open, xrefs: 000C3F54, 000C3F59
open , xrefs: 000C3FE5

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 1be03355d97e4c1f8d5d3e41e5ed085a424791062e8efc9edcb7be9fca1c4a2c
Instruction ID: cd9446538a9cab968e9baabac2ec3cebd7217df15808eb630d88931840d912c7
Opcode Fuzzy Hash: 1be03355d97e4c1f8d5d3e41e5ed085a424791062e8efc9edcb7be9fca1c4a2c
Instruction Fuzzy Hash: 0B719F32A042119FC310DF24C891AAFB7E4EF94754F50892DF99697252EB31DE4ACB91

Function 000B5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 000B5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 000B5A40
SetWindowTextW.USER32(?,?), ref: 000B5A57
GetDlgItem.USER32(?,000003EA), ref: 000B5A6C
SetWindowTextW.USER32(00000000,?), ref: 000B5A72
GetDlgItem.USER32(?,000003E9), ref: 000B5A82
SetWindowTextW.USER32(00000000,?), ref: 000B5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 000B5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 000B5AC3
GetWindowRect.USER32(?,?), ref: 000B5ACC
_wcslen.LIBCMT ref: 000B5B33
SetWindowTextW.USER32(?,?), ref: 000B5B6F
GetDesktopWindow.USER32 ref: 000B5B75
GetWindowRect.USER32(00000000), ref: 000B5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 000B5BD3
GetClientRect.USER32(?,?), ref: 000B5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 000B5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 000B5C2F

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 5dc1ade4a3b5811b354bfdaf3667447dee5833a70f7c1e5a6dc250032b0e3938
Instruction ID: 084b6d5350fa5d06d97133dec2aa5d4b3c9cd414e50988f15876765b8278f4b3
Opcode Fuzzy Hash: 5dc1ade4a3b5811b354bfdaf3667447dee5833a70f7c1e5a6dc250032b0e3938
Instruction Fuzzy Hash: 19716B31900B09AFEB20DFA8CE85FAEBBF5FF48B05F104558E582A65A0D775A941CB50

Function 000CFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 000CFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 000CFE32
LoadCursorW.USER32(00000000,00007F00), ref: 000CFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 000CFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 000CFE53
LoadCursorW.USER32(00000000,00007F01), ref: 000CFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 000CFE69
LoadCursorW.USER32(00000000,00007F88), ref: 000CFE74
LoadCursorW.USER32(00000000,00007F80), ref: 000CFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 000CFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 000CFE95
LoadCursorW.USER32(00000000,00007F85), ref: 000CFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 000CFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 000CFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 000CFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 000CFECC
GetCursorInfo.USER32(?), ref: 000CFEDC
GetLastError.KERNEL32 ref: 000CFF1E

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: a20d66de95925a6ad41f7c2c314788ef7e8ecd8660ff302ba5083d1ee85ac22f
Instruction ID: f108286ac0d693888156089b84835aa044c7d02d5dd9e1aa9a26706a62ccb2df
Opcode Fuzzy Hash: a20d66de95925a6ad41f7c2c314788ef7e8ecd8660ff302ba5083d1ee85ac22f
Instruction Fuzzy Hash: 5F4183B0D0431A6ADB109FBA8C89D6EBFE9FF04714B50413AE11CEB281DB789901CF91

Function 000700C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 000700C6

Part of subcall function 000700ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0012070C,00000FA0,CFDA181C,?,?,?,?,000923B3,000000FF), ref: 0007011C
Part of subcall function 000700ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,000923B3,000000FF), ref: 00070127
Part of subcall function 000700ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,000923B3,000000FF), ref: 00070138
Part of subcall function 000700ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0007014E
Part of subcall function 000700ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0007015C
Part of subcall function 000700ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0007016A
Part of subcall function 000700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00070195
Part of subcall function 000700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 000701A0

___scrt_fastfail.LIBCMT ref: 000700E7

Part of subcall function 000700A3: __onexit.LIBCMT ref: 000700A9

Strings

InitializeConditionVariable, xrefs: 00070148
WakeAllConditionVariable, xrefs: 00070162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00070122
SleepConditionVariableCS, xrefs: 00070154
kernel32.dll, xrefs: 00070133

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 5e478334a180940cf568453b95731c8b89e37a22b23201c3813935028a43979f
Instruction ID: 8d4ecac9e407edbf8b7860e705a1cb4dde1c69d686e685078c9b8538f076ddf4
Opcode Fuzzy Hash: 5e478334a180940cf568453b95731c8b89e37a22b23201c3813935028a43979f
Instruction Fuzzy Hash: 12216732E45341EFF7216B64AC45F7A37D5DB05F60F008239F905BA692CBB98C008A94

Function 000B30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000B318D
_wcslen.LIBCMT ref: 000B31F8

Strings

TEXT, xrefs: 000B347C
CLASS, xrefs: 000B3188, 000B31A5
NAME, xrefs: 000B3335, 000B3346
INSTANCE, xrefs: 000B3453
CLASSNN, xrefs: 000B31F3, 000B3204
REGEXPCLASS, xrefs: 000B3255, 000B3266

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 991fa35ecfb6f90513d9e2f2ad1fd57f88044ac32cff86f5fe54a80e7d63e882
Instruction ID: 2caaffccda4022200e34ce2d9e8ad217b6986e119304fba8bf24e928da867d42
Opcode Fuzzy Hash: 991fa35ecfb6f90513d9e2f2ad1fd57f88044ac32cff86f5fe54a80e7d63e882
Instruction Fuzzy Hash: 4EE1A432A00516EBCB689F78C4517EEBBF5BF54710F748129E456B7241DB30AF898790

Function 000C44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,000ECC08), ref: 000C4527
_wcslen.LIBCMT ref: 000C453B
_wcslen.LIBCMT ref: 000C4599
_wcslen.LIBCMT ref: 000C45F4
_wcslen.LIBCMT ref: 000C463F
_wcslen.LIBCMT ref: 000C46A7

Part of subcall function 0006F9F2: _wcslen.LIBCMT ref: 0006F9FD

GetDriveTypeW.KERNEL32(?,00116BF0,00000061), ref: 000C4743

Strings

removable, xrefs: 000C45EA, 000C45EF
cdrom, xrefs: 000C458F, 000C4594
fixed, xrefs: 000C4635, 000C463A
network, xrefs: 000C469D, 000C46A2
all, xrefs: 000C4531, 000C4536
ramdisk, xrefs: 000C46F1
unknown, xrefs: 000C4708

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: a111a257bd01b6fb11b61792baf65ee2f281a09a88b53f4a6c83dd2d9470aa79
Instruction ID: ca3942c9b3e0173c3af6d37d9251e0788e172d92f1cb32056245bd6d679537de
Opcode Fuzzy Hash: a111a257bd01b6fb11b61792baf65ee2f281a09a88b53f4a6c83dd2d9470aa79
Instruction Fuzzy Hash: 4CB1E1316083029FC720DF28C8A0EAEB7E5BFA5720F504A1DF496C7296DB31D848CB52

Function 0005326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00121990), ref: 00092F8D
GetMenuItemCount.USER32(00121990), ref: 0009303D
GetCursorPos.USER32(?), ref: 00093081
SetForegroundWindow.USER32(00000000), ref: 0009308A
TrackPopupMenuEx.USER32(00121990,00000000,?,00000000,00000000,00000000), ref: 0009309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 000930A9

Strings

0, xrefs: 0005327D

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: d6e98287c67dc5f97c078f3ec2ebd232c1e6d065142727e037dc6c4a9fd66a5d
Instruction ID: f2884bb1c750e4ff4746504eb4dbe0979a3dd3e3ec6d8664df282d8ebe1173ba
Opcode Fuzzy Hash: d6e98287c67dc5f97c078f3ec2ebd232c1e6d065142727e037dc6c4a9fd66a5d
Instruction Fuzzy Hash: F8710431640205BEFB319F24CC99FAABFA4FF00364F204226F9156A1E1C7B1A954EB90

Function 000E6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 000E6DEB

Part of subcall function 00056B57: _wcslen.LIBCMT ref: 00056B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 000E6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 000E6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000E6E94
DestroyWindow.USER32(?), ref: 000E6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00050000,00000000), ref: 000E6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000E6EFD
GetDesktopWindow.USER32 ref: 000E6F16
GetWindowRect.USER32(00000000), ref: 000E6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 000E6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 000E6F4D

Part of subcall function 00069944: GetWindowLongW.USER32(?,000000EB), ref: 00069952

Strings

tooltips_class32, xrefs: 000E6E58, 000E6EDD
0, xrefs: 000E6D98

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 954b7e1cb1a08db82f8e8bc81a95fb020d43885ce2e62bcf44931a022ab8dc86
Instruction ID: 79b39e9d8195a1f53ccfc7c3383113540fe1547cd79f67e22e04d870d4f77ef1
Opcode Fuzzy Hash: 954b7e1cb1a08db82f8e8bc81a95fb020d43885ce2e62bcf44931a022ab8dc86
Instruction Fuzzy Hash: 6B716C70104284AFEB21CF19E844EABBBE9FB99744F04042DF999A7261C772AD46CB11

Function 000E911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00069BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00069BB2

DragQueryPoint.SHELL32(?,?), ref: 000E9147

Part of subcall function 000E7674: ClientToScreen.USER32(?,?), ref: 000E769A
Part of subcall function 000E7674: GetWindowRect.USER32(?,?), ref: 000E7710
Part of subcall function 000E7674: PtInRect.USER32(?,?,000E8B89), ref: 000E7720

SendMessageW.USER32(?,000000B0,?,?), ref: 000E91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 000E91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 000E91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 000E9225
SendMessageW.USER32(?,000000B0,?,?), ref: 000E923E
SendMessageW.USER32(?,000000B1,?,?), ref: 000E9255
SendMessageW.USER32(?,000000B1,?,?), ref: 000E9277
DragFinish.SHELL32(?), ref: 000E927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 000E9371

Strings

@GUI_DRAGID, xrefs: 000E92E9
@GUI_DRAGFILE, xrefs: 000E9320
@GUI_DROPID, xrefs: 000E929E

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 1a3ddcb0171492e270bba79d23530d55a67bb8df5cf5d3a29265fec7862c6edd
Instruction ID: eb5673d4241e5d7e0de42f9fce75c7099a771a2b78cc6393eb7e30732cafe276
Opcode Fuzzy Hash: 1a3ddcb0171492e270bba79d23530d55a67bb8df5cf5d3a29265fec7862c6edd
Instruction Fuzzy Hash: 55619A71108341AFE701DF60DC85DAFBBE8EF89750F40092EF995A71A2DB309A49CB52

Function 000CC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000CC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 000CC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 000CC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 000CC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 000CC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 000CC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000CC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000CC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 000CC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 000CC5F0
InternetCloseHandle.WININET(00000000), ref: 000CC5FB

Strings

, xrefs: 000CC575

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 110d6bcca04a1946c0ac905febb26a93fd2d435f5b780452763df79306c4f97f
Instruction ID: ab9cf44bb57751b813fc0e5a962a1825b6846cd236a444615266ce1aca27125c
Opcode Fuzzy Hash: 110d6bcca04a1946c0ac905febb26a93fd2d435f5b780452763df79306c4f97f
Instruction Fuzzy Hash: F0513AB1500644AFFB218F64C988FAE7BFCEB08754F00841DF94A96251DB35E9459B60

Function 000E856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 000E8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000E85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000E85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000E85BA
GlobalLock.KERNEL32(00000000), ref: 000E85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000E85D7
GlobalUnlock.KERNEL32(00000000), ref: 000E85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000E85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000E85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,000EFC38,?), ref: 000E8611
GlobalFree.KERNEL32(00000000), ref: 000E8621
GetObjectW.GDI32(?,00000018,?), ref: 000E8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 000E8671
DeleteObject.GDI32(?), ref: 000E8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 000E86AF

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 18a6223df757af1b3c9520022bcba47aeb196fdf3ef8b46fd7b52ed2c8bc3f13
Instruction ID: 651093b65fa7d9850fa491ed29c2ff7dc046614239fa2f64ff5f8c02416efd71
Opcode Fuzzy Hash: 18a6223df757af1b3c9520022bcba47aeb196fdf3ef8b46fd7b52ed2c8bc3f13
Instruction Fuzzy Hash: 65411C75600244AFEB11DFA5CC88EAEBBB8EF89B15F108058F919FB250DB359901DB60

Function 000C14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 000C1502
VariantCopy.OLEAUT32(?,?), ref: 000C150B
VariantClear.OLEAUT32(?), ref: 000C1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 000C15FB
VarR8FromDec.OLEAUT32(?,?), ref: 000C1657
VariantInit.OLEAUT32(?), ref: 000C1708
SysFreeString.OLEAUT32(?), ref: 000C178C
VariantClear.OLEAUT32(?), ref: 000C17D8
VariantClear.OLEAUT32(?), ref: 000C17E7
VariantInit.OLEAUT32(00000000), ref: 000C1823

Strings

Default, xrefs: 000C16AF
%4d%02d%02d%02d%02d%02d, xrefs: 000C1625

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 71b7fb85de9a4ec407ca845c4a929dfc99de407d738578919b29ce8fee782a36
Instruction ID: 17758b272aa04bdde0106d5debe935e45709297792c8a53709ae0e63b3a29165
Opcode Fuzzy Hash: 71b7fb85de9a4ec407ca845c4a929dfc99de407d738578919b29ce8fee782a36
Instruction Fuzzy Hash: 64D11271A00A01DBDB10AF64E885FFDB7B2BF46700F50809AF816AB192DB31EC45DB61

Function 000DB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00059CB3: _wcslen.LIBCMT ref: 00059CBD

Part of subcall function 000DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000DB6AE,?,?), ref: 000DC9B5
Part of subcall function 000DC998: _wcslen.LIBCMT ref: 000DC9F1
Part of subcall function 000DC998: _wcslen.LIBCMT ref: 000DCA68
Part of subcall function 000DC998: _wcslen.LIBCMT ref: 000DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000DB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000DB772
RegDeleteValueW.ADVAPI32(?,?), ref: 000DB80A
RegCloseKey.ADVAPI32(?), ref: 000DB87E
RegCloseKey.ADVAPI32(?), ref: 000DB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 000DB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000DB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 000DB922
FreeLibrary.KERNEL32(00000000), ref: 000DB983
RegCloseKey.ADVAPI32(00000000), ref: 000DB994

Strings

advapi32.dll, xrefs: 000DB8ED
RegDeleteKeyExW, xrefs: 000DB8FE

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 048fefaf30915b9f112f39ca6ce72373791d7fa6c6a4f578039f7360e6d15b08
Instruction ID: d3ebb7dfeaf0df583adea0fd8a0cdb4a4d7983c4ee206117b078bc95de5fecb1
Opcode Fuzzy Hash: 048fefaf30915b9f112f39ca6ce72373791d7fa6c6a4f578039f7360e6d15b08
Instruction Fuzzy Hash: E6C18C34208341EFD710DF24C494F6ABBE1BF84318F55859DE89A4B3A2CB35E946CBA1

Function 000E541D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 000E5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000E5515
CharNextW.USER32(00000158), ref: 000E5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 000E5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 000E559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000E55AC

Strings

Latn, xrefs: 000E5620

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID: Latn
API String ID: 1350042424-1489660195
Opcode ID: 480a2859e805c8d16e2aaf2300c9e578dd827eef61247c5c6a379d17eb8b3b4d
Instruction ID: 4a16bd796e729f67e881c7a6468a427582aa1ae5158298c2e1946211d30f8f88
Opcode Fuzzy Hash: 480a2859e805c8d16e2aaf2300c9e578dd827eef61247c5c6a379d17eb8b3b4d
Instruction Fuzzy Hash: 5661BF71900689AFEF208F52CC84DFF3BB9EB4572AF104945F925BB291D7748A81DB60

Function 000D255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 000D25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 000D25E8
CreateCompatibleDC.GDI32(?), ref: 000D25F4
SelectObject.GDI32(00000000,?), ref: 000D2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 000D266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 000D26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 000D26D0
SelectObject.GDI32(?,?), ref: 000D26D8
DeleteObject.GDI32(?), ref: 000D26E1
DeleteDC.GDI32(?), ref: 000D26E8
ReleaseDC.USER32(00000000,?), ref: 000D26F3

Strings

(, xrefs: 000D268D

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 204b75eecc891c2a380d32cfa76c5d0a47f01629149b71a41e9eee198fcfd89f
Instruction ID: b9e7d212ff2cb7bd95f5cbaa73b623decc97db458e5c33f1fc126d627eb8a1a4
Opcode Fuzzy Hash: 204b75eecc891c2a380d32cfa76c5d0a47f01629149b71a41e9eee198fcfd89f
Instruction Fuzzy Hash: 2E610075D00209EFDF14CFA8D884EAEBBB6FF48710F20852AE955A7250D775A9418FA0

Function 0008DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0008DAA1

Part of subcall function 0008D63C: _free.LIBCMT ref: 0008D659
Part of subcall function 0008D63C: _free.LIBCMT ref: 0008D66B
Part of subcall function 0008D63C: _free.LIBCMT ref: 0008D67D
Part of subcall function 0008D63C: _free.LIBCMT ref: 0008D68F
Part of subcall function 0008D63C: _free.LIBCMT ref: 0008D6A1
Part of subcall function 0008D63C: _free.LIBCMT ref: 0008D6B3
Part of subcall function 0008D63C: _free.LIBCMT ref: 0008D6C5
Part of subcall function 0008D63C: _free.LIBCMT ref: 0008D6D7
Part of subcall function 0008D63C: _free.LIBCMT ref: 0008D6E9
Part of subcall function 0008D63C: _free.LIBCMT ref: 0008D6FB
Part of subcall function 0008D63C: _free.LIBCMT ref: 0008D70D
Part of subcall function 0008D63C: _free.LIBCMT ref: 0008D71F
Part of subcall function 0008D63C: _free.LIBCMT ref: 0008D731

_free.LIBCMT ref: 0008DA96

Part of subcall function 000829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0008D7D1,00000000,00000000,00000000,00000000,?,0008D7F8,00000000,00000007,00000000,?,0008DBF5,00000000), ref: 000829DE
Part of subcall function 000829C8: GetLastError.KERNEL32(00000000,?,0008D7D1,00000000,00000000,00000000,00000000,?,0008D7F8,00000000,00000007,00000000,?,0008DBF5,00000000,00000000), ref: 000829F0

_free.LIBCMT ref: 0008DAB8
_free.LIBCMT ref: 0008DACD
_free.LIBCMT ref: 0008DAD8
_free.LIBCMT ref: 0008DAFA
_free.LIBCMT ref: 0008DB0D
_free.LIBCMT ref: 0008DB1B
_free.LIBCMT ref: 0008DB26
_free.LIBCMT ref: 0008DB5E
_free.LIBCMT ref: 0008DB65
_free.LIBCMT ref: 0008DB82
_free.LIBCMT ref: 0008DB9A

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 6b6256f48708e383422f676e3ab07eaee99a2a5c15eac0f514ca41cbf6ec80d0
Instruction ID: 1d2be481fcfacd14f3a0dc85cafdad7781087a1b852d060f5dec8aeaeab26cae
Opcode Fuzzy Hash: 6b6256f48708e383422f676e3ab07eaee99a2a5c15eac0f514ca41cbf6ec80d0
Instruction Fuzzy Hash: D1313931644205DFEB65BA39E845B9A77E9FF10320F26462AE4C9D7192DF35EC808721

Function 000B365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 000B369C
_wcslen.LIBCMT ref: 000B36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 000B3797
GetClassNameW.USER32(?,?,00000400), ref: 000B380C
GetDlgCtrlID.USER32(?), ref: 000B385D
GetWindowRect.USER32(?,?), ref: 000B3882
GetParent.USER32(?), ref: 000B38A0
ScreenToClient.USER32(00000000), ref: 000B38A7
GetClassNameW.USER32(?,?,00000100), ref: 000B3921
GetWindowTextW.USER32(?,?,00000400), ref: 000B395D

Strings

%s%u, xrefs: 000B3734

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 2c5dc2b3f70b76c3f6e2721f54399a76db4f99c30f4daef2440791a0745bf018
Instruction ID: 0d04572860849a5a85b5b6038158d997a7cd164010f86a1ebea8c86e0daa8f00
Opcode Fuzzy Hash: 2c5dc2b3f70b76c3f6e2721f54399a76db4f99c30f4daef2440791a0745bf018
Instruction Fuzzy Hash: 4991BD71204706AFD718DF24C885FEAF7E8FF44340F208629F999D2191EB35AA46CB91

Function 000B4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 000B4994
GetWindowTextW.USER32(?,?,00000400), ref: 000B49DA
_wcslen.LIBCMT ref: 000B49EB
CharUpperBuffW.USER32(?,00000000), ref: 000B49F7
_wcsstr.LIBVCRUNTIME ref: 000B4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 000B4A64
GetWindowTextW.USER32(?,?,00000400), ref: 000B4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 000B4AE6
GetClassNameW.USER32(?,?,00000400), ref: 000B4B20
GetWindowRect.USER32(?,?), ref: 000B4B8B

Strings

ThumbnailClass, xrefs: 000B4A6F, 000B4AF1

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: fe0e78eb6ef105307c110241d30d2d1c36bbcece50301d122ac88dbd78fb2a3f
Instruction ID: 731b925f4e0fe848ce566770320239601ea0f4096b313d493a5770e856bc89a1
Opcode Fuzzy Hash: fe0e78eb6ef105307c110241d30d2d1c36bbcece50301d122ac88dbd78fb2a3f
Instruction Fuzzy Hash: 0491AC720042059BDB44DF14C981FEA7BE8FF84714F04846AFE859A197DB35EE46CBA2

Function 000E8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00069BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00069BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 000E8D5A
GetFocus.USER32 ref: 000E8D6A
GetDlgCtrlID.USER32(00000000), ref: 000E8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 000E8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 000E8ECF
GetMenuItemCount.USER32(?), ref: 000E8EEC
GetMenuItemID.USER32(?,00000000), ref: 000E8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 000E8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 000E8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000E8FA1

Strings

0, xrefs: 000E8E9F

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 8ad290c1e8cfb3cd188147e5444e270eb9d4eaa35330963e7be4c3eb77be5f32
Instruction ID: be768f4e16174546aa1d6d5ac4db204855f0e242077326fff9298b80101ad034
Opcode Fuzzy Hash: 8ad290c1e8cfb3cd188147e5444e270eb9d4eaa35330963e7be4c3eb77be5f32
Instruction Fuzzy Hash: 7C81B271508381AFEB20CF15C884EAB7BE9FB88714F048529F999A72A1DB71D941CB61

Function 000BBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00121990,000000FF,00000000,00000030), ref: 000BBFAC
SetMenuItemInfoW.USER32(00121990,00000004,00000000,00000030), ref: 000BBFE1
Sleep.KERNEL32(000001F4), ref: 000BBFF3
GetMenuItemCount.USER32(?), ref: 000BC039
GetMenuItemID.USER32(?,00000000), ref: 000BC056
GetMenuItemID.USER32(?,-00000001), ref: 000BC082
GetMenuItemID.USER32(?,?), ref: 000BC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000BC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000BC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000BC145

Strings

0, xrefs: 000BBF3D

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 5ad4cc1ca06e9b63a2c4ac1d729f392891856bb91ba4fd6469de1b595463fb3c
Instruction ID: 5017d9b3218bccda79eedcd1b554bdd6d2e4824359bac388dc6f071fee3d9782
Opcode Fuzzy Hash: 5ad4cc1ca06e9b63a2c4ac1d729f392891856bb91ba4fd6469de1b595463fb3c
Instruction Fuzzy Hash: 29619DB190028AAFFF21DF68CC88EFE7BB8EB46344F004455E911A7292C775AD55CB60

Function 000BDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 000BDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 000BDC46
_wcslen.LIBCMT ref: 000BDC50
_wcsstr.LIBVCRUNTIME ref: 000BDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 000BDCBC

Strings

%u.%u.%u.%u, xrefs: 000BDD9A
04090000, xrefs: 000BDCF2
DefaultLangCodepage, xrefs: 000BDD1F
StringFileInfo\, xrefs: 000BDC8F
\VarFileInfo\Translation, xrefs: 000BDCB4

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: a0d7c7563f19f937d555aeccdbe9c459427826339cdf5a50063a97a20b30348d
Instruction ID: 7bb9d33c1351cccc97989a19769582c0a760a21bb681a7b7b47546642970f006
Opcode Fuzzy Hash: a0d7c7563f19f937d555aeccdbe9c459427826339cdf5a50063a97a20b30348d
Instruction Fuzzy Hash: D041F5329403057AEB14A774DC47EFF7BACEF52710F14406AF904B6183FB7A990296A9

Function 000DCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 000DCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 000DCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 000DCD48

Part of subcall function 000DCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 000DCCAA
Part of subcall function 000DCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 000DCCBD
Part of subcall function 000DCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000DCCCF
Part of subcall function 000DCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 000DCD05
Part of subcall function 000DCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 000DCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 000DCCF3

Strings

advapi32.dll, xrefs: 000DCCB8
RegDeleteKeyExW, xrefs: 000DCCC9

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: fb70a763808b9987fd9845a0efd3231d502a5196be8917b74f80783287f0eb65
Instruction ID: f6bc8630ede37b39703d2415fc631ddf73b620a7db10f29c406e73e5c8119ab9
Opcode Fuzzy Hash: fb70a763808b9987fd9845a0efd3231d502a5196be8917b74f80783287f0eb65
Instruction Fuzzy Hash: 6C316171901229BBFB208B54DC88EFFBBBDEF45750F000166F905E6240D7349A46DAB0

Function 000C3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 000C3D40
_wcslen.LIBCMT ref: 000C3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 000C3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 000C3DBE
RemoveDirectoryW.KERNEL32(?), ref: 000C3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 000C3E55
CloseHandle.KERNEL32(00000000), ref: 000C3E60
CloseHandle.KERNEL32(00000000), ref: 000C3E6B

Strings

:, xrefs: 000C3D82
\, xrefs: 000C3D77
\??\%s, xrefs: 000C3D5B

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: f568c2cd048520b5ebd4c7ac5c128f75aa8c41908a9747fee9e016de90f14b55
Instruction ID: 691758fee07cbbf29408d90cc72fa0ccc0813bc01736ceb7888cd34061715ec0
Opcode Fuzzy Hash: f568c2cd048520b5ebd4c7ac5c128f75aa8c41908a9747fee9e016de90f14b55
Instruction Fuzzy Hash: C83198719102496BEB21DBA0EC85FEF37BDEF85700F1081B9F505E6051D77597458B24

Function 000BE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 000BE6B4

Part of subcall function 0006E551: timeGetTime.WINMM(?,?,000BE6D4), ref: 0006E555

Sleep.KERNEL32(0000000A), ref: 000BE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 000BE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 000BE727
SetActiveWindow.USER32 ref: 000BE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 000BE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 000BE773
Sleep.KERNEL32(000000FA), ref: 000BE77E
IsWindow.USER32 ref: 000BE78A
EndDialog.USER32(00000000), ref: 000BE79B

Strings

BUTTON, xrefs: 000BE719

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 3afd7306d89ea486397ab95ef1f0508fdc411a8bce412e94e49b3f058c01cede
Instruction ID: 1d143e2055a219d964f16b7eacc8f30990936c0db6010e0fe236c0cb42f39095
Opcode Fuzzy Hash: 3afd7306d89ea486397ab95ef1f0508fdc411a8bce412e94e49b3f058c01cede
Instruction Fuzzy Hash: A221C9712402C4BFFB205F20ECC9EEA3BA9FB55748F201435F801A56A1DB769C528A14

Function 000BE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00059CB3: _wcslen.LIBCMT ref: 00059CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 000BEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 000BEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000BEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 000BEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 000BEAA7

Strings

alias PlayMe, xrefs: 000BEA36
status PlayMe mode, xrefs: 000BEA58
play PlayMe, xrefs: 000BEAA2
play PlayMe wait, xrefs: 000BEA91
close PlayMe, xrefs: 000BEA6E, 000BEA9B
open , xrefs: 000BEA0C

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 8652a84fac9d38101bd6de4a388b483d870390c8ee3697a28dc553afdee19e0a
Instruction ID: 376a2d04bfad03152a7dab91d8e3b134bd22fb4e486e64edd90ec1163264dc27
Opcode Fuzzy Hash: 8652a84fac9d38101bd6de4a388b483d870390c8ee3697a28dc553afdee19e0a
Instruction Fuzzy Hash: 7E114F21A5025D7ED724A7A1DC4ADFF6ABCEBD1B44F4004397811A20D1EF711E89C5B1

Function 000B9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 000BA012
SetKeyboardState.USER32(?), ref: 000BA07D
GetAsyncKeyState.USER32(000000A0), ref: 000BA09D
GetKeyState.USER32(000000A0), ref: 000BA0B4
GetAsyncKeyState.USER32(000000A1), ref: 000BA0E3
GetKeyState.USER32(000000A1), ref: 000BA0F4
GetAsyncKeyState.USER32(00000011), ref: 000BA120
GetKeyState.USER32(00000011), ref: 000BA12E
GetAsyncKeyState.USER32(00000012), ref: 000BA157
GetKeyState.USER32(00000012), ref: 000BA165
GetAsyncKeyState.USER32(0000005B), ref: 000BA18E
GetKeyState.USER32(0000005B), ref: 000BA19C

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 3b6e5030482ce292d571f8d4e710bc67997cdf12e12452d1d7c309cd39d48d7f
Instruction ID: 80c9c5909c79b4cd89b4341da61c1f2bb68e3ac82b872d8526a1a4b4cdbb132a
Opcode Fuzzy Hash: 3b6e5030482ce292d571f8d4e710bc67997cdf12e12452d1d7c309cd39d48d7f
Instruction Fuzzy Hash: 8851BA20B047882AFB75EBA48851BEBBFF59F13390F084599D5C25B1C3DA54AA4CC762

Function 000B5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 000B5CE2
GetWindowRect.USER32(00000000,?), ref: 000B5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 000B5D59
GetDlgItem.USER32(?,00000002), ref: 000B5D69
GetWindowRect.USER32(00000000,?), ref: 000B5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 000B5DCF
GetDlgItem.USER32(?,000003E9), ref: 000B5DDD
GetWindowRect.USER32(00000000,?), ref: 000B5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 000B5E31
GetDlgItem.USER32(?,000003EA), ref: 000B5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 000B5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 000B5E67

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 2ee70721e939678a49320b910adf738eae1b253fbd8c4043ea627eaea2f120e1
Instruction ID: ae9c00cd53c392ce9f5d05b87be262c5334e284cc0a4cbffa350adb495759409
Opcode Fuzzy Hash: 2ee70721e939678a49320b910adf738eae1b253fbd8c4043ea627eaea2f120e1
Instruction Fuzzy Hash: 61512D70A00605AFEF18CF68CD89EAEBBB5FB48701F148269F915E7290D7749E01CB50

Function 00068BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00068F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00068BE8,?,00000000,?,?,?,?,00068BBA,00000000,?), ref: 00068FC5

DestroyWindow.USER32(?), ref: 00068C81
KillTimer.USER32(00000000,?,?,?,?,00068BBA,00000000,?), ref: 00068D1B
DestroyAcceleratorTable.USER32(00000000), ref: 000A6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00068BBA,00000000,?), ref: 000A69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00068BBA,00000000,?), ref: 000A69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00068BBA,00000000), ref: 000A69D4
DeleteObject.GDI32(00000000), ref: 000A69E6

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: b903c6a6c43f75b81e379e1dc27d19866f483b7d90e1b47458a7c1c7d30dff89
Instruction ID: 587a7d6ba8f72dbe23217ee370d51b0abda9713d7342134912f50209ee07c20e
Opcode Fuzzy Hash: b903c6a6c43f75b81e379e1dc27d19866f483b7d90e1b47458a7c1c7d30dff89
Instruction Fuzzy Hash: 40619E31101700EFEB75DF14D958B2A77F2FB65326F14861CE042AA960CB36A9E2CF51

Function 00069838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00069944: GetWindowLongW.USER32(?,000000EB), ref: 00069952

GetSysColor.USER32(0000000F), ref: 00069862

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 3d5c9a0cf18ce995d423e471a1d055378364afe0afc4aa61274ca166f2ea7793
Instruction ID: 9c54365b344c1d9477d3f864304fe011dfbe98daac6c0c9d657d57c443c4dc3d
Opcode Fuzzy Hash: 3d5c9a0cf18ce995d423e471a1d055378364afe0afc4aa61274ca166f2ea7793
Instruction Fuzzy Hash: F241BF31504640EFEB205F389C84BBA3BAABB47730F144659F9B29B1E1DB759C42DB20

Function 000B96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0009F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 000B9717
LoadStringW.USER32(00000000,?,0009F7F8,00000001), ref: 000B9720

Part of subcall function 00059CB3: _wcslen.LIBCMT ref: 00059CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0009F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 000B9742
LoadStringW.USER32(00000000,?,0009F7F8,00000001), ref: 000B9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 000B9866

Strings

^ ERROR, xrefs: 000B97FB
Error: , xrefs: 000B981D
Line %d (File "%s"):, xrefs: 000B978F
Line %d:, xrefs: 000B97A0
%s (%d) : ==> %s: %s %s, xrefs: 000B984A

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 057442d090046acf4b3c6374a8947a666acc8b6c38f8e68b546107c0b7cee903
Instruction ID: 4eef6473d24c6c8164c8d12a1cd56dc135e7daa9b7f21aa3cd0a17e3fd73a422
Opcode Fuzzy Hash: 057442d090046acf4b3c6374a8947a666acc8b6c38f8e68b546107c0b7cee903
Instruction Fuzzy Hash: 70413772900219AADB04EBE0DE86DEFB779AF15341F600065FA0572093EF366F49CB61

Function 000E3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 000E403B
CreateCompatibleDC.GDI32(00000000), ref: 000E4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 000E4055
SelectObject.GDI32(00000000,00000000), ref: 000E405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 000E4068
DeleteDC.GDI32(00000000), ref: 000E4072
GetWindowLongW.USER32(?,000000EC), ref: 000E407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 000E4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 000E409E

Strings

static, xrefs: 000E3FD3

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 43fc1062a39454c315622d82bb2790ea66d603a11dff48b5ba4423283bfaee62
Instruction ID: d25d3d80216e8ce3d0f61c98ed424be2e48c94ef1d21e75260174703c2e0d327
Opcode Fuzzy Hash: 43fc1062a39454c315622d82bb2790ea66d603a11dff48b5ba4423283bfaee62
Instruction Fuzzy Hash: 63315C32501295AFEF219FA5CC49FDA3BA9FF0D720F110225FA28B61A1C776D851DB50

Function 000D3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000D3C5C
CoInitialize.OLE32(00000000), ref: 000D3C8A
CoUninitialize.OLE32 ref: 000D3C94
_wcslen.LIBCMT ref: 000D3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 000D3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 000D3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 000D3F0E
CoGetObject.OLE32(?,00000000,000EFB98,?), ref: 000D3F2D
SetErrorMode.KERNEL32(00000000), ref: 000D3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 000D3FC4
VariantClear.OLEAUT32(?), ref: 000D3FD8

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: e3411f46eb580fe593d3660abec892732cb82c2df70cd144c5a6b48d28517b0c
Instruction ID: 314a3be8de65f8091f50863b50290f7e74e2dffa2ab26e26ee6b98080f0cd9b8
Opcode Fuzzy Hash: e3411f46eb580fe593d3660abec892732cb82c2df70cd144c5a6b48d28517b0c
Instruction Fuzzy Hash: 99C134716083059FD700DF68C88496BB7E9FF89744F10492EF98A9B251DB71EE05CB62

Function 000C7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000C7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 000C7B8F
SHGetDesktopFolder.SHELL32(?), ref: 000C7BA3
CoCreateInstance.OLE32(000EFD08,00000000,00000001,00116E6C,?), ref: 000C7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 000C7C74
CoTaskMemFree.OLE32(?,?), ref: 000C7CCC
SHBrowseForFolderW.SHELL32(?), ref: 000C7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 000C7D7A
CoTaskMemFree.OLE32(00000000), ref: 000C7D81
CoTaskMemFree.OLE32(00000000), ref: 000C7DD6
CoUninitialize.OLE32 ref: 000C7DDC

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 1b0a51bdcb16f08381f69097fbed16e4cab9e7017b29dc1d73b5ac7feee7c2f9
Instruction ID: 70f4104739860686086bbf2296845c4b8e6f98354da60e262f465be267c03a98
Opcode Fuzzy Hash: 1b0a51bdcb16f08381f69097fbed16e4cab9e7017b29dc1d73b5ac7feee7c2f9
Instruction Fuzzy Hash: 98C1FC75A04105AFDB14DFA4C884EAEBBF9FF48304B148499E81A9B262D731ED45CF90

Function 000AFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 000AFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 000AFB08
VariantInit.OLEAUT32(?), ref: 000AFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 000AFB3A
VariantCopy.OLEAUT32(?,?), ref: 000AFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 000AFBA1
VariantClear.OLEAUT32(?), ref: 000AFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 000AFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000AFBCC
VariantClear.OLEAUT32(?), ref: 000AFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000AFBE9

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 7afd1f4acd514790e4a617409103c2af8a718f3b718d46c387f9cfa30ac15d26
Instruction ID: 063aa5b315b83113156ffc70414e686ebb3d4c2d183605f64cb2a87cac93fe90
Opcode Fuzzy Hash: 7afd1f4acd514790e4a617409103c2af8a718f3b718d46c387f9cfa30ac15d26
Instruction Fuzzy Hash: 54415275A0021A9FEB04DFA4C894DFEBBB9FF49744F008065F915AB261C735A946CBA0

Function 000B9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 000B9CA1
GetAsyncKeyState.USER32(000000A0), ref: 000B9D22
GetKeyState.USER32(000000A0), ref: 000B9D3D
GetAsyncKeyState.USER32(000000A1), ref: 000B9D57
GetKeyState.USER32(000000A1), ref: 000B9D6C
GetAsyncKeyState.USER32(00000011), ref: 000B9D84
GetKeyState.USER32(00000011), ref: 000B9D96
GetAsyncKeyState.USER32(00000012), ref: 000B9DAE
GetKeyState.USER32(00000012), ref: 000B9DC0
GetAsyncKeyState.USER32(0000005B), ref: 000B9DD8
GetKeyState.USER32(0000005B), ref: 000B9DEA

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 1412d7c9c2263a72726ccb1051b0fde67bb397c839d32a9dfbe1b733158ca7fd
Instruction ID: 413e0157134a7de89f7f8287ef8a043c6b3487ffa46f5ca0493d3f42a112c417
Opcode Fuzzy Hash: 1412d7c9c2263a72726ccb1051b0fde67bb397c839d32a9dfbe1b733158ca7fd
Instruction Fuzzy Hash: DB41F834604BC96DFFB1876188447F5BEE0AF11344F44805EDBC65A6C2DBE5A9C8CBA2

Function 000D055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 000D05BC
inet_addr.WSOCK32(?), ref: 000D061C
gethostbyname.WSOCK32(?), ref: 000D0628
IcmpCreateFile.IPHLPAPI ref: 000D0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 000D06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 000D06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 000D07B9
WSACleanup.WSOCK32 ref: 000D07BF

Strings

Ping, xrefs: 000D0676

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: c00d82156b5d9469713791ef12a28cb8561ffbbaf72282a6225241991cd36d9d
Instruction ID: 5c7e1ac7e7b5afb0d1ecb962da8bb8ac8a28a5d032044b904f7d6ef2938ed9e4
Opcode Fuzzy Hash: c00d82156b5d9469713791ef12a28cb8561ffbbaf72282a6225241991cd36d9d
Instruction Fuzzy Hash: 15916C35A083419FD360CF15D888F1ABBE0AF84318F1485AAE4699F7A2C731ED45CFA1

Function 000D8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 000D8CF3

Part of subcall function 000B8E54: _wcslen.LIBCMT ref: 000B8E77

_wcslen.LIBCMT ref: 000D8D4E
_wcslen.LIBCMT ref: 000D8D9C
_wcslen.LIBCMT ref: 000D8DDC
_wcslen.LIBCMT ref: 000D8E6E

Strings

none, xrefs: 000D8E65, 000D8E6A
stdcall, xrefs: 000D8DD6, 000D8DDB
winapi, xrefs: 000D8D96, 000D8D9B
cdecl, xrefs: 000D8D48, 000D8D4D

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 06fa283af54924c95fc229f77e2c827565e9fc5238e59c3eb95e9888494ff850
Instruction ID: 7581073f7597b0d31f77e3dc898e13e3f9f58f279516019f606abba86ed18442
Opcode Fuzzy Hash: 06fa283af54924c95fc229f77e2c827565e9fc5238e59c3eb95e9888494ff850
Instruction Fuzzy Hash: AC519631A002169BCB14DF68C9519FEB7E6BF64714721822AE925E73C5DF31DD40CBA0

Function 000D372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 000D3774
CoUninitialize.OLE32 ref: 000D377F
CoCreateInstance.OLE32(?,00000000,00000017,000EFB78,?), ref: 000D37D9
IIDFromString.OLE32(?,?), ref: 000D384C
VariantInit.OLEAUT32(?), ref: 000D38E4
VariantClear.OLEAUT32(?), ref: 000D3936

Strings

Failed to create object, xrefs: 000D37E4, 000D389A
Invalid parameter, xrefs: 000D3865
NULL Pointer assignment, xrefs: 000D381E

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 92b615aa4088a766036859f4eb9911944b08b0058c780630db240153aba6e1bb
Instruction ID: 32c5b6a05c5f4c4c2cee93e2234c77eefd9d7cdb5ebbf8ca09f84386e524b674
Opcode Fuzzy Hash: 92b615aa4088a766036859f4eb9911944b08b0058c780630db240153aba6e1bb
Instruction Fuzzy Hash: AF618E71608701AFD320DF54C889FAAB7E4AF49710F10081AF9859B391DB70EE49DBA2

Function 000C3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 000C33CF

Part of subcall function 00059CB3: _wcslen.LIBCMT ref: 00059CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 000C33F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 000C3504
Error: , xrefs: 000C34D1
Incorrect parameters to object property !, xrefs: 000C34AB
"%s" (%d) : ==> %s:, xrefs: 000C3522
Line %d (File "%s"):, xrefs: 000C3443, 000C345C
^ ERROR , xrefs: 000C349E

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 7ef0c13999a7382cae12ecece72a18248a8616cdd3ad905e623ce559f1f8014c
Instruction ID: 6eed6570585944f4bd334e883c94450195ffc46fa8ebce0992e690ca8201fc21
Opcode Fuzzy Hash: 7ef0c13999a7382cae12ecece72a18248a8616cdd3ad905e623ce559f1f8014c
Instruction Fuzzy Hash: A7519172900209BADF19EBA0DD42EEEB7B9EF14341F504165F90572063EB322F99DB60

Function 000BB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 000BB5FC
_wcslen.LIBCMT ref: 000BB608
_wcslen.LIBCMT ref: 000BB64D
_wcslen.LIBCMT ref: 000BB68C
_wcslen.LIBCMT ref: 000BB6C7

Strings

KEYS, xrefs: 000BB647, 000BB64C
REMOVE, xrefs: 000BB602, 000BB607
EXISTS, xrefs: 000BB686, 000BB68B
APPEND, xrefs: 000BB6C1, 000BB6C6

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 162a9042b8a9a5868ae6d359c18905ea18753f8e2abc0064bdffad32a2a970c8
Instruction ID: 5ce1cedc9c86edd5b211ca231ae478a0fab31709b48621ee1fd4cb6ad34c0b02
Opcode Fuzzy Hash: 162a9042b8a9a5868ae6d359c18905ea18753f8e2abc0064bdffad32a2a970c8
Instruction Fuzzy Hash: E441E732E000279BCB606F7DCD905FE77E5AFA0754B254229E425DB284E779CD81C790

Function 000C5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000C53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 000C5416
GetLastError.KERNEL32 ref: 000C5420
SetErrorMode.KERNEL32(00000000,READY), ref: 000C54A7

Strings

READONLY, xrefs: 000C5452
NOTREADY, xrefs: 000C544B
READY, xrefs: 000C5460, 000C5468
INVALID, xrefs: 000C5459
UNKNOWN, xrefs: 000C5444

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 44afb6cedb05a7e86bd9df50551bbd38e2a56211e9032c1f21963d860440bada
Instruction ID: e8ace981b1673baee34022d624de5f90a990de23431e0280618db8ddc65e49d1
Opcode Fuzzy Hash: 44afb6cedb05a7e86bd9df50551bbd38e2a56211e9032c1f21963d860440bada
Instruction Fuzzy Hash: 06315E39A005049FD758DF68C984FEE7BE4EB4530AF148069E8059B292DB71EDC6CB90

Function 000E3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 000E3C79
SetMenu.USER32(?,00000000), ref: 000E3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000E3D10
IsMenu.USER32(?), ref: 000E3D24
CreatePopupMenu.USER32 ref: 000E3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 000E3D5B
DrawMenuBar.USER32 ref: 000E3D63

Strings

F, xrefs: 000E3D4E
0, xrefs: 000E3C54

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 8e1038ac44c6b33dca05774eb1fa1755fb4db8770416f6cca2294844387fc00d
Instruction ID: b824bda2fe1b2cb1787abd0c79f0f85dc48ce66cdc91e9ed8aa4257121e8c629
Opcode Fuzzy Hash: 8e1038ac44c6b33dca05774eb1fa1755fb4db8770416f6cca2294844387fc00d
Instruction Fuzzy Hash: D1418D75A05249AFEB14CF55E888EDA7BF5FF49300F140029E946A7360D731AA51CF50

Function 000B1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00059CB3: _wcslen.LIBCMT ref: 00059CBD

Part of subcall function 000B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000B3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 000B1F64
GetDlgCtrlID.USER32 ref: 000B1F6F
GetParent.USER32 ref: 000B1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 000B1F8E
GetDlgCtrlID.USER32(?), ref: 000B1F97
GetParent.USER32(?), ref: 000B1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 000B1FAE

Strings

ComboBox, xrefs: 000B1EEC
ListBox, xrefs: 000B1F21

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 8d4dae018e490f780c23d0bd6b84b1f153513b183034bc54b685f75ac4741992
Instruction ID: abcfac8c2136acc8326f9a6871cb3960a70312cbb9b8d4d5e1c9a076e24858fa
Opcode Fuzzy Hash: 8d4dae018e490f780c23d0bd6b84b1f153513b183034bc54b685f75ac4741992
Instruction Fuzzy Hash: 7821CF74900218FBEF04AFA0CC95DFFBBB9EF49350B500125F961A72A2CB395909DB60

Function 000E3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 000E3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 000E3AA0
GetWindowLongW.USER32(?,000000F0), ref: 000E3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000E3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 000E3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 000E3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 000E3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 000E3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 000E3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 000E3C13

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 3d7c297700b4b26ae1d9a6a44e6df59707174f5393dba67ecf9b732bd4bf235b
Instruction ID: b3520e2d97cf53ddc69190e67f19aebe99b030626f7733b77f94135ac33a6bfc
Opcode Fuzzy Hash: 3d7c297700b4b26ae1d9a6a44e6df59707174f5393dba67ecf9b732bd4bf235b
Instruction Fuzzy Hash: 93618D75A00248AFDB20DF68CC85EEE77F8EB49704F100199FA15B72A2C774AE81DB50

Function 000BB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000BB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,000BA1E1,?,00000001), ref: 000BB165
GetWindowThreadProcessId.USER32(00000000), ref: 000BB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000BA1E1,?,00000001), ref: 000BB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 000BB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,000BA1E1,?,00000001), ref: 000BB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000BA1E1,?,00000001), ref: 000BB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,000BA1E1,?,00000001), ref: 000BB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,000BA1E1,?,00000001), ref: 000BB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,000BA1E1,?,00000001), ref: 000BB21D

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 33d831f85c8c25ea38a6e8c62f88cbc8d08bd1c63a1e414300740f8af3fc3757
Instruction ID: 217fd501ed7f2313376ad13bac54b0ad2390220d13813a936fed4fd03dfa339c
Opcode Fuzzy Hash: 33d831f85c8c25ea38a6e8c62f88cbc8d08bd1c63a1e414300740f8af3fc3757
Instruction Fuzzy Hash: 2231A571600204BFEB209F28DC84FAEBBA9FB51715F104405F921EA190D7F89D428F74

Function 00082C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00082C94

Part of subcall function 000829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0008D7D1,00000000,00000000,00000000,00000000,?,0008D7F8,00000000,00000007,00000000,?,0008DBF5,00000000), ref: 000829DE
Part of subcall function 000829C8: GetLastError.KERNEL32(00000000,?,0008D7D1,00000000,00000000,00000000,00000000,?,0008D7F8,00000000,00000007,00000000,?,0008DBF5,00000000,00000000), ref: 000829F0

_free.LIBCMT ref: 00082CA0
_free.LIBCMT ref: 00082CAB
_free.LIBCMT ref: 00082CB6
_free.LIBCMT ref: 00082CC1
_free.LIBCMT ref: 00082CCC
_free.LIBCMT ref: 00082CD7
_free.LIBCMT ref: 00082CE2
_free.LIBCMT ref: 00082CED
_free.LIBCMT ref: 00082CFB

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c9ddb2e3fbfea7d335dbf45468f4a60a7f3e153fcba72b7cf48d9f92f11cd30a
Instruction ID: 0492412f658ad2ea0a3fca5dd7d00ae6fcb6100fe2678537b9bb1bb0fb90a433
Opcode Fuzzy Hash: c9ddb2e3fbfea7d335dbf45468f4a60a7f3e153fcba72b7cf48d9f92f11cd30a
Instruction Fuzzy Hash: 64116076500108AFCB02FF94D982CDD3BA9FF05350F9245A5FA889B223DA35EA509B90

Function 000C7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000C7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 000C7FC1
GetFileAttributesW.KERNEL32(?), ref: 000C7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 000C8005
SetCurrentDirectoryW.KERNEL32(?), ref: 000C8017
SetCurrentDirectoryW.KERNEL32(?), ref: 000C8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 000C80B0

Strings

*.*, xrefs: 000C8066

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 988c46ace4bbc7322b4789a37bc5edb14e6919f5658597200313140e1354ca55
Instruction ID: e1066873b6c7cce511a7f2845eed034a7c97eaf7f99fe85f4e2321ecc48c7581
Opcode Fuzzy Hash: 988c46ace4bbc7322b4789a37bc5edb14e6919f5658597200313140e1354ca55
Instruction Fuzzy Hash: 9081AF725082419BDB64DF54C884EAEB3E8BF89310F14886EF889D7251EB35ED49CF52

Function 00055BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00055C7A

Part of subcall function 00055D0A: GetClientRect.USER32(?,?), ref: 00055D30
Part of subcall function 00055D0A: GetWindowRect.USER32(?,?), ref: 00055D71
Part of subcall function 00055D0A: ScreenToClient.USER32(?,?), ref: 00055D99

GetDC.USER32 ref: 000946F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00094708
SelectObject.GDI32(00000000,00000000), ref: 00094716
SelectObject.GDI32(00000000,00000000), ref: 0009472B
ReleaseDC.USER32(?,00000000), ref: 00094733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 000947C4

Strings

U, xrefs: 00094693

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: f4b5f596f7ad46130052a5efcec97288e19dc9d873cbaf33ca05710fef0a4081
Instruction ID: 47266ab10e5d5d32f262deb6cab03c697b14b043b32da8ebae2e384bf6bdf108
Opcode Fuzzy Hash: f4b5f596f7ad46130052a5efcec97288e19dc9d873cbaf33ca05710fef0a4081
Instruction Fuzzy Hash: 7971DF31404209EFCF218FA4CD84EEE7BB5FF4A366F144269ED555A166C7319882EF50

Function 000C359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 000C35E4

Part of subcall function 00059CB3: _wcslen.LIBCMT ref: 00059CBD

LoadStringW.USER32(00122390,?,00000FFF,?), ref: 000C360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 000C3724
^ ERROR, xrefs: 000C36C9
Error: , xrefs: 000C36EF
"%s" (%d) : ==> %s:, xrefs: 000C3742
Line %d (File "%s"):, xrefs: 000C366B

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 5f2c0c1e3318d2f5620ef905220566a5b3e9027f1cdec5dd0f6eaabc4f5bdc6b
Instruction ID: b6674cf4c4344c7aaaf54449beb6f96e9799c0cd68a9f3846e57c6c6e79cae55
Opcode Fuzzy Hash: 5f2c0c1e3318d2f5620ef905220566a5b3e9027f1cdec5dd0f6eaabc4f5bdc6b
Instruction Fuzzy Hash: 63516F72900209FADF24EBA0DC42EEEBB79EF14341F544129F505721A2EB311B99DFA1

Function 000E8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00069BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00069BB2

Part of subcall function 0006912D: GetCursorPos.USER32(?), ref: 00069141
Part of subcall function 0006912D: ScreenToClient.USER32(00000000,?), ref: 0006915E
Part of subcall function 0006912D: GetAsyncKeyState.USER32(00000001), ref: 00069183
Part of subcall function 0006912D: GetAsyncKeyState.USER32(00000002), ref: 0006919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 000E8B6B
ImageList_EndDrag.COMCTL32 ref: 000E8B71
ReleaseCapture.USER32 ref: 000E8B77
SetWindowTextW.USER32(?,00000000), ref: 000E8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 000E8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 000E8CFF

Strings

@GUI_DRAGFILE, xrefs: 000E8C9A
@GUI_DROPID, xrefs: 000E8C51

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 6b12c2a396338ce0ab95f1a9c3cab5c429a1075ba8513c3f80aeeed0063a1e56
Instruction ID: 2a020758dc3e6f2709ef4b6402fd2fed6ec873e1b34013d0f88c005fcb6e75d5
Opcode Fuzzy Hash: 6b12c2a396338ce0ab95f1a9c3cab5c429a1075ba8513c3f80aeeed0063a1e56
Instruction Fuzzy Hash: 0151BA30104340AFE704DF10DC96FAA77E4FB88714F100A2DF956A72E2CB319959CB62

Function 000CC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000CC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000CC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000CC2CA
GetLastError.KERNEL32 ref: 000CC322
SetEvent.KERNEL32(?), ref: 000CC336
InternetCloseHandle.WININET(00000000), ref: 000CC341

Strings

, xrefs: 000CC2BB

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 26194e995867c6d14c16c8deb095d2e4f39cb1f776f875da5308637fc02c151b
Instruction ID: b13acb8b44c8da8e792c8a6418bd9eff3589ac4b94d53dd54642d736ff82e9c3
Opcode Fuzzy Hash: 26194e995867c6d14c16c8deb095d2e4f39cb1f776f875da5308637fc02c151b
Instruction Fuzzy Hash: 3931BFB1500284AFF7219FA4DC88FAF7BFCEB49740B14851EF48AA6211DB35DE058B60

Function 000B989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00093AAF,?,?,Bad directive syntax error,000ECC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 000B98BC
LoadStringW.USER32(00000000,?,00093AAF,?), ref: 000B98C3

Part of subcall function 00059CB3: _wcslen.LIBCMT ref: 00059CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 000B9987

Strings

., xrefs: 000B996D
Error: , xrefs: 000B9955
%s (%d) : ==> %s.: %s %s, xrefs: 000B98F1
Line %d (File "%s"):, xrefs: 000B992D
Line %d:, xrefs: 000B9912

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: fb50725058a9890ec16f36f9af4039f04f7ccc9f5df8771d68390c5343bb1571
Instruction ID: 12be8e36944f7ace5e56eb6f4da36806665182abacbfcc19bf59920a9b55f4da
Opcode Fuzzy Hash: fb50725058a9890ec16f36f9af4039f04f7ccc9f5df8771d68390c5343bb1571
Instruction Fuzzy Hash: BE217C3290021EEBDF15AF90CC06EEE7775FF18701F044469FA15760A2EB729A58DB11

Function 000B209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000B20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 000B20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 000B214D

Strings

details, xrefs: 000B20FB
largeicons, xrefs: 000B20E1
list, xrefs: 000B212F
SHELLDLL_DefView, xrefs: 000B20CC
smallicons, xrefs: 000B2115

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 50515449bb434140a8ac2a4138a55cbcf2f2dd747ad1d5f240cd153509b182e9
Instruction ID: 64215ea0e3478c3951ffc71b6f0599250da87558b4b5375bc55c29ba54c1d7c2
Opcode Fuzzy Hash: 50515449bb434140a8ac2a4138a55cbcf2f2dd747ad1d5f240cd153509b182e9
Instruction Fuzzy Hash: A7110676A88706B9F7152224DC06DEB379DDB65724B204426FB08F50D2FBAA68425A18

Function 00088D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b0024df1d93ea9e2f3d7620002613301f46196b1cf0d37b88e258eecf9b0ed
Instruction ID: 26a1be68d3c0dc5bab23d93c565b46f0c155935c2ec65f17e930797d9a068a12
Opcode Fuzzy Hash: 52b0024df1d93ea9e2f3d7620002613301f46196b1cf0d37b88e258eecf9b0ed
Instruction Fuzzy Hash: 13C1B174E04249AFDB61BFA8C845BBDBBF0BF09310F188159E598A7293C7349942CF61

Function 0008CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0008CEB7
_free.LIBCMT ref: 0008CF22
_free.LIBCMT ref: 0008CF48
_free.LIBCMT ref: 0008CF71
_free.LIBCMT ref: 0008CFA9
_free.LIBCMT ref: 0008CFDA
_free.LIBCMT ref: 0008D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0008D09C
_free.LIBCMT ref: 0008D0B5

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 4681847298bf1bc33a04d77df4577e9b28ae78f4ecf61c5060f96eee7b3eb56c
Instruction ID: a16b043d6791587ecc1255ecbd2b96ae901f421b20677ab07cb40ca5bd0a9e98
Opcode Fuzzy Hash: 4681847298bf1bc33a04d77df4577e9b28ae78f4ecf61c5060f96eee7b3eb56c
Instruction Fuzzy Hash: 89610771905205ABFB32BFB49885EA97BE5FF05310F14427EFAC497283DA3599428B60

Function 000E50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 000E5186
ShowWindow.USER32(?,00000000), ref: 000E51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 000E51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 000E51D1

Part of subcall function 000E6FBA: DeleteObject.GDI32(00000000), ref: 000E6FE6

GetWindowLongW.USER32(?,000000F0), ref: 000E520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 000E521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 000E524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 000E5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 000E5296

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: d084e93eddc4a3844cf773db3fe22137d5b7aa5c29f85c2a9030716ce4cb6618
Instruction ID: e9a39e6c828a6cbd906aadcebb5470e61ed497abbc5e5656b498a5ea1ad4bc17
Opcode Fuzzy Hash: d084e93eddc4a3844cf773db3fe22137d5b7aa5c29f85c2a9030716ce4cb6618
Instruction Fuzzy Hash: A551E730A40A88BFEF309F26CC45FD93BA5FB4672AF148855F614BA2E1D3759990DB40

Function 00068B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 000A6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 000A68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 000A68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 000A68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 000A68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00068874,00000000,00000000,00000000,000000FF,00000000), ref: 000A6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 000A691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00068874,00000000,00000000,00000000,000000FF,00000000), ref: 000A692D

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: ab51edcc22ed7681996548d3db6a18e31c7a8c75e36838f5865d62e344260ec8
Instruction ID: 7c521fcc674cef8fe271625b3651328fe03963827b85987fbc975baf9594d831
Opcode Fuzzy Hash: ab51edcc22ed7681996548d3db6a18e31c7a8c75e36838f5865d62e344260ec8
Instruction Fuzzy Hash: 73519C70600209EFEB20CF64CC95FAA77FAFB54750F144618F912A72A0DB71E991DB40

Function 000CC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000CC182
GetLastError.KERNEL32 ref: 000CC195
SetEvent.KERNEL32(?), ref: 000CC1A9

Part of subcall function 000CC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000CC272
Part of subcall function 000CC253: GetLastError.KERNEL32 ref: 000CC322
Part of subcall function 000CC253: SetEvent.KERNEL32(?), ref: 000CC336
Part of subcall function 000CC253: InternetCloseHandle.WININET(00000000), ref: 000CC341

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 508a1ad8480221e30ef10d87b32bb3b8f64e2cd89927f3f8a1620d0b98690e80
Instruction ID: a1eedb8050908c7706fe769a69bc473322a3ba52749a63d69e763251a04abd45
Opcode Fuzzy Hash: 508a1ad8480221e30ef10d87b32bb3b8f64e2cd89927f3f8a1620d0b98690e80
Instruction Fuzzy Hash: D431AD71600681AFFB219FA5DC44F6EBBF9FF18700B04442DF95A96620C735E811ABA0

Function 000B25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 000B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000B3A57
Part of subcall function 000B3A3D: GetCurrentThreadId.KERNEL32 ref: 000B3A5E
Part of subcall function 000B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000B25B3), ref: 000B3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 000B25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 000B25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 000B25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 000B25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 000B2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 000B2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 000B260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 000B2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 000B2627

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: cd1c54eccac4b264870805e80d4c1d05ed2fb223c52e08614a656262782f72da
Instruction ID: 5d2ceaf9a494575e51089612ca8aa9eace0ab4d59cb1d83e4c94da976544c5b1
Opcode Fuzzy Hash: cd1c54eccac4b264870805e80d4c1d05ed2fb223c52e08614a656262782f72da
Instruction Fuzzy Hash: 5901D830390650BBFB2067699CCAF993F59DB4FF12F200012F314BE0D1C9F214458A6A

Function 000B1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,000B1449,?,?,00000000), ref: 000B180C
HeapAlloc.KERNEL32(00000000,?,000B1449,?,?,00000000), ref: 000B1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,000B1449,?,?,00000000), ref: 000B1828
GetCurrentProcess.KERNEL32(?,00000000,?,000B1449,?,?,00000000), ref: 000B1830
DuplicateHandle.KERNEL32(00000000,?,000B1449,?,?,00000000), ref: 000B1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,000B1449,?,?,00000000), ref: 000B1843
GetCurrentProcess.KERNEL32(000B1449,00000000,?,000B1449,?,?,00000000), ref: 000B184B
DuplicateHandle.KERNEL32(00000000,?,000B1449,?,?,00000000), ref: 000B184E
CreateThread.KERNEL32(00000000,00000000,000B1874,00000000,00000000,00000000), ref: 000B1868

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: be53509cf6346f07eca5b1f825918ae63f3f3d9dcd06732e5e97d30dd474b16f
Instruction ID: 24229d2a0c43a7c4ac6f91993c3874c0aa5363f6d20bda3bc5e9dfa75b22a291
Opcode Fuzzy Hash: be53509cf6346f07eca5b1f825918ae63f3f3d9dcd06732e5e97d30dd474b16f
Instruction Fuzzy Hash: 2E01A8B5240348BFF610ABA5DC89F6B3BACEB8AB11F404451FA05EF1A1CA7598018B20

Function 000DA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 000BD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 000BD501
Part of subcall function 000BD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 000BD50F
Part of subcall function 000BD4DC: CloseHandle.KERNEL32(00000000), ref: 000BD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 000DA16D
GetLastError.KERNEL32 ref: 000DA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 000DA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 000DA268
GetLastError.KERNEL32(00000000), ref: 000DA273
CloseHandle.KERNEL32(00000000), ref: 000DA2C4

Strings

SeDebugPrivilege, xrefs: 000DA18F

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 1f454d39d72e035bf2c0dd972d3fdc89a89374f36364e21119bd18fc71a1629d
Instruction ID: 7786eda31d0e6963de131f359d0991b1e73b4fdde9c4b194bb975c3daccce215
Opcode Fuzzy Hash: 1f454d39d72e035bf2c0dd972d3fdc89a89374f36364e21119bd18fc71a1629d
Instruction Fuzzy Hash: 1C61AF302043429FE720DF19C494F6ABBE1AF45318F54849DE8664B7A3C776ED49CBA2

Function 000E3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 000E3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 000E393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 000E3954
_wcslen.LIBCMT ref: 000E3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 000E39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 000E39F4

Strings

SysListView32, xrefs: 000E38F7

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: e416476681c55de9db61cea468fad79363ce86072ae568843464da4672e7bb2b
Instruction ID: 11f03828051707a4d5992c52d3c84ad0b1e337a278c6f1b6f15f0a43ae7774e2
Opcode Fuzzy Hash: e416476681c55de9db61cea468fad79363ce86072ae568843464da4672e7bb2b
Instruction Fuzzy Hash: 2641A171A00359AFEB219F65CC49FEA7BA9EF48350F100526F958F7282D7759A80CB90

Function 000BBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000BBCFD
IsMenu.USER32(00000000), ref: 000BBD1D
CreatePopupMenu.USER32 ref: 000BBD53
GetMenuItemCount.USER32(00C868E8), ref: 000BBDA4
InsertMenuItemW.USER32(00C868E8,?,00000001,00000030), ref: 000BBDCC

Strings

2, xrefs: 000BBD37
0, xrefs: 000BBCA8

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 85de3fcf8465e40e1abaf7902f440eadb3e771c2b088dcc65eedb4eabb771698
Instruction ID: 8efa2390743c3830447653f76d2c9770226ec8ceb12b8c85d00f87dccce4e2c5
Opcode Fuzzy Hash: 85de3fcf8465e40e1abaf7902f440eadb3e771c2b088dcc65eedb4eabb771698
Instruction Fuzzy Hash: 5551AD70A04205DBEF20CFA8D8C4BEEBBF4EF45314F144219E412AB291E7B89941CB61

Function 000BC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 000BC913

Strings

blank, xrefs: 000BC895
info, xrefs: 000BC8B4
question, xrefs: 000BC8CC
stop, xrefs: 000BC8E4
warning, xrefs: 000BC8FC

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 37af5d17850afbf6d255f72bae483bc9e7ad6d078fc33fd623f7fd4bcb25cc9e
Instruction ID: d1cb942d71854364fbca1ded63543bed885e167552ef43e01a36190f194a898d
Opcode Fuzzy Hash: 37af5d17850afbf6d255f72bae483bc9e7ad6d078fc33fd623f7fd4bcb25cc9e
Instruction Fuzzy Hash: 98112432A89347BAF7049B549C82CEE77DCDF15724B20403AF504F62C2EBA5AE405269

Function 000BDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 000BDE42
gethostname.WSOCK32(?,00000100), ref: 000BDE5C
gethostbyname.WSOCK32(?), ref: 000BDE69
inet_ntoa.WSOCK32(?), ref: 000BDEAB
_strcat.LIBCMT ref: 000BDEB9
WSACleanup.WSOCK32 ref: 000BDEDE

Strings

0.0.0.0, xrefs: 000BDE87

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 17bb38cc652751168466c255e228bc17ab36cdebd84e1af2716b553966f5eace
Instruction ID: 012c44ae12a0d9f02da3862b218035b53868a79790bffa417fa39d41034c5947
Opcode Fuzzy Hash: 17bb38cc652751168466c255e228bc17ab36cdebd84e1af2716b553966f5eace
Instruction Fuzzy Hash: A2110A31904214AFEB64BB20DC4ADEE77ACDF11710F00016AF555AA092FF7ACA818A50

Function 000E9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00069BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00069BB2

GetSystemMetrics.USER32(0000000F), ref: 000E9FC7
GetSystemMetrics.USER32(0000000F), ref: 000E9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 000EA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 000EA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 000EA263
ShowWindow.USER32(00000003,00000000), ref: 000EA282
InvalidateRect.USER32(?,00000000,00000001), ref: 000EA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 000EA2CA

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 0c9b06d5dae5e5c4c2c4f1d3685f67000c567bc4d865b7519c2756350cd22e22
Instruction ID: 1f8dac08810380f3bccb15b564de49355b598865d95560e9626b124647fe2319
Opcode Fuzzy Hash: 0c9b06d5dae5e5c4c2c4f1d3685f67000c567bc4d865b7519c2756350cd22e22
Instruction Fuzzy Hash: B7B1B931600255AFDF14CF69C984BAE7BF2BF49701F0880A9ED45AB295D731A980CB61

Function 000BED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 000BED2A
_wcslen.LIBCMT ref: 000BED3B
_wcslen.LIBCMT ref: 000BED79
_wcslen.LIBCMT ref: 000BEDAF
_wcslen.LIBCMT ref: 000BEDDF
_wcslen.LIBCMT ref: 000BEDEF
_wcslen.LIBCMT ref: 000BEE2B
_wcslen.LIBCMT ref: 000BEE5A

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 52d893abe23571569c2afa85438a82442d3fc067e7c2fbcabad99bf591e410eb
Instruction ID: a9cc840c51b1f5b529be210c11655b476d7d7400aa1fd7452614a8a8505a6519
Opcode Fuzzy Hash: 52d893abe23571569c2afa85438a82442d3fc067e7c2fbcabad99bf591e410eb
Instruction Fuzzy Hash: 6E41B365D1061876CB11EBF4C88A9CFB7B8AF45710F50C566E518E3123FB38E246C3AA

Function 0006F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,000A682C,00000004,00000000,00000000), ref: 0006F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,000A682C,00000004,00000000,00000000), ref: 000AF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,000A682C,00000004,00000000,00000000), ref: 000AF454

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 6097035f18f643c9763610f2588bf821bba51644a4fcf4a54d8cc2a2beeefdb4
Instruction ID: b9b945e3d3833481357d8847855e8c9c5489a331c4155030fca88bd4d2cfafae
Opcode Fuzzy Hash: 6097035f18f643c9763610f2588bf821bba51644a4fcf4a54d8cc2a2beeefdb4
Instruction Fuzzy Hash: 81414E31208782BEEB789B69E8C8B7E7BD3AB57314F14443CE097A6561C6329981C730

Function 000E2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 000E2D1B
GetDC.USER32(00000000), ref: 000E2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000E2D2E
ReleaseDC.USER32(00000000,00000000), ref: 000E2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 000E2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 000E2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,000E5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 000E2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 000E2DE1

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: d69a493451f3f7e4be9b58d3c8508d2994e4d0f1746df2f382aabbc6f9ea380e
Instruction ID: 9c83c44686b43001c8b6828c34f2e7bf38790b81aa1c3dd033f38c46360b99f1
Opcode Fuzzy Hash: d69a493451f3f7e4be9b58d3c8508d2994e4d0f1746df2f382aabbc6f9ea380e
Instruction Fuzzy Hash: 3A316D72201294BFFB118F558C8AFEB3BADEB49B15F044055FE08AE291C6799C51C7A4

Function 000B5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 000B5637
_memcmp.LIBVCRUNTIME ref: 000B5659
_memcmp.LIBVCRUNTIME ref: 000B5671
_memcmp.LIBVCRUNTIME ref: 000B5684
_memcmp.LIBVCRUNTIME ref: 000B569E
_memcmp.LIBVCRUNTIME ref: 000B56B1
_memcmp.LIBVCRUNTIME ref: 000B56C9
_memcmp.LIBVCRUNTIME ref: 000B56E4

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 11f20fb0385fe790c8901eea5899a17ab47ae5efaf118a64bd8dd6d96253690d
Instruction ID: 572e7b0e5f95ab81d565ea2b65e2f79a0e1c50caf384ae2353755e962ba973af
Opcode Fuzzy Hash: 11f20fb0385fe790c8901eea5899a17ab47ae5efaf118a64bd8dd6d96253690d
Instruction Fuzzy Hash: 4321CC71B449097BE21455255E82FFE339CAF20386F644060FE08AF6C2FB64FF1181A9

Function 000D4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 000D502E, 000D5383
Not an Object type, xrefs: 000D5007

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 3b782d47c82509e9e8597a24a8072071ecfc0ab082e886e17fb303631c7dc9d4
Instruction ID: 2e42f69a629a914a90e463d5231ae204b3acd3ff18b4eb685d8a5ab50e44c50a
Opcode Fuzzy Hash: 3b782d47c82509e9e8597a24a8072071ecfc0ab082e886e17fb303631c7dc9d4
Instruction Fuzzy Hash: 20D17E75A0070A9FDB10CF98CC81BAEB7F5BF48345F14806AE915AB381E7719D45CBA0

Function 00091522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,000917FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 000915CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,000917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00091651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,000917FB,?,000917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000916E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,000917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000916FB

Part of subcall function 00083820: RtlAllocateHeap.NTDLL(00000000,?,00121444,?,0006FDF5,?,?,0005A976,00000010,00121440,000513FC,?,000513C6,?,00051129), ref: 00083852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,000917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00091777
__freea.LIBCMT ref: 000917A2
__freea.LIBCMT ref: 000917AE

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: f9b9912cd2baba29ee51f38650c8d16c6a6358de473adbdeb2820aefc685ce45
Instruction ID: 8aa4bb1880fe9e5cd71036c5e784e990d02ee84982102e460112632a36ec8bd0
Opcode Fuzzy Hash: f9b9912cd2baba29ee51f38650c8d16c6a6358de473adbdeb2820aefc685ce45
Instruction Fuzzy Hash: 8791D272F046179ADF209EB4C881EEEBBF5AF49710F194659E901E7191DB35CC40EBA0

Function 000D4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000D4648
VariantInit.OLEAUT32(?), ref: 000D4749
VariantClear.OLEAUT32(?), ref: 000D4753
VariantClear.OLEAUT32(?), ref: 000D47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 000D472C
Null Object assignment in FOR..IN loop, xrefs: 000D45D8, 000D4706, 000D47BE

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 803dd3cc0a3ecbad195fb6bb45e043ee2381d684c55de2e66654cb3467306d3d
Instruction ID: c5f0faeeee3f984e2365a3344afca06832a9c84e9ef9ece5f5d32166d6ab07ad
Opcode Fuzzy Hash: 803dd3cc0a3ecbad195fb6bb45e043ee2381d684c55de2e66654cb3467306d3d
Instruction Fuzzy Hash: 46919E71A04319ABDF24CFA5D888FAEBBB8EF46710F10855AF505AB281D7709941CFA0

Function 000C1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 000C125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 000C1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 000C12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000C12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000C135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000C13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000C1430

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 9993a78803a857ff9e25dbc1db237569c28e77c6440f7b39f407f31f7c70a128
Instruction ID: d1f592995ce5575a12fc5920823b8c3a2e9d82b3eedb7d3101dd028ee2c5769f
Opcode Fuzzy Hash: 9993a78803a857ff9e25dbc1db237569c28e77c6440f7b39f407f31f7c70a128
Instruction Fuzzy Hash: E991DC75A00219AFEB04DFA8C884FFEB7B5FF46715F104029E950EB292D779A941CB90

Function 0006948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d93813669e38783d4a06c4ef2caf978126fa61f40628d32126e16429ad4c7d7b
Instruction ID: f030d8e058b2d6aacc105440a5fa1bd9e257803b145066ad497f9a00de805a99
Opcode Fuzzy Hash: d93813669e38783d4a06c4ef2caf978126fa61f40628d32126e16429ad4c7d7b
Instruction Fuzzy Hash: C3914871D00219EFCB10CFA9CC84AEEBBB9FF49320F148559E516B7251D779AA42CB60

Function 000D3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000D396B
CharUpperBuffW.USER32(?,?), ref: 000D3A7A
_wcslen.LIBCMT ref: 000D3A8A
VariantClear.OLEAUT32(?), ref: 000D3C1F

Part of subcall function 000C0CDF: VariantInit.OLEAUT32(00000000), ref: 000C0D1F
Part of subcall function 000C0CDF: VariantCopy.OLEAUT32(?,?), ref: 000C0D28
Part of subcall function 000C0CDF: VariantClear.OLEAUT32(?), ref: 000C0D34

Strings

AUTOIT.ERROR, xrefs: 000D3A80, 000D3A85
Incorrect Parameter format, xrefs: 000D39A6, 000D3BA1

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: fa7f40aadf3bc9bc01911a020bc999d5a00e3418c42945949b0dcc728b875f37
Instruction ID: d95492ca78bc81a0d872239d81c422253c6c92fdc9cb9cd0fcfabc86f4173ae9
Opcode Fuzzy Hash: fa7f40aadf3bc9bc01911a020bc999d5a00e3418c42945949b0dcc728b875f37
Instruction Fuzzy Hash: F89169756083019FC714DF28C4819AAB7E5FF89714F14892EF8899B352DB31EE45CBA2

Function 000D4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 000B000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,000AFF41,80070057,?,?,?,000B035E), ref: 000B002B
Part of subcall function 000B000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000AFF41,80070057,?,?), ref: 000B0046
Part of subcall function 000B000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000AFF41,80070057,?,?), ref: 000B0054
Part of subcall function 000B000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000AFF41,80070057,?), ref: 000B0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 000D4C51
_wcslen.LIBCMT ref: 000D4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 000D4DCF
CoTaskMemFree.OLE32(?), ref: 000D4DDA

Strings

NULL Pointer assignment, xrefs: 000D4E23, 000D4E52

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 5482c62034b70eff9cf829f4cfda6e26ff48c9e4a870601204af1b810de04da4
Instruction ID: c2210d1e0da044906aeb26a2be7116a10b0fda623e562eb7db5bfe311929b701
Opcode Fuzzy Hash: 5482c62034b70eff9cf829f4cfda6e26ff48c9e4a870601204af1b810de04da4
Instruction Fuzzy Hash: 26910771D00219EFDF14DFA4C891AEEB7B9BF08310F10856AE919BB252DB749A45CF60

Function 000E20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 000E2183
GetMenuItemCount.USER32(00000000), ref: 000E21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 000E21DD
_wcslen.LIBCMT ref: 000E2213
GetMenuItemID.USER32(?,?), ref: 000E224D
GetSubMenu.USER32(?,?), ref: 000E225B

Part of subcall function 000B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000B3A57
Part of subcall function 000B3A3D: GetCurrentThreadId.KERNEL32 ref: 000B3A5E
Part of subcall function 000B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000B25B3), ref: 000B3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 000E22E3

Part of subcall function 000BE97B: Sleep.KERNELBASE ref: 000BE9F3

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: eb64c1b48d84649b8f89ec27d4530a00c106d6b6cbcca990c3b0201d37f455df
Instruction ID: 4ac61ba89f6f959844c49471e3db3c5520a412c09b5cbf95d30e7afd8d224f50
Opcode Fuzzy Hash: eb64c1b48d84649b8f89ec27d4530a00c106d6b6cbcca990c3b0201d37f455df
Instruction Fuzzy Hash: 42718E75A00245AFDB10DF65C885AAEB7F9EF88310F1484A9E916FB342D735EE41CB90

Function 000E7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00C86988), ref: 000E7F37
IsWindowEnabled.USER32(00C86988), ref: 000E7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 000E801E
SendMessageW.USER32(00C86988,000000B0,?,?), ref: 000E8051
IsDlgButtonChecked.USER32(?,?), ref: 000E8089
GetWindowLongW.USER32(00C86988,000000EC), ref: 000E80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 000E80C3

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 7950638e7f9ac20f862bd192d9a5cb7f34d0fac643d453546a02f8e618e0d144
Instruction ID: aca099cc409138a3671e77670d9d8a70d90a07908d637753299aaf480a7b1f54
Opcode Fuzzy Hash: 7950638e7f9ac20f862bd192d9a5cb7f34d0fac643d453546a02f8e618e0d144
Instruction Fuzzy Hash: D2718E34608284AFEF65DF56C894FEA7BF9EF09300F144469E949B7262CB31A855CB10

Function 000BAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 000BAEF9
GetKeyboardState.USER32(?), ref: 000BAF0E
SetKeyboardState.USER32(?), ref: 000BAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 000BAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 000BAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 000BAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 000BB020

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: db4d0e042643937f25d2ff5d7decb6520d3c0576b6e2ea4ceb62cdcd4396fcd0
Instruction ID: e0a01110aa2e1cf600f959b00745fc4a4dbd13709cd706284e4ba5749f48172a
Opcode Fuzzy Hash: db4d0e042643937f25d2ff5d7decb6520d3c0576b6e2ea4ceb62cdcd4396fcd0
Instruction Fuzzy Hash: 9151DFA0A147D63EFB7692748845BFBBEE95B06304F088489E1E9558C3C3E9EC88D751

Function 000BACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 000BAD19
GetKeyboardState.USER32(?), ref: 000BAD2E
SetKeyboardState.USER32(?), ref: 000BAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 000BADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 000BADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 000BAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 000BAE38

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 791fad636c3b338c73f163f3cbddf2917f613eb19c0babab147858ad3ee9c3cc
Instruction ID: 57537e0e800328fd759e0fc1c7e816cd5773fc74e95ec6a75644196482dea219
Opcode Fuzzy Hash: 791fad636c3b338c73f163f3cbddf2917f613eb19c0babab147858ad3ee9c3cc
Instruction Fuzzy Hash: E951A4A16047D53DFB3783348C95BFA7EE95B47300F088589E1E6568D3D2A4EC88D762

Function 0008542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00093CD6,?,?,?,?,?,?,?,?,00085BA3,?,?,00093CD6,?,?), ref: 00085470
__fassign.LIBCMT ref: 000854EB
__fassign.LIBCMT ref: 00085506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00093CD6,00000005,00000000,00000000), ref: 0008552C
WriteFile.KERNEL32(?,00093CD6,00000000,00085BA3,00000000,?,?,?,?,?,?,?,?,?,00085BA3,?), ref: 0008554B
WriteFile.KERNEL32(?,?,00000001,00085BA3,00000000,?,?,?,?,?,?,?,?,?,00085BA3,?), ref: 00085584

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: a42d1769f13febe92209d8e9c91dbb8154578c2591339ec67c9ff08e6fbbdfcb
Instruction ID: 0dbe88681c373b35d7ead9d139c4cd1c9aa396ce210f39650c8d50786cd4a5dd
Opcode Fuzzy Hash: a42d1769f13febe92209d8e9c91dbb8154578c2591339ec67c9ff08e6fbbdfcb
Instruction Fuzzy Hash: 1E51C370900748AFDB21DFA8DC95AEEBBF9FF09301F14415AF995E7291D6309A41CB60

Function 00072D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00072D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00072D53
_ValidateLocalCookies.LIBCMT ref: 00072DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00072E0C
_ValidateLocalCookies.LIBCMT ref: 00072E61

Strings

csm, xrefs: 00072DF6

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 279b577d3c6d33f4b7b0c838cd4e4541d210f7f077ce0f81fc5ce248da73d3f9
Instruction ID: 117b41e13cdc33aa4b7fc69505201147df98b85edf8ced1791ea25864dac069c
Opcode Fuzzy Hash: 279b577d3c6d33f4b7b0c838cd4e4541d210f7f077ce0f81fc5ce248da73d3f9
Instruction Fuzzy Hash: AF41A034E00209ABCF20DF68C855AEEBBF5BF44324F15C155E8186B292DB39AE01CBD5

Function 000D10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 000D307A
Part of subcall function 000D304E: _wcslen.LIBCMT ref: 000D309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 000D1112
WSAGetLastError.WSOCK32 ref: 000D1121
WSAGetLastError.WSOCK32 ref: 000D11C9
closesocket.WSOCK32(00000000), ref: 000D11F9

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: b86e88798a29bc610825c486dd28816c6608a5eecb74e47cca035378bbe931c5
Instruction ID: a15d83be8c650a94b5e2144c6c2e883c1f8b596fccb238d0cfbd8400512370e1
Opcode Fuzzy Hash: b86e88798a29bc610825c486dd28816c6608a5eecb74e47cca035378bbe931c5
Instruction Fuzzy Hash: 1C41E335600304AFEB109F54C884BEABBE9EF45324F14805AFD59AB392CB75AD45CBE1

Function 000BCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000BCF22,?), ref: 000BDDFD

Part of subcall function 000BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000BCF22,?), ref: 000BDE16

lstrcmpiW.KERNEL32(?,?), ref: 000BCF45
MoveFileW.KERNEL32(?,?), ref: 000BCF7F
_wcslen.LIBCMT ref: 000BD005
_wcslen.LIBCMT ref: 000BD01B
SHFileOperationW.SHELL32(?), ref: 000BD061

Strings

\*.*, xrefs: 000BCFF3

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 73b4fb39e1461a2a5e43d3e089558ce155070bf0b25e03857a09f60a2edac91d
Instruction ID: 84e949c6b76a6bc635e12a0b82e5ca1b27528b2ce0479eb34368d5ad8ca4701e
Opcode Fuzzy Hash: 73b4fb39e1461a2a5e43d3e089558ce155070bf0b25e03857a09f60a2edac91d
Instruction Fuzzy Hash: B54135719452199FEF52EFA4C981EEEB7F9AF08340F1004E6E509EB142EB35A649CB50

Function 000E2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 000E2E1C
GetWindowLongW.USER32(?,000000F0), ref: 000E2E4F
GetWindowLongW.USER32(?,000000F0), ref: 000E2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 000E2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 000E2EE0
GetWindowLongW.USER32(?,000000F0), ref: 000E2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 000E2F0B

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 78a3d40564df355f7e6f3ddf23f6084f69162e6a0adae27e462f24d7609b5ba7
Instruction ID: 331bcd67856e8c538896c86851f6c8f03efa05903a523f5360f454abc5e1c42b
Opcode Fuzzy Hash: 78a3d40564df355f7e6f3ddf23f6084f69162e6a0adae27e462f24d7609b5ba7
Instruction Fuzzy Hash: AE310C31605290AFEB21CF59DC84FA537E9FB9A714F1501A4F900AF2B1C771AC91DB41

Function 000B7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000B7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000B778F
SysAllocString.OLEAUT32(00000000), ref: 000B7792
SysAllocString.OLEAUT32(?), ref: 000B77B0
SysFreeString.OLEAUT32(?), ref: 000B77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 000B77DE
SysAllocString.OLEAUT32(?), ref: 000B77EC

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9cf1faefea6140441277b0a5b756848147449f2d865076eadf72298c01228dde
Instruction ID: da06da848e0fd21b6270f536489e9d693cfdfb62ca878c8e09cb917a0eee0b3c
Opcode Fuzzy Hash: 9cf1faefea6140441277b0a5b756848147449f2d865076eadf72298c01228dde
Instruction Fuzzy Hash: 4721B276608219AFEB10DFA8DC88CFB77ECEB497647108025F918DF291DA74DC428760

Function 000B77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000B7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000B7868
SysAllocString.OLEAUT32(00000000), ref: 000B786B
SysAllocString.OLEAUT32 ref: 000B788C
SysFreeString.OLEAUT32 ref: 000B7895
StringFromGUID2.OLE32(?,?,00000028), ref: 000B78AF
SysAllocString.OLEAUT32(?), ref: 000B78BD

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: baca26d754bc6710c3a4297a02579cfcc2ccdcb51e17b788d4e591452d44240c
Instruction ID: fb4f7cc1d8c98f5b7f52f258b32a80f3e51304899d10974dc10fa6a4e2c7d166
Opcode Fuzzy Hash: baca26d754bc6710c3a4297a02579cfcc2ccdcb51e17b788d4e591452d44240c
Instruction Fuzzy Hash: 3A217171608204AFEB109FB8DC88DFA77ECEB497607108125F919DB2A1DA74DC41CB74

Function 000C04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 000C04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000C052E

Strings

nul, xrefs: 000C0567

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 0f039dfdddd6f2b2b88f84ec59f84b3b5684cfee71aa6fd5675e40416f01e260
Instruction ID: 50f552b22db547ac88de555492ff3b4785e2d9c5df54939a602024db0927105c
Opcode Fuzzy Hash: 0f039dfdddd6f2b2b88f84ec59f84b3b5684cfee71aa6fd5675e40416f01e260
Instruction Fuzzy Hash: CD215A75600705EBEF209F29DC44F9E7BE8AF44B64F204A1DE8A1E62E0D7719941CF20

Function 000C05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 000C05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000C0601

Strings

nul, xrefs: 000C0639

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: c78dd0f19db541b54848fba6742a6ec19055f46b8871080d77852a40af2ea4e0
Instruction ID: e878795cd29c151ccdea344341a12e283aeec3a517cfc031f2ac2c3445f5bcd4
Opcode Fuzzy Hash: c78dd0f19db541b54848fba6742a6ec19055f46b8871080d77852a40af2ea4e0
Instruction Fuzzy Hash: 6B21AE75500315EBEB208F68CC44F9E77E8AF85B24F200A1DF8A1E72E0D7B19961CB20

Function 000E40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0005600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0005604C
Part of subcall function 0005600E: GetStockObject.GDI32(00000011), ref: 00056060
Part of subcall function 0005600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0005606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 000E4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 000E411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 000E412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 000E4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 000E4145

Strings

Msctls_Progress32, xrefs: 000E40E3

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: d27c2f7e9995b73325cf5ca43a4008e359d3f09cd81b19bd03da1ed21562ce25
Instruction ID: bec97184ee29eed1e7279af1b5162d9e6390bacf5680aca102cfc511ca9a650f
Opcode Fuzzy Hash: d27c2f7e9995b73325cf5ca43a4008e359d3f09cd81b19bd03da1ed21562ce25
Instruction Fuzzy Hash: 0011B2B2140219BEFF219F65CC85EE77FADEF08798F014120BA18A6190C7769C61DBA4

Function 0008D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0008D7A3: _free.LIBCMT ref: 0008D7CC

_free.LIBCMT ref: 0008D82D

Part of subcall function 000829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0008D7D1,00000000,00000000,00000000,00000000,?,0008D7F8,00000000,00000007,00000000,?,0008DBF5,00000000), ref: 000829DE
Part of subcall function 000829C8: GetLastError.KERNEL32(00000000,?,0008D7D1,00000000,00000000,00000000,00000000,?,0008D7F8,00000000,00000007,00000000,?,0008DBF5,00000000,00000000), ref: 000829F0

_free.LIBCMT ref: 0008D838
_free.LIBCMT ref: 0008D843
_free.LIBCMT ref: 0008D897
_free.LIBCMT ref: 0008D8A2
_free.LIBCMT ref: 0008D8AD
_free.LIBCMT ref: 0008D8B8

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: ad5ff9e79c637d4e6d8c71356891bc0180a6d0a14877daad7716cd50d1342e7d
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 3511F671944B14AADA21BFB0CC46FCF7BDCBF04700F404926F2D9A64D3EA69A5058760

Function 000BDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 000BDA74
LoadStringW.USER32(00000000), ref: 000BDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 000BDA91
LoadStringW.USER32(00000000), ref: 000BDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 000BDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 000BDAB9

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 90903e5777c9023c711c21cd2b39b0762a6967a24f13f73c789873577425db24
Instruction ID: 853dc521534de6e639c4b4f51009697796095faaa1206f0ee50970c85970144b
Opcode Fuzzy Hash: 90903e5777c9023c711c21cd2b39b0762a6967a24f13f73c789873577425db24
Instruction Fuzzy Hash: 1E0162F2500248BFFB109BA09DC9EEB736CEB08701F4004A2B756F6041E6799E858F75

Function 000C096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00C7EDC8,00C7EDC8), ref: 000C097B
EnterCriticalSection.KERNEL32(00C7EDA8,00000000), ref: 000C098D
TerminateThread.KERNEL32(?,000001F6), ref: 000C099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 000C09A9
CloseHandle.KERNEL32(?), ref: 000C09B8
InterlockedExchange.KERNEL32(00C7EDC8,000001F6), ref: 000C09C8
LeaveCriticalSection.KERNEL32(00C7EDA8), ref: 000C09CF

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 84eb2231ff196a6ac4ec32bf3cf454ea029899a7cb6b2ace4d6a825f760653b4
Instruction ID: 8bb7b9f7238ec88e1c83ef9dbb8a63e7f814c5cb3a6e926e233db8ca4ed6e1fa
Opcode Fuzzy Hash: 84eb2231ff196a6ac4ec32bf3cf454ea029899a7cb6b2ace4d6a825f760653b4
Instruction Fuzzy Hash: BBF0CD31442652FBF7515BA4EEC9FDA7A69FF05B02F40101AF201688A1C77A9566CF90

Function 000D1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 000D1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 000D1DE1
WSAGetLastError.WSOCK32 ref: 000D1DF2
htons.WSOCK32(?,?,?,?,?), ref: 000D1EDB
inet_ntoa.WSOCK32(?), ref: 000D1E8C

Part of subcall function 000B39E8: _strlen.LIBCMT ref: 000B39F2

Part of subcall function 000D3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,000CEC0C), ref: 000D3240

_strlen.LIBCMT ref: 000D1F35

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 0e9e35b6a30ebdbb52b8db16bab8ad7d6673aa71fd166c6752c125bcf8aa97ee
Instruction ID: d71bf40ddbd899b9457df7fc870446364a63d2de7e03f3600ef1390c0d23ca12
Opcode Fuzzy Hash: 0e9e35b6a30ebdbb52b8db16bab8ad7d6673aa71fd166c6752c125bcf8aa97ee
Instruction Fuzzy Hash: 3BB1AC30204340AFD324DF24C885EAA7BE5AF84318F54895DF85A5B3A3DB31ED46CBA1

Function 00055D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00055D30
GetWindowRect.USER32(?,?), ref: 00055D71
ScreenToClient.USER32(?,?), ref: 00055D99
GetClientRect.USER32(?,?), ref: 00055ED7
GetWindowRect.USER32(?,?), ref: 00055EF8

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: b0a1a529b713ea3d628d528280ced4c9b85d096fc1650e1089d52ba3ae66d553
Instruction ID: 8ee5a965de359ee50015ed918ddcad825998e742544514d9654e50725ff96eaf
Opcode Fuzzy Hash: b0a1a529b713ea3d628d528280ced4c9b85d096fc1650e1089d52ba3ae66d553
Instruction Fuzzy Hash: E9B17B35A0064ADBDF24CFA8C881BEEB7F1FF48311F14851AE8A9D7250DB34AA55DB50

Function 000801B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 000800BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000800D6
__allrem.LIBCMT ref: 000800ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0008010B
__allrem.LIBCMT ref: 00080122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00080140

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: e2d5945337d8b7716c9ce9aa6b7ed44b2f188a7d36e2a2e1d37580aa0c9ce16a
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 57810772A007069FEB60BE68CC41BAB73E8BF51334F24813AF495D7282EB75D9048B54

Function 000861FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,000782D9,000782D9,?,?,?,0008644F,00000001,00000001,8BE85006), ref: 00086258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0008644F,00000001,00000001,8BE85006,?,?,?), ref: 000862DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 000863D8
__freea.LIBCMT ref: 000863E5

Part of subcall function 00083820: RtlAllocateHeap.NTDLL(00000000,?,00121444,?,0006FDF5,?,?,0005A976,00000010,00121440,000513FC,?,000513C6,?,00051129), ref: 00083852

__freea.LIBCMT ref: 000863EE
__freea.LIBCMT ref: 00086413

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: d73ec597e0788fcb57c18188d22903f799670c0281138e6387b9caa244eecf09
Instruction ID: 0b0eba2ec7d95d1a5630b9c2b5443be1d8f9b4798776b778333beac29ddfe9c4
Opcode Fuzzy Hash: d73ec597e0788fcb57c18188d22903f799670c0281138e6387b9caa244eecf09
Instruction Fuzzy Hash: E5511372A00216ABEB25AF64CC81EBF77AAFF84B10F164268FC45D6141EB36DD40C760

Function 000DBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00059CB3: _wcslen.LIBCMT ref: 00059CBD

Part of subcall function 000DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000DB6AE,?,?), ref: 000DC9B5
Part of subcall function 000DC998: _wcslen.LIBCMT ref: 000DC9F1
Part of subcall function 000DC998: _wcslen.LIBCMT ref: 000DCA68
Part of subcall function 000DC998: _wcslen.LIBCMT ref: 000DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000DBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000DBD25
RegCloseKey.ADVAPI32(00000000), ref: 000DBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 000DBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 000DBDF3
RegCloseKey.ADVAPI32(?), ref: 000DBDFF

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 3a8305f69ca0dbed486bf078b4bca40e09fb1e30d722d899752c6f03b33426cf
Instruction ID: e2da06f997641dbc0bace845c39621925fbbbafb82e13f23675c357f7f738ff7
Opcode Fuzzy Hash: 3a8305f69ca0dbed486bf078b4bca40e09fb1e30d722d899752c6f03b33426cf
Instruction Fuzzy Hash: 45815B30208341EFD714DF24C895E6ABBE5BF84308F15895DF4598B2A2DB32ED45CBA2

Function 000AF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 000AF7B9
SysAllocString.OLEAUT32(00000001), ref: 000AF860
VariantCopy.OLEAUT32(000AFA64,00000000), ref: 000AF889
VariantClear.OLEAUT32(000AFA64), ref: 000AF8AD
VariantCopy.OLEAUT32(000AFA64,00000000), ref: 000AF8B1
VariantClear.OLEAUT32(?), ref: 000AF8BB

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: d487b2ba1abe29bb25bc7a4f433bacdd885ea649e5007b25d67739b209452ee3
Instruction ID: 3fe21fe0208de73c03d5a68d1f77047617527874174cc6c23f83fbce25b14ccd
Opcode Fuzzy Hash: d487b2ba1abe29bb25bc7a4f433bacdd885ea649e5007b25d67739b209452ee3
Instruction Fuzzy Hash: 0451E531600312BADF20ABE5D895BBEB3E5EF46710F248466F805DF292DB749C41C796

Function 000C910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00057620: _wcslen.LIBCMT ref: 00057625

Part of subcall function 00056B57: _wcslen.LIBCMT ref: 00056B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 000C94E5
_wcslen.LIBCMT ref: 000C9506
_wcslen.LIBCMT ref: 000C952D
GetSaveFileNameW.COMDLG32(00000058), ref: 000C9585

Strings

X, xrefs: 000C9412

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: fdd158878b370a14a7f1c94f7290e8d737f5885a3db03057e778ba0906e40063
Instruction ID: 1ca9122db781424f58749f11c9ea7c03fe6cfd1e44b476aefe9fc3b568ddffec
Opcode Fuzzy Hash: fdd158878b370a14a7f1c94f7290e8d737f5885a3db03057e778ba0906e40063
Instruction Fuzzy Hash: 02E16D316083419FD724DF24C885FAEB7E5BF85314F14896DE8899B2A2DB31ED05CB92

Function 0006920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00069BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00069BB2

BeginPaint.USER32(?,?,?), ref: 00069241
GetWindowRect.USER32(?,?), ref: 000692A5
ScreenToClient.USER32(?,?), ref: 000692C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000692D3
EndPaint.USER32(?,?,?,?,?), ref: 00069321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 000A71EA

Part of subcall function 00069339: BeginPath.GDI32(00000000), ref: 00069357

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 1a05e39b584a78a966853b2590b65f8930e9a04d7b9c5a9c2a087cfd087aa6f9
Instruction ID: 8ee63c677aaf03a198d49701110dd671495eb626d86a45a9e88b2536192d518a
Opcode Fuzzy Hash: 1a05e39b584a78a966853b2590b65f8930e9a04d7b9c5a9c2a087cfd087aa6f9
Instruction Fuzzy Hash: 4941E230104340AFE721DF64CC94FBA7BF9EF56724F000229F954976A2C7319886CB61

Function 000C07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 000C080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 000C0847
EnterCriticalSection.KERNEL32(?), ref: 000C0863
LeaveCriticalSection.KERNEL32(?), ref: 000C08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 000C08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 000C0921

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 4230b77ded5964e6b043eec548bfa30b16c2a17fe44645a89ee94b4ca97bf4d8
Instruction ID: 951244928e0e9844d7264936cbc5c73383647b80eba9e7fd999831696eb37cf6
Opcode Fuzzy Hash: 4230b77ded5964e6b043eec548bfa30b16c2a17fe44645a89ee94b4ca97bf4d8
Instruction Fuzzy Hash: 96418B31900205EFEF049F54DC85AAA7BB9FF04700F1080A9ED00AE297DB35DE65DBA4

Function 000E81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,000AF3AB,00000000,?,?,00000000,?,000A682C,00000004,00000000,00000000), ref: 000E824C
EnableWindow.USER32(?,00000000), ref: 000E8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 000E82D1
ShowWindow.USER32(?,00000004), ref: 000E82E5
EnableWindow.USER32(?,00000001), ref: 000E830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 000E832F

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: c41d3843e50f83b5abe5449db32c1420a840b42582455e32c513917facb1d5e7
Instruction ID: 5d824ea23f75c9f39767b00ce62032726cf8bc5617fd9700f0abdfbc52cf5b4a
Opcode Fuzzy Hash: c41d3843e50f83b5abe5449db32c1420a840b42582455e32c513917facb1d5e7
Instruction Fuzzy Hash: 65417634601684BFDF65CF26C899FE47BE1BB46B14F189169E60C6F272C7325892CB50

Function 000B4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 000B4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 000B4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 000B4CEA
_wcslen.LIBCMT ref: 000B4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 000B4D10
_wcsstr.LIBVCRUNTIME ref: 000B4D1A

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 2dd3722d848de705cc93d31013d9063ad2601a494027b2c74b93846aca11def9
Instruction ID: d650bd34e470a474551eaffce7d301b203cf38c1708289d167ade6e835943e40
Opcode Fuzzy Hash: 2dd3722d848de705cc93d31013d9063ad2601a494027b2c74b93846aca11def9
Instruction Fuzzy Hash: A22107326042407BFB655B29AC49EBF7FE8DF45B50F108029F809DA193DA75DD0182A0

Function 000C581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00053AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00053A97,?,?,00052E7F,?,?,?,00000000), ref: 00053AC2

_wcslen.LIBCMT ref: 000C587B
CoInitialize.OLE32(00000000), ref: 000C5995
CoCreateInstance.OLE32(000EFCF8,00000000,00000001,000EFB68,?), ref: 000C59AE
CoUninitialize.OLE32 ref: 000C59CC

Strings

.lnk, xrefs: 000C5876, 000C58C1, 000C5985

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 1dcddef45f953430a9080990fed30c54a87b768b069f4a188cfad3cbf13c2689
Instruction ID: f827428f3691e9b284e35e4da21247f3ad3e097fa6887360c688bba8f51d7c5d
Opcode Fuzzy Hash: 1dcddef45f953430a9080990fed30c54a87b768b069f4a188cfad3cbf13c2689
Instruction Fuzzy Hash: F7D154796047019FC714DF24C880E6EBBE1EF89712F14895DF8899B262DB31ED85CB92

Function 000B175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000B0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000B0FCA
Part of subcall function 000B0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000B0FD6
Part of subcall function 000B0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000B0FE5
Part of subcall function 000B0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000B0FEC
Part of subcall function 000B0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000B1002

GetLengthSid.ADVAPI32(?,00000000,000B1335), ref: 000B17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 000B17BA
HeapAlloc.KERNEL32(00000000), ref: 000B17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 000B17DA
GetProcessHeap.KERNEL32(00000000,00000000,000B1335), ref: 000B17EE
HeapFree.KERNEL32(00000000), ref: 000B17F5

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: ea221721650bfaa1c092d484cc46e7b3478f35d6837c4ca26dba8d991d221098
Instruction ID: db1de609a1dd7c1e06873333995e3c2820b66670068ce847dc06a8ba2b95c2b8
Opcode Fuzzy Hash: ea221721650bfaa1c092d484cc46e7b3478f35d6837c4ca26dba8d991d221098
Instruction Fuzzy Hash: 5F11AF32544205FFEB109FA4CC99FEE7BF9EB42755F504099F441AB110CB369941CB60

Function 000B14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 000B14FF
OpenProcessToken.ADVAPI32(00000000), ref: 000B1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 000B1515
CloseHandle.KERNEL32(00000004), ref: 000B1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000B154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 000B1563

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: a0b3ef3116da576e8548c99346f49003c2d272313bec1dfab14984a02e97ca62
Instruction ID: c4326fb6f9011b05d7c64980db81806729160b67505ce00ebb78f1a6e5948cf8
Opcode Fuzzy Hash: a0b3ef3116da576e8548c99346f49003c2d272313bec1dfab14984a02e97ca62
Instruction Fuzzy Hash: A4112672500249EBEF11CFA8DD89FDE7BA9FF48B44F044025FA05A6060C3768E61DB60

Function 00073382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00073379,00072FE5), ref: 00073390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0007339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000733B7
SetLastError.KERNEL32(00000000,?,00073379,00072FE5), ref: 00073409

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 599e06693695b22a167f234ccb9e1148f7fdeb80b2e226943e9ff75a07ac7a53
Instruction ID: 712077ebaf313f7ffdf83bccfaff0b1b7b3d66e9db3097d4bd912843072a3236
Opcode Fuzzy Hash: 599e06693695b22a167f234ccb9e1148f7fdeb80b2e226943e9ff75a07ac7a53
Instruction Fuzzy Hash: 27012872E48311BEB63D27747C859D72A96EB09779330C229F518941F1EF194E02719C

Function 00083E80 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00083F0B
__alldvrm.LIBCMT ref: 0008410C
__alldvrm.LIBCMT ref: 0008412E

Strings

InitializeCriticalSectionEx, xrefs: 00083FC6

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: InitializeCriticalSectionEx
API String ID: 1036877536-3084827643
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 16accfacb1a8a475a6aa1996dbe833a61445a3c3574d4431eca382462c16c8a0
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: A7A12571E003879FDB25EE18C8917AEBBE5FF65350F14416DE6C59B282C6388981CB90

Function 00082D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00085686,00093CD6,?,00000000,?,00085B6A,?,?,?,?,?,0007E6D1,?,00118A48), ref: 00082D78
_free.LIBCMT ref: 00082DAB
_free.LIBCMT ref: 00082DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0007E6D1,?,00118A48,00000010,00054F4A,?,?,00000000,00093CD6), ref: 00082DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0007E6D1,?,00118A48,00000010,00054F4A,?,?,00000000,00093CD6), ref: 00082DEC
_abort.LIBCMT ref: 00082DF2

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 6a739566a93c8cdcfa55c19f72b381660ff84f59ea810052d3b94d8622292944
Instruction ID: eb0deabf79760ffc786224c601c1868379a8ded945d35656011d013487144a87
Opcode Fuzzy Hash: 6a739566a93c8cdcfa55c19f72b381660ff84f59ea810052d3b94d8622292944
Instruction Fuzzy Hash: 96F02836545B0077D2623338BC06E9F2D99BFC1BA0F224019F8E4A61D3EF2889024360

Function 000E8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00069639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00069693
Part of subcall function 00069639: SelectObject.GDI32(?,00000000), ref: 000696A2
Part of subcall function 00069639: BeginPath.GDI32(?), ref: 000696B9
Part of subcall function 00069639: SelectObject.GDI32(?,00000000), ref: 000696E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 000E8A4E
LineTo.GDI32(?,00000003,00000000), ref: 000E8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 000E8A70
LineTo.GDI32(?,00000000,00000003), ref: 000E8A80
EndPath.GDI32(?), ref: 000E8A90
StrokePath.GDI32(?), ref: 000E8AA0

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 85ac2d4a0bb5c2ae1db96119926b1443b787a9df433a14ff05f878b1bfabe058
Instruction ID: 50e5d671c6333e43fa8637e6f0981d4980d7cb75388230cb71c39ca996bf9f11
Opcode Fuzzy Hash: 85ac2d4a0bb5c2ae1db96119926b1443b787a9df433a14ff05f878b1bfabe058
Instruction Fuzzy Hash: 72110C7600014CFFEF129F90DC88E9A7F6DEB04354F048461FA19AA161C7729D96DB60

Function 000B51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 000B5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 000B5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000B5230
ReleaseDC.USER32(00000000,00000000), ref: 000B5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 000B524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 000B5261

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 0cd35a263c5854a2ce93bc0d8754175a83309dda75cf54cf27a0b49875b4eb91
Instruction ID: 8c1e8b4bc48f85b7954289e6b5a1808e7f1920c7b84b1197650070d8a2cb0dd2
Opcode Fuzzy Hash: 0cd35a263c5854a2ce93bc0d8754175a83309dda75cf54cf27a0b49875b4eb91
Instruction Fuzzy Hash: 16018F75A01748BBFB109BE59C89F9EBFB8EF49751F044065FA04AB281D6719801CBA0

Function 00051BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00051BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00051BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00051C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00051C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00051C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00051C22

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: ae934d10f6666732cc40076c19f32656cbf2514fa07da27a25e5afe107460424
Instruction ID: 24d9b11171cba42785d8c32818c4f4df1be315c3cc1f68768140bf2e9d24e63f
Opcode Fuzzy Hash: ae934d10f6666732cc40076c19f32656cbf2514fa07da27a25e5afe107460424
Instruction Fuzzy Hash: 6D0144B0902B5ABDE3008F6A8C85A52FFA8FF59754F00411BA15C4BA42C7B5A864CBE5

Function 000BEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 000BEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 000BEB46
GetWindowThreadProcessId.USER32(?,?), ref: 000BEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000BEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000BEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000BEB75

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: ce7f951b051564675b740c5fa04a1327e57414de996c7bd67192e601877af104
Instruction ID: 38c18cbed79c63df4d063ba3c7386f15ac58f512fa0fa321a49522d3ec51c755
Opcode Fuzzy Hash: ce7f951b051564675b740c5fa04a1327e57414de996c7bd67192e601877af104
Instruction Fuzzy Hash: EFF03072140198BBF72157629C4DEEF7A7CEFCBF11F000159FA01E5091D7A55A02C6B5

Function 000A7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 000A7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 000A7469
GetWindowDC.USER32(?), ref: 000A7475
GetPixel.GDI32(00000000,?,?), ref: 000A7484
ReleaseDC.USER32(?,00000000), ref: 000A7496
GetSysColor.USER32(00000005), ref: 000A74B0

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 81368fcb173cca72568d094b6e62d823d3bce17f63c30f5db38d9347090b3a67
Instruction ID: 7ac058e0e707259e137d9f469315a81f831299e56193ee4c3ff67a5db31d7829
Opcode Fuzzy Hash: 81368fcb173cca72568d094b6e62d823d3bce17f63c30f5db38d9347090b3a67
Instruction Fuzzy Hash: 24018F31400655FFFB505FA4DC48FAE7BB6FB44711F104064F925A60A0CB361D52AB10

Function 000B1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 000B187F
UnloadUserProfile.USERENV(?,?), ref: 000B188B
CloseHandle.KERNEL32(?), ref: 000B1894
CloseHandle.KERNEL32(?), ref: 000B189C
GetProcessHeap.KERNEL32(00000000,?), ref: 000B18A5
HeapFree.KERNEL32(00000000), ref: 000B18AC

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: d9b65ed3655de235d8795897746aacc6b5d3a771d50409ad4218204a60977c61
Instruction ID: 1913572a1b58bdc52308634768ff48db88b4bd034c4fb02fd95771c9238b86f0
Opcode Fuzzy Hash: d9b65ed3655de235d8795897746aacc6b5d3a771d50409ad4218204a60977c61
Instruction Fuzzy Hash: 8BE0C236004641BBFB015BA1ED4CD0ABB29FB4AB22B108221F625A9070CB379422DB50

Function 000D7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00070242: EnterCriticalSection.KERNEL32(0012070C,00121884,?,?,0006198B,00122518,?,?,?,000512F9,00000000), ref: 0007024D
Part of subcall function 00070242: LeaveCriticalSection.KERNEL32(0012070C,?,0006198B,00122518,?,?,?,000512F9,00000000), ref: 0007028A

Part of subcall function 00059CB3: _wcslen.LIBCMT ref: 00059CBD

Part of subcall function 000700A3: __onexit.LIBCMT ref: 000700A9

__Init_thread_footer.LIBCMT ref: 000D7BFB

Part of subcall function 000701F8: EnterCriticalSection.KERNEL32(0012070C,?,?,00068747,00122514), ref: 00070202
Part of subcall function 000701F8: LeaveCriticalSection.KERNEL32(0012070C,?,00068747,00122514), ref: 00070235

Strings

Variable must be of type 'Object'., xrefs: 000D7C3A
+T, xrefs: 000D7E2E
G, xrefs: 000D7C7F
5, xrefs: 000D7C78

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T$5$G$Variable must be of type 'Object'.
API String ID: 535116098-814887785
Opcode ID: 07648d4cd8837783ff1575281eff8dbf6d38d6392655fdde47f3513e75d231e9
Instruction ID: fc4a2a6768fa947b68ecda5741357126e02ce50896f33cd27f0016f9d585580e
Opcode Fuzzy Hash: 07648d4cd8837783ff1575281eff8dbf6d38d6392655fdde47f3513e75d231e9
Instruction Fuzzy Hash: 08915C74A04309EFCB14EF54D891DEDB7B2AF49300F50805AF84A6B392EB71AE45CB61

Function 000BC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00057620: _wcslen.LIBCMT ref: 00057625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000BC6EE
_wcslen.LIBCMT ref: 000BC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000BC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 000BC7CA

Strings

0, xrefs: 000BC6AF

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 1def4dd04e5bc2feba88d66453c4f3acddc2aecb848ead1f6b7c14cf747ee990
Instruction ID: 1582d0a89bc621a244e855b2541436919d0c0154b1e907525c395c227d1d9bbe
Opcode Fuzzy Hash: 1def4dd04e5bc2feba88d66453c4f3acddc2aecb848ead1f6b7c14cf747ee990
Instruction Fuzzy Hash: FD51FE716483419BE7A4DF28C885EEB77E8AF89314F040A2DF996E31A1DB70DC44CB52

Function 000DAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 000DAEA3

Part of subcall function 00057620: _wcslen.LIBCMT ref: 00057625

GetProcessId.KERNEL32(00000000), ref: 000DAF38
CloseHandle.KERNEL32(00000000), ref: 000DAF67

Strings

<, xrefs: 000DAE6B
@, xrefs: 000DAE72

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: ed3995734567cd7e431ba04d00c10d555d23487a61dbcf0b21a07f4059c32279
Instruction ID: 822d860fe4badb478d241183e21b247dbf8730ac557c4a204e9fd3592a7c3807
Opcode Fuzzy Hash: ed3995734567cd7e431ba04d00c10d555d23487a61dbcf0b21a07f4059c32279
Instruction Fuzzy Hash: 13717871A00615DFCB14DF94C484A9EBBF0BF09310F0484AAE85AAB392C775ED45CBA1

Function 000B719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000B7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 000B723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 000B724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000B72CF

Strings

DllGetClassObject, xrefs: 000B7242

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ff85d8f85d4cb979102ff95768667dbaedfeb6f83ca1f0257e2149e3a1a5d298
Instruction ID: 75e9662716187b0928baf2dbe076990b77d36b4baf50b6a60a1a2c39e6a8cb3a
Opcode Fuzzy Hash: ff85d8f85d4cb979102ff95768667dbaedfeb6f83ca1f0257e2149e3a1a5d298
Instruction Fuzzy Hash: BF416171A04204EFDB25CF54C884ADA7BA9EF85710F1480ADFD099F20AD7B5DA45CBA0

Function 000E3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000E3E35
IsMenu.USER32(?), ref: 000E3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 000E3E92
DrawMenuBar.USER32 ref: 000E3EA5

Strings

0, xrefs: 000E3D89

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 8cc150a9481a7258e5803ce15e28561a2865ed1b5e2454e997508094017712a1
Instruction ID: ab33447ce05eca6bbd22a6ed2d17db616efa87cba0dd8c425b70744e17055bc7
Opcode Fuzzy Hash: 8cc150a9481a7258e5803ce15e28561a2865ed1b5e2454e997508094017712a1
Instruction Fuzzy Hash: 06417775A00289AFEB24DF51D888EEABBF9FF49354F044129E805AB390C330AE41CF50

Function 000B1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00059CB3: _wcslen.LIBCMT ref: 00059CBD

Part of subcall function 000B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000B3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 000B1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 000B1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 000B1EA9

Part of subcall function 00056B57: _wcslen.LIBCMT ref: 00056B6A

Strings

ComboBox, xrefs: 000B1DF0
ListBox, xrefs: 000B1E25

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: b0755ba07614c33fa35f3616d5f4b00b647316152553d67776dec71781da83a0
Instruction ID: 96eb80d68a06f70c19f34c180495dbbb51a4e800141defd7841e4b12c3bd1ef2
Opcode Fuzzy Hash: b0755ba07614c33fa35f3616d5f4b00b647316152553d67776dec71781da83a0
Instruction Fuzzy Hash: D3213871A00104BEEB14ABA4DC96CFFBBBADF45350B504129FC25A71E2DF39894A8620

Function 000E2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 000E2F8D
LoadLibraryW.KERNEL32(?), ref: 000E2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 000E2FA9
DestroyWindow.USER32(?), ref: 000E2FB1

Strings

SysAnimate32, xrefs: 000E2F68

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: b70426681f96260eed6301ebc07127afb2307aeb1fc95c5cefe3dd843b260abe
Instruction ID: 09959816264f46e4cd137bc7073635188ffb10ae48672a73abe8862f2fe6483a
Opcode Fuzzy Hash: b70426681f96260eed6301ebc07127afb2307aeb1fc95c5cefe3dd843b260abe
Instruction Fuzzy Hash: F4219A72600289AFEB208F66DC81EBB77FDEB59764F100638FA50E61A0D771DC919760

Function 00074D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00074D1E,000828E9,?,00074CBE,000828E9,001188B8,0000000C,00074E15,000828E9,00000002), ref: 00074D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00074DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00074D1E,000828E9,?,00074CBE,000828E9,001188B8,0000000C,00074E15,000828E9,00000002,00000000), ref: 00074DC3

Strings

mscoree.dll, xrefs: 00074D86
CorExitProcess, xrefs: 00074D98

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a8da1068e36f75f91cb16d8b6e1ea373793e578dab7a1a992cd5dc760d01deb0
Instruction ID: d87844d11d42f7e0811ce580d7c990c611fb9260b83e12426f74e0bb6f78a344
Opcode Fuzzy Hash: a8da1068e36f75f91cb16d8b6e1ea373793e578dab7a1a992cd5dc760d01deb0
Instruction Fuzzy Hash: E2F0A434940308BBEB115F90DC49FEDBBF5EF44B11F004094F909A6650CB395D41DA94

Function 00054E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00054EDD,?,00121418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00054E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00054EAE
FreeLibrary.KERNEL32(00000000,?,?,00054EDD,?,00121418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00054EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00054EA8
kernel32.dll, xrefs: 00054E94

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 865d712a5fdd65d15875fc2179bf2edd1e3aced5b14d559832129699ac54c85e
Instruction ID: 411881c020690704ceeeb05b45a494c57bed2b7053f3a5f3de0a5c0bffc8f879
Opcode Fuzzy Hash: 865d712a5fdd65d15875fc2179bf2edd1e3aced5b14d559832129699ac54c85e
Instruction Fuzzy Hash: 1CE08635A026225BF26117256C59E9B6594AFC3F67B050155FD00F7104DB65CD4644A0

Function 00054E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00093CDE,?,00121418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00054E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00054E74
FreeLibrary.KERNEL32(00000000,?,?,00093CDE,?,00121418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00054E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00054E6E
kernel32.dll, xrefs: 00054E5B

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 290ac63420c031d2dca28800a8d1e62185f8559abb24b886923ae9dbb3ba5505
Instruction ID: 75ddf0d12a6112ac1bfb0f3f3382fa3537d1ca3d868d9b3a939fac920b494011
Opcode Fuzzy Hash: 290ac63420c031d2dca28800a8d1e62185f8559abb24b886923ae9dbb3ba5505
Instruction Fuzzy Hash: 26D0C2319026615BB6621B256C19DCB2A58AF82F163050164BD00BA114CF26CD4281D0

Function 000C2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000C2C05
DeleteFileW.KERNEL32(?), ref: 000C2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000C2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000C2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000C2CC0

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: e91a1d1368977d3e73c0e1532b3c74cdce4a80a3e184b76f9d64eec07a0ad168
Instruction ID: 08299839885402d5d5de98ddffb4648f60064c93ef88b7e7ff20a291fa27ee08
Opcode Fuzzy Hash: e91a1d1368977d3e73c0e1532b3c74cdce4a80a3e184b76f9d64eec07a0ad168
Instruction Fuzzy Hash: 5CB15071D00119ABDF21DBA4CC85EDEB7BDEF48350F1040AAFA09E7142EB359A448F61

Function 000DA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 000DA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 000DA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 000DA468
CloseHandle.KERNEL32(?), ref: 000DA63D

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 255ff4b8545c5198bfbe2811f85523d70c5470ceacc6721a3beb34e6fa4bcdb3
Instruction ID: 6bad7a9710aa78891390c6d2f2cd20c900df337dfc0490e6a4f048f17f493c01
Opcode Fuzzy Hash: 255ff4b8545c5198bfbe2811f85523d70c5470ceacc6721a3beb34e6fa4bcdb3
Instruction Fuzzy Hash: 35A1C0716043019FE720DF24C882F6AB7E1AF84714F14881DF99A9B392DBB1EC05CB92

Function 0008BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,000F3700), ref: 0008BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0012121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0008BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00121270,000000FF,?,0000003F,00000000,?), ref: 0008BC36
_free.LIBCMT ref: 0008BB7F

Part of subcall function 000829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0008D7D1,00000000,00000000,00000000,00000000,?,0008D7F8,00000000,00000007,00000000,?,0008DBF5,00000000), ref: 000829DE
Part of subcall function 000829C8: GetLastError.KERNEL32(00000000,?,0008D7D1,00000000,00000000,00000000,00000000,?,0008D7F8,00000000,00000007,00000000,?,0008DBF5,00000000,00000000), ref: 000829F0

_free.LIBCMT ref: 0008BD4B

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: d5a45d5165fd1861ab92459a7d995850f649b5758a8af33878be405acc236ff5
Instruction ID: 3f107262421eba10eabdb030e9f4f02107e2876f80a3889781df767bac45367c
Opcode Fuzzy Hash: d5a45d5165fd1861ab92459a7d995850f649b5758a8af33878be405acc236ff5
Instruction Fuzzy Hash: 4351C771900209FFDB24FF699C819AEB7B8FF55310B20426AF5A4E7192EB709E418B54

Function 000BE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000BCF22,?), ref: 000BDDFD

Part of subcall function 000BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000BCF22,?), ref: 000BDE16

Part of subcall function 000BE199: GetFileAttributesW.KERNEL32(?,000BCF95), ref: 000BE19A

lstrcmpiW.KERNEL32(?,?), ref: 000BE473
MoveFileW.KERNEL32(?,?), ref: 000BE4AC
_wcslen.LIBCMT ref: 000BE5EB
_wcslen.LIBCMT ref: 000BE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 000BE650

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 37afdc4c685424b841fee987a42588ce50b745720ca93fb5755bd8939e39cca1
Instruction ID: 968bae6fbed63f58b11071e56dac00064c0c2f2558860f1e8ee3ef3498056031
Opcode Fuzzy Hash: 37afdc4c685424b841fee987a42588ce50b745720ca93fb5755bd8939e39cca1
Instruction Fuzzy Hash: A65163B24083859BD764DBA4D8819DBB3DCAF85340F00492EF689D3152EF75E58C8756

Function 000DB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00059CB3: _wcslen.LIBCMT ref: 00059CBD

Part of subcall function 000DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000DB6AE,?,?), ref: 000DC9B5
Part of subcall function 000DC998: _wcslen.LIBCMT ref: 000DC9F1
Part of subcall function 000DC998: _wcslen.LIBCMT ref: 000DCA68
Part of subcall function 000DC998: _wcslen.LIBCMT ref: 000DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000DBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000DBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 000DBB63
RegCloseKey.ADVAPI32(?,?), ref: 000DBBA6
RegCloseKey.ADVAPI32(00000000), ref: 000DBBB3

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 8486cf9013d673ce78f86358be6a80a8e2a1e2790ad626f246811f871863baf9
Instruction ID: 30c536df38af4ca908fe36689dda559cd651f87d30ae688dc965777942ef8a88
Opcode Fuzzy Hash: 8486cf9013d673ce78f86358be6a80a8e2a1e2790ad626f246811f871863baf9
Instruction Fuzzy Hash: 49616A31208341EFD714DF14C490E6ABBE5BF84318F55895EF4998B2A2DB31ED45CBA2

Function 000B8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000B8BCD
VariantClear.OLEAUT32 ref: 000B8C3E
VariantClear.OLEAUT32 ref: 000B8C9D
VariantClear.OLEAUT32(?), ref: 000B8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 000B8D3B

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 1b5ac3e61744f9a460c97ead20e95051a816b495fb31c0f66e643a1792525c26
Instruction ID: 68baf90c69381de1204295dd2739295c6cf249345a694c4bb89fa6dddd2e88e2
Opcode Fuzzy Hash: 1b5ac3e61744f9a460c97ead20e95051a816b495fb31c0f66e643a1792525c26
Instruction Fuzzy Hash: FB516AB5A00219EFDB14CF58C894AAAB7F8FF89310F15855AE915DB360E734E911CB90

Function 000C8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 000C8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 000C8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 000C8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 000C8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 000C8C5F

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 8eabe5a9b8e2140c765b31bb49325c4ad797a8c10397dd22db5745b633a83816
Instruction ID: 31f0eade9c0554795a09679f3322f2f6490f5688b4b637e8c1e6a59c3d7af32a
Opcode Fuzzy Hash: 8eabe5a9b8e2140c765b31bb49325c4ad797a8c10397dd22db5745b633a83816
Instruction Fuzzy Hash: 26514835A00619AFDB04DF64C880EAEBBF5FF48314F088458E849AB362DB35ED55CB90

Function 000D8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 000D8F40
GetProcAddress.KERNEL32(00000000,?), ref: 000D8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 000D8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 000D9032
FreeLibrary.KERNEL32(00000000), ref: 000D9052

Part of subcall function 0006F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,000C1043,?,761DE610), ref: 0006F6E6
Part of subcall function 0006F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000AFA64,00000000,00000000,?,?,000C1043,?,761DE610,?,000AFA64), ref: 0006F70D

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 63b854791bea1228d9c84c1e0e65d580a7d7f8a0e2d46097d7deeae17581e092
Instruction ID: b041c854db6fadd5a462196cba0e57f3217c306d9acc5dfdd4372a765da0c8d4
Opcode Fuzzy Hash: 63b854791bea1228d9c84c1e0e65d580a7d7f8a0e2d46097d7deeae17581e092
Instruction Fuzzy Hash: CC514B35600205DFD715DF68C484DAEBBF1FF49314B4480A9E80AAB362DB31ED86CBA0

Function 000E6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 000E6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 000E6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 000E6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,000CAB79,00000000,00000000), ref: 000E6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 000E6CC7

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 5df8cb65efd06feb1f429dd4b1b62e88cec3afab4810a79cf3fb6070a530e6b5
Instruction ID: 348923d5bc3c1b373fa5d5b3cdf2edc68fe5e7d052bbd53d54d00d7267431279
Opcode Fuzzy Hash: 5df8cb65efd06feb1f429dd4b1b62e88cec3afab4810a79cf3fb6070a530e6b5
Instruction Fuzzy Hash: 6441C635604184AFEB64CF6ADC95FB97BE5EB19390F240268FC95B72E1C372AD41CA40

Function 00082051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000820C3
_free.LIBCMT ref: 000820E3

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 51a83b4a055fa605c3d0f429c5455baadbf8f9222e29a7b8de7fb63494860a6a
Instruction ID: 0deeaffdedadb090131cb040e64619f9481c3a38f88dc2cd6517dff137d3a08d
Opcode Fuzzy Hash: 51a83b4a055fa605c3d0f429c5455baadbf8f9222e29a7b8de7fb63494860a6a
Instruction Fuzzy Hash: 8C41D472A002009FCB24EF78C985A9DB7E6FF89314F254569E555EB392DB31ED01CB80

Function 0006912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00069141
ScreenToClient.USER32(00000000,?), ref: 0006915E
GetAsyncKeyState.USER32(00000001), ref: 00069183
GetAsyncKeyState.USER32(00000002), ref: 0006919D

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 276023c7e7775cbeba494c8fb2bae9f7b1b850192e66ff53c5ca794b3a3e839a
Instruction ID: 04ca15bd060770f06b7631da6634c269296ed9f96272d077c039271fe3923bb2
Opcode Fuzzy Hash: 276023c7e7775cbeba494c8fb2bae9f7b1b850192e66ff53c5ca794b3a3e839a
Instruction Fuzzy Hash: 62416071A0860AFBDF159FA8C844BEEB7B9FF46320F208215E429A7291C7345994CB91

Function 000C3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 000C38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 000C3922
TranslateMessage.USER32(?), ref: 000C394B
DispatchMessageW.USER32(?), ref: 000C3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000C3966

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 0819f4d69ce49af4838bb3a564743df6f5cbf38620b633b591b56aff2b5d0603
Instruction ID: 8e800773b739c5cb93293d5ca0cb9c8e8a056f67d415bf10f7df3b4cbf8a746b
Opcode Fuzzy Hash: 0819f4d69ce49af4838bb3a564743df6f5cbf38620b633b591b56aff2b5d0603
Instruction Fuzzy Hash: 5131B370924382BEEB75CB34D848FBE37E8EB15304F04856DE462965E0E7B59AC6CB11

Function 000CCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,000CC21E,00000000), ref: 000CCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 000CCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,000CC21E,00000000), ref: 000CCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,000CC21E,00000000), ref: 000CCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,000CC21E,00000000), ref: 000CCFF2

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: c87ce975272688b85120a1f808e24709fd802dfe7145c68e59e750f30da599b6
Instruction ID: baf57dbe37af188a2b21a38448bdcf5cbc9841aa448c0ebd200d34671c9b757a
Opcode Fuzzy Hash: c87ce975272688b85120a1f808e24709fd802dfe7145c68e59e750f30da599b6
Instruction Fuzzy Hash: A5316B71904205AFEB20DFA5D884EAFBBFAEB14310B10443EF51AE6101DB30AE42DB60

Function 000B1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 000B1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 000B19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 000B19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 000B19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 000B19E2

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 644eda936f16c535a4bcce77cea84126d2a022aac2fb3b167aee786c3370eb25
Instruction ID: 5c1cf343da1441b958b49d8bdc176aa46de944e862958b3d27221c28c434e398
Opcode Fuzzy Hash: 644eda936f16c535a4bcce77cea84126d2a022aac2fb3b167aee786c3370eb25
Instruction Fuzzy Hash: 7831F171A00259EFEB10CFA8CDA8ADE3BB5EB45314F004229F921EB2D1C3709D44CB90

Function 000E5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 000E5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 000E579D
_wcslen.LIBCMT ref: 000E57AF
_wcslen.LIBCMT ref: 000E57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 000E5816

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 59c6652e4cac4c052e2b642d097fba516306a20ead406d06ceea1a996e601b50
Instruction ID: 0a1d09b5d6f5087bf2800b036d8cfd051d976ec21c8c1c4e61dc84494993363d
Opcode Fuzzy Hash: 59c6652e4cac4c052e2b642d097fba516306a20ead406d06ceea1a996e601b50
Instruction Fuzzy Hash: 7F21D270904698AEDB208FA1DC84AEE7BB8FF40729F108616E929FB1C1D7708981CF50

Function 000D0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 000D0951
GetForegroundWindow.USER32 ref: 000D0968
GetDC.USER32(00000000), ref: 000D09A4
GetPixel.GDI32(00000000,?,00000003), ref: 000D09B0
ReleaseDC.USER32(00000000,00000003), ref: 000D09E8

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 8fa9c67a439425c0ffa2e19a41d56956f26341a4f0ad0e2d317932a8ed4cf67e
Instruction ID: bd5c325a9e7e0039538eb412c32eccdf06a7a50b0120da3488adadd24b3eb5ff
Opcode Fuzzy Hash: 8fa9c67a439425c0ffa2e19a41d56956f26341a4f0ad0e2d317932a8ed4cf67e
Instruction Fuzzy Hash: E7216F35600204AFE714EF69C894EAFBBE5EF45701F04846DE85AEB352DB35AC05CB90

Function 0008CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0008CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0008CDE9

Part of subcall function 00083820: RtlAllocateHeap.NTDLL(00000000,?,00121444,?,0006FDF5,?,?,0005A976,00000010,00121440,000513FC,?,000513C6,?,00051129), ref: 00083852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0008CE0F
_free.LIBCMT ref: 0008CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0008CE31

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: d68077b45e342b76bbef39cd09bfb5013976ce3b7984a21160e8037859b57db3
Instruction ID: 19f5d7224dad434c1397539283e9ba588d579400bd7d6a2e3e0c7f2385c4c3e0
Opcode Fuzzy Hash: d68077b45e342b76bbef39cd09bfb5013976ce3b7984a21160e8037859b57db3
Instruction Fuzzy Hash: 9F0171726022557F332136B66C88D7B79BDFBC6FA13154129F945D7201EA758D0283B0

Function 00069639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00069693
SelectObject.GDI32(?,00000000), ref: 000696A2
BeginPath.GDI32(?), ref: 000696B9
SelectObject.GDI32(?,00000000), ref: 000696E2

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b955a494eb4b3fa5fdaf2eef373369b1bba8ce55ac22829e5135cce4b3485a94
Instruction ID: db9b8b467b1d08e5c371fe100317525ec3c782024cdab8e3ac954921e82a9546
Opcode Fuzzy Hash: b955a494eb4b3fa5fdaf2eef373369b1bba8ce55ac22829e5135cce4b3485a94
Instruction Fuzzy Hash: 27217F71802345FFEF21DF64DC44BA93BAABB21719F104216F410A69B0D37559E3CB90

Function 000B5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 000B5726
_memcmp.LIBVCRUNTIME ref: 000B5744
_memcmp.LIBVCRUNTIME ref: 000B5757
_memcmp.LIBVCRUNTIME ref: 000B576F
_memcmp.LIBVCRUNTIME ref: 000B5787

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 8180f6600214980cf00aab4c586ee47e303c41d01d25ffef6b6d0ac5015f2328
Instruction ID: 97ef00630e3c233c9901918054b130c7de3ff33f4c95b15312f33ac6a064f269
Opcode Fuzzy Hash: 8180f6600214980cf00aab4c586ee47e303c41d01d25ffef6b6d0ac5015f2328
Instruction Fuzzy Hash: E401BE71785605BFE2185515AD41FFB739C9B61359F104061FE086E181FB64FE1192A4

Function 00082DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0007F2DE,00083863,00121444,?,0006FDF5,?,?,0005A976,00000010,00121440,000513FC,?,000513C6), ref: 00082DFD
_free.LIBCMT ref: 00082E32
_free.LIBCMT ref: 00082E59
SetLastError.KERNEL32(00000000,00051129), ref: 00082E66
SetLastError.KERNEL32(00000000,00051129), ref: 00082E6F

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 8eb5ef8f5cc732bfd08f4f9d7161d0356e2cf7cdb1cfbdd534138672ad084eb0
Instruction ID: 7d80c6a51901db82ef7c053b4d1ed9871ae52337c019b374263ada4e0e1b45a9
Opcode Fuzzy Hash: 8eb5ef8f5cc732bfd08f4f9d7161d0356e2cf7cdb1cfbdd534138672ad084eb0
Instruction Fuzzy Hash: C0012832245A007BD62277746C8ADAF269DBBE17B1B214029F8E1A32D3EF388C014324

Function 000B000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,000AFF41,80070057,?,?,?,000B035E), ref: 000B002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000AFF41,80070057,?,?), ref: 000B0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000AFF41,80070057,?,?), ref: 000B0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000AFF41,80070057,?), ref: 000B0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000AFF41,80070057,?,?), ref: 000B0070

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: cf9b29760d160fe5bac506082537ab5e1c489cab0353bfd7e5036d7cf385244f
Instruction ID: 26ab3526388e3573fe0d94f021d3c13139a595fe5dfe31d8500062a752af3e09
Opcode Fuzzy Hash: cf9b29760d160fe5bac506082537ab5e1c489cab0353bfd7e5036d7cf385244f
Instruction Fuzzy Hash: 7B018F72610205BFEB115F68DD44FEB7AEDEB44B91F144124F905E6210DB76DD418BA0

Function 000B10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000B1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,000B0B9B,?,?,?), ref: 000B1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,000B0B9B,?,?,?), ref: 000B112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,000B0B9B,?,?,?), ref: 000B1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000B114D

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 74704115fbf5822271928b5a377c68dce279b8a135e5bf71b22e788175e2c2c6
Instruction ID: 0a386ee9c3afd987adcfa0f259bbe556ef578eb108f49b76f6506088dc53a558
Opcode Fuzzy Hash: 74704115fbf5822271928b5a377c68dce279b8a135e5bf71b22e788175e2c2c6
Instruction Fuzzy Hash: BA018175100205BFEB114F68DC89EAA3FAEEF86760B100419FA41D7350DB36DC018A60

Function 000B0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000B0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000B0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000B0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000B0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000B1002

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: cff16f91d38ff9b5c0c1e8b01b26021b347384a849f404618c6e6ad3fb65a593
Instruction ID: 8913ffcd434a5b83e4820d0f4a2940c62f9fd230bcea22342c42b165e22971b8
Opcode Fuzzy Hash: cff16f91d38ff9b5c0c1e8b01b26021b347384a849f404618c6e6ad3fb65a593
Instruction Fuzzy Hash: 81F0CD35200345EBFB211FA4DC8DF963BADEF8AB62F500415FE05EB250CA76DC418A60

Function 000B1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000B102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000B1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000B1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000B104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000B1062

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 314eebbda43e2e0008de062fdabcdc9c05cbf5f1108ead6179d7095b1739d6c7
Instruction ID: 8e8d02a908ef52d97ed8cc90ef0b756af3d8278a35375a70b64258c0bebbbfa5
Opcode Fuzzy Hash: 314eebbda43e2e0008de062fdabcdc9c05cbf5f1108ead6179d7095b1739d6c7
Instruction Fuzzy Hash: 09F0CD35200341EBFB212FA4EC98F963BADEF8AB61F100415FE05EB250CA76D8518A60

Function 000C030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,000C017D,?,000C32FC,?,00000001,00092592,?), ref: 000C0324
CloseHandle.KERNEL32(?,?,?,?,000C017D,?,000C32FC,?,00000001,00092592,?), ref: 000C0331
CloseHandle.KERNEL32(?,?,?,?,000C017D,?,000C32FC,?,00000001,00092592,?), ref: 000C033E
CloseHandle.KERNEL32(?,?,?,?,000C017D,?,000C32FC,?,00000001,00092592,?), ref: 000C034B
CloseHandle.KERNEL32(?,?,?,?,000C017D,?,000C32FC,?,00000001,00092592,?), ref: 000C0358
CloseHandle.KERNEL32(?,?,?,?,000C017D,?,000C32FC,?,00000001,00092592,?), ref: 000C0365

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: cb61b31bb5f58dd57dfc411e1780113b22dab27383e6cb5609b446ed27576052
Instruction ID: 2a430481e3adfddb143f8f32f62144eeca285a0f1861cc7de61ace82c738338f
Opcode Fuzzy Hash: cb61b31bb5f58dd57dfc411e1780113b22dab27383e6cb5609b446ed27576052
Instruction Fuzzy Hash: 3D01AE72800B95DFCB30AF66D88091AFBF9BF603153158A3FD19652931C3B1AA59CF80

Function 0008D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0008D752

Part of subcall function 000829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0008D7D1,00000000,00000000,00000000,00000000,?,0008D7F8,00000000,00000007,00000000,?,0008DBF5,00000000), ref: 000829DE
Part of subcall function 000829C8: GetLastError.KERNEL32(00000000,?,0008D7D1,00000000,00000000,00000000,00000000,?,0008D7F8,00000000,00000007,00000000,?,0008DBF5,00000000,00000000), ref: 000829F0

_free.LIBCMT ref: 0008D764
_free.LIBCMT ref: 0008D776
_free.LIBCMT ref: 0008D788
_free.LIBCMT ref: 0008D79A

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6726aa01d10b8270b7727ac192993d80d2788da65eccafc9412d630503b95b08
Instruction ID: 4af9e0e578684ecf51a067b625b8193027bb302a10279eab5b0722c10ec646e5
Opcode Fuzzy Hash: 6726aa01d10b8270b7727ac192993d80d2788da65eccafc9412d630503b95b08
Instruction Fuzzy Hash: A6F09632548218AB8665FB68FAC5C9A77EEBB043107954D06F0C8D7942D734FCC087A4

Function 000B5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 000B5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 000B5C6F
MessageBeep.USER32(00000000), ref: 000B5C87
KillTimer.USER32(?,0000040A), ref: 000B5CA3
EndDialog.USER32(?,00000001), ref: 000B5CBD

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 66de7cb386f8aeeae8e07aac8ea2932bd9e2c774c82d15e58620614cd5fe5936
Instruction ID: 9b3f7db49d9cea9ea598ef243e6ae8e78e84cc8c53191bbae2740257cf7ecdc6
Opcode Fuzzy Hash: 66de7cb386f8aeeae8e07aac8ea2932bd9e2c774c82d15e58620614cd5fe5936
Instruction Fuzzy Hash: 71018130500B44AFFB305B10DD8EFE67BB9FB00B06F040599A587B50E1DBF5A9898A90

Function 000822A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000822BE

Part of subcall function 000829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0008D7D1,00000000,00000000,00000000,00000000,?,0008D7F8,00000000,00000007,00000000,?,0008DBF5,00000000), ref: 000829DE
Part of subcall function 000829C8: GetLastError.KERNEL32(00000000,?,0008D7D1,00000000,00000000,00000000,00000000,?,0008D7F8,00000000,00000007,00000000,?,0008DBF5,00000000,00000000), ref: 000829F0

_free.LIBCMT ref: 000822D0
_free.LIBCMT ref: 000822E3
_free.LIBCMT ref: 000822F4
_free.LIBCMT ref: 00082305

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e90afa3cd56dc9f03051bfb16f31806c29a394dfa783ce29761f43cf8df38679
Instruction ID: 4356cbc58ef33be9c2118452362c12f1995dc9e4f518df156bd9102bc60cc862
Opcode Fuzzy Hash: e90afa3cd56dc9f03051bfb16f31806c29a394dfa783ce29761f43cf8df38679
Instruction Fuzzy Hash: 4FF03A70880120BB8727BF54BD4188C3BA4B72CB60712060AF490D2AB2C73418E3AFE4

Function 000695C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 000695D4
StrokeAndFillPath.GDI32(?,?,000A71F7,00000000,?,?,?), ref: 000695F0
SelectObject.GDI32(?,00000000), ref: 00069603
DeleteObject.GDI32 ref: 00069616
StrokePath.GDI32(?), ref: 00069631

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 418d8df43bc97d17184ca25517806966d2389045331c303b7ddfc57ee46792c1
Instruction ID: 31dbe59e3847b5c723418fc0ae84e5daff6beb38ac9f9f55d0bebdc96ba60106
Opcode Fuzzy Hash: 418d8df43bc97d17184ca25517806966d2389045331c303b7ddfc57ee46792c1
Instruction Fuzzy Hash: 57F0C931005788FFEB269F65ED58B643BA6AB11726F048214F465698F0C73589E7DF20

Function 00080F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 000810F9
__freea.LIBCMT ref: 00081117

Part of subcall function 00081537: _free.LIBCMT ref: 0008154F

Strings

am/pm, xrefs: 0008117A
a/p, xrefs: 000811DE

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: a8696d61f8f89bb2cb22da553387be470d2327c49e6f9ce266564499463362ab
Instruction ID: 6f85077d25809e1050e8cdace32de4c98a57b555a25ce395914fa2d85f214afb
Opcode Fuzzy Hash: a8696d61f8f89bb2cb22da553387be470d2327c49e6f9ce266564499463362ab
Instruction Fuzzy Hash: C8D12671900206DACB74BF68C845BFEBBF9FF06700F244129E9819B691D7759E82CB91

Function 000B2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000BB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000B21D0,?,?,00000034,00000800,?,00000034), ref: 000BB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 000B2760

Part of subcall function 000BB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000B21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 000BB3F8

Part of subcall function 000BB32A: GetWindowThreadProcessId.USER32(?,?), ref: 000BB355
Part of subcall function 000BB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,000B2194,00000034,?,?,00001004,00000000,00000000), ref: 000BB365
Part of subcall function 000BB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,000B2194,00000034,?,?,00001004,00000000,00000000), ref: 000BB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000B27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000B281A

Strings

@, xrefs: 000B2832

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 4e7c62adf4d05b77afb916a121134d6a4b7a51a19a018b7eb4acbdacf843eab9
Instruction ID: 09326e79c439b177bdf733a60e1ffe5b582401ca3f6e484572ceda816553ea1a
Opcode Fuzzy Hash: 4e7c62adf4d05b77afb916a121134d6a4b7a51a19a018b7eb4acbdacf843eab9
Instruction Fuzzy Hash: BE412972900218AFDB10DFA4CD86EEEBBB8EF09700F104099FA55B7181DB716E45CBA1

Function 0008172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00081769
_free.LIBCMT ref: 00081834
_free.LIBCMT ref: 0008183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00081760, 00081767, 00081796, 000817CE

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3417719964
Opcode ID: 7a44c2eef8b690fff935296c67ef86da591886d5866ab0e2acbd9a1633370e3e
Instruction ID: e6ea8e53e7b2c444a1cc51dc66b956f99ea83eb5ec6af85ae23b3032673d29bf
Opcode Fuzzy Hash: 7a44c2eef8b690fff935296c67ef86da591886d5866ab0e2acbd9a1633370e3e
Instruction Fuzzy Hash: 4B316275A04218FBDB21EB999885DDEBBFCFF95710B2441AAF44497212DA704E82CB90

Function 000BC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 000BC306
DeleteMenu.USER32(?,00000007,00000000), ref: 000BC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00121990,00C868E8), ref: 000BC395

Strings

0, xrefs: 000BC2DF

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 6b340a0bd2f23fa13d0c2fe7f503ac21ddd72c39971363bb0a267c35cf2cef98
Instruction ID: f95cd78f96419152fca64ef1700d3957520fdd21194ebae14e4be01a5928d3eb
Opcode Fuzzy Hash: 6b340a0bd2f23fa13d0c2fe7f503ac21ddd72c39971363bb0a267c35cf2cef98
Instruction Fuzzy Hash: 8E41A0712043419FE720DF24D884FAABBE4EF85710F04861EF8A5972D2D770AA04CB62

Function 000E4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,000ECC08,00000000,?,?,?,?), ref: 000E44AA
GetWindowLongW.USER32 ref: 000E44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 000E44D7

Strings

SysTreeView32, xrefs: 000E447C

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: e2a6877fa00ce8559ab20d5ef2619c1c47c88df1059b7fb48ddccc403d59532c
Instruction ID: 5399ce5c10454b4c1cf33b141ad6e2d4dd651fe3816dceb94b3b2bca70876a22
Opcode Fuzzy Hash: e2a6877fa00ce8559ab20d5ef2619c1c47c88df1059b7fb48ddccc403d59532c
Instruction Fuzzy Hash: 5C31AD72200685AFEB608E39DC45BEB77A9EB08334F204325F975A21E1D775EC519750

Function 000D304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000D335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,000D3077,?,?), ref: 000D3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 000D307A
_wcslen.LIBCMT ref: 000D309B
htons.WSOCK32(00000000,?,?,00000000), ref: 000D3106

Strings

255.255.255.255, xrefs: 000D3095, 000D309A

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: c74718db37dac24ab3d2d8b41c224f455dbf0da38b61a298f8463939e43074fe
Instruction ID: 5d35f7a7d1320e7e9e817e0b3dda2575471ac39e0249af6d116c24349b173646
Opcode Fuzzy Hash: c74718db37dac24ab3d2d8b41c224f455dbf0da38b61a298f8463939e43074fe
Instruction Fuzzy Hash: D931D539600302DFD720CF68C595EAA7BE0EF14314F24815AE9159B392DB72DE45C772

Function 000E3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 000E3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 000E3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 000E3F78

Strings

SysMonthCal32, xrefs: 000E3F0B

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: c236bdd4909d1ec0dc070eaee69a6d405ce526728966991a287e32d7f4ffa69c
Instruction ID: be454437982f7271a825dd0fd59b39690266d22a1ab012724c65837464ab928a
Opcode Fuzzy Hash: c236bdd4909d1ec0dc070eaee69a6d405ce526728966991a287e32d7f4ffa69c
Instruction Fuzzy Hash: EE218D32600259BFEF258E51CC86FEA3BB9EF48714F110224FA15BB1D0D6B5AD518B90

Function 000E4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 000E4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 000E4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 000E471A

Strings

msctls_updown32, xrefs: 000E4684

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 2ae52696702bfffa8b9f6e2b9d292d66a19273fedc9718d3ccde9b01e68cf46f
Instruction ID: 1ed5e56f732817a11d353c0b48ab842050e3d230d36ce9a09fcb839e2a9145bc
Opcode Fuzzy Hash: 2ae52696702bfffa8b9f6e2b9d292d66a19273fedc9718d3ccde9b01e68cf46f
Instruction Fuzzy Hash: CF2162B5605245BFEB10DF65DCC1DA737EDEB5A354B040059F900AB361C771EC52CAA0

Function 000B95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000B961D

Strings

#notrayicon, xrefs: 000B95B7
#OnAutoItStartRegister, xrefs: 000B95F3
#requireadmin, xrefs: 000B95D9

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 2865f37a82e4a87906e85fbae781b4388946cb085b37215ac46ac3e055188460
Instruction ID: 900f6c4e1f7d94dc1582ec5908838def46a87b6cf8e4f1d6271d5c7b85d17fde
Opcode Fuzzy Hash: 2865f37a82e4a87906e85fbae781b4388946cb085b37215ac46ac3e055188460
Instruction Fuzzy Hash: 7521577264461166C331AB25AC02FFB73D8EFA1300F148026FB4D9B082EBA5AD45C395

Function 000E37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 000E3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 000E3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 000E3876

Strings

Listbox, xrefs: 000E380F

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: fbc6a6fe6f605b4febd10333f340413b914e24a6da5c2ba2aaea6f88a2f2d740
Instruction ID: c65d7dbe23ae512c6dec3c4d92fe771b28597a84c2a10d8807f88a37e0ab4a01
Opcode Fuzzy Hash: fbc6a6fe6f605b4febd10333f340413b914e24a6da5c2ba2aaea6f88a2f2d740
Instruction Fuzzy Hash: 832183726142587FEB218F55CC85FAB3BAEEF89750F108124F944AB190CA71DC528790

Function 000C49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000C4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 000C4A5C
SetErrorMode.KERNEL32(00000000,?,?,000ECC08), ref: 000C4AD0

Strings

%lu, xrefs: 000C4A6F

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 8df988f37e517b372a451a3c029e2e06ab1444dc4068f1072af993826052b411
Instruction ID: 5306b684f486dbaacb4208cd7eae5e5ae66ba2a7a18dafd9e28812e74b1df4ce
Opcode Fuzzy Hash: 8df988f37e517b372a451a3c029e2e06ab1444dc4068f1072af993826052b411
Instruction Fuzzy Hash: 71312D75A00109AFDB10DF54C895EAE7BE8EF05304F1440A9E909DB252D775ED46CB61

Function 000E41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 000E424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 000E4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 000E4271

Strings

msctls_trackbar32, xrefs: 000E4226

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 3b9e5e2d18dc762bd14e00b1cb61298322f7f776f371725bb7ff7c3219ba4ce5
Instruction ID: b272306b658537916042ce35ac7a248c23006c33e7d9599ee82ad23ca25b861a
Opcode Fuzzy Hash: 3b9e5e2d18dc762bd14e00b1cb61298322f7f776f371725bb7ff7c3219ba4ce5
Instruction Fuzzy Hash: A111A331240288BEEF205E69CC46FAB3BACEF95B64F114528FA55F60A0D671D8619B10

Function 000B2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00056B57: _wcslen.LIBCMT ref: 00056B6A

Part of subcall function 000B2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 000B2DC5
Part of subcall function 000B2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 000B2DD6
Part of subcall function 000B2DA7: GetCurrentThreadId.KERNEL32 ref: 000B2DDD
Part of subcall function 000B2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 000B2DE4

GetFocus.USER32 ref: 000B2F78

Part of subcall function 000B2DEE: GetParent.USER32(00000000), ref: 000B2DF9

GetClassNameW.USER32(?,?,00000100), ref: 000B2FC3
EnumChildWindows.USER32(?,000B303B), ref: 000B2FEB

Strings

%s%d, xrefs: 000B2FFF

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: f6c82145d8aea65652c6738df66d87c3bc551682cd410c8a9788c192972f5c7c
Instruction ID: a5ab13b3440b6f3865441148286dc3f17a2e94225d77d5005a5c40acc07049eb
Opcode Fuzzy Hash: f6c82145d8aea65652c6738df66d87c3bc551682cd410c8a9788c192972f5c7c
Instruction Fuzzy Hash: D211B471600205ABEF547F708CD5EEE376AAF94304F144075FE09AB153DF75994A8B60

Function 000E5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 000E58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 000E58EE
DrawMenuBar.USER32(?), ref: 000E58FD

Strings

0, xrefs: 000E588F

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 7b22d95512ddc30f5c2bf3fcaeadfd2998c6f6d266683f2d7c9b02e82271a566
Instruction ID: 6cd6c9878cf35d9516be842da52b585154bd2ea5de08ab8b9a57b83c7ff352d0
Opcode Fuzzy Hash: 7b22d95512ddc30f5c2bf3fcaeadfd2998c6f6d266683f2d7c9b02e82271a566
Instruction Fuzzy Hash: 9001A131500249EFEB209F12DC44BEFBBB5FB45765F008499E849EA152DB318A80DF20

Function 000AD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 000AD3BF
FreeLibrary.KERNEL32 ref: 000AD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 000AD3B9
X64, xrefs: 000AD2A8

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 0cbb389b2c25bc027628e596ac982c9d38c1f7d18f8ed992a5ec407e281b1280
Instruction ID: 1ffab8dc4a7fe2e9fbf9f6768d9976c9046ab0433399afcbf4c6bb619c4f0f9d
Opcode Fuzzy Hash: 0cbb389b2c25bc027628e596ac982c9d38c1f7d18f8ed992a5ec407e281b1280
Instruction Fuzzy Hash: 25F055228026219BFBB152A08C64FAD3360BF23B01F54419BF403F5909D728CE44C382

Function 000B007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882e6a13bd4c15073f747f99cb412e20d2d9a9a14d8c45fd979518443193ba89
Instruction ID: a322d3170781034e32a17ca2e1d56831b6162ed0a78f55c98d224687c3dabf9d
Opcode Fuzzy Hash: 882e6a13bd4c15073f747f99cb412e20d2d9a9a14d8c45fd979518443193ba89
Instruction Fuzzy Hash: D1C12B75A0021AEFDB14CFA8C898EAEB7B9FF48704F148598E505EB251D731EE41CB90

Function 000D342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000D3459
CoUninitialize.OLE32 ref: 000D3463
VariantInit.OLEAUT32(?), ref: 000D346E
VariantClear.OLEAUT32(?), ref: 000D371B

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 56492e77d85ed65caf05a8a4bc409bfab014cc8f6011116ec14d293be073830b
Instruction ID: 5da11b93cbf70b653de2989c78a9e857b31985ace8a88738ab32a58ad487737b
Opcode Fuzzy Hash: 56492e77d85ed65caf05a8a4bc409bfab014cc8f6011116ec14d293be073830b
Instruction Fuzzy Hash: D3A169752047009FD710DF28D485A6AB7E5FF88714F04885AF98A9B362DB71EE05CBA2

Function 000B0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,000EFC08,?), ref: 000B05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,000EFC08,?), ref: 000B0608
CLSIDFromProgID.OLE32(?,?,00000000,000ECC40,000000FF,?,00000000,00000800,00000000,?,000EFC08,?), ref: 000B062D
_memcmp.LIBVCRUNTIME ref: 000B064E

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 15de2a42d6ce49c58e3bd6391770c18130760d955153d436bfe649186e9573f8
Instruction ID: da80f820dae67ef839a5c97a44ecdc121b8cf7bddbed3d50dc1f08480f6204c6
Opcode Fuzzy Hash: 15de2a42d6ce49c58e3bd6391770c18130760d955153d436bfe649186e9573f8
Instruction Fuzzy Hash: 8B810B71A00109EFDB14DF98C984EEFB7B9FF89315F204558E516AB250DB71AE06CB60

Function 00091391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000914C0

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6f76715c3abfef79ad1371b61f8ac9978e48109d1eb5c7f9605feae198fadfa5
Instruction ID: d8231360871c3ff0969d2e2a661b6d2675ab465202f2bbadef79d646e183ce6c
Opcode Fuzzy Hash: 6f76715c3abfef79ad1371b61f8ac9978e48109d1eb5c7f9605feae198fadfa5
Instruction Fuzzy Hash: E4411835B00503ABDF217BF99C45AFE3AE4EF49370F254225F419D6193E6388942A762

Function 000E6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 000E62E2
ScreenToClient.USER32(?,?), ref: 000E6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 000E6382

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 82fb76280dbc65d89b67902fe97f41db6c5ec8d1751d0dbfff674d172737f44b
Instruction ID: 1edf1b860aec9a039837a30dbf28fe376b1abbcf9743cc2e31ba7520f0e0f53f
Opcode Fuzzy Hash: 82fb76280dbc65d89b67902fe97f41db6c5ec8d1751d0dbfff674d172737f44b
Instruction Fuzzy Hash: A7514D70A00245AFDF20DF65E8809AE7BF6FB653A0F108159F915AB291D732EE81CB50

Function 000D1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 000D1AFD
WSAGetLastError.WSOCK32 ref: 000D1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 000D1B8A
WSAGetLastError.WSOCK32 ref: 000D1B94

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 368d95aa614c3469efe803b127ef2d68143eb964d06de835c1e58a1aebf47680
Instruction ID: 0b37c530b330ba32f5478876c17eea930259c9e80bcdcf711ab46c5a7a113c1d
Opcode Fuzzy Hash: 368d95aa614c3469efe803b127ef2d68143eb964d06de835c1e58a1aebf47680
Instruction Fuzzy Hash: 33418274640300AFE720AF24C886FAA77E5AB44718F548459F95A9F3D3DB72ED42CB90

Function 0008B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb009b459d9c7a0458b072a617995dd7344b6a350f8c6cae2b952b7c1c588d7
Instruction ID: 5d7475d6bbc74772611ae398375d6ccf73d7230929986d2145d74ff242a92f51
Opcode Fuzzy Hash: 5fb009b459d9c7a0458b072a617995dd7344b6a350f8c6cae2b952b7c1c588d7
Instruction Fuzzy Hash: A641F575A00704AFD724AF38CC42BAEBBE9FF88710F10852AF586DB693D77199018790

Function 000C56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 000C5783
GetLastError.KERNEL32(?,00000000), ref: 000C57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 000C57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 000C57FA

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 2a34a45d710fc0d0d96d7343a6667410a2dc3310bee0a8236d398b841be9219a
Instruction ID: e3d71515f196b1086a7234af4c5db15ada90f4f86fe3f823aa73826c456d7e71
Opcode Fuzzy Hash: 2a34a45d710fc0d0d96d7343a6667410a2dc3310bee0a8236d398b841be9219a
Instruction Fuzzy Hash: 67415E39600A10DFCB10DF15D444A5EBBE1EF89721B198488EC4A6F362DB74FD45DB91

Function 0008D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00076D71,00000000,00000000,000782D9,?,000782D9,?,00000001,00076D71,8BE85006,00000001,000782D9,000782D9), ref: 0008D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0008D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0008D9AB
__freea.LIBCMT ref: 0008D9B4

Part of subcall function 00083820: RtlAllocateHeap.NTDLL(00000000,?,00121444,?,0006FDF5,?,?,0005A976,00000010,00121440,000513FC,?,000513C6,?,00051129), ref: 00083852

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: c47bc0575ea10d151a324430bec3cd068750a0f370a0f1736a3d12e6ca3e6199
Instruction ID: 157f99489a7dd40042434eae8f81fb2316cc1a9678db8850981775516d9ce54c
Opcode Fuzzy Hash: c47bc0575ea10d151a324430bec3cd068750a0f370a0f1736a3d12e6ca3e6199
Instruction Fuzzy Hash: FA31D272A0021AABDF25AF65DC41EEE7BA5EB41710F05426AFC88D7191EB35CD50CB90

Function 000E52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 000E5352
GetWindowLongW.USER32(?,000000F0), ref: 000E5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 000E5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000E53A8

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 4768d9f1bf77976e126c67c0e6bad3f90f0f89bbe85bb7c3741cbc55d6817024
Instruction ID: 322a49d296c30541020272135c1e56cb48f0ffd6c1c62f433f50fa1baf27c75f
Opcode Fuzzy Hash: 4768d9f1bf77976e126c67c0e6bad3f90f0f89bbe85bb7c3741cbc55d6817024
Instruction Fuzzy Hash: E6310634A55A88FFFB709B36CC45FE977A2AB0439AF544801FA10B61E1C3B09F809741

Function 000BAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 000BABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 000BAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 000BAC74
SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 000BACC6

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 44befcfe1ea43d1cfbe32516151ba22a4bfba1ea5af50bc8397d96d036496968
Instruction ID: d0c24eb1211392cfb7188ac90dbc19fec1d60ca7a79917eb9679a68d2976d01f
Opcode Fuzzy Hash: 44befcfe1ea43d1cfbe32516151ba22a4bfba1ea5af50bc8397d96d036496968
Instruction Fuzzy Hash: 16310630B007586FFF35CB658C45BFE7FE5AB8A320F04421AE495962D2D3798D8587A2

Function 000E7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 000E769A
GetWindowRect.USER32(?,?), ref: 000E7710
PtInRect.USER32(?,?,000E8B89), ref: 000E7720
MessageBeep.USER32(00000000), ref: 000E778C

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f85bdfc46df6904ed579c114ec66da3836563decd4f22ed00599dc1db3f4a20e
Instruction ID: c794291e44a89f64f1142178bf0b42c3ff410d60222a9ff4ac4e182e2ed92e55
Opcode Fuzzy Hash: f85bdfc46df6904ed579c114ec66da3836563decd4f22ed00599dc1db3f4a20e
Instruction Fuzzy Hash: 1441BF34609294EFDB11CF5AC894EA9B7F4FF49704F1540A8E898AB261C331E982CF90

Function 000E16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 000E16EB

Part of subcall function 000B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000B3A57
Part of subcall function 000B3A3D: GetCurrentThreadId.KERNEL32 ref: 000B3A5E
Part of subcall function 000B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000B25B3), ref: 000B3A65

GetCaretPos.USER32(?), ref: 000E16FF
ClientToScreen.USER32(00000000,?), ref: 000E174C
GetForegroundWindow.USER32 ref: 000E1752

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 238408288865e5a262349f0d3b1f61d2abe57a265a90de6cd3d642b662950d9c
Instruction ID: 2681f98a9594d8c277ef1d06663b33ad6e5f3136ecafbd3613b9e2ab374a7008
Opcode Fuzzy Hash: 238408288865e5a262349f0d3b1f61d2abe57a265a90de6cd3d642b662950d9c
Instruction Fuzzy Hash: 5C314F71D00249AFDB04EFAAC881CEFBBF9EF48304B5080A9E455E7252D7319E45CBA1

Function 000BD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000BD501
Process32FirstW.KERNEL32(00000000,?), ref: 000BD50F
Process32NextW.KERNEL32(00000000,?), ref: 000BD52F
CloseHandle.KERNEL32(00000000), ref: 000BD5DC

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 8f992a9bd09f90b07e9e1af9c15969a533ee2066cc6db20cc1dafd456c90bee9
Instruction ID: f1f158f6a7e5b81b56238fb1899c6b92cf0a9f67348986a7fd6c99a65b24eca8
Opcode Fuzzy Hash: 8f992a9bd09f90b07e9e1af9c15969a533ee2066cc6db20cc1dafd456c90bee9
Instruction Fuzzy Hash: C43181711083409FE310EF54C881EEFBBE8EF99354F54092DF981971A2EB719949CB92

Function 000E8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00069BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00069BB2

GetCursorPos.USER32(?), ref: 000E9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,000A7711,?,?,?,?,?), ref: 000E9016
GetCursorPos.USER32(?), ref: 000E905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,000A7711,?,?,?), ref: 000E9094

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 144c3d3d66d76eda147f7678a79fb3e3c0d2eddf2ced393bd82feb251fd51b9c
Instruction ID: dc73d3f024bdae6f8911fd41f540b5e6f58d8768e979fa51aaadb0a47603307d
Opcode Fuzzy Hash: 144c3d3d66d76eda147f7678a79fb3e3c0d2eddf2ced393bd82feb251fd51b9c
Instruction Fuzzy Hash: 2421EF32200158FFDB298F95C898EEA7BF9EB89710F400055F905AB261C3319A91DB60

Function 000BD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,000ECB68), ref: 000BD2FB
GetLastError.KERNEL32 ref: 000BD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 000BD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,000ECB68), ref: 000BD376

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 465421163af9c538ffe48f732778d8a5e56c70e0bcd22bee8b9b7ef25a5c560d
Instruction ID: c4eab1e31db72187ab9bf7cb8f53a42d94a108037f4e1a3243f91d9804a512e8
Opcode Fuzzy Hash: 465421163af9c538ffe48f732778d8a5e56c70e0bcd22bee8b9b7ef25a5c560d
Instruction Fuzzy Hash: 292182705042019F9310DF24C8818EEB7E4AF55B54F504A1EF895D72A2E7319A4ACB93

Function 000B1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000B102A
Part of subcall function 000B1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000B1036
Part of subcall function 000B1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000B1045
Part of subcall function 000B1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000B104C
Part of subcall function 000B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000B1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 000B15BE
_memcmp.LIBVCRUNTIME ref: 000B15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000B1617
HeapFree.KERNEL32(00000000), ref: 000B161E

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 175127de4d5e7b3c6e07222e6b5cfd556395c733b50c939f5b22c5f427c7bb09
Instruction ID: caf0534042415df7831e7c497ebba385c658e6e7be3ae72c1f2fc2b164c1571d
Opcode Fuzzy Hash: 175127de4d5e7b3c6e07222e6b5cfd556395c733b50c939f5b22c5f427c7bb09
Instruction Fuzzy Hash: 9E217832E00208EFEB10DFA4C959BEEB7F8EF45344F488459E441AB241E775AA05CBA0

Function 000E2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 000E280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 000E2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 000E2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 000E2840

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: f194a6e27fe887490c705bb8ef243678805644ce26739856919bc1102d8bddf7
Instruction ID: 35a87bb4544f203f693e9861b3e149812a70e18eb6942f16c1958b07d680ae5c
Opcode Fuzzy Hash: f194a6e27fe887490c705bb8ef243678805644ce26739856919bc1102d8bddf7
Instruction Fuzzy Hash: 0D213631209591AFE714DB25CC45FAA7799AF45324F148158F8269B2E2CB75FC82C790

Function 000B78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000B8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,000B790A,?,000000FF,?,000B8754,00000000,?,0000001C,?,?), ref: 000B8D8C
Part of subcall function 000B8D7D: lstrcpyW.KERNEL32(00000000,?,?,000B790A,?,000000FF,?,000B8754,00000000,?,0000001C,?,?,00000000), ref: 000B8DB2
Part of subcall function 000B8D7D: lstrcmpiW.KERNEL32(00000000,?,000B790A,?,000000FF,?,000B8754,00000000,?,0000001C,?,?), ref: 000B8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,000B8754,00000000,?,0000001C,?,?,00000000), ref: 000B7923
lstrcpyW.KERNEL32(00000000,?,?,000B8754,00000000,?,0000001C,?,?,00000000), ref: 000B7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,000B8754,00000000,?,0000001C,?,?,00000000), ref: 000B7984

Strings

cdecl, xrefs: 000B797B

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: f32ab44a5320864897434091bd7319fc9d78d3b10a33ae48d29ba3563fbacdfc
Instruction ID: 355aa3d5218e4b60bcc12465747593be0d83b746d1d92bdbe19eff21257c9b17
Opcode Fuzzy Hash: f32ab44a5320864897434091bd7319fc9d78d3b10a33ae48d29ba3563fbacdfc
Instruction Fuzzy Hash: 1211D33A201242ABDB259F34D845DBA77E9FF85750B50802AF946CB2A5EB329C11C7A1

Function 000E7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 000E7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 000E7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 000E7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,000CB7AD,00000000), ref: 000E7D6B

Part of subcall function 00069BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00069BB2

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 6c9d2647c5f36090ec67735424a1d0062e61081bfbe65ed66047fdaf96644475
Instruction ID: d43fcd9a15a15948918555e939dbdb5b1e8d1e0727cc7b404401cfd94f8a74fb
Opcode Fuzzy Hash: 6c9d2647c5f36090ec67735424a1d0062e61081bfbe65ed66047fdaf96644475
Instruction Fuzzy Hash: E211C032108694AFDB108F29CC44EBA3BA5EF45360B154329F839EB2F0E7318DA1CB40

Function 000E5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 000E56BB
_wcslen.LIBCMT ref: 000E56CD
_wcslen.LIBCMT ref: 000E56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 000E5816

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: bf3fba1983a6e66100b9ad453b5477a16473cb592401bcf3a6e9fc70937fa81d
Instruction ID: 00b620441445c75bb4486e62082501a11466d42206836e6ce15cd04e8310246d
Opcode Fuzzy Hash: bf3fba1983a6e66100b9ad453b5477a16473cb592401bcf3a6e9fc70937fa81d
Instruction Fuzzy Hash: BE11B771A00699AADB20DF628C85AEE77ACEF50769F104826F915F6082D7748581CB64

Function 00081D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7476e49d06f331b5c8244747d9809d7b1c050dd8be3df2a94f41622f4810e0a
Instruction ID: c209d8428699629f028b5b5c1a840409560ca129b28cf27d07fd78938cc94d9d
Opcode Fuzzy Hash: d7476e49d06f331b5c8244747d9809d7b1c050dd8be3df2a94f41622f4810e0a
Instruction Fuzzy Hash: 4201A2B22067167EF66136786CC0FA7665DFF417B8B310725F5A1A11D2DB658C424360

Function 000B1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 000B1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000B1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000B1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000B1A8A

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 68a99c453e33f2d8c576d1115bf6a51ebe4fa48afa94676455ccfc9d3f26c9ed
Instruction ID: 4190e3345cba4979926946c029ad90d2b0b8667bed33f19f7affc27d94b28743
Opcode Fuzzy Hash: 68a99c453e33f2d8c576d1115bf6a51ebe4fa48afa94676455ccfc9d3f26c9ed
Instruction Fuzzy Hash: F211F73A901219FFEB119BA5C985FEDBBB8EB08750F600091EA04B7290D6716E51DB94

Function 000BE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000BE1FD
MessageBoxW.USER32(?,?,?,?), ref: 000BE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 000BE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 000BE24D

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: d52dceea52c0ada2a2943fb51067ffbd8e54e9471b7649e0601ec4ac18cf8e5f
Instruction ID: 002e96499ab1dc3db5d6429c7b71e7900972aed16177b067fe0cc84919f4dc28
Opcode Fuzzy Hash: d52dceea52c0ada2a2943fb51067ffbd8e54e9471b7649e0601ec4ac18cf8e5f
Instruction Fuzzy Hash: D0114472D04284BFE710DBA8EC49EDE3FEEAB41720F004259F924E3281C2B5CD0187A0

Function 0007D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0007CFF9,00000000,00000004,00000000), ref: 0007D218
GetLastError.KERNEL32 ref: 0007D224
__dosmaperr.LIBCMT ref: 0007D22B
ResumeThread.KERNEL32(00000000), ref: 0007D249

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 9d225ffb71446955748e2b0ff6891c1ed6c22509b30232372dd7500388114d2a
Instruction ID: 8f2d6f40012d8773838d005cadc225943b358f71875cf4b5bd621625137b3ae7
Opcode Fuzzy Hash: 9d225ffb71446955748e2b0ff6891c1ed6c22509b30232372dd7500388114d2a
Instruction Fuzzy Hash: F3012636C042047BE7205BA5DC05BAE3B78EF81730F20821AF928960D2CB798903C6A4

Function 000E9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00069BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00069BB2

GetClientRect.USER32(?,?), ref: 000E9F31
GetCursorPos.USER32(?), ref: 000E9F3B
ScreenToClient.USER32(?,?), ref: 000E9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 000E9F7A

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: b5e8233347ab5fa472b478c959f05bbcd9916a547caf479be0389a7c9fffbd5f
Instruction ID: 90f2348da681718ed0fe07fbdada31297bd1774e24cb05a2efa074f7678cd7d8
Opcode Fuzzy Hash: b5e8233347ab5fa472b478c959f05bbcd9916a547caf479be0389a7c9fffbd5f
Instruction Fuzzy Hash: B811257290029AAFEB10DF6AD885DEE77B9FB05711F000465F911F7152D334AA92CBA1

Function 0005600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0005604C
GetStockObject.GDI32(00000011), ref: 00056060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0005606A

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 6c75a5b8491a2dafd58fbd16ae41549976d7b2dd43a281d91b48854d1a85bf38
Instruction ID: c7a378cc60a2221e6fcc890726226deab65d806f4cefd17bf269223658faf2ae
Opcode Fuzzy Hash: 6c75a5b8491a2dafd58fbd16ae41549976d7b2dd43a281d91b48854d1a85bf38
Instruction Fuzzy Hash: 1D118E72101548BFEF224F94CC54EEB7BA9EF09765F401201FE0456060C737AC619B90

Function 00073B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00073B56

Part of subcall function 00073AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00073AD2
Part of subcall function 00073AA3: ___AdjustPointer.LIBCMT ref: 00073AED

_UnwindNestedFrames.LIBCMT ref: 00073B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00073B7C
CallCatchBlock.LIBVCRUNTIME ref: 00073BA4

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 9cd98ee3429d989623a8c2039eb270aeec20bda9d38235753d43e11fabe88267
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: AD014C32900148BBEF125E95CC46EEB7FADEF48754F048018FE5C56122C73AE961EBA5

Function 00083073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,000513C6,00000000,00000000,?,0008301A,000513C6,00000000,00000000,00000000,?,0008328B,00000006,FlsSetValue), ref: 000830A5
GetLastError.KERNEL32(?,0008301A,000513C6,00000000,00000000,00000000,?,0008328B,00000006,FlsSetValue,000F2290,FlsSetValue,00000000,00000364,?,00082E46), ref: 000830B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0008301A,000513C6,00000000,00000000,00000000,?,0008328B,00000006,FlsSetValue,000F2290,FlsSetValue,00000000), ref: 000830BF

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 14e0ce6c77789ae98c35dde2a0660443411bb084152418c05f7eb90f2f748404
Instruction ID: 0e397e1ff94b23a1ad566173519acf4e2bc887a0480e07f847dfdbdd3151243d
Opcode Fuzzy Hash: 14e0ce6c77789ae98c35dde2a0660443411bb084152418c05f7eb90f2f748404
Instruction Fuzzy Hash: A501F732301322ABEB315BB99C94E677BD8BF85F61B100724F945E7140C726DA02CBE0

Function 000B7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 000B747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 000B7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 000B74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 000B74CA

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: c792ff534daf3feec149453f970ab2807c59a1ed99b97f91d739c6405fa56c5a
Instruction ID: feca6fec4c05b11a5374eb2d68bb9bf7c1d8c28681f3ed80902f138df6eb0ade
Opcode Fuzzy Hash: c792ff534daf3feec149453f970ab2807c59a1ed99b97f91d739c6405fa56c5a
Instruction Fuzzy Hash: 0411ADB1205314ABF7308F14DC48FD67BFCEB80B01F108569EA2AEA191D7B5E904DB60

Function 000BB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,000BACD3,?,00008000), ref: 000BB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,000BACD3,?,00008000), ref: 000BB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,000BACD3,?,00008000), ref: 000BB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,000BACD3,?,00008000), ref: 000BB126

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: b5327494b7fadcb0bf057d8e92d6785ec4fbd35d5bc3f408cca8459cceccf66d
Instruction ID: c152f74cf11892a58c54b6b2bcacd2dc723ff30be6b482261cb5cfa87af7d825
Opcode Fuzzy Hash: b5327494b7fadcb0bf057d8e92d6785ec4fbd35d5bc3f408cca8459cceccf66d
Instruction Fuzzy Hash: C411A131C0052CE7DF10AFE8D998AFEBB78FF0A710F004486D941B2141CBB486518B51

Function 000E7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 000E7E33
ScreenToClient.USER32(?,?), ref: 000E7E4B
ScreenToClient.USER32(?,?), ref: 000E7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 000E7E8A

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 14d86914d71f89a3afcb24fdf95cf4a24037fa7cb687d0da5dc61957e441638e
Instruction ID: 50f5b117547fda0e64dbf5e4fcb423d39515106d4dcc3bd32f94f9ea8845922a
Opcode Fuzzy Hash: 14d86914d71f89a3afcb24fdf95cf4a24037fa7cb687d0da5dc61957e441638e
Instruction Fuzzy Hash: 651156B9D0424AAFEB41CF99D8849EEBBF5FF08310F505056E915E3210D735AA55CF50

Function 000B2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 000B2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 000B2DD6
GetCurrentThreadId.KERNEL32 ref: 000B2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 000B2DE4

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 724bac87f0d4ff5044a7c8eeeb32cdf5867e196e2d64ad06f6e57fcd1f019ef2
Instruction ID: b2ae277579b50e25b1f2c806473ed0d76af7df8aeead2b97a2d629f6c75ad095
Opcode Fuzzy Hash: 724bac87f0d4ff5044a7c8eeeb32cdf5867e196e2d64ad06f6e57fcd1f019ef2
Instruction Fuzzy Hash: 09E01272501224BBFB201B729C4DFEB7E6CEF57FA5F400159F505E90909AAAC942C6B1

Function 000E8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00069639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00069693
Part of subcall function 00069639: SelectObject.GDI32(?,00000000), ref: 000696A2
Part of subcall function 00069639: BeginPath.GDI32(?), ref: 000696B9
Part of subcall function 00069639: SelectObject.GDI32(?,00000000), ref: 000696E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 000E8887
LineTo.GDI32(?,?,?), ref: 000E8894
EndPath.GDI32(?), ref: 000E88A4
StrokePath.GDI32(?), ref: 000E88B2

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: f60fbafd654e7193bc2ac181ba62db034a52f59071fa7580d6cc9acfae6bb684
Instruction ID: 83a206bdfb061a448e6e0ab3f3ca90ac7a99abac07979985a72d61b2d251cbbe
Opcode Fuzzy Hash: f60fbafd654e7193bc2ac181ba62db034a52f59071fa7580d6cc9acfae6bb684
Instruction Fuzzy Hash: 92F03A36041298BAFF125F94AC09FCA3A59AF16714F048100FE11790E2CB7A5562CBA5

Function 000698B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 000698CC
SetTextColor.GDI32(?,?), ref: 000698D6
SetBkMode.GDI32(?,00000001), ref: 000698E9
GetStockObject.GDI32(00000005), ref: 000698F1

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 0dec6dec53d8222b345f8a69061fd2587ca5e489ca3cb8159c7e45347d4281b9
Instruction ID: 58be94930c594168d31f6ebfff2104443f2ce321d6e1016fb217146ec65fb33a
Opcode Fuzzy Hash: 0dec6dec53d8222b345f8a69061fd2587ca5e489ca3cb8159c7e45347d4281b9
Instruction Fuzzy Hash: AFE065312446C0AAFB215B78EC49FD83F51EB13735F04C259F6F9680E1C37646419B10

Function 000B162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000B1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,000B11D9), ref: 000B163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,000B11D9), ref: 000B1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,000B11D9), ref: 000B164F

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: ab18114308ebfd787cc1b8d20516b44a2227827c79013e44f14f089ad7f8e6dd
Instruction ID: 56b3979a8b8d76e4b8fdaeaecf24ae362de1c89d9aa54bfd5bd5b1f43f283fff
Opcode Fuzzy Hash: ab18114308ebfd787cc1b8d20516b44a2227827c79013e44f14f089ad7f8e6dd
Instruction Fuzzy Hash: 2AE08631601251EBF7601FB49D4DFC63BBDAF54B91F144808F645ED080D7394442C750

Function 000AD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000AD858
GetDC.USER32(00000000), ref: 000AD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000AD882
ReleaseDC.USER32(?), ref: 000AD8A3

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 99b937903226ad77415fbbbe3b656d3b3a469719b063ffbffb78b4b8f3a3aaea
Instruction ID: 418fd136f09de98db304ce697e2e2a40974af98b752db5b66b058446d39aaa10
Opcode Fuzzy Hash: 99b937903226ad77415fbbbe3b656d3b3a469719b063ffbffb78b4b8f3a3aaea
Instruction Fuzzy Hash: ABE01AB4800244DFFF519FE4D848A6EBBB2FB48711F208419E816FB250CB3D4902AF40

Function 000AD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000AD86C
GetDC.USER32(00000000), ref: 000AD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000AD882
ReleaseDC.USER32(?), ref: 000AD8A3

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 70a8ecc193fa8539b2c15bf23b79c6f2067f44baa3dcbaf3769988206d88fc35
Instruction ID: 0b0ed906bcef541a2e7f784c35bc6e78790a2c669cecb2ea033f473c057b2858
Opcode Fuzzy Hash: 70a8ecc193fa8539b2c15bf23b79c6f2067f44baa3dcbaf3769988206d88fc35
Instruction Fuzzy Hash: D9E01A74C00240DFEF509FA4D848A6EBBB1BB48711B108409E81AFB250C73D59029F40

Function 000C4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00057620: _wcslen.LIBCMT ref: 00057625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 000C4ED4

Strings

LPT, xrefs: 000C4DFB
*, xrefs: 000C4E10

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 0e3187b4bca55830502d1340bad38179c297b1c4b68a76f912618d6a1eb7f977
Instruction ID: 1c6a2a6395008987a8152d84086398b2804d6dc5dfd5c11d1084cabe96c06f5c
Opcode Fuzzy Hash: 0e3187b4bca55830502d1340bad38179c297b1c4b68a76f912618d6a1eb7f977
Instruction Fuzzy Hash: 5C912975A002049FDB14DF58C494FAEBBF1BB44304F1980ADE84A9B3A2D775ED86CB90

Function 0007E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0007E30D

Strings

pow, xrefs: 0007E2E5, 0007E302

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 48b62252b1d3fd2783f174e7c9c4d06475eaf8596d9fa581c35f8ede64cbbb4e
Instruction ID: 7b4fa03f995127fa07dbecffbc2ea49bc72599f82b9730a379ac68f48b1723c5
Opcode Fuzzy Hash: 48b62252b1d3fd2783f174e7c9c4d06475eaf8596d9fa581c35f8ede64cbbb4e
Instruction Fuzzy Hash: 63515961E0E24196DB657714C9053B93BE4BB58740F34C9E8E0DD432AEEB38CC959B4A

Function 0006E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0006E1B1

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: aeacaeda7c41c0c8cf410e5b0b7ec79f34fcf3f8a2ea36fe43502c99126bcb89
Instruction ID: bceb580252c9fe18eecd329c678abd77c3ee2864ed10fc09b3f3e8bf4b0e9b5d
Opcode Fuzzy Hash: aeacaeda7c41c0c8cf410e5b0b7ec79f34fcf3f8a2ea36fe43502c99126bcb89
Instruction Fuzzy Hash: A7514279908386DFDB64DFA8C491AFE7BE6EF16310F244015EC919B2C1DA349D46CBA0

Function 0006F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0006F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0006F2BB

Strings

@, xrefs: 0006F2AF

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 83d4327ab7f091aa1b005c76d537fe678030abc4ee1bd51a1f6bf6a70dc73d36
Instruction ID: ff7d9a05cf380d0df23ebbaf6c6a148957c3f595fcdb383341df6833b7d3bd79
Opcode Fuzzy Hash: 83d4327ab7f091aa1b005c76d537fe678030abc4ee1bd51a1f6bf6a70dc73d36
Instruction Fuzzy Hash: BB513771408744ABE320AF10EC86BAFBBF8FB84301F81885DF5D941196EB718569CB67

Function 000D5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 000D57E0
_wcslen.LIBCMT ref: 000D57EC

Strings

CALLARGARRAY, xrefs: 000D57E6, 000D57EB

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 22c6f24c427fdfb2012d63e11428e48f329ac7530c0516ae349a6b3270070edc
Instruction ID: 3c8fdc22072affdbd603becccc3daa56b903d3868012fd603a757c87604d4aed
Opcode Fuzzy Hash: 22c6f24c427fdfb2012d63e11428e48f329ac7530c0516ae349a6b3270070edc
Instruction Fuzzy Hash: BB41B031A006099FCB14DFA8C8818FEBBF5EF59311F20406AE905B7352EB359D81DBA0

Function 000CD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000CD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 000CD13A

Strings

|, xrefs: 000CD10B

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 1b030744940e188bcab51700301a31a194cd505238da1e30749994788dab5c54
Instruction ID: 97258c2726671b55f1df43c46b0ed2441dac10d3916b6c214c34beb24b4bbbf2
Opcode Fuzzy Hash: 1b030744940e188bcab51700301a31a194cd505238da1e30749994788dab5c54
Instruction Fuzzy Hash: 1D31F771D01209ABCF15EFA4CC85EEEBBB9FF04300F000029F819A6162DA31AA46CB60

Function 000E356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 000E3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 000E365C

Strings

static, xrefs: 000E35BC

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: bf76f2c39e4d433d829241059e162c4d1e3581aa5998ea92e42082ba939fe82a
Instruction ID: a72ec9b6ec1c1db6459ee5e2a7745571c9c46403dd9ac4f78298b4f4d320ffe0
Opcode Fuzzy Hash: bf76f2c39e4d433d829241059e162c4d1e3581aa5998ea92e42082ba939fe82a
Instruction Fuzzy Hash: E531BE71100644AEEB20DF39CC85EFB77A9FF88720F008619F8A5A7290DA31AD81C760

Function 000E4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 000E461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000E4634

Strings

', xrefs: 000E458E

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 0070a6444bd4c1d8bfae85185e4409fa91a59475b96860a81d00b3f775d5ed52
Instruction ID: bcc35b88e96da74c00def44d86487cebd7157c6a93bdeeaff773f52e1250aee5
Opcode Fuzzy Hash: 0070a6444bd4c1d8bfae85185e4409fa91a59475b96860a81d00b3f775d5ed52
Instruction Fuzzy Hash: 63312775A00649AFDF14CFAAC980BDABBF5FF49300F10416AE904AB382D771A941CF90

Function 000E31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 000E327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000E3287

Strings

Combobox, xrefs: 000E3249

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 49c075bba9cc0f7ed7672e1c8a806388af8ae4c5ceb64feff9ee24deb156fa03
Instruction ID: d98227896717de96ddff88ea001d9c656925aa0cdf5c65a5ad075c6e3785f3fd
Opcode Fuzzy Hash: 49c075bba9cc0f7ed7672e1c8a806388af8ae4c5ceb64feff9ee24deb156fa03
Instruction Fuzzy Hash: BF11E2713002487FFF659E55DC88EFB3BAAEB94364F104128FA58A7290D6319D518760

Function 000E3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0005600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0005604C
Part of subcall function 0005600E: GetStockObject.GDI32(00000011), ref: 00056060
Part of subcall function 0005600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0005606A

GetWindowRect.USER32(00000000,?), ref: 000E377A
GetSysColor.USER32(00000012), ref: 000E3794

Strings

static, xrefs: 000E3757

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: ca95f45d7c4dd734c6c8a73f297eab82e7d8610115626560a2ffabea9c3f1e93
Instruction ID: 837ed455d38b7ba2a9605085fe29e463e1af6423b301e4727348c2100aaf66d0
Opcode Fuzzy Hash: ca95f45d7c4dd734c6c8a73f297eab82e7d8610115626560a2ffabea9c3f1e93
Instruction Fuzzy Hash: AA1129B2610249AFEF10DFA8CC49EEA7BF8FB08314F004515F995E3250E735E9519B50

Function 000CCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 000CCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 000CCDA6

Strings

<local>, xrefs: 000CCD66

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d5ae384ef40eb7bcbb51c4e2f51d2b1b105386098b81bbf3d3b3f543856a8cb7
Instruction ID: ce415f0128c6713a22f9ecbe73a1b3af8ee1a6d43c55c8ec3bc64724cb046cd9
Opcode Fuzzy Hash: d5ae384ef40eb7bcbb51c4e2f51d2b1b105386098b81bbf3d3b3f543856a8cb7
Instruction Fuzzy Hash: 2B11E371605632BAE7784B66CC84FEBBEA8EB127A4F00422AF10E92080D3749841D6F0

Function 000E3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 000E34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 000E34BA

Strings

edit, xrefs: 000E348F

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: dbe08eef7613d305634030f34fe5b4e753ab6693ac9c29d1f11fc9aa933b4ed1
Instruction ID: cfecaa652ad47ce2e0c3e2f620876954a8a47cf8f0efa65863cbaa88ed07ce41
Opcode Fuzzy Hash: dbe08eef7613d305634030f34fe5b4e753ab6693ac9c29d1f11fc9aa933b4ed1
Instruction Fuzzy Hash: D311B2B1100144AFEB614E65DC88EEB3BA9EB05774F504324F960A71D0C732ED519750

Function 000B6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00059CB3: _wcslen.LIBCMT ref: 00059CBD

CharUpperBuffW.USER32(?,?,?), ref: 000B6CB6
_wcslen.LIBCMT ref: 000B6CC2

Strings

STOP, xrefs: 000B6CBC, 000B6CC1

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 9b0222324579e1b3fd5662b59ee94bc173bcb15474a203a9ef57848de7666736
Instruction ID: bb52b8ad918fa92a231837e8ddd8f4631ede0b64e4f8b0917e2a4c7d43e015bf
Opcode Fuzzy Hash: 9b0222324579e1b3fd5662b59ee94bc173bcb15474a203a9ef57848de7666736
Instruction Fuzzy Hash: A701C432A005268BCB209FBDDC919FF7BE6EB61710B500934E85296191EB3BDD44C650

Function 000B1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00059CB3: _wcslen.LIBCMT ref: 00059CBD

Part of subcall function 000B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000B3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 000B1D4C

Strings

ComboBox, xrefs: 000B1CEB
ListBox, xrefs: 000B1D16

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9666c3b2f7e63fb6b267c0726932d93c0af1a485b5e00c2170e4b08abd7238a1
Instruction ID: cfb6bffb549cca78f8022c7eda30747603ca866e13015aff61b17df98d9b4fb6
Opcode Fuzzy Hash: 9666c3b2f7e63fb6b267c0726932d93c0af1a485b5e00c2170e4b08abd7238a1
Instruction Fuzzy Hash: 2401D475601218EBCB18EBA4CC61CFF77A9EB46350B940A19FC22673C2EE31590C8760

Function 000B1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00059CB3: _wcslen.LIBCMT ref: 00059CBD

Part of subcall function 000B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000B3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 000B1C46

Strings

ComboBox, xrefs: 000B1BE5
ListBox, xrefs: 000B1C10

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 62cf225558372a3f107de04a71317516e9963a4eb9df54a243127dce7d17c9b2
Instruction ID: 979f7e733588b063ba77b96c8958dd706434bc1c807144a6775825850cb42662
Opcode Fuzzy Hash: 62cf225558372a3f107de04a71317516e9963a4eb9df54a243127dce7d17c9b2
Instruction Fuzzy Hash: 0501A775681108A6DB18EB90C963DFF7BEA9B51340F540019A81677283EE20AE0C87B5

Function 000B1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00059CB3: _wcslen.LIBCMT ref: 00059CBD

Part of subcall function 000B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000B3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 000B1CC8

Strings

ComboBox, xrefs: 000B1C69
ListBox, xrefs: 000B1C94

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9d966e2dbdaf01738e3cb45d2d62078988eabd84cb657c88243211da3ece71d4
Instruction ID: 4d4efd2b5515b43cc08baaff104ee0c68befd2271655c2c256a3dff26e56241a
Opcode Fuzzy Hash: 9d966e2dbdaf01738e3cb45d2d62078988eabd84cb657c88243211da3ece71d4
Instruction Fuzzy Hash: 0401D675680118A7DB14EBA4CA12EFF7BE99B11380FA40025BC0273283EE219F0CC6B1

Function 000B1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00059CB3: _wcslen.LIBCMT ref: 00059CBD

Part of subcall function 000B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000B3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 000B1DD3

Strings

ComboBox, xrefs: 000B1D75
ListBox, xrefs: 000B1DA0

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e3d6e5cbb8ad2c6be94f623924649b6a490243a84c0d298245bf45a5a0429e94
Instruction ID: 95bf78430d012960389eb6cafd895b2fa2723d24c87c5d6f3a7207127307dbba
Opcode Fuzzy Hash: e3d6e5cbb8ad2c6be94f623924649b6a490243a84c0d298245bf45a5a0429e94
Instruction Fuzzy Hash: 49F0A475A41218A6DB18E7A4CC62EFF77B9AB41350F940929B822672C3DE70590C8260

Function 000D747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000D7493
_wcslen.LIBCMT ref: 000D74B9

Strings

3, 3, 16, 1, xrefs: 000D7483

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 74425d95e43479337b807b24562fb7aa183d4760f3825b6e2279ff6fae761d6b
Instruction ID: 2402f08daaf9c78b4e4678401e8f39ba700489a3c8d44a99deea291047499cea
Opcode Fuzzy Hash: 74425d95e43479337b807b24562fb7aa183d4760f3825b6e2279ff6fae761d6b
Instruction Fuzzy Hash: D1E02B026153201192721279ACC19FF56C9DFC5750710182BFA8DC2367FB98CD9193B5

Function 000B0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 000B0B23

Strings

Error allocating memory., xrefs: 000B0B1C
AutoIt, xrefs: 000B0B17

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: a076d8ff522f9b3d8f154cca905e8ab055eb9af2cd1b19280943b77da7721794
Instruction ID: 0f72c2f2a4333dc79f389dbc71b3747072f2420731d93fcbac0c3f36415f10e2
Opcode Fuzzy Hash: a076d8ff522f9b3d8f154cca905e8ab055eb9af2cd1b19280943b77da7721794
Instruction Fuzzy Hash: 08E0D8312883483AE2143655BC03FC97A898F05F25F104466FB98A94C38BE3289046A9

Function 00070D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0006F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00070D71,?,?,?,0005100A), ref: 0006F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0005100A), ref: 00070D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0005100A), ref: 00070D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00070D7F

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 8c3a159bf5b10edd6383ecdb6b17fbd2750677b2afe497f8ae783fff8e0d2e91
Instruction ID: dae162cd16c6be437dba87d4802e50c893d0ef61909ee95b6bfc5792c6ccd855
Opcode Fuzzy Hash: 8c3a159bf5b10edd6383ecdb6b17fbd2750677b2afe497f8ae783fff8e0d2e91
Instruction Fuzzy Hash: C3E06D746003828FE3709FB9E4487567BE0FB10B44F008A2DE496DA752DBB9F8458B91

Function 000C3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 000C302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 000C3044

Strings

aut, xrefs: 000C3038

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 60150dc9aa63276dbe049542f02c5c4278f0508702cd6d8050ae4251e0fb3527
Instruction ID: 951f22f9405d2190c23b6198e09a8e7d2f984385485a8a9f5860a51ddeb65f9e
Opcode Fuzzy Hash: 60150dc9aa63276dbe049542f02c5c4278f0508702cd6d8050ae4251e0fb3527
Instruction Fuzzy Hash: 99D05B7150031467EA249794AC4DFC73A6CDB04751F0001617755E6091DAB59585CAD0

Function 000AD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 000AD220

Strings

X64, xrefs: 000AD2A8
%.3d, xrefs: 000AD22B

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: afb18823709fb92d9e2764d1db8290d62c05a5dbedde622f81bc91c0da4d8e4f
Instruction ID: 598552aa92eedfdbf300c712e478333735383bd6fe256cb5aa8e817dc8fd8b21
Opcode Fuzzy Hash: afb18823709fb92d9e2764d1db8290d62c05a5dbedde622f81bc91c0da4d8e4f
Instruction Fuzzy Hash: 6BD012A1C08109E9DB6096D0DC45AFDB37CBB29341F508463F907A1440E724C548E761

Function 000E2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000E236C
PostMessageW.USER32(00000000), ref: 000E2373

Part of subcall function 000BE97B: Sleep.KERNELBASE ref: 000BE9F3

Strings

Shell_TrayWnd, xrefs: 000E2365

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5112f78027aa62f3d43783bc6b2bc551e547c1dd875059221d42d4ec107f3f5a
Instruction ID: a60313ab4320b739ac36dfedd178ea626c04b4d476d4767ecd8d052505bdcdd8
Opcode Fuzzy Hash: 5112f78027aa62f3d43783bc6b2bc551e547c1dd875059221d42d4ec107f3f5a
Instruction Fuzzy Hash: 2FD0C936395390BAF668A770DC4FFC676149B44B10F004916B645AA1D1CAB5B8468A54

Function 0008BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0008BE93
GetLastError.KERNEL32 ref: 0008BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0008BEFC

Memory Dump Source

Source File: 00000006.00000002.1351659240.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true

Associated: 00000006.00000002.1351632975.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.00000000000EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351771279.0000000000112000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351828352.000000000011C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1351856063.0000000000124000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: fd7fcff4e11eb51b406db3a6d58bf3a860cd7945a96191886b23ccff5dd69a2d
Instruction ID: ed66cd327ac0820258e4257be78e121fb25cea82b2b3a84d1921a309a0c2d39d
Opcode Fuzzy Hash: fd7fcff4e11eb51b406db3a6d58bf3a860cd7945a96191886b23ccff5dd69a2d
Instruction Fuzzy Hash: 0A41D435604246AFDF31AF64CC44ABA7BE5BF42720F244179FA999B1A2DB318D01CB60

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIlKHLAQiFoM0BCNy9zQEIucrNAQi/0M0BCMbRzQEIutTNAQjK1s0BCKfYzQEI+cDUFRjymM0BGLnSzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIlKHLAQiFoM0BCNy9zQEIucrNAQi/0M0BCMbRzQEIutTNAQjK1s0BCKfYzQEI+cDUFRjymM0BGLnSzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.149"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.149", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.149"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIlKHLAQiFoM0BCNy9zQEIucrNAQi/0M0BCMbRzQEIutTNAQjK1s0BCKfYzQEI+cDUFRjymM0BGLnSzQEY642lFw==Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=GVna8EtnwkDwSKO&MD=6LkcCrH8 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=GVna8EtnwkDwSKO&MD=6LkcCrH8 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.10:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.10:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.10:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.10:49738 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 91

Chrome Cache Entry: 92

Chrome Cache Entry: 93

Chrome Cache Entry: 94

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
file.exe

Function 0006F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130
keyboardthreadwindowCOMMON

Function 000542DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 000542A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00092BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 000DAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Function 00052CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0009065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0005344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00052B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00053170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00051410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Function 00052C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 000BE97B Relevance: 7.5, APIs: 5, Instructions: 47
sleepCOMMON

Function 00053B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre