Edit tour

Windows Analysis Report
NRFQFP.exe

Overview

General Information

Sample name:	NRFQFP.exe
Analysis ID:	1559974
MD5:	1a911551867098e14d09eba0f3230e20
SHA1:	505baedb0168073fd5f67637a8409b1bab84e2c4
SHA256:	7925886f109959a6344123901123559f304a400dc2a2d3768d9fbe42d7d8305c
Tags:	exeuser-lowmal3
Infos:

Detection

FormBook

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

NRFQFP.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\NRFQFP.exe" MD5: 1A911551867098E14D09EBA0F3230E20)

svchost.exe (PID: 7352 cmdline: "C:\Users\user\Desktop\NRFQFP.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.1530564387.00000000002B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1530811604.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.svchost.exe.2b0000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.svchost.exe.2b0000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\NRFQFP.exe", CommandLine: "C:\Users\user\Desktop\NRFQFP.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\NRFQFP.exe", ParentImage: C:\Users\user\Desktop\NRFQFP.exe, ParentProcessId: 7264, ParentProcessName: NRFQFP.exe, ProcessCommandLine: "C:\Users\user\Desktop\NRFQFP.exe", ProcessId: 7352, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\NRFQFP.exe", CommandLine: "C:\Users\user\Desktop\NRFQFP.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\NRFQFP.exe", ParentImage: C:\Users\user\Desktop\NRFQFP.exe, ParentProcessId: 7264, ParentProcessName: NRFQFP.exe, ProcessCommandLine: "C:\Users\user\Desktop\NRFQFP.exe", ProcessId: 7352, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: NRFQFP.exe	ReversingLabs: Detection: 34%
Source: NRFQFP.exe	Virustotal: Detection: 34%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.2b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.2b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1530564387.00000000002B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1530811604.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: NRFQFP.exe

Joe Sandbox ML: detected

Source: NRFQFP.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: NRFQFP.exe, 00000000.00000003.1265380491.0000000004070000.00000004.00001000.00020000.00000000.sdmp, NRFQFP.exe, 00000000.00000003.1273280159.0000000004210000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1530842420.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1491660538.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1494952805.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1530842420.000000000309E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: NRFQFP.exe, 00000000.00000003.1265380491.0000000004070000.00000004.00001000.00020000.00000000.sdmp, NRFQFP.exe, 00000000.00000003.1273280159.0000000004210000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.1530842420.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1491660538.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1494952805.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1530842420.000000000309E000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_01006CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_01006CA9
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_010060DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_010060DD
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_010063F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_010063F9
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_0100EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0100EB60
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_0100F56F FindFirstFileW,FindClose,	0_2_0100F56F
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_0100F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0100F5FA
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_01011B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_01011B2F
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_01011C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_01011C8A
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_01011F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_01011F94

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_01014EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_01014EB5

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_01016B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_01016B0C

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_01016D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_01016D07

Source: C:\Users\user\Desktop\NRFQFP.exe

0_2_01016B0C

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_01002B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_01002B37

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.2b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.2b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1530564387.00000000002B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1530811604.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00FC3D19
Source: NRFQFP.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: NRFQFP.exe, 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b66dd3dc-4
Source: NRFQFP.exe, 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_69934bf7-f
Source: NRFQFP.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8d9a4f1d-3
Source: NRFQFP.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_10b75705-7

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: NRFQFP.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002DC8B3 NtClose,	3_2_002DC8B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002B1A71 NtProtectVirtualMemory,	3_2_002B1A71
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002B19A3 NtProtectVirtualMemory,	3_2_002B19A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72B60 NtClose,LdrInitializeThunk,	3_2_02F72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_02F72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F735C0 NtCreateMutant,LdrInitializeThunk,	3_2_02F735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F74340 NtSetContextThread,	3_2_02F74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F74650 NtSuspendThread,	3_2_02F74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72AF0 NtWriteFile,	3_2_02F72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72AD0 NtReadFile,	3_2_02F72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72AB0 NtWaitForSingleObject,	3_2_02F72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72BF0 NtAllocateVirtualMemory,	3_2_02F72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72BE0 NtQueryValueKey,	3_2_02F72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72BA0 NtEnumerateValueKey,	3_2_02F72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72B80 NtQueryInformationFile,	3_2_02F72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72EE0 NtQueueApcThread,	3_2_02F72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72EA0 NtAdjustPrivilegesToken,	3_2_02F72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72E80 NtReadVirtualMemory,	3_2_02F72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72E30 NtWriteVirtualMemory,	3_2_02F72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72FE0 NtCreateFile,	3_2_02F72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72FB0 NtResumeThread,	3_2_02F72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72FA0 NtQuerySection,	3_2_02F72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72F90 NtProtectVirtualMemory,	3_2_02F72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72F60 NtCreateProcessEx,	3_2_02F72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72F30 NtCreateSection,	3_2_02F72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72CF0 NtOpenProcess,	3_2_02F72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72CC0 NtQueryVirtualMemory,	3_2_02F72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72CA0 NtQueryInformationToken,	3_2_02F72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72C70 NtFreeVirtualMemory,	3_2_02F72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72C60 NtCreateKey,	3_2_02F72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72C00 NtQueryInformationProcess,	3_2_02F72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72DD0 NtDelayExecution,	3_2_02F72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72DB0 NtEnumerateKey,	3_2_02F72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72D30 NtUnmapViewOfSection,	3_2_02F72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72D10 NtMapViewOfSection,	3_2_02F72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72D00 NtSetInformationFile,	3_2_02F72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F73090 NtSetValueKey,	3_2_02F73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F73010 NtOpenDirectoryObject,	3_2_02F73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F739B0 NtGetContextThread,	3_2_02F739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F73D70 NtOpenThread,	3_2_02F73D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F73D10 NtOpenProcessToken,	3_2_02F73D10

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_01006713: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_01006713

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_00FFACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00FFACC5

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_010079D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_010079D3

Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FEB043	0_2_00FEB043
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FD3200	0_2_00FD3200
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FD3B70	0_2_00FD3B70
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FF410F	0_2_00FF410F
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FE02A4	0_2_00FE02A4
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FCE3B0	0_2_00FCE3B0
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FF038E	0_2_00FF038E
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FE06D9	0_2_00FE06D9
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FF467F	0_2_00FF467F
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FF4BEF	0_2_00FF4BEF
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_0102AACE	0_2_0102AACE
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FECCC1	0_2_00FECCC1
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FCAF50	0_2_00FCAF50
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FC6F07	0_2_00FC6F07
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_010231BC	0_2_010231BC
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FED1B9	0_2_00FED1B9
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FDB11F	0_2_00FDB11F
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FF724D	0_2_00FF724D
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FE123A	0_2_00FE123A
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_010013CA	0_2_010013CA
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FC93F0	0_2_00FC93F0
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FDF563	0_2_00FDF563
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FC96C0	0_2_00FC96C0
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FC77B0	0_2_00FC77B0
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_0100B6CC	0_2_0100B6CC
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FF79C9	0_2_00FF79C9
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FDFA57	0_2_00FDFA57
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FC9B60	0_2_00FC9B60
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FC7D19	0_2_00FC7D19
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FE9ED0	0_2_00FE9ED0
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FDFE6F	0_2_00FDFE6F
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FC7FA3	0_2_00FC7FA3
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_01ADB5D8	0_2_01ADB5D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002C696F	3_2_002C696F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002C6973	3_2_002C6973
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002BE1B3	3_2_002BE1B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002C01C3	3_2_002C01C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002BE2FE	3_2_002BE2FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002B22FD	3_2_002B22FD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002BE303	3_2_002BE303
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002B2300	3_2_002B2300
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002B2660	3_2_002B2660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002B2E80	3_2_002B2E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002DEF33	3_2_002DEF33
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002BFFA3	3_2_002BFFA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002BFF9C	3_2_002BFF9C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC02C0	3_2_02FC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FE0274	3_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030003E6	3_2_030003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F4E3F0	3_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FFA352	3_2_02FFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030001AA	3_2_030001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FD2000	3_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FF81CC	3_2_02FF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC8158	3_2_02FC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDA118	3_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F30100	3_2_02F30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5C6E0	3_2_02F5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3C7C0	3_2_02F3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40770	3_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F64750	3_2_02F64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FEE4F6	3_2_02FEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03000591	3_2_03000591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FF2446	3_2_02FF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40535	3_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3EA80	3_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FF6BD7	3_2_02FF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FFAB40	3_2_02FFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6E8F0	3_2_02F6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F268B8	3_2_02F268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0300A9A6	3_2_0300A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F4A840	3_2_02F4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F42840	3_2_02F42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F429A0	3_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F56962	3_2_02F56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FFEEDB	3_2_02FFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F52E90	3_2_02F52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FFCE93	3_2_02FFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40E59	3_2_02F40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FFEE26	3_2_02FFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F4CFE0	3_2_02F4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F32FC8	3_2_02F32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FBEFA0	3_2_02FBEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB4F40	3_2_02FB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F60F30	3_2_02F60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F82F28	3_2_02F82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F30CF2	3_2_02F30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FE0CB5	3_2_02FE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40C00	3_2_02F40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3ADE0	3_2_02F3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F58DBF	3_2_02F58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDCD1F	3_2_02FDCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F4AD00	3_2_02F4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FE12ED	3_2_02FE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5B2C0	3_2_02F5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F452A0	3_2_02F452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F8739A	3_2_02F8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2D34C	3_2_02F2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FF132D	3_2_02FF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FF70E9	3_2_02FF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FFF0E0	3_2_02FFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FEF0CC	3_2_02FEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F470C0	3_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0300B16B	3_2_0300B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F4B1B0	3_2_02F4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2F172	3_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F7516C	3_2_02F7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FF16CC	3_2_02FF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FFF7B0	3_2_02FFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F31460	3_2_02F31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FFF43F	3_2_02FFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDD5B0	3_2_02FDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FF7571	3_2_02FF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FEDAC6	3_2_02FEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDDAAC	3_2_02FDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F85AA0	3_2_02F85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FE1AA3	3_2_02FE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB3A6C	3_2_02FB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FFFA49	3_2_02FFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FF7A46	3_2_02FF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB5BF0	3_2_02FB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F7DBF9	3_2_02F7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5FB80	3_2_02F5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FFFB76	3_2_02FFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F438E0	3_2_02F438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAD800	3_2_02FAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F49950	3_2_02F49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5B950	3_2_02F5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FD5910	3_2_02FD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F49EB0	3_2_02F49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FFFFB1	3_2_02FFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F41F92	3_2_02F41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FFFF09	3_2_02FFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FFFCF2	3_2_02FFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB9C32	3_2_02FB9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5FDC0	3_2_02F5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FF7D73	3_2_02FF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FF1D5A	3_2_02FF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F43D40	3_2_02F43D40

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02F87E54 appears 101 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02FAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02FBF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02F75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02F2B970 appears 272 times
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: String function: 00FE6AC0 appears 42 times
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: String function: 00FEF8A0 appears 35 times
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: String function: 00FDEC2F appears 68 times

Source: NRFQFP.exe, 00000000.00000003.1266403579.0000000004193000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs NRFQFP.exe
Source: NRFQFP.exe, 00000000.00000003.1274886140.000000000433D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs NRFQFP.exe

Source: NRFQFP.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@3/2@0/0

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_0100CE7A GetLastError,FormatMessageW,

0_2_0100CE7A

Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FFAB84 AdjustTokenPrivileges,CloseHandle,		0_2_00FFAB84
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FFB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00FFB134

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_0100E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0100E1FD

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_01006532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_01006532

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_0101C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_0101C18C

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_00FC406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00FC406B

Source: C:\Users\user\Desktop\NRFQFP.exe

File created: C:\Users\user~1\AppData\Local\Temp\aut7D3A.tmp

Jump to behavior

Source: NRFQFP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\NRFQFP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NRFQFP.exe	ReversingLabs: Detection: 34%
Source: NRFQFP.exe	Virustotal: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\NRFQFP.exe "C:\Users\user\Desktop\NRFQFP.exe"
Source: C:\Users\user\Desktop\NRFQFP.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\NRFQFP.exe"
Source: C:\Users\user\Desktop\NRFQFP.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\NRFQFP.exe"	Jump to behavior

Source: C:\Users\user\Desktop\NRFQFP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NRFQFP.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NRFQFP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NRFQFP.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\NRFQFP.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\NRFQFP.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\NRFQFP.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NRFQFP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NRFQFP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NRFQFP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NRFQFP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NRFQFP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NRFQFP.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: NRFQFP.exe

Static file information: File size 1212928 > 1048576

Source: NRFQFP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: NRFQFP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: NRFQFP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: NRFQFP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: NRFQFP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: NRFQFP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: NRFQFP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: NRFQFP.exe, 00000000.00000003.1265380491.0000000004070000.00000004.00001000.00020000.00000000.sdmp, NRFQFP.exe, 00000000.00000003.1273280159.0000000004210000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1530842420.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1491660538.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1494952805.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1530842420.000000000309E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: NRFQFP.exe, 00000000.00000003.1265380491.0000000004070000.00000004.00001000.00020000.00000000.sdmp, NRFQFP.exe, 00000000.00000003.1273280159.0000000004210000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.1530842420.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1491660538.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1494952805.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1530842420.000000000309E000.00000040.00001000.00020000.00000000.sdmp

Source: NRFQFP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: NRFQFP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: NRFQFP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: NRFQFP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: NRFQFP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_00FDE01E LoadLibraryA,GetProcAddress,

0_2_00FDE01E

Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FE6B05 push ecx; ret	0_2_00FE6B18
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002B3100 push eax; ret	3_2_002B3102
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002CE9B7 push esp; ret	3_2_002CE9BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002C7333 push ecx; retf	3_2_002C7336
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002BD307 push edx; ret	3_2_002BD30E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002D7C33 push eax; iretd	3_2_002D7CA9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002C1C05 push esi; iretd	3_2_002C1C1E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002C1C13 push esi; iretd	3_2_002C1C1E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002BD53D push esi; retf	3_2_002BD53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002D5553 push ds; iretd	3_2_002D5554
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002B45F9 push ds; ret	3_2_002B45FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_002D3FC1 push ss; retf	3_2_002D3FC4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F309AD push ecx; mov dword ptr [esp], ecx	3_2_02F309B6

Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_01028111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_01028111
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FDEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00FDEB42

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_00FE123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00FE123A

Source: C:\Users\user\Desktop\NRFQFP.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\NRFQFP.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\NRFQFP.exe

API/Special instruction interceptor: Address: 1ADB1FC

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_02F7096E rdtsc

3_2_02F7096E

Source: C:\Users\user\Desktop\NRFQFP.exe	Evaded block: after key decision			graph_0-95533
Source: C:\Users\user\Desktop\NRFQFP.exe	Evaded block: after key decision			graph_0-94403

Source: C:\Users\user\Desktop\NRFQFP.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-94944

Source: C:\Users\user\Desktop\NRFQFP.exe	API coverage: 4.5 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 7356

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_01006CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_01006CA9
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_010060DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_010060DD
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_010063F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_010063F9
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_0100EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0100EB60
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_0100F56F FindFirstFileW,FindClose,	0_2_0100F56F
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_0100F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0100F5FA
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_01011B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_01011B2F
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_01011C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_01011C8A
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_01011F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_01011F94

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_00FDDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FDDDC0

Source: C:\Users\user\Desktop\NRFQFP.exe

API call chain: ExitProcess graph end node

graph_0-94157

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_02F7096E rdtsc

3_2_02F7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_002C7903 LdrLoadDll,

3_2_002C7903

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_01016AAF BlockInput,

0_2_01016AAF

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_00FC3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00FC3D19

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_00FF3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00FF3920

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_00FDE01E LoadLibraryA,GetProcAddress,

0_2_00FDE01E

Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_01ADB4C8 mov eax, dword ptr fs:[00000030h]	0_2_01ADB4C8
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_01ADB468 mov eax, dword ptr fs:[00000030h]	0_2_01ADB468
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_01AD9E48 mov eax, dword ptr fs:[00000030h]	0_2_01AD9E48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F402E1 mov eax, dword ptr fs:[00000030h]	3_2_02F402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F402E1 mov eax, dword ptr fs:[00000030h]	3_2_02F402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F402E1 mov eax, dword ptr fs:[00000030h]	3_2_02F402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F402A0 mov eax, dword ptr fs:[00000030h]	3_2_02F402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F402A0 mov eax, dword ptr fs:[00000030h]	3_2_02F402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	3_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC62A0 mov ecx, dword ptr fs:[00000030h]	3_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	3_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	3_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	3_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	3_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6E284 mov eax, dword ptr fs:[00000030h]	3_2_02F6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6E284 mov eax, dword ptr fs:[00000030h]	3_2_02F6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB0283 mov eax, dword ptr fs:[00000030h]	3_2_02FB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB0283 mov eax, dword ptr fs:[00000030h]	3_2_02FB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB0283 mov eax, dword ptr fs:[00000030h]	3_2_02FB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FE0274 mov eax, dword ptr fs:[00000030h]	3_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FE0274 mov eax, dword ptr fs:[00000030h]	3_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FE0274 mov eax, dword ptr fs:[00000030h]	3_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FE0274 mov eax, dword ptr fs:[00000030h]	3_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FE0274 mov eax, dword ptr fs:[00000030h]	3_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FE0274 mov eax, dword ptr fs:[00000030h]	3_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FE0274 mov eax, dword ptr fs:[00000030h]	3_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FE0274 mov eax, dword ptr fs:[00000030h]	3_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FE0274 mov eax, dword ptr fs:[00000030h]	3_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FE0274 mov eax, dword ptr fs:[00000030h]	3_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FE0274 mov eax, dword ptr fs:[00000030h]	3_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FE0274 mov eax, dword ptr fs:[00000030h]	3_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F34260 mov eax, dword ptr fs:[00000030h]	3_2_02F34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F34260 mov eax, dword ptr fs:[00000030h]	3_2_02F34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F34260 mov eax, dword ptr fs:[00000030h]	3_2_02F34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2826B mov eax, dword ptr fs:[00000030h]	3_2_02F2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2A250 mov eax, dword ptr fs:[00000030h]	3_2_02F2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F36259 mov eax, dword ptr fs:[00000030h]	3_2_02F36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB8243 mov eax, dword ptr fs:[00000030h]	3_2_02FB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB8243 mov ecx, dword ptr fs:[00000030h]	3_2_02FB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2823B mov eax, dword ptr fs:[00000030h]	3_2_02F2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]	3_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]	3_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]	3_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F663FF mov eax, dword ptr fs:[00000030h]	3_2_02F663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F403E9 mov eax, dword ptr fs:[00000030h]	3_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F403E9 mov eax, dword ptr fs:[00000030h]	3_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F403E9 mov eax, dword ptr fs:[00000030h]	3_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F403E9 mov eax, dword ptr fs:[00000030h]	3_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F403E9 mov eax, dword ptr fs:[00000030h]	3_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F403E9 mov eax, dword ptr fs:[00000030h]	3_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F403E9 mov eax, dword ptr fs:[00000030h]	3_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F403E9 mov eax, dword ptr fs:[00000030h]	3_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDE3DB mov eax, dword ptr fs:[00000030h]	3_2_02FDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDE3DB mov eax, dword ptr fs:[00000030h]	3_2_02FDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDE3DB mov ecx, dword ptr fs:[00000030h]	3_2_02FDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDE3DB mov eax, dword ptr fs:[00000030h]	3_2_02FDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FD43D4 mov eax, dword ptr fs:[00000030h]	3_2_02FD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FD43D4 mov eax, dword ptr fs:[00000030h]	3_2_02FD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FEC3CD mov eax, dword ptr fs:[00000030h]	3_2_02FEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F383C0 mov eax, dword ptr fs:[00000030h]	3_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F383C0 mov eax, dword ptr fs:[00000030h]	3_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F383C0 mov eax, dword ptr fs:[00000030h]	3_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F383C0 mov eax, dword ptr fs:[00000030h]	3_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB63C0 mov eax, dword ptr fs:[00000030h]	3_2_02FB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F28397 mov eax, dword ptr fs:[00000030h]	3_2_02F28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F28397 mov eax, dword ptr fs:[00000030h]	3_2_02F28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F28397 mov eax, dword ptr fs:[00000030h]	3_2_02F28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2E388 mov eax, dword ptr fs:[00000030h]	3_2_02F2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2E388 mov eax, dword ptr fs:[00000030h]	3_2_02F2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2E388 mov eax, dword ptr fs:[00000030h]	3_2_02F2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5438F mov eax, dword ptr fs:[00000030h]	3_2_02F5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5438F mov eax, dword ptr fs:[00000030h]	3_2_02F5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FD437C mov eax, dword ptr fs:[00000030h]	3_2_02FD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB035C mov eax, dword ptr fs:[00000030h]	3_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB035C mov eax, dword ptr fs:[00000030h]	3_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB035C mov eax, dword ptr fs:[00000030h]	3_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB035C mov ecx, dword ptr fs:[00000030h]	3_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB035C mov eax, dword ptr fs:[00000030h]	3_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB035C mov eax, dword ptr fs:[00000030h]	3_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FFA352 mov eax, dword ptr fs:[00000030h]	3_2_02FFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FD8350 mov ecx, dword ptr fs:[00000030h]	3_2_02FD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB2349 mov eax, dword ptr fs:[00000030h]	3_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB2349 mov eax, dword ptr fs:[00000030h]	3_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB2349 mov eax, dword ptr fs:[00000030h]	3_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB2349 mov eax, dword ptr fs:[00000030h]	3_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB2349 mov eax, dword ptr fs:[00000030h]	3_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB2349 mov eax, dword ptr fs:[00000030h]	3_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB2349 mov eax, dword ptr fs:[00000030h]	3_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB2349 mov eax, dword ptr fs:[00000030h]	3_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB2349 mov eax, dword ptr fs:[00000030h]	3_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB2349 mov eax, dword ptr fs:[00000030h]	3_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB2349 mov eax, dword ptr fs:[00000030h]	3_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB2349 mov eax, dword ptr fs:[00000030h]	3_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB2349 mov eax, dword ptr fs:[00000030h]	3_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB2349 mov eax, dword ptr fs:[00000030h]	3_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB2349 mov eax, dword ptr fs:[00000030h]	3_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2C310 mov ecx, dword ptr fs:[00000030h]	3_2_02F2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F50310 mov ecx, dword ptr fs:[00000030h]	3_2_02F50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6A30B mov eax, dword ptr fs:[00000030h]	3_2_02F6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6A30B mov eax, dword ptr fs:[00000030h]	3_2_02F6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6A30B mov eax, dword ptr fs:[00000030h]	3_2_02F6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2C0F0 mov eax, dword ptr fs:[00000030h]	3_2_02F2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F720F0 mov ecx, dword ptr fs:[00000030h]	3_2_02F720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2A0E3 mov ecx, dword ptr fs:[00000030h]	3_2_02F2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F380E9 mov eax, dword ptr fs:[00000030h]	3_2_02F380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB60E0 mov eax, dword ptr fs:[00000030h]	3_2_02FB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB20DE mov eax, dword ptr fs:[00000030h]	3_2_02FB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FF60B8 mov eax, dword ptr fs:[00000030h]	3_2_02FF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FF60B8 mov ecx, dword ptr fs:[00000030h]	3_2_02FF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC80A8 mov eax, dword ptr fs:[00000030h]	3_2_02FC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3208A mov eax, dword ptr fs:[00000030h]	3_2_02F3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5C073 mov eax, dword ptr fs:[00000030h]	3_2_02F5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F32050 mov eax, dword ptr fs:[00000030h]	3_2_02F32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB6050 mov eax, dword ptr fs:[00000030h]	3_2_02FB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC6030 mov eax, dword ptr fs:[00000030h]	3_2_02FC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2A020 mov eax, dword ptr fs:[00000030h]	3_2_02F2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2C020 mov eax, dword ptr fs:[00000030h]	3_2_02F2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F4E016 mov eax, dword ptr fs:[00000030h]	3_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F4E016 mov eax, dword ptr fs:[00000030h]	3_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F4E016 mov eax, dword ptr fs:[00000030h]	3_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F4E016 mov eax, dword ptr fs:[00000030h]	3_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030061E5 mov eax, dword ptr fs:[00000030h]	3_2_030061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB4000 mov ecx, dword ptr fs:[00000030h]	3_2_02FB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FD2000 mov eax, dword ptr fs:[00000030h]	3_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FD2000 mov eax, dword ptr fs:[00000030h]	3_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FD2000 mov eax, dword ptr fs:[00000030h]	3_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FD2000 mov eax, dword ptr fs:[00000030h]	3_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FD2000 mov eax, dword ptr fs:[00000030h]	3_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FD2000 mov eax, dword ptr fs:[00000030h]	3_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FD2000 mov eax, dword ptr fs:[00000030h]	3_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FD2000 mov eax, dword ptr fs:[00000030h]	3_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F601F8 mov eax, dword ptr fs:[00000030h]	3_2_02F601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]	3_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]	3_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAE1D0 mov ecx, dword ptr fs:[00000030h]	3_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]	3_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]	3_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FF61C3 mov eax, dword ptr fs:[00000030h]	3_2_02FF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FF61C3 mov eax, dword ptr fs:[00000030h]	3_2_02FF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB019F mov eax, dword ptr fs:[00000030h]	3_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB019F mov eax, dword ptr fs:[00000030h]	3_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB019F mov eax, dword ptr fs:[00000030h]	3_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB019F mov eax, dword ptr fs:[00000030h]	3_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2A197 mov eax, dword ptr fs:[00000030h]	3_2_02F2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2A197 mov eax, dword ptr fs:[00000030h]	3_2_02F2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2A197 mov eax, dword ptr fs:[00000030h]	3_2_02F2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F70185 mov eax, dword ptr fs:[00000030h]	3_2_02F70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FEC188 mov eax, dword ptr fs:[00000030h]	3_2_02FEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FEC188 mov eax, dword ptr fs:[00000030h]	3_2_02FEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FD4180 mov eax, dword ptr fs:[00000030h]	3_2_02FD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FD4180 mov eax, dword ptr fs:[00000030h]	3_2_02FD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2C156 mov eax, dword ptr fs:[00000030h]	3_2_02F2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC8158 mov eax, dword ptr fs:[00000030h]	3_2_02FC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F36154 mov eax, dword ptr fs:[00000030h]	3_2_02F36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F36154 mov eax, dword ptr fs:[00000030h]	3_2_02F36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC4144 mov eax, dword ptr fs:[00000030h]	3_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC4144 mov eax, dword ptr fs:[00000030h]	3_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC4144 mov ecx, dword ptr fs:[00000030h]	3_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC4144 mov eax, dword ptr fs:[00000030h]	3_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC4144 mov eax, dword ptr fs:[00000030h]	3_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F60124 mov eax, dword ptr fs:[00000030h]	3_2_02F60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDA118 mov ecx, dword ptr fs:[00000030h]	3_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDA118 mov eax, dword ptr fs:[00000030h]	3_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDA118 mov eax, dword ptr fs:[00000030h]	3_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDA118 mov eax, dword ptr fs:[00000030h]	3_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FF0115 mov eax, dword ptr fs:[00000030h]	3_2_02FF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDE10E mov eax, dword ptr fs:[00000030h]	3_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDE10E mov ecx, dword ptr fs:[00000030h]	3_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDE10E mov eax, dword ptr fs:[00000030h]	3_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDE10E mov eax, dword ptr fs:[00000030h]	3_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDE10E mov ecx, dword ptr fs:[00000030h]	3_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDE10E mov eax, dword ptr fs:[00000030h]	3_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDE10E mov eax, dword ptr fs:[00000030h]	3_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDE10E mov ecx, dword ptr fs:[00000030h]	3_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDE10E mov eax, dword ptr fs:[00000030h]	3_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDE10E mov ecx, dword ptr fs:[00000030h]	3_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]	3_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]	3_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]	3_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]	3_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB06F1 mov eax, dword ptr fs:[00000030h]	3_2_02FB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB06F1 mov eax, dword ptr fs:[00000030h]	3_2_02FB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6A6C7 mov ebx, dword ptr fs:[00000030h]	3_2_02F6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6A6C7 mov eax, dword ptr fs:[00000030h]	3_2_02F6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F666B0 mov eax, dword ptr fs:[00000030h]	3_2_02F666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6C6A6 mov eax, dword ptr fs:[00000030h]	3_2_02F6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F34690 mov eax, dword ptr fs:[00000030h]	3_2_02F34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F34690 mov eax, dword ptr fs:[00000030h]	3_2_02F34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F62674 mov eax, dword ptr fs:[00000030h]	3_2_02F62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FF866E mov eax, dword ptr fs:[00000030h]	3_2_02FF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FF866E mov eax, dword ptr fs:[00000030h]	3_2_02FF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6A660 mov eax, dword ptr fs:[00000030h]	3_2_02F6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6A660 mov eax, dword ptr fs:[00000030h]	3_2_02F6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F4C640 mov eax, dword ptr fs:[00000030h]	3_2_02F4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F4E627 mov eax, dword ptr fs:[00000030h]	3_2_02F4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F66620 mov eax, dword ptr fs:[00000030h]	3_2_02F66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F68620 mov eax, dword ptr fs:[00000030h]	3_2_02F68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3262C mov eax, dword ptr fs:[00000030h]	3_2_02F3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72619 mov eax, dword ptr fs:[00000030h]	3_2_02F72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAE609 mov eax, dword ptr fs:[00000030h]	3_2_02FAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F4260B mov eax, dword ptr fs:[00000030h]	3_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F4260B mov eax, dword ptr fs:[00000030h]	3_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F4260B mov eax, dword ptr fs:[00000030h]	3_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F4260B mov eax, dword ptr fs:[00000030h]	3_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F4260B mov eax, dword ptr fs:[00000030h]	3_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F4260B mov eax, dword ptr fs:[00000030h]	3_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F4260B mov eax, dword ptr fs:[00000030h]	3_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F347FB mov eax, dword ptr fs:[00000030h]	3_2_02F347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F347FB mov eax, dword ptr fs:[00000030h]	3_2_02F347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F527ED mov eax, dword ptr fs:[00000030h]	3_2_02F527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F527ED mov eax, dword ptr fs:[00000030h]	3_2_02F527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F527ED mov eax, dword ptr fs:[00000030h]	3_2_02F527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FBE7E1 mov eax, dword ptr fs:[00000030h]	3_2_02FBE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3C7C0 mov eax, dword ptr fs:[00000030h]	3_2_02F3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB07C3 mov eax, dword ptr fs:[00000030h]	3_2_02FB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F307AF mov eax, dword ptr fs:[00000030h]	3_2_02F307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FD678E mov eax, dword ptr fs:[00000030h]	3_2_02FD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F38770 mov eax, dword ptr fs:[00000030h]	3_2_02F38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40770 mov eax, dword ptr fs:[00000030h]	3_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40770 mov eax, dword ptr fs:[00000030h]	3_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40770 mov eax, dword ptr fs:[00000030h]	3_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40770 mov eax, dword ptr fs:[00000030h]	3_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40770 mov eax, dword ptr fs:[00000030h]	3_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40770 mov eax, dword ptr fs:[00000030h]	3_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40770 mov eax, dword ptr fs:[00000030h]	3_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40770 mov eax, dword ptr fs:[00000030h]	3_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40770 mov eax, dword ptr fs:[00000030h]	3_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40770 mov eax, dword ptr fs:[00000030h]	3_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40770 mov eax, dword ptr fs:[00000030h]	3_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40770 mov eax, dword ptr fs:[00000030h]	3_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F30750 mov eax, dword ptr fs:[00000030h]	3_2_02F30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FBE75D mov eax, dword ptr fs:[00000030h]	3_2_02FBE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72750 mov eax, dword ptr fs:[00000030h]	3_2_02F72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F72750 mov eax, dword ptr fs:[00000030h]	3_2_02F72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB4755 mov eax, dword ptr fs:[00000030h]	3_2_02FB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6674D mov esi, dword ptr fs:[00000030h]	3_2_02F6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6674D mov eax, dword ptr fs:[00000030h]	3_2_02F6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6674D mov eax, dword ptr fs:[00000030h]	3_2_02F6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6273C mov eax, dword ptr fs:[00000030h]	3_2_02F6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6273C mov ecx, dword ptr fs:[00000030h]	3_2_02F6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6273C mov eax, dword ptr fs:[00000030h]	3_2_02F6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAC730 mov eax, dword ptr fs:[00000030h]	3_2_02FAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6C720 mov eax, dword ptr fs:[00000030h]	3_2_02F6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6C720 mov eax, dword ptr fs:[00000030h]	3_2_02F6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F30710 mov eax, dword ptr fs:[00000030h]	3_2_02F30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F60710 mov eax, dword ptr fs:[00000030h]	3_2_02F60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6C700 mov eax, dword ptr fs:[00000030h]	3_2_02F6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03004500 mov eax, dword ptr fs:[00000030h]	3_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03004500 mov eax, dword ptr fs:[00000030h]	3_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03004500 mov eax, dword ptr fs:[00000030h]	3_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03004500 mov eax, dword ptr fs:[00000030h]	3_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03004500 mov eax, dword ptr fs:[00000030h]	3_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03004500 mov eax, dword ptr fs:[00000030h]	3_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03004500 mov eax, dword ptr fs:[00000030h]	3_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F304E5 mov ecx, dword ptr fs:[00000030h]	3_2_02F304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F644B0 mov ecx, dword ptr fs:[00000030h]	3_2_02F644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FBA4B0 mov eax, dword ptr fs:[00000030h]	3_2_02FBA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F364AB mov eax, dword ptr fs:[00000030h]	3_2_02F364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5A470 mov eax, dword ptr fs:[00000030h]	3_2_02F5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5A470 mov eax, dword ptr fs:[00000030h]	3_2_02F5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5A470 mov eax, dword ptr fs:[00000030h]	3_2_02F5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FBC460 mov ecx, dword ptr fs:[00000030h]	3_2_02FBC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2645D mov eax, dword ptr fs:[00000030h]	3_2_02F2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5245A mov eax, dword ptr fs:[00000030h]	3_2_02F5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6E443 mov eax, dword ptr fs:[00000030h]	3_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6E443 mov eax, dword ptr fs:[00000030h]	3_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6E443 mov eax, dword ptr fs:[00000030h]	3_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6E443 mov eax, dword ptr fs:[00000030h]	3_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6E443 mov eax, dword ptr fs:[00000030h]	3_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6E443 mov eax, dword ptr fs:[00000030h]	3_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6E443 mov eax, dword ptr fs:[00000030h]	3_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6E443 mov eax, dword ptr fs:[00000030h]	3_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6A430 mov eax, dword ptr fs:[00000030h]	3_2_02F6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2E420 mov eax, dword ptr fs:[00000030h]	3_2_02F2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2E420 mov eax, dword ptr fs:[00000030h]	3_2_02F2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2E420 mov eax, dword ptr fs:[00000030h]	3_2_02F2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2C427 mov eax, dword ptr fs:[00000030h]	3_2_02F2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB6420 mov eax, dword ptr fs:[00000030h]	3_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB6420 mov eax, dword ptr fs:[00000030h]	3_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB6420 mov eax, dword ptr fs:[00000030h]	3_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB6420 mov eax, dword ptr fs:[00000030h]	3_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB6420 mov eax, dword ptr fs:[00000030h]	3_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB6420 mov eax, dword ptr fs:[00000030h]	3_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB6420 mov eax, dword ptr fs:[00000030h]	3_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F68402 mov eax, dword ptr fs:[00000030h]	3_2_02F68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F68402 mov eax, dword ptr fs:[00000030h]	3_2_02F68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F68402 mov eax, dword ptr fs:[00000030h]	3_2_02F68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F325E0 mov eax, dword ptr fs:[00000030h]	3_2_02F325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6C5ED mov eax, dword ptr fs:[00000030h]	3_2_02F6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6C5ED mov eax, dword ptr fs:[00000030h]	3_2_02F6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F365D0 mov eax, dword ptr fs:[00000030h]	3_2_02F365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6A5D0 mov eax, dword ptr fs:[00000030h]	3_2_02F6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6A5D0 mov eax, dword ptr fs:[00000030h]	3_2_02F6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6E5CF mov eax, dword ptr fs:[00000030h]	3_2_02F6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6E5CF mov eax, dword ptr fs:[00000030h]	3_2_02F6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F545B1 mov eax, dword ptr fs:[00000030h]	3_2_02F545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F545B1 mov eax, dword ptr fs:[00000030h]	3_2_02F545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB05A7 mov eax, dword ptr fs:[00000030h]	3_2_02FB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB05A7 mov eax, dword ptr fs:[00000030h]	3_2_02FB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB05A7 mov eax, dword ptr fs:[00000030h]	3_2_02FB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6E59C mov eax, dword ptr fs:[00000030h]	3_2_02F6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F32582 mov eax, dword ptr fs:[00000030h]	3_2_02F32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F32582 mov ecx, dword ptr fs:[00000030h]	3_2_02F32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F64588 mov eax, dword ptr fs:[00000030h]	3_2_02F64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6656A mov eax, dword ptr fs:[00000030h]	3_2_02F6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6656A mov eax, dword ptr fs:[00000030h]	3_2_02F6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6656A mov eax, dword ptr fs:[00000030h]	3_2_02F6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F38550 mov eax, dword ptr fs:[00000030h]	3_2_02F38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F38550 mov eax, dword ptr fs:[00000030h]	3_2_02F38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40535 mov eax, dword ptr fs:[00000030h]	3_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40535 mov eax, dword ptr fs:[00000030h]	3_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40535 mov eax, dword ptr fs:[00000030h]	3_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40535 mov eax, dword ptr fs:[00000030h]	3_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40535 mov eax, dword ptr fs:[00000030h]	3_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40535 mov eax, dword ptr fs:[00000030h]	3_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5E53E mov eax, dword ptr fs:[00000030h]	3_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5E53E mov eax, dword ptr fs:[00000030h]	3_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5E53E mov eax, dword ptr fs:[00000030h]	3_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5E53E mov eax, dword ptr fs:[00000030h]	3_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5E53E mov eax, dword ptr fs:[00000030h]	3_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC6500 mov eax, dword ptr fs:[00000030h]	3_2_02FC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6AAEE mov eax, dword ptr fs:[00000030h]	3_2_02F6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6AAEE mov eax, dword ptr fs:[00000030h]	3_2_02F6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F30AD0 mov eax, dword ptr fs:[00000030h]	3_2_02F30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F64AD0 mov eax, dword ptr fs:[00000030h]	3_2_02F64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F64AD0 mov eax, dword ptr fs:[00000030h]	3_2_02F64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F86ACC mov eax, dword ptr fs:[00000030h]	3_2_02F86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F86ACC mov eax, dword ptr fs:[00000030h]	3_2_02F86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F86ACC mov eax, dword ptr fs:[00000030h]	3_2_02F86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F38AA0 mov eax, dword ptr fs:[00000030h]	3_2_02F38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F38AA0 mov eax, dword ptr fs:[00000030h]	3_2_02F38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F86AA4 mov eax, dword ptr fs:[00000030h]	3_2_02F86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F68A90 mov edx, dword ptr fs:[00000030h]	3_2_02F68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	3_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	3_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	3_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	3_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	3_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	3_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	3_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	3_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	3_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FACA72 mov eax, dword ptr fs:[00000030h]	3_2_02FACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FACA72 mov eax, dword ptr fs:[00000030h]	3_2_02FACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6CA6F mov eax, dword ptr fs:[00000030h]	3_2_02F6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6CA6F mov eax, dword ptr fs:[00000030h]	3_2_02F6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6CA6F mov eax, dword ptr fs:[00000030h]	3_2_02F6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDEA60 mov eax, dword ptr fs:[00000030h]	3_2_02FDEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F36A50 mov eax, dword ptr fs:[00000030h]	3_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F36A50 mov eax, dword ptr fs:[00000030h]	3_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F36A50 mov eax, dword ptr fs:[00000030h]	3_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F36A50 mov eax, dword ptr fs:[00000030h]	3_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F36A50 mov eax, dword ptr fs:[00000030h]	3_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F36A50 mov eax, dword ptr fs:[00000030h]	3_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F36A50 mov eax, dword ptr fs:[00000030h]	3_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40A5B mov eax, dword ptr fs:[00000030h]	3_2_02F40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40A5B mov eax, dword ptr fs:[00000030h]	3_2_02F40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F54A35 mov eax, dword ptr fs:[00000030h]	3_2_02F54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F54A35 mov eax, dword ptr fs:[00000030h]	3_2_02F54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6CA38 mov eax, dword ptr fs:[00000030h]	3_2_02F6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6CA24 mov eax, dword ptr fs:[00000030h]	3_2_02F6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5EA2E mov eax, dword ptr fs:[00000030h]	3_2_02F5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FBCA11 mov eax, dword ptr fs:[00000030h]	3_2_02FBCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F38BF0 mov eax, dword ptr fs:[00000030h]	3_2_02F38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F38BF0 mov eax, dword ptr fs:[00000030h]	3_2_02F38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F38BF0 mov eax, dword ptr fs:[00000030h]	3_2_02F38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5EBFC mov eax, dword ptr fs:[00000030h]	3_2_02F5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FBCBF0 mov eax, dword ptr fs:[00000030h]	3_2_02FBCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDEBD0 mov eax, dword ptr fs:[00000030h]	3_2_02FDEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F50BCB mov eax, dword ptr fs:[00000030h]	3_2_02F50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F50BCB mov eax, dword ptr fs:[00000030h]	3_2_02F50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F50BCB mov eax, dword ptr fs:[00000030h]	3_2_02F50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F30BCD mov eax, dword ptr fs:[00000030h]	3_2_02F30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F30BCD mov eax, dword ptr fs:[00000030h]	3_2_02F30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F30BCD mov eax, dword ptr fs:[00000030h]	3_2_02F30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40BBE mov eax, dword ptr fs:[00000030h]	3_2_02F40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F40BBE mov eax, dword ptr fs:[00000030h]	3_2_02F40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03004A80 mov eax, dword ptr fs:[00000030h]	3_2_03004A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2CB7E mov eax, dword ptr fs:[00000030h]	3_2_02F2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FDEB50 mov eax, dword ptr fs:[00000030h]	3_2_02FDEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC6B40 mov eax, dword ptr fs:[00000030h]	3_2_02FC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC6B40 mov eax, dword ptr fs:[00000030h]	3_2_02FC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FFAB40 mov eax, dword ptr fs:[00000030h]	3_2_02FFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FD8B42 mov eax, dword ptr fs:[00000030h]	3_2_02FD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5EB20 mov eax, dword ptr fs:[00000030h]	3_2_02F5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5EB20 mov eax, dword ptr fs:[00000030h]	3_2_02F5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FF8B28 mov eax, dword ptr fs:[00000030h]	3_2_02FF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FF8B28 mov eax, dword ptr fs:[00000030h]	3_2_02FF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	3_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	3_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	3_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	3_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	3_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	3_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	3_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	3_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	3_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6C8F9 mov eax, dword ptr fs:[00000030h]	3_2_02F6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6C8F9 mov eax, dword ptr fs:[00000030h]	3_2_02F6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FFA8E4 mov eax, dword ptr fs:[00000030h]	3_2_02FFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F5E8C0 mov eax, dword ptr fs:[00000030h]	3_2_02F5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FBC89D mov eax, dword ptr fs:[00000030h]	3_2_02FBC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F30887 mov eax, dword ptr fs:[00000030h]	3_2_02F30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FBE872 mov eax, dword ptr fs:[00000030h]	3_2_02FBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FBE872 mov eax, dword ptr fs:[00000030h]	3_2_02FBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC6870 mov eax, dword ptr fs:[00000030h]	3_2_02FC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC6870 mov eax, dword ptr fs:[00000030h]	3_2_02FC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F60854 mov eax, dword ptr fs:[00000030h]	3_2_02F60854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F34859 mov eax, dword ptr fs:[00000030h]	3_2_02F34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F34859 mov eax, dword ptr fs:[00000030h]	3_2_02F34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F42840 mov ecx, dword ptr fs:[00000030h]	3_2_02F42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F52835 mov eax, dword ptr fs:[00000030h]	3_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F52835 mov eax, dword ptr fs:[00000030h]	3_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F52835 mov eax, dword ptr fs:[00000030h]	3_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F52835 mov ecx, dword ptr fs:[00000030h]	3_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F52835 mov eax, dword ptr fs:[00000030h]	3_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F52835 mov eax, dword ptr fs:[00000030h]	3_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F6A830 mov eax, dword ptr fs:[00000030h]	3_2_02F6A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FD483A mov eax, dword ptr fs:[00000030h]	3_2_02FD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FD483A mov eax, dword ptr fs:[00000030h]	3_2_02FD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FBC810 mov eax, dword ptr fs:[00000030h]	3_2_02FBC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F629F9 mov eax, dword ptr fs:[00000030h]	3_2_02F629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F629F9 mov eax, dword ptr fs:[00000030h]	3_2_02F629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FBE9E0 mov eax, dword ptr fs:[00000030h]	3_2_02FBE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F649D0 mov eax, dword ptr fs:[00000030h]	3_2_02F649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FFA9D3 mov eax, dword ptr fs:[00000030h]	3_2_02FFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC69C0 mov eax, dword ptr fs:[00000030h]	3_2_02FC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB89B3 mov esi, dword ptr fs:[00000030h]	3_2_02FB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB89B3 mov eax, dword ptr fs:[00000030h]	3_2_02FB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB89B3 mov eax, dword ptr fs:[00000030h]	3_2_02FB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F429A0 mov eax, dword ptr fs:[00000030h]	3_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F429A0 mov eax, dword ptr fs:[00000030h]	3_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F429A0 mov eax, dword ptr fs:[00000030h]	3_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F429A0 mov eax, dword ptr fs:[00000030h]	3_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F429A0 mov eax, dword ptr fs:[00000030h]	3_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F429A0 mov eax, dword ptr fs:[00000030h]	3_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F429A0 mov eax, dword ptr fs:[00000030h]	3_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F429A0 mov eax, dword ptr fs:[00000030h]	3_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F429A0 mov eax, dword ptr fs:[00000030h]	3_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F429A0 mov eax, dword ptr fs:[00000030h]	3_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F429A0 mov eax, dword ptr fs:[00000030h]	3_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F429A0 mov eax, dword ptr fs:[00000030h]	3_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F429A0 mov eax, dword ptr fs:[00000030h]	3_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F309AD mov eax, dword ptr fs:[00000030h]	3_2_02F309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F309AD mov eax, dword ptr fs:[00000030h]	3_2_02F309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FD4978 mov eax, dword ptr fs:[00000030h]	3_2_02FD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FD4978 mov eax, dword ptr fs:[00000030h]	3_2_02FD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FBC97C mov eax, dword ptr fs:[00000030h]	3_2_02FBC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F56962 mov eax, dword ptr fs:[00000030h]	3_2_02F56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F56962 mov eax, dword ptr fs:[00000030h]	3_2_02F56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F56962 mov eax, dword ptr fs:[00000030h]	3_2_02F56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F7096E mov eax, dword ptr fs:[00000030h]	3_2_02F7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F7096E mov edx, dword ptr fs:[00000030h]	3_2_02F7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F7096E mov eax, dword ptr fs:[00000030h]	3_2_02F7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB0946 mov eax, dword ptr fs:[00000030h]	3_2_02FB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FB892A mov eax, dword ptr fs:[00000030h]	3_2_02FB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FC892B mov eax, dword ptr fs:[00000030h]	3_2_02FC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FBC912 mov eax, dword ptr fs:[00000030h]	3_2_02FBC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F28918 mov eax, dword ptr fs:[00000030h]	3_2_02F28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F28918 mov eax, dword ptr fs:[00000030h]	3_2_02F28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAE908 mov eax, dword ptr fs:[00000030h]	3_2_02FAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FAE908 mov eax, dword ptr fs:[00000030h]	3_2_02FAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F68EF5 mov eax, dword ptr fs:[00000030h]	3_2_02F68EF5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F36EE0 mov eax, dword ptr fs:[00000030h]	3_2_02F36EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F36EE0 mov eax, dword ptr fs:[00000030h]	3_2_02F36EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F36EE0 mov eax, dword ptr fs:[00000030h]	3_2_02F36EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F36EE0 mov eax, dword ptr fs:[00000030h]	3_2_02F36EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FCAEB0 mov eax, dword ptr fs:[00000030h]	3_2_02FCAEB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FCAEB0 mov eax, dword ptr fs:[00000030h]	3_2_02FCAEB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FBCEA0 mov eax, dword ptr fs:[00000030h]	3_2_02FBCEA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FBCEA0 mov eax, dword ptr fs:[00000030h]	3_2_02FBCEA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02FBCEA0 mov eax, dword ptr fs:[00000030h]	3_2_02FBCEA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2AE90 mov eax, dword ptr fs:[00000030h]	3_2_02F2AE90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2AE90 mov eax, dword ptr fs:[00000030h]	3_2_02F2AE90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_02F2AE90 mov eax, dword ptr fs:[00000030h]	3_2_02F2AE90

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_00FFA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00FFA66C

Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FE81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00FE81AC
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_00FE8189 SetUnhandledExceptionFilter,		0_2_00FE8189

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\NRFQFP.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\NRFQFP.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 252C008

Jump to behavior

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_00FFB106 LogonUserW,

0_2_00FFB106

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_00FC3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00FC3D19

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_0100411C SendInput,keybd_event,

0_2_0100411C

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_01007513 mouse_event,

0_2_01007513

Source: C:\Users\user\Desktop\NRFQFP.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\NRFQFP.exe"

Jump to behavior

Source: C:\Users\user\Desktop\NRFQFP.exe

0_2_00FFA66C

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_010071FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_010071FA

Source: NRFQFP.exe	Binary or memory string: Shell_TrayWnd
Source: NRFQFP.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_00FE65C4 cpuid

0_2_00FE65C4

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_0101091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_0101091D

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_0103B340 GetUserNameW,

0_2_0103B340

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_00FF1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00FF1E8E

Source: C:\Users\user\Desktop\NRFQFP.exe

Code function: 0_2_00FDDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FDDDC0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.2b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.2b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1530564387.00000000002B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1530811604.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: NRFQFP.exe	Binary or memory string: WIN_81
Source: NRFQFP.exe	Binary or memory string: WIN_XP
Source: NRFQFP.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: NRFQFP.exe	Binary or memory string: WIN_XPe
Source: NRFQFP.exe	Binary or memory string: WIN_VISTA
Source: NRFQFP.exe	Binary or memory string: WIN_7
Source: NRFQFP.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.2b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.2b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1530564387.00000000002B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1530811604.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_01018C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_01018C4F
Source: C:\Users\user\Desktop\NRFQFP.exe	Code function: 0_2_0101923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_0101923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	3 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	11 Input Capture	2 System Time Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	LSASS Memory	15 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	2 Virtualization/Sandbox Evasion	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	212 Process Injection	21 Access Token Manipulation	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	212 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	115 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
NRFQFP.exe	34%	ReversingLabs	Win32.Trojan.AutoitInject
NRFQFP.exe	35%	Virustotal		Browse
NRFQFP.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559974
Start date and time:	2024-11-21 08:57:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NRFQFP.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@3/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 51 Number of non-executed functions: 293
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
04:02:27	API Interceptor	3x Sleep call for process: svchost.exe modified

Process:	C:\Users\user\Desktop\NRFQFP.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.995151439528424
Encrypted:	true
SSDEEP:	6144:UQemcuyW5kMsU2K/JX7o3ADT77f9NyPRPhEiP7/zMey/B1e2hroq9J0/Yc:Uf7xwkk2K/Jc3ADTn/yPRPFTI/LecrNG
MD5:	8C0617933EFB72F7F3F65B0938865002
SHA1:	CAB711566819786E6D07A60F8277B265FBB74155
SHA-256:	AF60C22A76662C0CA015BBEDFB44076900D71F55E21404405ECF831846329EC9
SHA-512:	28302A4545F86BF5E499860480A317EF94EF32C62055E64E0E80B0EA1324C3B60518F174ECEB6C0E17905CD8924ECC9C335E200D65A89428F7AFA6FB7511E7E7
Malicious:	false
Reputation:	low
Preview:	.n.BB83K5SKW.TZ.38LX9S4r4LBA83K1SKW1FTZP38LX9S424LBA83K1SKW.FTZ^,.BX.Z...M...g#X k'C)3(1^./9W=[F..'aJF%.:%wu..z=\\)v4^>.4LBA83KHRB..&3.mS_.eY4.(..{XT.+...&3.J...dY4.`]/*\|XT.1SKW1FTZ.v8L.8R4..S.A83K1SKW.FV[[23LXmW424LBA83KQGKW1VTZPC<LX9.42$LBA:3K7SKW1FTZV38LX9S42DHBA:3K1SKW3F..P3(LX)S424\BA(3K1SKW!FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S4.@):583K5.OW1VTZPg<LX)S424LBA83K1SKW.FT:P38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZ

C:\Users\user\AppData\Local\Temp\seskin

Download File

Process:	C:\Users\user\Desktop\NRFQFP.exe
File Type:	data
Category:	modified
Size (bytes):	288256
Entropy (8bit):	7.995151439528424
Encrypted:	true
SSDEEP:	6144:UQemcuyW5kMsU2K/JX7o3ADT77f9NyPRPhEiP7/zMey/B1e2hroq9J0/Yc:Uf7xwkk2K/Jc3ADTn/yPRPFTI/LecrNG
MD5:	8C0617933EFB72F7F3F65B0938865002
SHA1:	CAB711566819786E6D07A60F8277B265FBB74155
SHA-256:	AF60C22A76662C0CA015BBEDFB44076900D71F55E21404405ECF831846329EC9
SHA-512:	28302A4545F86BF5E499860480A317EF94EF32C62055E64E0E80B0EA1324C3B60518F174ECEB6C0E17905CD8924ECC9C335E200D65A89428F7AFA6FB7511E7E7
Malicious:	false
Reputation:	low
Preview:	.n.BB83K5SKW.TZ.38LX9S4r4LBA83K1SKW1FTZP38LX9S424LBA83K1SKW.FTZ^,.BX.Z...M...g#X k'C)3(1^./9W=[F..'aJF%.:%wu..z=\\)v4^>.4LBA83KHRB..&3.mS_.eY4.(..{XT.+...&3.J...dY4.`]/*\|XT.1SKW1FTZ.v8L.8R4..S.A83K1SKW.FV[[23LXmW424LBA83KQGKW1VTZPC<LX9.42$LBA:3K7SKW1FTZV38LX9S42DHBA:3K1SKW3F..P3(LX)S424\BA(3K1SKW!FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S4.@):583K5.OW1VTZPg<LX)S424LBA83K1SKW.FT:P38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZP38LX9S424LBA83K1SKW1FTZ

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.145851449469695
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NRFQFP.exe
File size:	1'212'928 bytes
MD5:	1a911551867098e14d09eba0f3230e20
SHA1:	505baedb0168073fd5f67637a8409b1bab84e2c4
SHA256:	7925886f109959a6344123901123559f304a400dc2a2d3768d9fbe42d7d8305c
SHA512:	fae4e0905641179b32ba73af7071b2ced7ba24bc5ea0f46ea30de04c84cff5d88eb7c6f54d24fe17b4668e51cc439b9c79a6789c33bf874cfce4cfc9cb09373c
SSDEEP:	24576:etb20pkaCqT5TBWgNQ7a1h61Yb6eQdBVfz/Ib06A:LVg5tQ7a1hhbOdBVfz/IY5
TLSH:	0C45C01373DD8361C3725273BA25BB01BEBF782506A5F96B2FD8093DE920122525E673
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x673E8334 [Thu Nov 21 00:47:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F9290D62C2Fh
jmp 00007F9290D55C44h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F9290D55DCAh
cmp edi, eax
jc 00007F9290D5612Eh
bt dword ptr [004C0158h], 01h
jnc 00007F9290D55DC9h
rep movsb
jmp 00007F9290D560DCh
cmp ecx, 00000080h
jc 00007F9290D55F94h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F9290D55DD0h
bt dword ptr [004BA370h], 01h
jc 00007F9290D562A0h
bt dword ptr [004C0158h], 00000000h
jnc 00007F9290D55F6Dh
test edi, 00000003h
jne 00007F9290D55F7Eh
test esi, 00000003h
jne 00007F9290D55F5Dh
bt edi, 02h
jnc 00007F9290D55DCFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F9290D55DD3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F9290D55E25h
bt esi, 03h
jnc 00007F9290D55E78h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x5f0c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x124000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x5f0c8	0x5f200	7e364056e08ee27b72b075ada2fe679f	False	0.9308321698423128	data	7.9012605715517195	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x124000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xca038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xca4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xca4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcaa84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc7b8	0x563cd	data			1.0003283988573985
RT_GROUP_ICON	0x122b88	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x122c00	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x122c14	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x122c28	0x14	data	English	Great Britain	1.25
RT_VERSION	0x122c3c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x122d18	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Target ID:	0
Start time:	02:58:03
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\NRFQFP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NRFQFP.exe"
Imagebase:	0xfc0000
File size:	1'212'928 bytes
MD5 hash:	1A911551867098E14D09EBA0F3230E20
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:58:04
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NRFQFP.exe"
Imagebase:	0x340000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1530564387.00000000002B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1530811604.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0.3%
Signature Coverage:	10.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	165

Executed Functions

Function 00FEB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb9602fbad7b3b00e44440efd0553adc570078fe39b51305c5df5626263e8f7
Instruction ID: 0b9d0910f2f9dbdca100ef6fed0d370941766e53d4f2d3e6482ec0399ff8553c
Opcode Fuzzy Hash: deb9602fbad7b3b00e44440efd0553adc570078fe39b51305c5df5626263e8f7
Instruction Fuzzy Hash: B9326B75B022A88BCB24CF16DC816EAB7B5FF46310F1840D9E44AA7A85D7349E81DF52

Function 00FC3D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00FC3AA3,?), ref: 00FC3D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00FC3AA3,?), ref: 00FC3D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,01081148,01081130,?,?,?,?,00FC3AA3,?), ref: 00FC3DC8

Part of subcall function 00FC6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00FC3DEE,01081148,?,?,?,?,?,00FC3AA3,?), ref: 00FC6471

SetCurrentDirectoryW.KERNEL32(?,?,?,00FC3AA3,?), ref: 00FC3E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,010728F4,00000010), ref: 01031CCE
SetCurrentDirectoryW.KERNEL32(?,01081148,?,?,?,?,?,00FC3AA3,?), ref: 01031D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0105DAB4,01081148,?,?,?,?,?,00FC3AA3,?), ref: 01031D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00FC3AA3), ref: 01031D90

Part of subcall function 00FC3E6E: GetSysColorBrush.USER32(0000000F), ref: 00FC3E79
Part of subcall function 00FC3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00FC3E88
Part of subcall function 00FC3E6E: LoadIconW.USER32(00000063), ref: 00FC3E9E
Part of subcall function 00FC3E6E: LoadIconW.USER32(000000A4), ref: 00FC3EB0
Part of subcall function 00FC3E6E: LoadIconW.USER32(000000A2), ref: 00FC3EC2
Part of subcall function 00FC3E6E: RegisterClassExW.USER32(?), ref: 00FC3F30

Part of subcall function 00FC36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FC36E6
Part of subcall function 00FC36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FC3707
Part of subcall function 00FC36B8: ShowWindow.USER32(00000000,?,?,?,?,00FC3AA3,?), ref: 00FC371B
Part of subcall function 00FC36B8: ShowWindow.USER32(00000000,?,?,?,?,00FC3AA3,?), ref: 00FC3724

Part of subcall function 00FC4FFC: _memset.LIBCMT ref: 00FC5022
Part of subcall function 00FC4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FC50CB

Strings

This is a third-party compiled AutoIt script., xrefs: 01031CC8
runas, xrefs: 01031D84

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-3287110873
Opcode ID: 5601ecf755041798bc72fea35bf7a95e67596146294cca9a0fb74a1bf52c4ad6
Instruction ID: 21e67571060ffae795ede2f79a5616da27e80a5ac82aa8761cffa1871328fe16
Opcode Fuzzy Hash: 5601ecf755041798bc72fea35bf7a95e67596146294cca9a0fb74a1bf52c4ad6
Instruction Fuzzy Hash: C4510631A0824AAECF21BBF0DE46FAD7B75AF55B40F00805CF0D156146CA7D564AAB21

Function 00FDDDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00FDDDEC
GetCurrentProcess.KERNEL32(00000000,0105DC38,?,?), ref: 00FDDEAC
GetNativeSystemInfo.KERNELBASE(?,0105DC38,?,?), ref: 00FDDF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 00FDDF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 00FDDF1F
GetSystemInfo.KERNEL32(?,0105DC38,?,?), ref: 00FDDF29
GetSystemInfo.KERNEL32(?,0105DC38,?,?), ref: 00FDDF35

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: eac56b52fa2c455ee9fffcf38107ca470e5ce19b465587886c12f2023c976dd5
Instruction ID: f59fcd6744bd3f8d885fb0d520e7882456b95324b6054ff08055546ecdcc0d41
Opcode Fuzzy Hash: eac56b52fa2c455ee9fffcf38107ca470e5ce19b465587886c12f2023c976dd5
Instruction Fuzzy Hash: CC61D2B180A384DFCF16CF6898C16ED7FB56F69300B1989DAD8859F30BC624C508DB65

Function 00FC406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00FC449E,?,?,00000000,00000001), ref: 00FC407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FC449E,?,?,00000000,00000001), ref: 00FC4092
LoadResource.KERNEL32(?,00000000,?,?,00FC449E,?,?,00000000,00000001,?,?,?,?,?,?,00FC41FB), ref: 01034F1A
SizeofResource.KERNEL32(?,00000000,?,?,00FC449E,?,?,00000000,00000001,?,?,?,?,?,?,00FC41FB), ref: 01034F2F
LockResource.KERNEL32(00FC449E,?,?,00FC449E,?,?,00000000,00000001,?,?,?,?,?,?,00FC41FB,00000000), ref: 01034F42

Strings

SCRIPT, xrefs: 00FC4088

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 6015428926915abdde9b7026d9098ceacaf9f7602bbe8e7a6d460ccff5036335
Instruction ID: c1ad9303798bda8d625cd595298e4d0775fbc3bb84dc6976454c701b18d4d81c
Opcode Fuzzy Hash: 6015428926915abdde9b7026d9098ceacaf9f7602bbe8e7a6d460ccff5036335
Instruction Fuzzy Hash: 27115E75240701AFE7318B65DE89F277BB9EBD5B61F10416CF64286254DA72EC009B30

Function 01006CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,01032F49), ref: 01006CB9
FindFirstFileW.KERNELBASE(?,?), ref: 01006CCA
FindClose.KERNEL32(00000000), ref: 01006CDA

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 885f74983d585e83ee4854da78747bd8c4a78e0d1e4aa12a56bba4df381b19b0
Instruction ID: 5ebc349eeb1d77ca01cb42fb75ebc910159f47fec07b41f851ad445401c7c5b0
Opcode Fuzzy Hash: 885f74983d585e83ee4854da78747bd8c4a78e0d1e4aa12a56bba4df381b19b0
Instruction Fuzzy Hash: 61E0D875C104146792256778ED4D8F937EDDA05239F100759FDB1C11D0E776D91047D5

Function 00FD3B70 Relevance: 2.2, Strings: 1, Instructions: 903COMMON

Download Yara Rule

Strings

@, xrefs: 00FD4176

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @
API String ID: 3728558374-2766056989
Opcode ID: 2261adc1e4eb12adc72c25fb6c315efc22056ab9167cb1626173a529525818eb
Instruction ID: 3108efbdfd08bfc1a03d9199d4bc3e0029fdf9b0f15c511af3613319cd5b38a4
Opcode Fuzzy Hash: 2261adc1e4eb12adc72c25fb6c315efc22056ab9167cb1626173a529525818eb
Instruction Fuzzy Hash: D972D171D00209DFDF14DF98C881BAEB7B6EF44310F18805AEA45AB391D735AE45EB92

Function 00FD3200 Relevance: 1.0, Instructions: 986COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: f233375ec54271a0da7e9d48cef9e812f488f42e3567fe1b83802dd0b8bcfd3a
Instruction ID: bf3beff0dc2d2204da0ec3b3a26ba679a6b677820cb92c2bc0b809f8075a3618
Opcode Fuzzy Hash: f233375ec54271a0da7e9d48cef9e812f488f42e3567fe1b83802dd0b8bcfd3a
Instruction Fuzzy Hash: 9B928E716083418FD724DF18C480F6ABBE6FF84308F18885EEA8A8B352D775E945DB52

Function 00FCE8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FCE959
timeGetTime.WINMM ref: 00FCEBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FCED2E
TranslateMessage.USER32(?), ref: 00FCED3F
DispatchMessageW.USER32(?), ref: 00FCED4A
LockWindowUpdate.USER32(00000000), ref: 00FCED79
DestroyWindow.USER32 ref: 00FCED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FCED9F
Sleep.KERNEL32(0000000A), ref: 01035270
TranslateMessage.USER32(?), ref: 010359F7
DispatchMessageW.USER32(?), ref: 01035A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 01035A19

Strings

@GUI_CTRLID, xrefs: 01035314
@GUI_CTRLHANDLE, xrefs: 010353AC
@TRAY_ID, xrefs: 010354C9
@GUI_WINHANDLE, xrefs: 01035360

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: eaf50373145666254745dbec63f28e2b46dfdebd8070bb53895241095e07d2d3
Instruction ID: b9e6b26a9331ac743ae97f591ec78713c4e232d1a399e22703b6a97fc334481a
Opcode Fuzzy Hash: eaf50373145666254745dbec63f28e2b46dfdebd8070bb53895241095e07d2d3
Instruction Fuzzy Hash: E862E470508341CFEB21DF24C986FAA77E4BF94304F08496DF9C68B292DB799848DB52

Function 00FF5C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00FF5EC3
___createFile.LIBCMT ref: 00FF5F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00FF5F2D
__dosmaperr.LIBCMT ref: 00FF5F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00FF5F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00FF5F6A
__dosmaperr.LIBCMT ref: 00FF5F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00FF5F7C
__set_osfhnd.LIBCMT ref: 00FF5FAC
__lseeki64_nolock.LIBCMT ref: 00FF6016
__close_nolock.LIBCMT ref: 00FF603C
__chsize_nolock.LIBCMT ref: 00FF606C
__lseeki64_nolock.LIBCMT ref: 00FF607E
__lseeki64_nolock.LIBCMT ref: 00FF6176
__lseeki64_nolock.LIBCMT ref: 00FF618B
__close_nolock.LIBCMT ref: 00FF61EB

Part of subcall function 00FEEA9C: CloseHandle.KERNELBASE(00000000,0106EEF4,00000000,?,00FF6041,0106EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00FEEAEC
Part of subcall function 00FEEA9C: GetLastError.KERNEL32(?,00FF6041,0106EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00FEEAF6
Part of subcall function 00FEEA9C: __free_osfhnd.LIBCMT ref: 00FEEB03
Part of subcall function 00FEEA9C: __dosmaperr.LIBCMT ref: 00FEEB25

Part of subcall function 00FE7C0E: __getptd_noexit.LIBCMT ref: 00FE7C0E

__lseeki64_nolock.LIBCMT ref: 00FF620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00FF6342
___createFile.LIBCMT ref: 00FF6361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00FF636E
__dosmaperr.LIBCMT ref: 00FF6375
__free_osfhnd.LIBCMT ref: 00FF6395
__invoke_watson.LIBCMT ref: 00FF63C3
__wsopen_helper.LIBCMT ref: 00FF63DD

Strings

@, xrefs: 00FF5F98

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: da59d181c0359f08611647a0419cbaecdb4a437ff5b61f5a07aa9ea5a45f7093
Instruction ID: 28c3c12906ff94cb2ea89765d7fab28699d69145e6285bca0b14fb3292b6b010
Opcode Fuzzy Hash: da59d181c0359f08611647a0419cbaecdb4a437ff5b61f5a07aa9ea5a45f7093
Instruction Fuzzy Hash: 62221071D0460E9BEF299E68CC85BBD7B61EF04724F244268E761EB2F1CA398D40E751

Function 0100FA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 0100FA96
_wcschr.LIBCMT ref: 0100FAA4
_wcscpy.LIBCMT ref: 0100FABB
_wcscat.LIBCMT ref: 0100FACA
_wcscat.LIBCMT ref: 0100FAE8
_wcscpy.LIBCMT ref: 0100FB09
__wsplitpath.LIBCMT ref: 0100FBE6
_wcscpy.LIBCMT ref: 0100FC0B
_wcscpy.LIBCMT ref: 0100FC1D
_wcscpy.LIBCMT ref: 0100FC32
_wcscat.LIBCMT ref: 0100FC47
_wcscat.LIBCMT ref: 0100FC59
_wcscat.LIBCMT ref: 0100FC6E

Part of subcall function 0100BFA4: _wcscmp.LIBCMT ref: 0100C03E
Part of subcall function 0100BFA4: __wsplitpath.LIBCMT ref: 0100C083
Part of subcall function 0100BFA4: _wcscpy.LIBCMT ref: 0100C096
Part of subcall function 0100BFA4: _wcscat.LIBCMT ref: 0100C0A9
Part of subcall function 0100BFA4: __wsplitpath.LIBCMT ref: 0100C0CE
Part of subcall function 0100BFA4: _wcscat.LIBCMT ref: 0100C0E4
Part of subcall function 0100BFA4: _wcscat.LIBCMT ref: 0100C0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0100FA61

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2955681530-2806939583
Opcode ID: e20c6f3c24779b822979da663b5cf9aa858171c59d5e03d5b6b013630c843157
Instruction ID: 0a4d4690bf8bce26e25b6ac3b67d2d32e7859b24d77154da5cfca8d968fe31c9
Opcode Fuzzy Hash: e20c6f3c24779b822979da663b5cf9aa858171c59d5e03d5b6b013630c843157
Instruction Fuzzy Hash: 2991F271504246AFEB21EB54CD42F9AB3E8FF84300F04485DF99987292DB79F944DB92

Function 00FC3F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FC3F86
RegisterClassExW.USER32(00000030), ref: 00FC3FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC3FC1
InitCommonControlsEx.COMCTL32(?), ref: 00FC3FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FC3FEE
LoadIconW.USER32(000000A9), ref: 00FC4004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FC4013

Strings

TaskbarCreated, xrefs: 00FC3FB6
+, xrefs: 00FC3F6F
AutoIt v3 GUI, xrefs: 00FC3FA2
0, xrefs: 00FC3F68

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: a5881019a50ef577bd00789ac4d4fa46362a52dddbe4820bf7b300e4da395675
Instruction ID: c980aac6fda1ef8abba550ee163d7c1996e2d74f5b01d621e25964c398ed6677
Opcode Fuzzy Hash: a5881019a50ef577bd00789ac4d4fa46362a52dddbe4820bf7b300e4da395675
Instruction Fuzzy Hash: 9D21F7B5E04318AFDB60DFE4E989BCDBBB4FB18704F00421AF591A6284D7BA05458F90

Function 0100BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0100BDB4: __time64.LIBCMT ref: 0100BDBE

Part of subcall function 00FC4517: _fseek.LIBCMT ref: 00FC452F

__wsplitpath.LIBCMT ref: 0100C083

Part of subcall function 00FE1DFC: __wsplitpath_helper.LIBCMT ref: 00FE1E3C

_wcscpy.LIBCMT ref: 0100C096
_wcscat.LIBCMT ref: 0100C0A9
__wsplitpath.LIBCMT ref: 0100C0CE
_wcscat.LIBCMT ref: 0100C0E4
_wcscat.LIBCMT ref: 0100C0F7
_wcscmp.LIBCMT ref: 0100C03E

Part of subcall function 0100C56D: _wcscmp.LIBCMT ref: 0100C65D
Part of subcall function 0100C56D: _wcscmp.LIBCMT ref: 0100C670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0100C2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0100C338
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0100C34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0100C35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0100C371

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: df627efc82c8af095d8da0b6db3d865b0d6c4c8d660e1480a9832d868dc1f253
Instruction ID: ae4630c7af44c477731747bd1b2ef0d1e82790d007439c155a2f6a60b8c28b29
Opcode Fuzzy Hash: df627efc82c8af095d8da0b6db3d865b0d6c4c8d660e1480a9832d868dc1f253
Instruction Fuzzy Hash: 30C14CB1D00219AFEF21DF95CD81EDEB7BDEF59300F0081AAE649E6151DB349A848F61

Function 00FC3742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00FC37B3
KillTimer.USER32(?,00000001), ref: 00FC37DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FC3800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC380B
CreatePopupMenu.USER32 ref: 00FC381F
PostQuitMessage.USER32(00000000), ref: 00FC382E

Strings

TaskbarCreated, xrefs: 00FC3806

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 816189ac07adba3e3f41b916dac620d375d4369be9bc2ac8e591be40396bf2e5
Instruction ID: c985ad7b1ff1abd599b0cb6609ad88c5cd7f2bff02222b665f30ddf8a7d8d890
Opcode Fuzzy Hash: 816189ac07adba3e3f41b916dac620d375d4369be9bc2ac8e591be40396bf2e5
Instruction Fuzzy Hash: BE412AF660C1476BEB206B68DE4BF7936A5FF58390F04811DF5C296180CA7A9902B761

Function 00FC3E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FC3E79
LoadCursorW.USER32(00000000,00007F00), ref: 00FC3E88
LoadIconW.USER32(00000063), ref: 00FC3E9E
LoadIconW.USER32(000000A4), ref: 00FC3EB0
LoadIconW.USER32(000000A2), ref: 00FC3EC2

Part of subcall function 00FC4024: LoadImageW.USER32(00FC0000,00000063,00000001,00000010,00000010,00000000), ref: 00FC4048

RegisterClassExW.USER32(?), ref: 00FC3F30

Part of subcall function 00FC3F53: GetSysColorBrush.USER32(0000000F), ref: 00FC3F86
Part of subcall function 00FC3F53: RegisterClassExW.USER32(00000030), ref: 00FC3FB0
Part of subcall function 00FC3F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC3FC1
Part of subcall function 00FC3F53: InitCommonControlsEx.COMCTL32(?), ref: 00FC3FDE
Part of subcall function 00FC3F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FC3FEE
Part of subcall function 00FC3F53: LoadIconW.USER32(000000A9), ref: 00FC4004
Part of subcall function 00FC3F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FC4013

Strings

#, xrefs: 00FC3F09
AutoIt v3, xrefs: 00FC3F1F
0, xrefs: 00FC3F02

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 6e4faf703c63eb5af72b81f59794c0ee2f47f2103a9ad3a614810588bee7495d
Instruction ID: 1f10aa46dae1f4501bc0b434a0c0f3c5567e7c2f32d56eba46f36c2c4414e85b
Opcode Fuzzy Hash: 6e4faf703c63eb5af72b81f59794c0ee2f47f2103a9ad3a614810588bee7495d
Instruction Fuzzy Hash: 1E2141B4E08304AFDB24DFA9E946A9DBFF5FF48710F00411AE684A2294D37A45019F91

Function 01ADA5B8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01ADA689
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01ADA8AF

Memory Dump Source

Source File: 00000000.00000002.1276220392.0000000001AD8000.00000040.00000020.00020000.00000000.sdmp, Offset: 01AD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ad8000_NRFQFP.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 966174affad311d6204548a92a281b1da250bb1a2b19b4c878101ea01a330e63
Instruction ID: b6cc49610cfc34bf4514b5def90f94c9d3bf4da43fc8b44958b1a116095eede3
Opcode Fuzzy Hash: 966174affad311d6204548a92a281b1da250bb1a2b19b4c878101ea01a330e63
Instruction Fuzzy Hash: B2A12974E00609EBDB14CFA4C999BEEBBB5FF48304F248159E516BB280D7759A41CF90

Function 00FC49FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00FC4A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 010341DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0103421A
RegCloseKey.ADVAPI32(?), ref: 01034249

Strings

Include, xrefs: 010341D3, 01034212
Software\AutoIt v3\AutoIt, xrefs: 00FC4A13

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 32e23861149e3deb74280736b4a9c9e79bacb58f833d0a3996e70f5db7bd6dc1
Instruction ID: b85a74cf1246cf0ff96701b23cadf225b4a44a20221153dc395adf4b71e74efb
Opcode Fuzzy Hash: 32e23861149e3deb74280736b4a9c9e79bacb58f833d0a3996e70f5db7bd6dc1
Instruction Fuzzy Hash: 211172B5600109BFEB10EBE8CE86EBF7BBCEF04344F000059B546E7151EA75AE01A750

Function 00FC36B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FC36E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FC3707
ShowWindow.USER32(00000000,?,?,?,?,00FC3AA3,?), ref: 00FC371B
ShowWindow.USER32(00000000,?,?,?,?,00FC3AA3,?), ref: 00FC3724

Strings

AutoIt v3, xrefs: 00FC36DE, 00FC36E3, 00FC36E4
edit, xrefs: 00FC3701

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a63f71593903e670d968625bd39c387f2d0c8d50af0f097246ee620da589e4e4
Instruction ID: 1e4f67fb7b1822d4326b4dab3a95f5079b0bfb12fc06248f8800cbadb8dde726
Opcode Fuzzy Hash: a63f71593903e670d968625bd39c387f2d0c8d50af0f097246ee620da589e4e4
Instruction Fuzzy Hash: 3AF03A746482D07EE7315697AC48E6B2E7DEBC6F20B00001FBA84A6194C1BA0843EFB0

Function 01ADA388 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01ADA278: Sleep.KERNELBASE(000001F4), ref: 01ADA289

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01ADA4AE

Strings

24LBA83K1SKW1FTZP38LX9S4, xrefs: 01ADA511, 01ADA514

Memory Dump Source

Source File: 00000000.00000002.1276220392.0000000001AD8000.00000040.00000020.00020000.00000000.sdmp, Offset: 01AD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ad8000_NRFQFP.jbxd

Similarity

API ID: CreateFileSleep
String ID: 24LBA83K1SKW1FTZP38LX9S4
API String ID: 2694422964-2867489259
Opcode ID: ca1ae687c46467f4a2ad97251de0ddf65a119b586e40e129c62edb8ed34d9081
Instruction ID: 138ce7e668b801cc2bd7d06c88a316771b1da849115404fe62b85fcb4fa8241c
Opcode Fuzzy Hash: ca1ae687c46467f4a2ad97251de0ddf65a119b586e40e129c62edb8ed34d9081
Instruction Fuzzy Hash: 0D51A370D04289DAEF11DBF4C958BEEBBB8AF15304F044199E6097B2C1D7B90B49CBA5

Function 00FC51AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00FC522F
_wcscpy.LIBCMT ref: 00FC5283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FC5293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 01033CB0

Strings

Line: , xrefs: 01033CD9

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 0b22fc78fe2a9bd56aad4f4e5103abd78a085741eca98b4cfab0a9c9a4affd17
Instruction ID: f2b874494747a3e22fe4947b0646b58736797466461785aa25c3887a009f3988
Opcode Fuzzy Hash: 0b22fc78fe2a9bd56aad4f4e5103abd78a085741eca98b4cfab0a9c9a4affd17
Instruction Fuzzy Hash: 9831BE71508342AFD330EBA0DD47FDEB7D8AF84710F00451EF5C986081EBB8A589AB96

Function 00FC4139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 00FC41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00FC39FE,?,00000001), ref: 00FC41DB

_free.LIBCMT ref: 010336B7
_free.LIBCMT ref: 010336FE

Part of subcall function 00FCC833: __wsplitpath.LIBCMT ref: 00FCC93E
Part of subcall function 00FCC833: _wcscpy.LIBCMT ref: 00FCC953
Part of subcall function 00FCC833: _wcscat.LIBCMT ref: 00FCC968
Part of subcall function 00FCC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00FCC978

Strings

Bad directive syntax error, xrefs: 010336E4
>>>AUTOIT SCRIPT<<<, xrefs: 01033491

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: 09b394fd511ad190aea129be6a96e163652c439362f2e9e37d7ee51f4b7760fd
Instruction ID: bc26931a527692b8386f070a06f3fed244c5a0c4cfa435f0936c9ae6b42acf34
Opcode Fuzzy Hash: 09b394fd511ad190aea129be6a96e163652c439362f2e9e37d7ee51f4b7760fd
Instruction Fuzzy Hash: E491A571910219AFDF05EFA8CD92DEEB7B8BF48310F04406EF456AB291DB34A944DB50

Function 00FC4A30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00FC5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01081148,?,00FC61FF,?,00000000,00000001,00000000), ref: 00FC5392

Part of subcall function 00FC49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00FC4A1D

_wcscat.LIBCMT ref: 01032D80
_wcscat.LIBCMT ref: 01032DB5

Strings

\Include\, xrefs: 00FC4B0A
\, xrefs: 01032DA2

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: \$\Include\
API String ID: 3592542968-2640467822
Opcode ID: c69460cf30ca9500c9032672e3cb084cfc3055e33a361bb8cf8dfeb7a442dee4
Instruction ID: 7c44f470e6b3ab253473e927a0824bf4a68b0186eb9690a79f08dd969eca2da6
Opcode Fuzzy Hash: c69460cf30ca9500c9032672e3cb084cfc3055e33a361bb8cf8dfeb7a442dee4
Instruction Fuzzy Hash: 5A51B3794083419BCB24EF59DA8299EB7F8FFA9700B50052EF6C483241DB399548DB52

Function 00FE34AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 00FE34FE

Part of subcall function 00FE7C0E: __getptd_noexit.LIBCMT ref: 00FE7C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00FE3539
__wopenfile.LIBCMT ref: 00FE3549

Strings

<G, xrefs: 00FE34CD, 00FE34F0, 00FE34FC

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 087cebe63eb135a24e0e5bb1edfb770199eed73a4f634700597ef811da940ba3
Instruction ID: abceff8c21ecb2c03dc61d29df89fe33e535f48ad2161682a323bad8e16f3376
Opcode Fuzzy Hash: 087cebe63eb135a24e0e5bb1edfb770199eed73a4f634700597ef811da940ba3
Instruction Fuzzy Hash: 6411E771E003869BDB11BF779C4A66E36E5AF45360F198425E415DB281EB38CA01B7A1

Function 00FDD298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00FDD28B,SwapMouseButtons,00000004,?), ref: 00FDD2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00FDD28B,SwapMouseButtons,00000004,?,?,?,?,00FDC865), ref: 00FDD2DD
RegCloseKey.KERNELBASE(00000000,?,?,00FDD28B,SwapMouseButtons,00000004,?,?,?,?,00FDC865), ref: 00FDD2FF

Strings

Control Panel\Mouse, xrefs: 00FDD2BA

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 9f2d4056da2e0de929b67e240b523afdfaac4ee9011c9750d87afe4686a4237e
Instruction ID: 85b0849c070319b82f7e47b8bbcc31a66d0db61a7714b7b9c1c24ed459ce4a4c
Opcode Fuzzy Hash: 9f2d4056da2e0de929b67e240b523afdfaac4ee9011c9750d87afe4686a4237e
Instruction Fuzzy Hash: 11115E76A11208BFDB208FA4CC84EAF7BBDEF54754B14456AF805D7210D731DE41AB60

Function 01AD9278 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01AD9A33
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01AD9AC9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01AD9AEB

Memory Dump Source

Source File: 00000000.00000002.1276220392.0000000001AD8000.00000040.00000020.00020000.00000000.sdmp, Offset: 01AD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ad8000_NRFQFP.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e15f4bf7b2d8a2436c426929ce02fd6b814221300437380313034c1dc15b3d9c
Instruction ID: b5252c4bd8982197c4d8d4fbbcf0260e29167184ea3c5501499ef8272205a8bc
Opcode Fuzzy Hash: e15f4bf7b2d8a2436c426929ce02fd6b814221300437380313034c1dc15b3d9c
Instruction Fuzzy Hash: 05620A30A14618DBEB24CFA4C840BDEB776EF58304F1091A9D20DEB394E7769E85CB59

Function 0100C396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00FC4517: _fseek.LIBCMT ref: 00FC452F

Part of subcall function 0100C56D: _wcscmp.LIBCMT ref: 0100C65D
Part of subcall function 0100C56D: _wcscmp.LIBCMT ref: 0100C670

_free.LIBCMT ref: 0100C4DD
_free.LIBCMT ref: 0100C4E4
_free.LIBCMT ref: 0100C54F

Part of subcall function 00FE1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00FE7A85), ref: 00FE1CB1
Part of subcall function 00FE1C9D: GetLastError.KERNEL32(00000000,?,00FE7A85), ref: 00FE1CC3

_free.LIBCMT ref: 0100C557

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: acbc9bddfc27afc87d88584c9959c104a0ea567534d53ec5d359cc2505f852cb
Instruction ID: 32fcc7371bb086534ae3876fe55e3bb5e4267d0751a26fdbe2f82e0feba98458
Opcode Fuzzy Hash: acbc9bddfc27afc87d88584c9959c104a0ea567534d53ec5d359cc2505f852cb
Instruction Fuzzy Hash: 575180B5904219AFEF159F68DC81BEDBBB9FF08304F10009EF648A3291DB755A808F18

Function 00FDEB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FDEBB2

Part of subcall function 00FC51AF: _memset.LIBCMT ref: 00FC522F
Part of subcall function 00FC51AF: _wcscpy.LIBCMT ref: 00FC5283
Part of subcall function 00FC51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FC5293

KillTimer.USER32(?,00000001,?,?), ref: 00FDEC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FDEC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 01033C88

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 02f6c0bea78ca890b8e512d41a00d4ed9ed370df6764af76754e0db8d44fa448
Instruction ID: fb573068061333449a37ea38a3c7cdfe62b0a2a3b93e70a2ce6d1a3d2b043fec
Opcode Fuzzy Hash: 02f6c0bea78ca890b8e512d41a00d4ed9ed370df6764af76754e0db8d44fa448
Instruction Fuzzy Hash: 2B212C709047849FE7339728C895BEBBFECAF41308F04008EE6CE5A241C7752984CB51

Function 00FC40E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01033725
GetOpenFileNameW.COMDLG32 ref: 0103376F

Part of subcall function 00FC660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC53B1,?,?,00FC61FF,?,00000000,00000001,00000000), ref: 00FC662F

Part of subcall function 00FC40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FC40C6

Strings

X, xrefs: 0103373E

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: c17575a95acd81d1c6306615d1dfd34405aa861a08c31729ecf338687cc06b4e
Instruction ID: 20c517c89f2fa294413c4954457366d98487112e50e22bdc5b21640b8a5aa7c5
Opcode Fuzzy Hash: c17575a95acd81d1c6306615d1dfd34405aa861a08c31729ecf338687cc06b4e
Instruction Fuzzy Hash: 1521D871A101989FDB16DFD8CC46BDE7BF8AF88304F00405DE544EB241DBB866899F65

Function 0100C71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0100C72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0100C746

Strings

aut, xrefs: 0100C740

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: c5eaaecda3f782fcbf2ca0a2ff284bcf5a2698514816215622145df26f6bb015
Instruction ID: 9082e87aefa5bd0b89a358256504ab9249c9cfa6abaaf4cec5288b06e0f5b640
Opcode Fuzzy Hash: c5eaaecda3f782fcbf2ca0a2ff284bcf5a2698514816215622145df26f6bb015
Instruction Fuzzy Hash: 89D0A57550030E7BDB5097E0DD4DFC6777C5710704F000150B7D0D50A1D779D5958B55

Function 0101F8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0b66c79e8fafab27ee0ab3f394cfb8390c59d82b246bde31bd1962d443927d
Instruction ID: 48130eca2155feae413dd64f4d8a4fb71ce0c204aa77e724948c5693c2674260
Opcode Fuzzy Hash: dc0b66c79e8fafab27ee0ab3f394cfb8390c59d82b246bde31bd1962d443927d
Instruction Fuzzy Hash: 6EF16B716043029FD710DF28C984B6EB7E5BF88314F14896EF9959B391DB39E909CB82

Function 00FC4FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FC5022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FC50CB

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: c026f718d918659a1b4d9bc55659d7d1d462579faadc4d61857aced9f8e66691
Instruction ID: 5715a32215b9612a51a9a640f393d4543ae963204ae9b3007dabda5211288635
Opcode Fuzzy Hash: c026f718d918659a1b4d9bc55659d7d1d462579faadc4d61857aced9f8e66691
Instruction Fuzzy Hash: 6631ADB1908702CFC721DF64D985B9BBBE8BF48704F00092EE5DAC2240E7766985CB92

Function 00FE395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00FE3973

Part of subcall function 00FE81C2: __NMSG_WRITE.LIBCMT ref: 00FE81E9
Part of subcall function 00FE81C2: __NMSG_WRITE.LIBCMT ref: 00FE81F3

__NMSG_WRITE.LIBCMT ref: 00FE397A

Part of subcall function 00FE821F: GetModuleFileNameW.KERNEL32(00000000,01080312,00000104,00000000,00000001,00000000), ref: 00FE82B1
Part of subcall function 00FE821F: ___crtMessageBoxW.LIBCMT ref: 00FE835F

Part of subcall function 00FE1145: ___crtCorExitProcess.LIBCMT ref: 00FE114B
Part of subcall function 00FE1145: ExitProcess.KERNEL32 ref: 00FE1154

Part of subcall function 00FE7C0E: __getptd_noexit.LIBCMT ref: 00FE7C0E

RtlAllocateHeap.NTDLL(018A0000,00000000,00000001,00000001,00000000,?,?,00FDF507,?,0000000E), ref: 00FE399F

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: b87a259abf68ea53afc3f67ac13931d289153583b1e9f8f34fc02dc9b340ae8b
Instruction ID: 852aee923a689c8563a268e0a8fd4ccdece41078eb1158376a3fd820a0ece713
Opcode Fuzzy Hash: b87a259abf68ea53afc3f67ac13931d289153583b1e9f8f34fc02dc9b340ae8b
Instruction Fuzzy Hash: C401F9327453819AE7213B2BDC4EB2E339A9B81770F210026F545DB286DFBDDD006661

Function 0100C6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0100C385,?,?,?,?,?,00000004), ref: 0100C6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0100C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0100C708
CloseHandle.KERNEL32(00000000,?,0100C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0100C70F

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 750ee12562edc9bed8c4c1e32adef8cb14bcc68b0ab63ce96d55d15e597904e7
Instruction ID: f6d2c430cf01dce4150db33b0e03422f2ef5419c41ce7ca0dd56cdbf16b49f53
Opcode Fuzzy Hash: 750ee12562edc9bed8c4c1e32adef8cb14bcc68b0ab63ce96d55d15e597904e7
Instruction Fuzzy Hash: 1DE08636181214B7E7321A94AD49FCA7F58AB15B61F104210FF94690E497B625118798

Function 0100BB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0100BB72

Part of subcall function 00FE1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00FE7A85), ref: 00FE1CB1
Part of subcall function 00FE1C9D: GetLastError.KERNEL32(00000000,?,00FE7A85), ref: 00FE1CC3

_free.LIBCMT ref: 0100BB83
_free.LIBCMT ref: 0100BB95

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
Instruction ID: 774e5e4f8c5ef652111c2d7cdfbca1bbab82d3e6b9a3284f7bdadd6f1812e574
Opcode Fuzzy Hash: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
Instruction Fuzzy Hash: 72E0C2B1240B8043FA31653F6E48EF333CC1F04310B24084DB699E3182CE78E44094A4

Function 00FC2322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 00FC22A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00FC24F1), ref: 00FC2303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FC25A1
CoInitialize.OLE32(00000000), ref: 00FC2618
CloseHandle.KERNEL32(00000000), ref: 0103503A

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: 52a6dee7613484692f4da307feaac3d6f09e0ee5ec86a0f4fcf03a2b54cfb74a
Instruction ID: 14313c55a4d9c3cdcd44c8b62110c039c83e7e069d08a94eb1ff54cd2a46e92d
Opcode Fuzzy Hash: 52a6dee7613484692f4da307feaac3d6f09e0ee5ec86a0f4fcf03a2b54cfb74a
Instruction Fuzzy Hash: 2271ADF49092418FC764EF5AE59199DBBA5FF68344B84812ED0C9C7399CB3E4422DF14

Function 00FC3A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00FC3A73

Part of subcall function 00FE1405: __lock.LIBCMT ref: 00FE140B

Part of subcall function 00FC3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00FC3AF3
Part of subcall function 00FC3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FC3B08

Part of subcall function 00FC3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00FC3AA3,?), ref: 00FC3D45
Part of subcall function 00FC3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00FC3AA3,?), ref: 00FC3D57
Part of subcall function 00FC3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,01081148,01081130,?,?,?,?,00FC3AA3,?), ref: 00FC3DC8
Part of subcall function 00FC3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00FC3AA3,?), ref: 00FC3E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FC3AB3

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: 1cd233f4f39db60b53547612655e7b1564c695c74406eb91915bca28a00fef09
Instruction ID: b55777f57a38cefbd668ada431a972e302798344a50e30aac474da061bec7da9
Opcode Fuzzy Hash: 1cd233f4f39db60b53547612655e7b1564c695c74406eb91915bca28a00fef09
Instruction Fuzzy Hash: 23119D755083419FC310EF6AE845A0EBBE9FFA4760F00891EB5C4832A1DBB98542DF92

Function 00FEE9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00FEEA29
__close_nolock.LIBCMT ref: 00FEEA42

Part of subcall function 00FE7BDA: __getptd_noexit.LIBCMT ref: 00FE7BDA

Part of subcall function 00FE7C0E: __getptd_noexit.LIBCMT ref: 00FE7C0E

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 3696f1e6c5e622ca0079644fa89560d3e2086231c4966ea008a63ba6a7bf4107
Instruction ID: fc8254b8e8eea4021c973d0a09e4f27f8b6c82a0e3cb7008b27ebb7adb91125e
Opcode Fuzzy Hash: 3696f1e6c5e622ca0079644fa89560d3e2086231c4966ea008a63ba6a7bf4107
Instruction Fuzzy Hash: 3911E572809BD08AD311BF6AEC4135C3A616F81731F264368E4A05F1E2CBBC9C00F7A5

Function 00FDF4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00FE395C: __FF_MSGBANNER.LIBCMT ref: 00FE3973
Part of subcall function 00FE395C: __NMSG_WRITE.LIBCMT ref: 00FE397A
Part of subcall function 00FE395C: RtlAllocateHeap.NTDLL(018A0000,00000000,00000001,00000001,00000000,?,?,00FDF507,?,0000000E), ref: 00FE399F

std::exception::exception.LIBCMT ref: 00FDF51E
__CxxThrowException@8.LIBCMT ref: 00FDF533

Part of subcall function 00FE6805: RaiseException.KERNEL32(?,?,0000000E,01076A30,?,?,?,00FDF538,0000000E,01076A30,?,00000001), ref: 00FE6856

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: b294cb06f3f4695b8d4849e54d217506c0f1b3882e2c3a56a0fc740438477b3f
Instruction ID: 176896fd978d908fca81bd071c9b26ff3f00ad62f718546c27d97523344dc557
Opcode Fuzzy Hash: b294cb06f3f4695b8d4849e54d217506c0f1b3882e2c3a56a0fc740438477b3f
Instruction Fuzzy Hash: 97F0F47150424E67D704FF9AEC01EDE77A9AF11364F284136F906D2381CB709654A7A5

Function 00FE35E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FE7C0E: __getptd_noexit.LIBCMT ref: 00FE7C0E

__lock_file.LIBCMT ref: 00FE3629

Part of subcall function 00FE4E1C: __lock.LIBCMT ref: 00FE4E3F

__fclose_nolock.LIBCMT ref: 00FE3634

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: fb3be41bacf79b0ec1869cf33a699d839d417e3f5b1b24de54dd665754ae3bfc
Instruction ID: 9468142635bbab670eba5fc709b8bb6c55322800036aeaa450f5c1c4e598effb
Opcode Fuzzy Hash: fb3be41bacf79b0ec1869cf33a699d839d417e3f5b1b24de54dd665754ae3bfc
Instruction Fuzzy Hash: 1AF02432C01384AAD7117B778C0EB6E7AA06F50330F25810AE424EB2C1CB7C8A01BF55

Function 01AD9275 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01AD9A33
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01AD9AC9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01AD9AEB

Memory Dump Source

Source File: 00000000.00000002.1276220392.0000000001AD8000.00000040.00000020.00020000.00000000.sdmp, Offset: 01AD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ad8000_NRFQFP.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: b3254cef00fc160913454ddf077bcf3b4f90b81927ab1634ec119820693db7bc
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: E312CE24E14658C6EB24DF64D8507DEB232EF68300F10A4E9910DEB7A5E77A4F81CF5A

Function 00FE2957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00FE2A0B

Part of subcall function 00FE7C0E: __getptd_noexit.LIBCMT ref: 00FE7C0E

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: 8eb94e7e149a928de818e98cadb71949269179b6bc4fbb155c8a7a5f326f87b7
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: 1F41A471A007869FDB6C8F6BC88056E77AEAF44760B24853DE845C7241FB74DD41BB40

Function 00FDED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00FDEDC7

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: e5ae77b95d9ece87b2c59ffeec7fcd0d319544b0e6b179d37762529b36311034
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: FF31D571A001059BC719EF58C480A69FBB7FF49350B6886A6E809CF356DB30EDC1EB90

Function 0102040F Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01020519

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4f4f27e9daa84a8a212d428f39ec0a091cbd4701a48bafbd777493ec6b3b9db4
Instruction ID: 6308a1a4d380f5f515976bafd870c5d3eefd2d6de5f57b0c36f67692ac0dd60c
Opcode Fuzzy Hash: 4f4f27e9daa84a8a212d428f39ec0a091cbd4701a48bafbd777493ec6b3b9db4
Instruction Fuzzy Hash: C531A275204638DFCB01AF10D4917AEBBB1FF49320F14844AE9D92B389DB74A905CBC1

Function 01039A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 01039A80

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: e0025cef4afb6422609013f6709b5e6a2ea246b81f95533c191c87191e7d55c3
Instruction ID: 365846031f5e3d0cff3767dc49ed7298f603f6e8d2695c07bb1c3cc35940c9be
Opcode Fuzzy Hash: e0025cef4afb6422609013f6709b5e6a2ea246b81f95533c191c87191e7d55c3
Instruction Fuzzy Hash: D0418A745046018FDB25DF18C484B1ABBE2BF85308F1889ADE99A4B362C776F845DF42

Function 00FC41A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC4214: FreeLibrary.KERNEL32(00000000,?), ref: 00FC4247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00FC39FE,?,00000001), ref: 00FC41DB

Part of subcall function 00FC4291: FreeLibrary.KERNEL32(00000000), ref: 00FC42C4

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: 9f5754bacaddfe98fd89fa05db8e874d64f08e01c1d292ce5e0979e533fac5fd
Instruction ID: 61672deac653bfb3cde1bc95d82af29855de2e3c2f91ad289e80e1262a8af469
Opcode Fuzzy Hash: 9f5754bacaddfe98fd89fa05db8e874d64f08e01c1d292ce5e0979e533fac5fd
Instruction Fuzzy Hash: 99119431600207AADB14EB64DE27F9E77A99F50700F10842DB596EA1C1DA79AA05AB60

Function 01039B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 01039B51

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 5a39f5dbedcc69993ca9b3e857af1a0345bb0e8a51c9d210085d168a0820c031
Instruction ID: c9dd13b9a8846e1c26ba36d93aaf7e67cc98994718ebb8a71aca4cfd7cdf6bf9
Opcode Fuzzy Hash: 5a39f5dbedcc69993ca9b3e857af1a0345bb0e8a51c9d210085d168a0820c031
Instruction Fuzzy Hash: 62214674508201CFDB25DF68D844F1ABBE2BF84304F18496EE9964B321CB36E845EF52

Function 00FEAF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00FEAFC0

Part of subcall function 00FE7BDA: __getptd_noexit.LIBCMT ref: 00FE7BDA

Part of subcall function 00FE7C0E: __getptd_noexit.LIBCMT ref: 00FE7C0E

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: 7c7ee7091f87ae03e1aed31f5f31d2897b4b6f4a90837ae583fdeac404012921
Instruction ID: 6680f693ce3556ecc58ce91ac914635b629c6a42ed331a8f6a93ba492f764b6a
Opcode Fuzzy Hash: 7c7ee7091f87ae03e1aed31f5f31d2897b4b6f4a90837ae583fdeac404012921
Instruction Fuzzy Hash: A111B2728086C09FD7127FA69C0135E3A619F81331F254240E5B05F1E2C7BDAD00BBA1

Function 00FC39DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
Instruction ID: 73625752952f899a66eeadd8fc7efd8b9314c6bd42b45e56eaaf45b7e4ec1612
Opcode Fuzzy Hash: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
Instruction Fuzzy Hash: 3301123150010AAE9B05EF64CD92DEEBB78AB20344F108169A566961A5EA34A649DB60

Function 00FE2AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00FE2AED

Part of subcall function 00FE7C0E: __getptd_noexit.LIBCMT ref: 00FE7C0E

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 7f49e30c22dcff2b862ff7b2fa450afaac344b3a1106b5f5d3c2d00838d4e51a
Instruction ID: 41cc2788c9a153a40ce99c7ab2e4cb379e21f8a14f5babf4c323fd745493e977
Opcode Fuzzy Hash: 7f49e30c22dcff2b862ff7b2fa450afaac344b3a1106b5f5d3c2d00838d4e51a
Instruction Fuzzy Hash: 3BF0C231900289EADF61BF678C0239F36A9BF40720F144429B410DB191EB7C8A92FB51

Function 00FC4252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,00FC39FE,?,00000001), ref: 00FC4286

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 2513ea2ce0699ad877daa63db7480cef01e510d99cd92a9e54568f8992dc2e2f
Instruction ID: 58d59bdc1b09a3272b64145d077d165fb05e3bf7fdbf040feb110d6eff3c3793
Opcode Fuzzy Hash: 2513ea2ce0699ad877daa63db7480cef01e510d99cd92a9e54568f8992dc2e2f
Instruction Fuzzy Hash: EAF03071905703DFCB349F65D9A6E96B7E4BF153253248A3EF1D682610C732A844EF50

Function 00FC40A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FC40C6

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 2eb71682e2f5e7db42a9add31715e14eb81a9d771fff93a1368e8220c2350518
Instruction ID: ebc774f60cd3d6f9d15e20a48725388168dd039bfd8e3d57b5b92dda6e492d90
Opcode Fuzzy Hash: 2eb71682e2f5e7db42a9add31715e14eb81a9d771fff93a1368e8220c2350518
Instruction Fuzzy Hash: D3E0CD766001245BC7119654CC46FEA779DDFC8690F050075F905D7244D968D9819790

Function 01ADA278 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01ADA289

Memory Dump Source

Source File: 00000000.00000002.1276220392.0000000001AD8000.00000040.00000020.00020000.00000000.sdmp, Offset: 01AD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ad8000_NRFQFP.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 0f7d62332c9ee4b49351c73db7aebc2b3ddea842495b6f535dba80f75f535c1c
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: F6E0E67494010DDFDB00DFB5D54969D7BB4EF04301F100161FD01D2280D6319E508A62

Non-executed Functions

Function 0102AACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0102B1CD

Strings

%d/%02d/%02d, xrefs: 0102AEFC

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 6b9e53186f6c26e7bc3b69db6e64ee6cb8bbe95ee8c1f016f8a561e00a3c7f6d
Instruction ID: 7428aca31fd74d4c73853f6aedd0ab6946edb176c50c3bff6494fd64e0a2e4d0
Opcode Fuzzy Hash: 6b9e53186f6c26e7bc3b69db6e64ee6cb8bbe95ee8c1f016f8a561e00a3c7f6d
Instruction Fuzzy Hash: FF12F3B1600229ABEB259FA8CC49FAE7BF8FF45310F104159FA96DB2D1DB798541CB10

Function 00FDEB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 00FDEB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 01033AEA
IsIconic.USER32(000000FF), ref: 01033AF3
ShowWindow.USER32(000000FF,00000009), ref: 01033B00
SetForegroundWindow.USER32(000000FF), ref: 01033B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 01033B20
GetCurrentThreadId.KERNEL32 ref: 01033B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 01033B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 01033B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 01033B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 01033B54
SetForegroundWindow.USER32(000000FF), ref: 01033B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 01033B6C
keybd_event.USER32(00000012,00000000), ref: 01033B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 01033B81
keybd_event.USER32(00000012,00000000), ref: 01033B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 01033B8F
keybd_event.USER32(00000012,00000000), ref: 01033B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 01033B9E
keybd_event.USER32(00000012,00000000), ref: 01033BA3
SetForegroundWindow.USER32(000000FF), ref: 01033BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 01033BCD

Strings

Shell_TrayWnd, xrefs: 01033AE5

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 9e259fb510575fb2fd552d24f147339bbfa234df69687f5a8115c746b83835b6
Instruction ID: 8525c24e0c4e9a36b24e4535526d04c4474b23fcde0fe948d1108aa44d6ef96f
Opcode Fuzzy Hash: 9e259fb510575fb2fd552d24f147339bbfa234df69687f5a8115c746b83835b6
Instruction Fuzzy Hash: 6E31B2B5A40318BBEB316BA59DC9F7F7E6CEB84B50F104055FB44EA1C1DAB55800ABA0

Function 00FFACC5 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 00FFB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FFB180
Part of subcall function 00FFB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FFB1AD
Part of subcall function 00FFB134: GetLastError.KERNEL32 ref: 00FFB1BA

_memset.LIBCMT ref: 00FFAD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00FFAD5A
CloseHandle.KERNEL32(?), ref: 00FFAD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FFAD82
GetProcessWindowStation.USER32 ref: 00FFAD9B
SetProcessWindowStation.USER32(00000000), ref: 00FFADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00FFADBF

Part of subcall function 00FFAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FFACC0), ref: 00FFAB99
Part of subcall function 00FFAB84: CloseHandle.KERNEL32(?,?,00FFACC0), ref: 00FFABAB

Strings

default, xrefs: 00FFADBA
winsta0, xrefs: 00FFAD7D
, xrefs: 00FFAD17

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: a2562be2655e2001dfb1530560cfe9cbc683b3e7b700453c04ad34416b263423
Instruction ID: 1ef70092197c52f9e34b865f216c0f9070dc59cead3b690ea735468503749dbc
Opcode Fuzzy Hash: a2562be2655e2001dfb1530560cfe9cbc683b3e7b700453c04ad34416b263423
Instruction Fuzzy Hash: DE818AB1C0020DAFDF219FA4CD88AFE7BB8EF18314F044119FA18A61A1D7758E54EB21

Function 010060DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 01006EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01005FA6,?), ref: 01006ED8

Part of subcall function 01006EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,01005FA6,?), ref: 01006EF1

Part of subcall function 0100725E: __wsplitpath.LIBCMT ref: 0100727B
Part of subcall function 0100725E: __wsplitpath.LIBCMT ref: 0100728E

Part of subcall function 010072CB: GetFileAttributesW.KERNEL32(?,01006019), ref: 010072CC

_wcscat.LIBCMT ref: 01006149
_wcscat.LIBCMT ref: 01006167
__wsplitpath.LIBCMT ref: 0100618E
FindFirstFileW.KERNEL32(?,?), ref: 010061A4
_wcscpy.LIBCMT ref: 01006209
_wcscat.LIBCMT ref: 0100621C
_wcscat.LIBCMT ref: 0100622F
lstrcmpiW.KERNEL32(?,?), ref: 0100625D
DeleteFileW.KERNEL32(?), ref: 0100626E
MoveFileW.KERNEL32(?,?), ref: 01006289
MoveFileW.KERNEL32(?,?), ref: 01006298
CopyFileW.KERNEL32(?,?,00000000), ref: 010062AD
DeleteFileW.KERNEL32(?), ref: 010062BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 010062E1
FindClose.KERNEL32(00000000), ref: 010062FD
FindClose.KERNEL32(00000000), ref: 0100630B

Strings

\*.*, xrefs: 01006138, 01006147, 01006165

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: cca4fb9fca6f07cabcb80726d4c3e90547a1030d7689b62c7de6168d3f22aab1
Instruction ID: cf4c567dc83d8bf8bbf46eae7efd8c204b577c1cb9a3873df686955bf3e1e19f
Opcode Fuzzy Hash: cca4fb9fca6f07cabcb80726d4c3e90547a1030d7689b62c7de6168d3f22aab1
Instruction Fuzzy Hash: FF5150B280811C6AEB22EB95CD44DDF77FDAF14200F0900EAE6C5E2041DE7797898FA4

Function 01016B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0105DC00), ref: 01016B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 01016B44
GetClipboardData.USER32(0000000D), ref: 01016B4C
CloseClipboard.USER32 ref: 01016B58
GlobalLock.KERNEL32(00000000), ref: 01016B74
CloseClipboard.USER32 ref: 01016B7E
GlobalUnlock.KERNEL32(00000000), ref: 01016B93
IsClipboardFormatAvailable.USER32(00000001), ref: 01016BA0
GetClipboardData.USER32(00000001), ref: 01016BA8
GlobalLock.KERNEL32(00000000), ref: 01016BB5
GlobalUnlock.KERNEL32(00000000), ref: 01016BE9
CloseClipboard.USER32 ref: 01016CF6

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: c723ce689945fd0a06b52b2c659271ec5b83451f83bbdc7443795db68f98089a
Instruction ID: 38dabb6093d51cd783287b00dd1d772df69584e20f9c30ddaea153af7f82a737
Opcode Fuzzy Hash: c723ce689945fd0a06b52b2c659271ec5b83451f83bbdc7443795db68f98089a
Instruction Fuzzy Hash: 1C51B6752002065BD310AFA4DE86F7E77A8AFA4B10F00002DF6D6D71C4DFBAE8058B62

Function 0100F5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0100F62B
FindClose.KERNEL32(00000000), ref: 0100F67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0100F6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0100F6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 0100F6E2
__swprintf.LIBCMT ref: 0100F72E
__swprintf.LIBCMT ref: 0100F767
__swprintf.LIBCMT ref: 0100F7BB

Part of subcall function 00FE172B: __woutput_l.LIBCMT ref: 00FE1784

__swprintf.LIBCMT ref: 0100F809
__swprintf.LIBCMT ref: 0100F858
__swprintf.LIBCMT ref: 0100F8A7
__swprintf.LIBCMT ref: 0100F8F6

Strings

%02d, xrefs: 0100F7B0, 0100F7B9, 0100F807, 0100F856, 0100F8A5, 0100F8F4
%4d%02d%02d%02d%02d%02d, xrefs: 0100F728
%4d, xrefs: 0100F761

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: cf4b29782701634402f78070edc0b8506a4ee17c1a5f1d4be5b836d52d9a8a68
Instruction ID: 7070570f925873ef2b621eaa4068caeddc0fcd8f2d71ca66705d7d05a7834f4e
Opcode Fuzzy Hash: cf4b29782701634402f78070edc0b8506a4ee17c1a5f1d4be5b836d52d9a8a68
Instruction Fuzzy Hash: 11A12FB2408345ABD350EBA5CD86EAFB7ECBF98700F44081EF585C2151EB38D949D7A2

Function 01011B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 01011B50
_wcscmp.LIBCMT ref: 01011B65
_wcscmp.LIBCMT ref: 01011B7C
GetFileAttributesW.KERNEL32(?), ref: 01011B8E
SetFileAttributesW.KERNEL32(?,?), ref: 01011BA8
FindNextFileW.KERNEL32(00000000,?), ref: 01011BC0
FindClose.KERNEL32(00000000), ref: 01011BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 01011BE7
_wcscmp.LIBCMT ref: 01011C0E
_wcscmp.LIBCMT ref: 01011C25
SetCurrentDirectoryW.KERNEL32(?), ref: 01011C37
SetCurrentDirectoryW.KERNEL32(010739FC), ref: 01011C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 01011C5F
FindClose.KERNEL32(00000000), ref: 01011C6C
FindClose.KERNEL32(00000000), ref: 01011C7C

Strings

*.*, xrefs: 01011BE2

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 7e171bffed56ec961b4da61577b2f9d70cb4cedb6a2174ae9da3b0240c70d315
Instruction ID: c1b5c868ce14f1a3e8ddfeda825dc65ea4b8986e5e76b5d23c36dcd7f2c554aa
Opcode Fuzzy Hash: 7e171bffed56ec961b4da61577b2f9d70cb4cedb6a2174ae9da3b0240c70d315
Instruction Fuzzy Hash: 7331E87560021A7FEF64DFF5DD88ADE77ECAF05220F000196EA81D3094EB39DA458B64

Function 01011C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 01011CAB
_wcscmp.LIBCMT ref: 01011CC0
_wcscmp.LIBCMT ref: 01011CD7

Part of subcall function 01006BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 01006BEF

FindNextFileW.KERNEL32(00000000,?), ref: 01011D06
FindClose.KERNEL32(00000000), ref: 01011D11
FindFirstFileW.KERNEL32(*.*,?), ref: 01011D2D
_wcscmp.LIBCMT ref: 01011D54
_wcscmp.LIBCMT ref: 01011D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 01011D7D
SetCurrentDirectoryW.KERNEL32(010739FC), ref: 01011D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 01011DA5
FindClose.KERNEL32(00000000), ref: 01011DB2
FindClose.KERNEL32(00000000), ref: 01011DC2

Strings

*.*, xrefs: 01011D28

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 2376b0d96eee72b0dba63f6d3d340fd65761c687cbef540423649323e9248d1e
Instruction ID: 05ccd1c620e81dd4578be5a2815e74c958f798d3c3a2426ad4ddae7819224d24
Opcode Fuzzy Hash: 2376b0d96eee72b0dba63f6d3d340fd65761c687cbef540423649323e9248d1e
Instruction Fuzzy Hash: F431263250061E7BEF64FBB5DD48ADE3BECAF05224F140595EA80E7090DB39CA45CB64

Function 00FC7D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FC7DBD

Strings

^, xrefs: 00FC7D96
\, xrefs: 00FC7D89
\, xrefs: 0103F95B
[:<:]], xrefs: 00FC7D1D
\b(?<=\w), xrefs: 0103F877
\b(?=\w), xrefs: 0103F85E
], xrefs: 00FC7D9F
[, xrefs: 00FC7E14
[:>:]], xrefs: 00FC7D37
Q\E, xrefs: 00FC86D6
\, xrefs: 00FC7E1D

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: 9606e0233a8fff2b1bd125c7721dbde0340c2741aa31a36145e0896d23f2ff20
Instruction ID: f6fd4a34d29d8c810a3afe23498c4e5c72bff12701673fb45ebbc2bf4b0a863c
Opcode Fuzzy Hash: 9606e0233a8fff2b1bd125c7721dbde0340c2741aa31a36145e0896d23f2ff20
Instruction Fuzzy Hash: FF82D472D0421ACBDB24CF98C981BEDBBB1BF84320F2481A9D855AB341D7749D85DF91

Function 0101091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 010109DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 010109EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 010109FB
__wsplitpath.LIBCMT ref: 01010A59
_wcscat.LIBCMT ref: 01010A71
_wcscat.LIBCMT ref: 01010A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01010A98
SetCurrentDirectoryW.KERNEL32(?), ref: 01010AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 01010ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 01010AFF
_wcscpy.LIBCMT ref: 01010B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 01010B4A

Strings

*.*, xrefs: 01010B05

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: ba0ef09e17a3c7cc0d04d08d7495a78034cbc571c5e36250ef9f9eca85e8f304
Instruction ID: bfdf7dcd98013482c3069f25662a3752bb55907fd87364f9393badfe87891c5c
Opcode Fuzzy Hash: ba0ef09e17a3c7cc0d04d08d7495a78034cbc571c5e36250ef9f9eca85e8f304
Instruction Fuzzy Hash: 886166B21042059FD710EF64C981A9EB3E9FF89310F04896EF9C9C7245DB39E944CB92

Function 00FFA66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FFABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00FFABD7
Part of subcall function 00FFABBB: GetLastError.KERNEL32(?,00FFA69F,?,?,?), ref: 00FFABE1
Part of subcall function 00FFABBB: GetProcessHeap.KERNEL32(00000008,?,?,00FFA69F,?,?,?), ref: 00FFABF0
Part of subcall function 00FFABBB: HeapAlloc.KERNEL32(00000000,?,00FFA69F,?,?,?), ref: 00FFABF7
Part of subcall function 00FFABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00FFAC0E

Part of subcall function 00FFAC56: GetProcessHeap.KERNEL32(00000008,00FFA6B5,00000000,00000000,?,00FFA6B5,?), ref: 00FFAC62
Part of subcall function 00FFAC56: HeapAlloc.KERNEL32(00000000,?,00FFA6B5,?), ref: 00FFAC69
Part of subcall function 00FFAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00FFA6B5,?), ref: 00FFAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FFA6D0
_memset.LIBCMT ref: 00FFA6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FFA704
GetLengthSid.ADVAPI32(?), ref: 00FFA715
GetAce.ADVAPI32(?,00000000,?), ref: 00FFA752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FFA76E
GetLengthSid.ADVAPI32(?), ref: 00FFA78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00FFA79A
HeapAlloc.KERNEL32(00000000), ref: 00FFA7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FFA7C2
CopySid.ADVAPI32(00000000), ref: 00FFA7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FFA7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FFA820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FFA834

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 03a224e7752c27e8fb5a9f71232c146ddc7ebee098f2131aceae2bb530f94b50
Instruction ID: f60497ad1eb948af3d52c193b1ca0b349cbdd3cebb291eac8aa82615a2ff772d
Opcode Fuzzy Hash: 03a224e7752c27e8fb5a9f71232c146ddc7ebee098f2131aceae2bb530f94b50
Instruction Fuzzy Hash: 75515CB5900209ABDF11DF90DC84EFEBBB9FF04350F048129FA15A7290DB799A05DB61

Function 00FC6F07 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

UTF), xrefs: 01042C7C
BSR_UNICODE), xrefs: 01042EBA
UCP), xrefs: 01042C8F
NO_START_OPT), xrefs: 01042CD1
CR), xrefs: 01042E09
CRLF), xrefs: 01042E43
ANY), xrefs: 01042E60
BSR_ANYCRLF), xrefs: 01042EA0
LF), xrefs: 01042E26
LIMIT_MATCH=, xrefs: 01042CF2
UTF16), xrefs: 01042C56
NO_AUTO_POSSESS), xrefs: 01042CB0
LIMIT_RECURSION=, xrefs: 01042D7E
ANYCRLF), xrefs: 01042E7D

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 39b4f059bea0132be0591e83768b596ea5f5e458d8013803c1b99311e77030c5
Instruction ID: 08312c6c28de6baf2ec0b42601aadade744f2647da586f0c9e18f4ea2f0c909a
Opcode Fuzzy Hash: 39b4f059bea0132be0591e83768b596ea5f5e458d8013803c1b99311e77030c5
Instruction Fuzzy Hash: 7072A2B1E0431ADBDB24DF58D981BAEB7B5BF48310F1441AEE845EB281DB349941DF90

Function 010063F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01006EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01005FA6,?), ref: 01006ED8

Part of subcall function 010072CB: GetFileAttributesW.KERNEL32(?,01006019), ref: 010072CC

_wcscat.LIBCMT ref: 01006441
__wsplitpath.LIBCMT ref: 0100645F
FindFirstFileW.KERNEL32(?,?), ref: 01006474
_wcscpy.LIBCMT ref: 010064A3
_wcscat.LIBCMT ref: 010064B8
_wcscat.LIBCMT ref: 010064CA
DeleteFileW.KERNEL32(?), ref: 010064DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 010064EB
FindClose.KERNEL32(00000000), ref: 01006506

Strings

\*.*, xrefs: 0100643B

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: d8bb8f702e3684fb5e864b7ac425779b646c3a8280c440fe3e57677d50d4165e
Instruction ID: 2b17bc1db17a768ed1d5c97cd03a75e435e43767be04a234eb50e24bd2111a09
Opcode Fuzzy Hash: d8bb8f702e3684fb5e864b7ac425779b646c3a8280c440fe3e57677d50d4165e
Instruction Fuzzy Hash: B63182B2408384AAD732DAE88C859DFB7DCAF55210F44096EF6D8C3141EE3AD5498767

Function 010231BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01023C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01022BB5,?,?), ref: 01023C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0102328E

Part of subcall function 00FC936C: __swprintf.LIBCMT ref: 00FC93AB
Part of subcall function 00FC936C: __itow.LIBCMT ref: 00FC93DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0102332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 010233C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 01023604
RegCloseKey.ADVAPI32(00000000), ref: 01023611

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 131e084ae0e20fc04a213a2af2a2d922b2e86a51b31489d930d144b8815a918c
Instruction ID: 2bfe09f87a159de1a8023f082ce0be82cb6127e6c9ac3c6aeb964fef88504451
Opcode Fuzzy Hash: 131e084ae0e20fc04a213a2af2a2d922b2e86a51b31489d930d144b8815a918c
Instruction Fuzzy Hash: 0DE17D75204211AFCB15DF68C995E2EBBE8FF89310F0485ADF58ACB291CB39E905CB41

Function 01002B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 01002B5F
GetAsyncKeyState.USER32(000000A0), ref: 01002BE0
GetKeyState.USER32(000000A0), ref: 01002BFB
GetAsyncKeyState.USER32(000000A1), ref: 01002C15
GetKeyState.USER32(000000A1), ref: 01002C2A
GetAsyncKeyState.USER32(00000011), ref: 01002C42
GetKeyState.USER32(00000011), ref: 01002C54
GetAsyncKeyState.USER32(00000012), ref: 01002C6C
GetKeyState.USER32(00000012), ref: 01002C7E
GetAsyncKeyState.USER32(0000005B), ref: 01002C96
GetKeyState.USER32(0000005B), ref: 01002CA8

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ef33fec0d7706f4ee013e28f4a7302c56f21b88bef09879468a1c5117690195d
Instruction ID: e380dfa52e49a6f5bd586223dbd278d1b23ec0bd641105bbdca760658854f70b
Opcode Fuzzy Hash: ef33fec0d7706f4ee013e28f4a7302c56f21b88bef09879468a1c5117690195d
Instruction Fuzzy Hash: F041E574504BCD6EFFB79AA8894C7A5BEE06B01304F0480C9D6C6566C3DF9495C4C7A2

Function 01016D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 01016D2E
EmptyClipboard.USER32 ref: 01016D34
GlobalAlloc.KERNEL32(00000002,?), ref: 01016D49
CloseClipboard.USER32 ref: 01016DE8

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 5b6f4d173c38dbf02328f4d49d7b6b43899c1060f7ba9feb08a5a7ab82ff2867
Instruction ID: db2621ffe469b3a857bd261deb0969da9c51ff0c88ffa1ac95a3a285f0070093
Opcode Fuzzy Hash: 5b6f4d173c38dbf02328f4d49d7b6b43899c1060f7ba9feb08a5a7ab82ff2867
Instruction Fuzzy Hash: 8F21E5757001109FD721AF54DE89B2D77A8FF58720F04805AF98ADB395CB7AEC018B91

Function 0101C18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00FF9ABF: CLSIDFromProgID.OLE32 ref: 00FF9ADC
Part of subcall function 00FF9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00FF9AF7
Part of subcall function 00FF9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00FF9B05
Part of subcall function 00FF9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00FF9B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0101C235
_memset.LIBCMT ref: 0101C242
_memset.LIBCMT ref: 0101C360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0101C38C
CoTaskMemFree.OLE32(?), ref: 0101C397

Strings

NULL Pointer assignment, xrefs: 0101C3E5

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 6a6dc65f45f5662998892e5bc1f19a5fcce110f37a49f04d6d8bb4f16dc2d9f5
Instruction ID: 6d5a38bff0245fc77836a9f76e9f0ae5a84f1b2ce518eed3a96bc6f8fb20ba58
Opcode Fuzzy Hash: 6a6dc65f45f5662998892e5bc1f19a5fcce110f37a49f04d6d8bb4f16dc2d9f5
Instruction Fuzzy Hash: 3B915C71D40219ABEB10DFD4DD81EEEBBB8EF44310F10816AF519A7281DB759A45CFA0

Function 010079D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00FFB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FFB180
Part of subcall function 00FFB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FFB1AD
Part of subcall function 00FFB134: GetLastError.KERNEL32 ref: 00FFB1BA

ExitWindowsEx.USER32(?,00000000), ref: 01007A0F

Strings

@, xrefs: 01007A02
, xrefs: 010079FD
SeShutdownPrivilege, xrefs: 010079DD

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: f64678b41d4ceb18737b305e88592173029b572dd6d80c1f48df01f54a468f7a
Instruction ID: e942b3f98c5c72015c8adeba21ca47d957b497ac62579191bb1f87df18b47542
Opcode Fuzzy Hash: f64678b41d4ceb18737b305e88592173029b572dd6d80c1f48df01f54a468f7a
Instruction Fuzzy Hash: 0401FC716502116BF76A56ECDC9ABBF36989B41240F144464FAC3E20C2D5AD7E4182B4

Function 01018C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 01018CA8
WSAGetLastError.WSOCK32(00000000), ref: 01018CB7
bind.WSOCK32(00000000,?,00000010), ref: 01018CD3
listen.WSOCK32(00000000,00000005), ref: 01018CE2
WSAGetLastError.WSOCK32(00000000), ref: 01018CFC
closesocket.WSOCK32(00000000,00000000), ref: 01018D10

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: bd22a8c2459a66db196fc78e64fd3a4c32fc502045158dcb7f69fa0dc01725c8
Instruction ID: ca2768ba399915160d38fe00a6fad5a476b590b9b0a79ce170486057a470a93b
Opcode Fuzzy Hash: bd22a8c2459a66db196fc78e64fd3a4c32fc502045158dcb7f69fa0dc01725c8
Instruction Fuzzy Hash: 5721E4756002059FDB20EF68CE85B6E77E9FF58320F14815DE996A73C5CB38AD018B51

Function 01006532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 01006554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 01006564
Process32NextW.KERNEL32(00000000,0000022C), ref: 01006583
__wsplitpath.LIBCMT ref: 010065A7
_wcscat.LIBCMT ref: 010065BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 010065F9

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 78dd39ed630c02c9968cc54c1bcc6a8c6cefd16bfdd77cf0f60f681792842fe5
Instruction ID: a9aa959ca8d91548899f719159a70f185c297dbddedb046315eb804b2d48c922
Opcode Fuzzy Hash: 78dd39ed630c02c9968cc54c1bcc6a8c6cefd16bfdd77cf0f60f681792842fe5
Instruction Fuzzy Hash: 1421AAB1900258ABEB21ABA4CD88FDDB7FDAB04300F5000F5F545D3181DB769B85CB50

Function 0101923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0101A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0101A84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 01019296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 010192B9

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 53d373404791b2ee6eae36b2efd333944d73f6800867a73a429c41254ace7a31
Instruction ID: 2d913a1f37f84425f972508fccba368992f50f42316c331089b3d31b47d29b49
Opcode Fuzzy Hash: 53d373404791b2ee6eae36b2efd333944d73f6800867a73a429c41254ace7a31
Instruction Fuzzy Hash: A241DE70600200AFEB14AB688D92F7E77EDEF44324F04844DF996AB3C2DB799D019B91

Function 0100EB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0100EB8A
_wcscmp.LIBCMT ref: 0100EBBA
_wcscmp.LIBCMT ref: 0100EBCF
FindNextFileW.KERNEL32(00000000,?), ref: 0100EBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0100EC0E

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 6338efb4ab48730085f149cf16a15c045bfd04253622dd21979e1594b9086194
Instruction ID: 26df3757240751c1ad6955a08136a0a7f8dcc4779c532b263c0169ffa8439d8e
Opcode Fuzzy Hash: 6338efb4ab48730085f149cf16a15c045bfd04253622dd21979e1594b9086194
Instruction Fuzzy Hash: 7741E4746007028FD709DF68C890E9AB7E4FF49320F04455EEA9A8B3A1DB36E941CB91

Function 01028111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 01028160
IsWindowEnabled.USER32 ref: 0102816E
GetForegroundWindow.USER32(?,?,00000001), ref: 0102817B
IsIconic.USER32 ref: 01028189
IsZoomed.USER32 ref: 01028197

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: a4291c79a11fd2a0aec7ba0ee7aad51d37d9e40676c861c0b6e2f964a0f2b86b
Instruction ID: 4ab3b4f28d024a272b9b4e191dd93891e5009890884c4474f621f7079724afdf
Opcode Fuzzy Hash: a4291c79a11fd2a0aec7ba0ee7aad51d37d9e40676c861c0b6e2f964a0f2b86b
Instruction Fuzzy Hash: 9111E6753001216FF7215F5ADD84F6F7BDCEF54720B14846AF889D3281CB3998018790

Function 00FC9B60 Relevance: 7.3, Strings: 5, Instructions: 1055COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0104BE14
ERCP, xrefs: 00FC9C32
VUUU, xrefs: 00FC9EA7
VUUU, xrefs: 00FC9E95
VUUU, xrefs: 00FC9ED4

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: d93bebce8a3bb3518ec2a5cbfec0eea82ab6d48d09d8fff40c272087f8237b94
Instruction ID: 5ed61405fd620d3dc185d3105085200fecdae2e3cd10860a647a689dd3363ece
Opcode Fuzzy Hash: d93bebce8a3bb3518ec2a5cbfec0eea82ab6d48d09d8fff40c272087f8237b94
Instruction Fuzzy Hash: 0892B4B1E0421ACBDF24CF58CA85BEDB7B1BB44314F1481AEE856A7280D771AD81EF51

Function 00FDE01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00FDE014,771B0AE0,00FDDEF1,0105DC38,?,?), ref: 00FDE02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FDE03E

Strings

kernel32.dll, xrefs: 00FDE027
GetNativeSystemInfo, xrefs: 00FDE038

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: bd59c9f404b4c0e54a412da4905029726b10955f728a4bebafc096f2bbd584ea
Instruction ID: 553f195bb1d350551c1d8eefbd04268a2e57354324be578c98eb96fa57145acc
Opcode Fuzzy Hash: bd59c9f404b4c0e54a412da4905029726b10955f728a4bebafc096f2bbd584ea
Instruction Fuzzy Hash: EED0A7B4D00712AFC7316FA1E94C61276D9AB10310F1C481EE8C1D6210D7F8C884C760

Function 01006713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 01006733
_memset.LIBCMT ref: 01006754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 010067A6
CloseHandle.KERNEL32(00000000), ref: 010067AF

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 05875ea678cc92500d64f8c7198b54169375124360799e2a2db56c28a7c06f7e
Instruction ID: 1d16759753fb74efe765ba91eff951192bb85eb35b818c12e2d5e38a3038f859
Opcode Fuzzy Hash: 05875ea678cc92500d64f8c7198b54169375124360799e2a2db56c28a7c06f7e
Instruction Fuzzy Hash: 3A11CAB59012287AE73157A5AD4DFABBABCEF44B60F10419AF908E71C0D7744E808B64

Function 010013CA Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 010013DC

Strings

(, xrefs: 01001422
|, xrefs: 0100140C

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 4e2a0ac43b3d48acc63bff0430b60431a48e4844cdbf16549d5f7a9527bd70b2
Instruction ID: 0a67728e63f436b327df22d6572adcedad3dd1c96b12502a367355671f09f701
Opcode Fuzzy Hash: 4e2a0ac43b3d48acc63bff0430b60431a48e4844cdbf16549d5f7a9527bd70b2
Instruction Fuzzy Hash: 66322575A006059FD729CF69C480A6AB7F0FF48310F15C5AEE59ADB3A2EB70E941CB44

Function 00FDB11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 00FDB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FDB35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 00FDB22F

Part of subcall function 00FDB55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00FDB5A5

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 53eae7e240708d521ef80c47312f85a172b061f1cc30d1b1967f303368743fef
Instruction ID: 5913476faee985a929fae9d292864ee2f32d3194aa8973516ef9e7f034188703
Opcode Fuzzy Hash: 53eae7e240708d521ef80c47312f85a172b061f1cc30d1b1967f303368743fef
Instruction Fuzzy Hash: D3A13B72114006FAE6356F698C48FBF396EEBA6351B1A421FF5C1D2381DB259C01B372

Function 01014EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,010143BF,00000000), ref: 01014FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 01014FD2

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: ec08a84072cf7c830adfe3bbc7a0bbae4bc2880a2f5325dc6f72320e65924b23
Instruction ID: f63cb7664342f94c00b15ed4548c51b0de9e2067b1a145d5f7cae7dbf475085d
Opcode Fuzzy Hash: ec08a84072cf7c830adfe3bbc7a0bbae4bc2880a2f5325dc6f72320e65924b23
Instruction Fuzzy Hash: 4641F971504209BFEB21CE84CC88EBF77FCEB80754F00406EF285A6295E7799E419790

Function 0100E1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0100E20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0100E267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0100E2B4

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: bb5a7ddd596f615f2f0e177d6743d0d15f97b6842c28d898879c121277767f50
Instruction ID: ee1cdeae0a7f26f8a7cda74d68858067d24d3c24926faafdb552bd8fea8050f9
Opcode Fuzzy Hash: bb5a7ddd596f615f2f0e177d6743d0d15f97b6842c28d898879c121277767f50
Instruction Fuzzy Hash: 3B216D75A00118EFDB00EFA5D994EEDFBB8FF58310F0484AAE945A7391DB369905CB50

Function 00FFB134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00FDF4EA: std::exception::exception.LIBCMT ref: 00FDF51E
Part of subcall function 00FDF4EA: __CxxThrowException@8.LIBCMT ref: 00FDF533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FFB180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FFB1AD
GetLastError.KERNEL32 ref: 00FFB1BA

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: c2af2ad14f6ea919faf3af881e88e8a5822048049e61baa6d76d917fef4775a7
Instruction ID: ee326805b1a487dd36435866347a00ec7f53ffdc2ddd2d5ac8aa5393df9385da
Opcode Fuzzy Hash: c2af2ad14f6ea919faf3af881e88e8a5822048049e61baa6d76d917fef4775a7
Instruction Fuzzy Hash: B111BCB2900205AFE728EFA4DCC5D2BB7ADEF44310B20852EF59697240DB75FC418B60

Function 010071FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 01007223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0100723A
FreeSid.ADVAPI32(?), ref: 0100724A

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: fa5c36202077fe652777a6da963c3771cda9e820c826f289f4e3e0d49f1a2259
Instruction ID: 4319bf383773ab94f32457575c46a79c20798acc0685aaad79e3bbb497655180
Opcode Fuzzy Hash: fa5c36202077fe652777a6da963c3771cda9e820c826f289f4e3e0d49f1a2259
Instruction Fuzzy Hash: 38F01DBAA00209BFDF14DFE4D989AEEBBB8EF08241F104469B602E3181E27596548B10

Function 01007513 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 01007547

Strings

DOWN, xrefs: 0100752C

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 8be2b6d9879d72b73c4e3bbc643680dac5c0cb9c5171f80698b2b509ee181383
Instruction ID: 2b7b97298c7316a459baf21aff25e39b5c667b05ba356e827421ccf13984231f
Opcode Fuzzy Hash: 8be2b6d9879d72b73c4e3bbc643680dac5c0cb9c5171f80698b2b509ee181383
Instruction Fuzzy Hash: 4AE0866618C7A239FA9531597C02EF7338CCB22132B100157F8D0D40C2FDC969D262BA

Function 0100F56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0100F599
FindClose.KERNEL32(00000000), ref: 0100F5C9

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 49105fcfc1ac35900fb1b2579227ad363a5ea49ddbb466dbf1ac01f927eeaa38
Instruction ID: 52a2a78cc267ae523654f38a117bef0bc8110e3840d2199ea2679a809ce61aa9
Opcode Fuzzy Hash: 49105fcfc1ac35900fb1b2579227ad363a5ea49ddbb466dbf1ac01f927eeaa38
Instruction Fuzzy Hash: 0C11C0726002019FE711EF28D849A2EB3E9FF94325F04895EF9A9D7391CB34AD008B81

Function 0100CE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0101BE6A,?,?,00000000,?), ref: 0100CEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0101BE6A,?,?,00000000,?), ref: 0100CEB9

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 29df4cc394a8e30bdb70d0bdaacc909ab7d0e6de7ca7c332dde0fcb7f5e726b1
Instruction ID: 9cf63871758e03dc9db307eb1db6f5cfe8d93e201ee15317d357cf9e86ac1994
Opcode Fuzzy Hash: 29df4cc394a8e30bdb70d0bdaacc909ab7d0e6de7ca7c332dde0fcb7f5e726b1
Instruction Fuzzy Hash: 92F0E275100229ABEB209BA4CD89FEB336CBF08361F008165F849D2081C7349A00CBA0

Function 0100411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 01004153
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 01004166

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: f2cc476ae62271dfae53d129100e917c25b05ac3f0a6fd27663bc89cf7bd26d6
Instruction ID: 4ab15c223ee1a8e2abfd90330eaca9198e7f74e19aca5b58b979f1c3b2776fe4
Opcode Fuzzy Hash: f2cc476ae62271dfae53d129100e917c25b05ac3f0a6fd27663bc89cf7bd26d6
Instruction Fuzzy Hash: 57F06D7490424DAFEB068FA4C805BFE7FB0EF10305F008009F9A596191D77986128FA4

Function 00FFAB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FFACC0), ref: 00FFAB99
CloseHandle.KERNEL32(?,?,00FFACC0), ref: 00FFABAB

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 49d17d646abed1494fe8a0c18e090958a6f6a737c1e39753647959643d3826c5
Instruction ID: 41fde27a9770c9fc7d9706aac6214248c76d6a354222a266f3a56f6036548696
Opcode Fuzzy Hash: 49d17d646abed1494fe8a0c18e090958a6f6a737c1e39753647959643d3826c5
Instruction Fuzzy Hash: 11E08675000510AFE7322F54FC04E7377EAEF003207148429F99A81534D7276C90EB50

Function 00FE81AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00FE6DB3,-0000031A,?,?,00000001), ref: 00FE81B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00FE81BA

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9300d5b927eab869d0cd253f041f3406a4a2e6ef9a48796fd9cd56f683708fb9
Instruction ID: bbc5a1bfb28a1350d2df440f7871dac356c72717c7e2ca84f40bb5c313983682
Opcode Fuzzy Hash: 9300d5b927eab869d0cd253f041f3406a4a2e6ef9a48796fd9cd56f683708fb9
Instruction Fuzzy Hash: E7B092B5144608ABDB102BE1E949B587FA8EB18A53F00C010F64D440558B7754109BA1

Function 00FC77B0 Relevance: 2.6, APIs: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FC7921

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: ca1399394d06c4cc2f2b6cea92728b6988acdf8a49fed7b2bef6eb97aef70c25
Instruction ID: 4b08990f761569cf8cf72417df77dd69954512dc43b30b14ec54937246b43366
Opcode Fuzzy Hash: ca1399394d06c4cc2f2b6cea92728b6988acdf8a49fed7b2bef6eb97aef70c25
Instruction Fuzzy Hash: 03A26CB1E0421ACFDB24CF58C581BADBBB1FF48310F2581A9E859AB391D7349A81DF50

Function 00FED1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4987da00839e81af59ef9480ac8a5f6482c6fd4f26b536dd3c77354955dd9ad8
Instruction ID: c1eafcaf093aca1a3f485724d23987cdd3412dd66614c375c57219bcb7a8a65c
Opcode Fuzzy Hash: 4987da00839e81af59ef9480ac8a5f6482c6fd4f26b536dd3c77354955dd9ad8
Instruction Fuzzy Hash: 6A322332D29F418DD7239535C82233AA698AFB73D4F15D737F81AB5D9AEB29C4835200

Function 00FC96C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 1a2464d23fbee85e857b4c2d443f8198380033ce9fd1897fcc5d5c5859e0dd72
Instruction ID: 2dc040b82737814c53177f56f3c6f6b58ca890567f2ff018716aa8e8940bb314
Opcode Fuzzy Hash: 1a2464d23fbee85e857b4c2d443f8198380033ce9fd1897fcc5d5c5859e0dd72
Instruction Fuzzy Hash: 3C22AA715083029FE724DF14CA96B6FB7E5BF84310F04491EF89A9B291DB75E904DB82

Function 00FF038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c14356c9735a89ae1c24029da52a074c0b80071e4c9437a1744036bd0b66013a
Instruction ID: 59fc2ca068add852dae2432ba9a78eee0dda5863c86b10ba9595543ff2f1dcc3
Opcode Fuzzy Hash: c14356c9735a89ae1c24029da52a074c0b80071e4c9437a1744036bd0b66013a
Instruction Fuzzy Hash: 76B1DE30D2AF414DD72396398831337B65CAFBB2D5B91E71BFC5A74D26EB2685834280

Function 0100B6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0100B6DF

Part of subcall function 00FE344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0100BDC3,00000000,?,?,?,?,0100BF70,00000000,?), ref: 00FE3453
Part of subcall function 00FE344A: __aulldiv.LIBCMT ref: 00FE3473

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: a11f9e23ba1dbc2f1358296e43d0d3127a1ee49f5091e867030d10d1d620ce5e
Instruction ID: 58281554bfccbdc47064b88929c9b0c48425db55c8220736589df56302eeb139
Opcode Fuzzy Hash: a11f9e23ba1dbc2f1358296e43d0d3127a1ee49f5091e867030d10d1d620ce5e
Instruction Fuzzy Hash: 2821AF76634610CBD72ACF28C481A96B7E1EB99710B248E6DE0E5CF2C0CA78B905DB54

Function 01016AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 01016ACA

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 427bdb0ff6577421af21dd89437c1138717a12096de1464dd83eddef54bd55cc
Instruction ID: d253028aa474ccd1bc0c7da47792408b6d3944801f42543fa7a10e2c7f7daf28
Opcode Fuzzy Hash: 427bdb0ff6577421af21dd89437c1138717a12096de1464dd83eddef54bd55cc
Instruction Fuzzy Hash: 7FE048362102046FC740EF99DD05E9AB7EDAF78761F04C466F985C7355DAB5F8048B90

Function 00FFB106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00FFAD3E), ref: 00FFB124

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 9e0e2446be490d61c7fa0101a90c98c8bc7bc365c9ce2f83ed781947d0766bdd
Instruction ID: e8465f74aebdb48122f623ebae16cb9d1f1c7a0fae1ac41482ef6755a4fa8985
Opcode Fuzzy Hash: 9e0e2446be490d61c7fa0101a90c98c8bc7bc365c9ce2f83ed781947d0766bdd
Instruction Fuzzy Hash: 3BD05E321A460EAFDF024EA4DC02EAE3F6AEB04700F408110FA11C6090C676D531AB50

Function 0103B340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 0103B352

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 3c5a811cc67032c214e5010a4a9da4e39af1d924e87c1604d4caea8a541f40be
Instruction ID: f71ee6448afec3f0700c7c78a662d79fa5c815fb0ef7ef19af36c652bc39cb9b
Opcode Fuzzy Hash: 3c5a811cc67032c214e5010a4a9da4e39af1d924e87c1604d4caea8a541f40be
Instruction Fuzzy Hash: FDC04CF140010DDFC751CBC0CA84AEEB7BCAB04301F104091A185F2100D7759B458B71

Function 00FE8189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00FE818F

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 97210687e7bbc1d94046cb4911bb53292f11031f377e6597f4d1b5fc42ebc349
Instruction ID: c791e98d11d1402f4895204e04846cfb366554c19cc9bd0c46134e590453487f
Opcode Fuzzy Hash: 97210687e7bbc1d94046cb4911bb53292f11031f377e6597f4d1b5fc42ebc349
Instruction Fuzzy Hash: 6AA0223000020CFBCF003FC2FC088883FACFB002A2B008020F80C00020CB33A820ABE0

Function 00FCE3B0 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d654eeb2f2e832115aaee05572ec164401d2f49cbc3c9ec9418e1d7eaa054de7
Instruction ID: 1a031dac8dd656e333b672e4dfbb334f8acbd489365e160209a1e78c2c988d60
Opcode Fuzzy Hash: d654eeb2f2e832115aaee05572ec164401d2f49cbc3c9ec9418e1d7eaa054de7
Instruction Fuzzy Hash: 1522CF75E002068FDB28DF58C582FAAB7F1FF54310F18806ED9869B351E335A985EB91

Function 00FC93F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ed1c7c573c4447c4da88b9850205df706bde28214d4ef333ae553daf0dfc22
Instruction ID: 2cd242d370719ca5ebdb2afe3e1bf585fbb9e5e09de9dbc5a49075a94123f34a
Opcode Fuzzy Hash: c5ed1c7c573c4447c4da88b9850205df706bde28214d4ef333ae553daf0dfc22
Instruction Fuzzy Hash: 3D12A070A0450ADFDF14DFA4DA86AEEB7F5FF88300F144569E446E7290EB3AA910DB50

Function 00FCAF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 151cbf2ed50dbc7c0376001a5617433fecefb85dafb7006dcc4697e7cd5929e1
Instruction ID: f36f9cbbc9cb25837ed99a6fc28f75f5f600ac11a824b11042f58bd11ab1407c
Opcode Fuzzy Hash: 151cbf2ed50dbc7c0376001a5617433fecefb85dafb7006dcc4697e7cd5929e1
Instruction Fuzzy Hash: 0E02A270E0010ADBDF14DF68D982BAEBBB9FF84300F148069E846EB255EB35D915DB91

Function 00FE02A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: c033105b5ce6f5e299165f399f24d3be0fafb46971f71a991a4381d9b5c37c81
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 11C1C7326051E30ADF2D463AC43493EFBA15A927B131E076ED4B3CB5D5EF60C568E620

Function 00FE06D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: fafd4552daead57d7e2b85ec38af974cfa91882d53e5ffc509ed9daac7554d6f
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: A5C1C5336051E309DF2D463AD43453EBBA15AA2BB131E076ED4B3CB5D5EF60C568E620

Function 00FDFE6F Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: daf7466a2a85eb19738f72ee7791169a38b77a1688d2787fdd55dab4fafe33e2
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: B4C185326051E309DF2D463A943493EBBA25AA27B131E077ED4B3CF6D5EF24C568E610

Function 00FDFA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 7f700be77c4ede42dc397a4cb054e2e47363977c4f445e3a81dfc5db7d99368b
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 26C181326051A309DF2D4639D43493EBBA25AA17B531E077FD4B3CB6D5EE20C56CE620

Function 0101A2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0101A2FE
DeleteObject.GDI32(00000000), ref: 0101A310
DestroyWindow.USER32 ref: 0101A31E
GetDesktopWindow.USER32 ref: 0101A338
GetWindowRect.USER32(00000000), ref: 0101A33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0101A480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0101A490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0101A4D8
GetClientRect.USER32(00000000,?), ref: 0101A4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0101A51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0101A540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0101A553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0101A55E
GlobalLock.KERNEL32(00000000), ref: 0101A567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0101A576
GlobalUnlock.KERNEL32(00000000), ref: 0101A57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0101A586
GlobalFree.KERNEL32(00000000), ref: 0101A591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0101A5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0104D9BC,00000000), ref: 0101A5B9
GlobalFree.KERNEL32(00000000), ref: 0101A5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0101A5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0101A60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0101A630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0101A81D

Strings

DISPLAY, xrefs: 0101A680
AutoIt v3, xrefs: 0101A4D0
static, xrefs: 0101A518, 0101A66F
, xrefs: 0101A7A3

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 9672bbab4b95d08ecdba07d29a50a6a2a5b652310e7c7bb1f120084e14fbb0c4
Instruction ID: eef95b33b0c4ed7c93c60f7020ad2c3ed5505dc895e593bc0564999cc4f38831
Opcode Fuzzy Hash: 9672bbab4b95d08ecdba07d29a50a6a2a5b652310e7c7bb1f120084e14fbb0c4
Instruction Fuzzy Hash: E7028F75A00145EFDB24DFA8CE89EAE7BB9FF48310F048158F945AB295CB799D01CB60

Function 0102D285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0102D2DB
GetSysColorBrush.USER32(0000000F), ref: 0102D30C
GetSysColor.USER32(0000000F), ref: 0102D318
SetBkColor.GDI32(?,000000FF), ref: 0102D332
SelectObject.GDI32(?,00000000), ref: 0102D341
InflateRect.USER32(?,000000FF,000000FF), ref: 0102D36C
GetSysColor.USER32(00000010), ref: 0102D374
CreateSolidBrush.GDI32(00000000), ref: 0102D37B
FrameRect.USER32(?,?,00000000), ref: 0102D38A
DeleteObject.GDI32(00000000), ref: 0102D391
InflateRect.USER32(?,000000FE,000000FE), ref: 0102D3DC
FillRect.USER32(?,?,00000000), ref: 0102D40E
GetWindowLongW.USER32(?,000000F0), ref: 0102D439

Part of subcall function 0102D575: GetSysColor.USER32(00000012), ref: 0102D5AE
Part of subcall function 0102D575: SetTextColor.GDI32(?,?), ref: 0102D5B2
Part of subcall function 0102D575: GetSysColorBrush.USER32(0000000F), ref: 0102D5C8
Part of subcall function 0102D575: GetSysColor.USER32(0000000F), ref: 0102D5D3
Part of subcall function 0102D575: GetSysColor.USER32(00000011), ref: 0102D5F0
Part of subcall function 0102D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0102D5FE
Part of subcall function 0102D575: SelectObject.GDI32(?,00000000), ref: 0102D60F
Part of subcall function 0102D575: SetBkColor.GDI32(?,00000000), ref: 0102D618
Part of subcall function 0102D575: SelectObject.GDI32(?,?), ref: 0102D625
Part of subcall function 0102D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0102D644
Part of subcall function 0102D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0102D65B
Part of subcall function 0102D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0102D670
Part of subcall function 0102D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0102D698

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: dacf0e722c9fb0be52a47d55b46df18c10b7ccb432b1a80651f01328d2e38c12
Instruction ID: 56303b7af80b51f95c434aa13aafc41b1dfd7485d004679d29d140af404ca187
Opcode Fuzzy Hash: dacf0e722c9fb0be52a47d55b46df18c10b7ccb432b1a80651f01328d2e38c12
Instruction Fuzzy Hash: BC91BFB5408311BFD7219FA4DD48A6B7BA9FF89321F000A19F9A2961D0CB36D944CB91

Function 00FDB8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00FDB98B
DeleteObject.GDI32(00000000), ref: 00FDB9CD
DeleteObject.GDI32(00000000), ref: 00FDB9D8
DestroyIcon.USER32(00000000), ref: 00FDB9E3
DestroyWindow.USER32(00000000), ref: 00FDB9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 0103D2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0103D2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0103D711

Part of subcall function 00FDB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FDB759,?,00000000,?,?,?,?,00FDB72B,00000000,?), ref: 00FDBA58

SendMessageW.USER32 ref: 0103D758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0103D76F
ImageList_Destroy.COMCTL32(00000000), ref: 0103D785
ImageList_Destroy.COMCTL32(00000000), ref: 0103D790

Strings

0, xrefs: 0103D5A5

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: a0c682a1309a2a06e672bec7192da36a07473cff152ecc654177a5d31a026331
Instruction ID: 5cfa002a57edf859d6f0214ee41bd5050d3286e0c9771c15f751d56b67fd3c6e
Opcode Fuzzy Hash: a0c682a1309a2a06e672bec7192da36a07473cff152ecc654177a5d31a026331
Instruction Fuzzy Hash: C612CF74200241DFDB61CF68C494BA9BBE9FF88304F5845AAFAC9CB252C731E841DB91

Function 01019F50 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 01019F83
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0101A042
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 0101A080
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 0101A092
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 0101A0D8
GetClientRect.USER32(00000000,?), ref: 0101A0E4
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 0101A128
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0101A137
GetStockObject.GDI32(00000011), ref: 0101A147
SelectObject.GDI32(00000000,00000000), ref: 0101A14B
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 0101A15B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0101A164
DeleteDC.GDI32(00000000), ref: 0101A16D
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0101A19B
SendMessageW.USER32(00000030,00000000,00000001), ref: 0101A1B2
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 0101A1ED
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0101A201
SendMessageW.USER32(00000404,00000001,00000000), ref: 0101A212
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0101A242
GetStockObject.GDI32(00000011), ref: 0101A24D
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 0101A258
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 0101A262

Strings

msctls_progress32, xrefs: 0101A1E3
DISPLAY, xrefs: 0101A12D
AutoIt v3, xrefs: 0101A0D0
static, xrefs: 0101A122, 0101A23C

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 66f440d292c802a85baf186a5449abc186e80bbbb63d273984d0d7ac2ab40f3e
Instruction ID: 745fc52054d20c2f09b94420e954e400a4833bd49cb197f0e09e75a68200b2c1
Opcode Fuzzy Hash: 66f440d292c802a85baf186a5449abc186e80bbbb63d273984d0d7ac2ab40f3e
Instruction Fuzzy Hash: 0DA172B5A00215BFEB24DBA4DD4AFAE7BA9EF04710F004118FA54AB1D4D7B9AD01CF64

Function 0100DBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0100DBD6
GetDriveTypeW.KERNEL32(?,0105DC54,?,\\.\,0105DC00), ref: 0100DCC3
SetErrorMode.KERNEL32(00000000,0105DC54,?,\\.\,0105DC00), ref: 0100DE29

Strings

Virtual, xrefs: 0100DDEE
\\.\, xrefs: 0100DC2B
SATA, xrefs: 0100DDD9
ATA, xrefs: 0100DDA1
RAID, xrefs: 0100DDC4
iSCSI, xrefs: 0100DDCB
Removable, xrefs: 0100DD15
Unknown, xrefs: 0100DCE3, 0100DD8C
1394, xrefs: 0100DDA8
Fibre, xrefs: 0100DDB6
CDROM, xrefs: 0100DCF7
SSD, xrefs: 0100DD50
Network, xrefs: 0100DD01
RAMDisk, xrefs: 0100DCED
PhysicalDrive, xrefs: 0100DC67
FileBackedVirtual, xrefs: 0100DDF5
Fixed, xrefs: 0100DD0B
ATAPI, xrefs: 0100DD9A
SSA, xrefs: 0100DDAF
SAS, xrefs: 0100DDD2
USB, xrefs: 0100DDBD
MMC, xrefs: 0100DDE7
SCSI, xrefs: 0100DD93

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 20aed6cbb766da61c31b0859d89c72a3ca75b5204221151763f1662e67dd3c39
Instruction ID: 014b673d97f78599f03349ceb34d0d0ac71ce6e9ffe1a056f1549523ac98218c
Opcode Fuzzy Hash: 20aed6cbb766da61c31b0859d89c72a3ca75b5204221151763f1662e67dd3c39
Instruction Fuzzy Hash: 2351BE30648306ABB212EBD5C992D3DBBE0FB94600F04486EF5CB9F2D1DB60D845D766

Function 00FCCC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00FCCC68
__wcsnicmp.LIBCMT ref: 00FCCC80
__wcsnicmp.LIBCMT ref: 00FCCC98
__wcsnicmp.LIBCMT ref: 00FCCCB0
__wcsnicmp.LIBCMT ref: 00FCCCC8
__wcsnicmp.LIBCMT ref: 00FCCCE0
__wcsnicmp.LIBCMT ref: 00FCCCF8
__wcsnicmp.LIBCMT ref: 00FCCD0C
__wcsnicmp.LIBCMT ref: 00FCCD4D
__wcsnicmp.LIBCMT ref: 00FCCD61
__wcsnicmp.LIBCMT ref: 00FCCD75
__wcsnicmp.LIBCMT ref: 00FCCD89

Strings

Bad directive syntax error, xrefs: 01032ECB
#ce, xrefs: 00FCCD83
#requireadmin, xrefs: 00FCCC92
Unterminated group of comments, xrefs: 01032FB4
#OnAutoItStartRegister, xrefs: 00FCCCAA
#notrayicon, xrefs: 00FCCC7A
#comments-start, xrefs: 00FCCCF2, 00FCCD47
#cs, xrefs: 00FCCD06, 00FCCD5B
#pragma compile, xrefs: 00FCCC62
#include-once, xrefs: 00FCCCC2
Cannot parse #include, xrefs: 01032FA1
#comments-end, xrefs: 00FCCD6F
#include, xrefs: 00FCCCDA

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: dd1306615e0e39d20d62c0688371ef12567b049de3fc0bf08c61a91cd2a934c4
Instruction ID: 6c23ecce51f80c1128b33e6c5d1f408ad1efe7b703426ddd8fffbab052089149
Opcode Fuzzy Hash: dd1306615e0e39d20d62c0688371ef12567b049de3fc0bf08c61a91cd2a934c4
Instruction Fuzzy Hash: 3A81F931640216AADB11AAA5DD83FBF3BA9BF54700F04402DF94AAA182EB64D541E3E1

Function 0102C6E9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0102C788
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0102C83E
SendMessageW.USER32(?,00001102,00000002,?), ref: 0102C859
SendMessageW.USER32(?,000000F1,?,00000000), ref: 0102CB15

Strings

0, xrefs: 0102C89C

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: ca33a6cdcebe7eb8cb6aaba8421449e35ceab7326a7c135cf9d2785ca2feaca9
Instruction ID: ca7abc398886f6e4f590fc7a9b1dde531e4293fb4da952d724b1368a372c814e
Opcode Fuzzy Hash: ca33a6cdcebe7eb8cb6aaba8421449e35ceab7326a7c135cf9d2785ca2feaca9
Instruction Fuzzy Hash: B2F1BF70204321AFF7618F28CA89BAEBFE4FF49354F08456DF6C996291C7798841DB91

Function 0102638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0105DC00), ref: 01026449

Strings

UNCHECK, xrefs: 010266A1
ADDSTRING, xrefs: 01026536
ISCHECKED, xrefs: 01026659
GETCURRENTSELECTION, xrefs: 01026603
CURRENTTAB, xrefs: 010264DD
SETCURRENTSELECTION, xrefs: 010265D6
EDITPASTE, xrefs: 0102675B
CHECK, xrefs: 0102668B
DELSTRING, xrefs: 01026569
TABRIGHT, xrefs: 010264BD
ISVISIBLE, xrefs: 01026455
SELECTSTRING, xrefs: 01026626
GETLINECOUNT, xrefs: 010266E4
GETCURRENTCOL, xrefs: 01026724
SENDCOMMANDID, xrefs: 010267CA
GETCURRENTLINE, xrefs: 01026704
GETLINE, xrefs: 0102678B
FINDSTRING, xrefs: 01026596
GETSELECTED, xrefs: 010266C1
HIDEDROPDOWN, xrefs: 01026520
TABLEFT, xrefs: 010264A7
ISENABLED, xrefs: 0102648C
SHOWDROPDOWN, xrefs: 01026500

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 28cc767973cc037901da84f9608adc2dc915dec806b337afe5d6a19c8e9a4683
Instruction ID: a351d0a9cc184aa6e59164139998d54596de776d134a04770339f08ce1369f64
Opcode Fuzzy Hash: 28cc767973cc037901da84f9608adc2dc915dec806b337afe5d6a19c8e9a4683
Instruction Fuzzy Hash: 75C19430204265CBCA04EF14C951A6E77E6BF94344F04489DFDC69B3E2DB36E90ADB82

Function 0102D575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0102D5AE
SetTextColor.GDI32(?,?), ref: 0102D5B2
GetSysColorBrush.USER32(0000000F), ref: 0102D5C8
GetSysColor.USER32(0000000F), ref: 0102D5D3
CreateSolidBrush.GDI32(?), ref: 0102D5D8
GetSysColor.USER32(00000011), ref: 0102D5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0102D5FE
SelectObject.GDI32(?,00000000), ref: 0102D60F
SetBkColor.GDI32(?,00000000), ref: 0102D618
SelectObject.GDI32(?,?), ref: 0102D625
InflateRect.USER32(?,000000FF,000000FF), ref: 0102D644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0102D65B
GetWindowLongW.USER32(00000000,000000F0), ref: 0102D670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0102D698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0102D6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 0102D6DD
DrawFocusRect.USER32(?,?), ref: 0102D6E8
GetSysColor.USER32(00000011), ref: 0102D6F6
SetTextColor.GDI32(?,00000000), ref: 0102D6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0102D712
SelectObject.GDI32(?,0102D2A5), ref: 0102D729
DeleteObject.GDI32(?), ref: 0102D734
SelectObject.GDI32(?,?), ref: 0102D73A
DeleteObject.GDI32(?), ref: 0102D73F
SetTextColor.GDI32(?,?), ref: 0102D745
SetBkColor.GDI32(?,?), ref: 0102D74F

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: fa896b326627109b3b224119d24e915ebf2403b2afb4b1d6eef8935b89aee1fc
Instruction ID: 6e8bedf20868f43b1276210e464a27e5e3748a087384248821caa948ebad3a45
Opcode Fuzzy Hash: fa896b326627109b3b224119d24e915ebf2403b2afb4b1d6eef8935b89aee1fc
Instruction Fuzzy Hash: DD515DB5900218BFDB219FE8DD88EAE7BB9FF08324F104115FA55AB291D7759A40CF90

Function 0102B6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0102B7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0102B7C1
CharNextW.USER32(0000014E), ref: 0102B7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0102B831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0102B847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0102B858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0102B875
SetWindowTextW.USER32(?,0000014E), ref: 0102B8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0102B8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 0102B90E
_memset.LIBCMT ref: 0102B933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0102B97C
_memset.LIBCMT ref: 0102B9DB
SendMessageW.USER32 ref: 0102BA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 0102BA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 0102BB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 0102BB2C
GetMenuItemInfoW.USER32(?), ref: 0102BB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0102BBA3
DrawMenuBar.USER32(?), ref: 0102BBB2
SetWindowTextW.USER32(?,0000014E), ref: 0102BBDA

Strings

0, xrefs: 0102BB4F

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: d4f243b9ddf51925d6759c83fbb5aa36be56515a6b956c50009364d33bc344ea
Instruction ID: b6db02d8cb9ddca643f2fc0da4e29ab3cad201b8f83c0634557fb5106461d1d0
Opcode Fuzzy Hash: d4f243b9ddf51925d6759c83fbb5aa36be56515a6b956c50009364d33bc344ea
Instruction Fuzzy Hash: 8CE16175900229AFDF219F95CC84EFE7BB8FF09714F048196FA99AA280DB758541CF60

Function 0102764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0102778A
GetDesktopWindow.USER32 ref: 0102779F
GetWindowRect.USER32(00000000), ref: 010277A6
GetWindowLongW.USER32(?,000000F0), ref: 01027808
DestroyWindow.USER32(?), ref: 01027834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0102785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0102787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 010278A1
SendMessageW.USER32(?,00000421,?,?), ref: 010278B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 010278C9
IsWindowVisible.USER32(?), ref: 010278E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 01027904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 01027918
GetWindowRect.USER32(?,?), ref: 01027930
MonitorFromPoint.USER32(?,?,00000002), ref: 01027956
GetMonitorInfoW.USER32 ref: 01027970
CopyRect.USER32(?,?), ref: 01027987
SendMessageW.USER32(?,00000412,00000000), ref: 010279F2

Strings

(, xrefs: 01027965
tooltips_class32, xrefs: 01027856
0, xrefs: 01027735

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 64791da6237e353977b09b417b02ddaa4ffcb66e69218204152ac46a7f943078
Instruction ID: 174ec551023853218e00835204f167cbbf38128ffa0ad9fb9a8e93ed8ad16cd1
Opcode Fuzzy Hash: 64791da6237e353977b09b417b02ddaa4ffcb66e69218204152ac46a7f943078
Instruction Fuzzy Hash: F3B1AA71604311AFD750DF68C989B6ABBE4FF98310F00891DF5C99B292DB75E804CB92

Function 01006CE9 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 01006CFB
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 01006D21
_wcscpy.LIBCMT ref: 01006D4F
_wcscmp.LIBCMT ref: 01006D5A
_wcscat.LIBCMT ref: 01006D70
_wcsstr.LIBCMT ref: 01006D7B
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 01006D97
_wcscat.LIBCMT ref: 01006DE0
_wcscat.LIBCMT ref: 01006DE7
_wcsncpy.LIBCMT ref: 01006E12

Strings

DefaultLangCodepage, xrefs: 01006DFA
\VarFileInfo\Translation, xrefs: 01006D8F
04090000, xrefs: 01006DCD
%u.%u.%u.%u, xrefs: 01006E75
StringFileInfo\, xrefs: 01006D6A

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: dc8b733f062c7420275a797f12b3e4625b509edc64363c74147e092b81f17985
Instruction ID: ebdc17f1abe0d00867ba664b76ec16f1edd82c057a0cc8cf8778308b83fa93b9
Opcode Fuzzy Hash: dc8b733f062c7420275a797f12b3e4625b509edc64363c74147e092b81f17985
Instruction Fuzzy Hash: DA413871900245BBF711BB6ADD43EBF77BDEF41310F04006AF941A6182EF79AA10A7A1

Function 00FDA856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FDA939
GetSystemMetrics.USER32(00000007), ref: 00FDA941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FDA96C
GetSystemMetrics.USER32(00000008), ref: 00FDA974
GetSystemMetrics.USER32(00000004), ref: 00FDA999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FDA9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00FDA9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FDA9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FDAA0D
GetClientRect.USER32(00000000,000000FF), ref: 00FDAA2B
GetStockObject.GDI32(00000011), ref: 00FDAA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FDAA52

Part of subcall function 00FDB63C: GetCursorPos.USER32(000000FF), ref: 00FDB64F
Part of subcall function 00FDB63C: ScreenToClient.USER32(00000000,000000FF), ref: 00FDB66C
Part of subcall function 00FDB63C: GetAsyncKeyState.USER32(00000001), ref: 00FDB691
Part of subcall function 00FDB63C: GetAsyncKeyState.USER32(00000002), ref: 00FDB69F

SetTimer.USER32(00000000,00000000,00000028,00FDAB87), ref: 00FDAA79

Strings

AutoIt v3 GUI, xrefs: 00FDA9F1

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 1d196dba4f929bcabc3c478d1c7e80b586ffa851948f7c50167a04808f49357b
Instruction ID: 9720b606fafc84ce73bccbe0cb4cd0dea6a217850b85832022d257a89e67261d
Opcode Fuzzy Hash: 1d196dba4f929bcabc3c478d1c7e80b586ffa851948f7c50167a04808f49357b
Instruction Fuzzy Hash: F9B1CE71A0020ADFDB24DFA8C985BAD7BB5FF48314F04421AFA85A7380DB39D841DB55

Function 00FC2EC0 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00FC2F7A
IsWindow.USER32(?), ref: 010322FD

Strings

INSTANCE, xrefs: 0103223C
TITLE, xrefs: 01032292
HANDLE, xrefs: 010320E2
ACTIVE, xrefs: 010320CC
REGEXPCLASS, xrefs: 01032149
LAST, xrefs: 010320B6
CLASS, xrefs: 01032128
ALL, xrefs: 01032264
REGEXPTITLE, xrefs: 010320F8

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 62970417-1919597938
Opcode ID: 8b0294741dfd53e7d7fdb9c0b02f9764e4907829b7e1fc20cb618c0fbbbc5dc9
Instruction ID: e3de07f8c08dfd1aa06b4da48369423d1e145212b45548533ad652ac88598ec9
Opcode Fuzzy Hash: 8b0294741dfd53e7d7fdb9c0b02f9764e4907829b7e1fc20cb618c0fbbbc5dc9
Instruction Fuzzy Hash: C9D1B330508247EBCB04EF54CD81AAABBB9FF94340F004A5DF4D6572A2DB34E59ADB91

Function 01023639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01023735
RegCreateKeyExW.ADVAPI32(?,?,00000000,0105DC00,00000000,?,00000000,?,?), ref: 010237A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 010237EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 01023874
RegCloseKey.ADVAPI32(?), ref: 01023B94
RegCloseKey.ADVAPI32(00000000), ref: 01023BA1

Strings

REG_DWORD, xrefs: 01023A65
REG_QWORD, xrefs: 01023AE2
REG_MULTI_SZ, xrefs: 0102395C
REG_BINARY, xrefs: 01023B2F
REG_EXPAND_SZ, xrefs: 01023811
REG_SZ, xrefs: 010238B2

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 49e8e4f0e976cb5cd4f709274c7a4dbf42032c61b7575034d81ba32bef68d7c1
Instruction ID: 34ffe33fd2f55ff76503d3a65f95aaab8fd2e5850e27c9f327c8e3eaba46db47
Opcode Fuzzy Hash: 49e8e4f0e976cb5cd4f709274c7a4dbf42032c61b7575034d81ba32bef68d7c1
Instruction Fuzzy Hash: 970258756046119FDB15EF18C945E2AB7E9FF88720F04845DF99A9B3A1CB39EC01CB81

Function 01026BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 01026C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 01026D16

Strings

GETITEMCOUNT, xrefs: 01026C84
FINDITEM, xrefs: 01026E81
SELECT, xrefs: 01026DA8
SELECTINVERT, xrefs: 01026DDE
GETSUBITEMCOUNT, xrefs: 01026CA1
SELECTCLEAR, xrefs: 01026D8D
SELECTALL, xrefs: 01026D75
GETTEXT, xrefs: 01026CBF
VIEWCHANGE, xrefs: 01026ECD
DESELECT, xrefs: 01026DFC
ISSELECTED, xrefs: 01026D21
GETSELECTEDCOUNT, xrefs: 01026CF9
GETSELECTED, xrefs: 01026E3C

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 9631a3ee4406822bb2ff5f42ec80fef4d6f7adc2caec914544201282889c3ab5
Instruction ID: 469d85ff7d36e41ed862b4fd09a63ab92340d2603d2d5e3ad97cb68bb17cf0be
Opcode Fuzzy Hash: 9631a3ee4406822bb2ff5f42ec80fef4d6f7adc2caec914544201282889c3ab5
Instruction Fuzzy Hash: D2A18B306142569BCA54FF24CD52E6EB3A6BF84310F0449ADED969B392DB35EC09CB81

Function 00FFCF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00FFCF91
__swprintf.LIBCMT ref: 00FFD032
_wcscmp.LIBCMT ref: 00FFD045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00FFD09A
_wcscmp.LIBCMT ref: 00FFD0D6
GetClassNameW.USER32(?,?,00000400), ref: 00FFD10D
GetDlgCtrlID.USER32(?), ref: 00FFD15F
GetWindowRect.USER32(?,?), ref: 00FFD195
GetParent.USER32(?), ref: 00FFD1B3
ScreenToClient.USER32(00000000), ref: 00FFD1BA
GetClassNameW.USER32(?,?,00000100), ref: 00FFD234
_wcscmp.LIBCMT ref: 00FFD248
GetWindowTextW.USER32(?,?,00000400), ref: 00FFD26E
_wcscmp.LIBCMT ref: 00FFD282

Strings

%s%u, xrefs: 00FFD02C

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 6d741a9fa8eb589db7d3c8dfe360ab1d0d032f537a6ac04e82b629d90c65704f
Instruction ID: dabd6bb5a1843a5eaa29e9498a83e8187ec83dfb824cec0bce759173958d1e7c
Opcode Fuzzy Hash: 6d741a9fa8eb589db7d3c8dfe360ab1d0d032f537a6ac04e82b629d90c65704f
Instruction Fuzzy Hash: CDA1F171A0430AAFD715DF60C984FBAB7A9FF44364F004619FA99D21A0DB30EA05DBE1

Function 00FFD8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00FFD8EB
_wcscmp.LIBCMT ref: 00FFD8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00FFD924
CharUpperBuffW.USER32(?,00000000), ref: 00FFD941
_wcscmp.LIBCMT ref: 00FFD95F
_wcsstr.LIBCMT ref: 00FFD970
GetClassNameW.USER32(00000018,?,00000400), ref: 00FFD9A8
_wcscmp.LIBCMT ref: 00FFD9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00FFD9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 00FFDA28
_wcscmp.LIBCMT ref: 00FFDA38
GetClassNameW.USER32(00000010,?,00000400), ref: 00FFDA60
GetWindowRect.USER32(00000004,?), ref: 00FFDAC9

Strings

@, xrefs: 00FFD8C6
ThumbnailClass, xrefs: 00FFD9B3, 00FFDA33

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: a535bf0ad36cf542bb1c275979e8581a0b903e367dd9774c5ed58782e5cf9f09
Instruction ID: 999488649c0df66ef57814954ee0a9c3835c587e62b9068430c2cac43f7d417d
Opcode Fuzzy Hash: a535bf0ad36cf542bb1c275979e8581a0b903e367dd9774c5ed58782e5cf9f09
Instruction Fuzzy Hash: A281153140830A9BDB11DF50C985FBA7BE9FF84324F04406AFE899A0A6DB74DD45DBA1

Function 00FFD6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00FFD753

Strings

[ALL, xrefs: 00FFD7F9
[HANDLE:, xrefs: 00FFD75F
[REGEXPTITLE:, xrefs: 00FFD77B
REGEXP=, xrefs: 00FFD768
[CLASS:, xrefs: 00FFD7A3
HANDLE=, xrefs: 00FFD74C
[ACTIVE, xrefs: 00FFD740
ACTIVE, xrefs: 00FFD72E
LAST, xrefs: 00FFD718
CLASSNAME=, xrefs: 00FFD790
[LAST, xrefs: 00FFD800
ALL, xrefs: 00FFD7E7

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 9628925386f4ed217713b59fe6a9334b0cf8c97b9a1865dbece90b037e739ab8
Instruction ID: 700af8491d9e92ee422e6309b1bddf87dce09a99ce31786b4199b70829fba89e
Opcode Fuzzy Hash: 9628925386f4ed217713b59fe6a9334b0cf8c97b9a1865dbece90b037e739ab8
Instruction Fuzzy Hash: 1731A132E4424AA6DB14FA52CE43FBD73759F20750F20002DF681B90E1EF69AE44E659

Function 00FFEA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00FFEAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00FFEAC2
SetWindowTextW.USER32(?,?), ref: 00FFEAD9
GetDlgItem.USER32(?,000003EA), ref: 00FFEAEE
SetWindowTextW.USER32(00000000,?), ref: 00FFEAF4
GetDlgItem.USER32(?,000003E9), ref: 00FFEB04
SetWindowTextW.USER32(00000000,?), ref: 00FFEB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00FFEB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00FFEB45
GetWindowRect.USER32(?,?), ref: 00FFEB4E
SetWindowTextW.USER32(?,?), ref: 00FFEBB9
GetDesktopWindow.USER32 ref: 00FFEBBF
GetWindowRect.USER32(00000000), ref: 00FFEBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00FFEC12
GetClientRect.USER32(?,?), ref: 00FFEC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00FFEC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00FFEC6F

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: b245d19e7297582c9da4d32d69f54e1cdb96e01ab64b62c0a99465b66472704d
Instruction ID: 58905ab315e4b4aeaddb86526557e1225e88ac88493bf3655ff1576a46e1a6e1
Opcode Fuzzy Hash: b245d19e7297582c9da4d32d69f54e1cdb96e01ab64b62c0a99465b66472704d
Instruction Fuzzy Hash: 82516D75900709EFDB21DFA8CE89F6EBBF5FF48714F004918E686A25A0D779A904DB10

Function 010179B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 010179C6
LoadCursorW.USER32(00000000,00007F00), ref: 010179D1
LoadCursorW.USER32(00000000,00007F03), ref: 010179DC
LoadCursorW.USER32(00000000,00007F8B), ref: 010179E7
LoadCursorW.USER32(00000000,00007F01), ref: 010179F2
LoadCursorW.USER32(00000000,00007F81), ref: 010179FD
LoadCursorW.USER32(00000000,00007F88), ref: 01017A08
LoadCursorW.USER32(00000000,00007F80), ref: 01017A13
LoadCursorW.USER32(00000000,00007F86), ref: 01017A1E
LoadCursorW.USER32(00000000,00007F83), ref: 01017A29
LoadCursorW.USER32(00000000,00007F85), ref: 01017A34
LoadCursorW.USER32(00000000,00007F82), ref: 01017A3F
LoadCursorW.USER32(00000000,00007F84), ref: 01017A4A
LoadCursorW.USER32(00000000,00007F04), ref: 01017A55
LoadCursorW.USER32(00000000,00007F02), ref: 01017A60
LoadCursorW.USER32(00000000,00007F89), ref: 01017A6B
GetCursorInfo.USER32(?), ref: 01017A7B

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 8cf23bdf584a956425f4f52073279e2743018d353df929b0e847c4de4524f17f
Instruction ID: d1f90f80fddea5df421402359bec2c000e0d790a9656c21fcdcc5888961f2761
Opcode Fuzzy Hash: 8cf23bdf584a956425f4f52073279e2743018d353df929b0e847c4de4524f17f
Instruction Fuzzy Hash: E53115B1D4431A6ADB509FF68C8995FBFE8FF44750F40452BA54DE7280DA7CA5008FA1

Function 00FCC833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 00FDE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00FCC8B7,?,00002000,?,?,00000000,?,00FC419E,?,?,?,0105DC00), ref: 00FDE984

Part of subcall function 00FC660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC53B1,?,?,00FC61FF,?,00000000,00000001,00000000), ref: 00FC662F

__wsplitpath.LIBCMT ref: 00FCC93E

Part of subcall function 00FE1DFC: __wsplitpath_helper.LIBCMT ref: 00FE1E3C

_wcscpy.LIBCMT ref: 00FCC953
_wcscat.LIBCMT ref: 00FCC968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00FCC978
SetCurrentDirectoryW.KERNEL32(?), ref: 00FCCABE

Part of subcall function 00FCB337: _wcscpy.LIBCMT ref: 00FCB36F

Strings

Error opening the file, xrefs: 010330B4, 0103313D
Bad directive syntax error, xrefs: 01033429
AU3!, xrefs: 00FCC90C
Unterminated string, xrefs: 01033470
>>>AUTOIT SCRIPT<<<, xrefs: 0103311B
#include depth exceeded. Make sure there are no recursive includes, xrefs: 01033098
EA06, xrefs: 010330C9

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: cb51398766dc5795ca05a1ffeb2330549ac7e1e3c7c8c06e0f2f5488f4198d87
Instruction ID: 95509536213bafb274318d91555096c5303b6adbb35a3455316c1500988bd6d3
Opcode Fuzzy Hash: cb51398766dc5795ca05a1ffeb2330549ac7e1e3c7c8c06e0f2f5488f4198d87
Instruction Fuzzy Hash: 46129A714083429FC725EF24C992EAEBBE9BFD8300F04491EF5CA97251DB349949DB92

Function 0102CE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0102CEFB
DestroyWindow.USER32(?,?), ref: 0102CF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0102CFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0102D016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0102D025
DestroyWindow.USER32(?), ref: 0102D042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FC0000,00000000), ref: 0102D075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0102D094
GetDesktopWindow.USER32 ref: 0102D0A9
GetWindowRect.USER32(00000000), ref: 0102D0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0102D0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0102D0DA

Part of subcall function 00FDB526: GetWindowLongW.USER32(?,000000EB), ref: 00FDB537

Strings

0, xrefs: 0102CF1B
tooltips_class32, xrefs: 0102CFED, 0102D06E

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: bb64335ec19a09adbb9924772fcff36fde82be3739c74f9a73d8b412cfd6040a
Instruction ID: b51a995b901c4b8448de82b583a16d5151d1159c5c252ac99110f56fc24517e7
Opcode Fuzzy Hash: bb64335ec19a09adbb9924772fcff36fde82be3739c74f9a73d8b412cfd6040a
Instruction Fuzzy Hash: 9371CCB4144305AFE724CF68CC85F6A3BE5EB88748F04495DFAC5872A1D739E842CB12

Function 0102F351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FDB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FDB35F

DragQueryPoint.SHELL32(?,?), ref: 0102F37A

Part of subcall function 0102D7DE: ClientToScreen.USER32(?,?), ref: 0102D807
Part of subcall function 0102D7DE: GetWindowRect.USER32(?,?), ref: 0102D87D
Part of subcall function 0102D7DE: PtInRect.USER32(?,?,0102ED5A), ref: 0102D88D

SendMessageW.USER32(?,000000B0,?,?), ref: 0102F3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0102F3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0102F411
_wcscat.LIBCMT ref: 0102F441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0102F458
SendMessageW.USER32(?,000000B0,?,?), ref: 0102F471
SendMessageW.USER32(?,000000B1,?,?), ref: 0102F488
SendMessageW.USER32(?,000000B1,?,?), ref: 0102F4AA
DragFinish.SHELL32(?), ref: 0102F4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0102F59C

Strings

@GUI_DRAGID, xrefs: 0102F510
@GUI_DRAGFILE, xrefs: 0102F54B
@GUI_DROPID, xrefs: 0102F4D1

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 690c3b8816f7711bd156d00bdaf404c20cc2e37b4fe82a7af6290e237c896043
Instruction ID: cfb7e1f60ba271959975aa78294f3acca54b6d04a73d9ad7c7e80b4ab78e9639
Opcode Fuzzy Hash: 690c3b8816f7711bd156d00bdaf404c20cc2e37b4fe82a7af6290e237c896043
Instruction Fuzzy Hash: B9615971108301AFC311EFA4CD85E9FBBF8AF99714F000A1EF6D5961A1DB759A09CB92

Function 0100AAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0100AB3D
VariantCopy.OLEAUT32(?,?), ref: 0100AB46
VariantClear.OLEAUT32(?), ref: 0100AB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0100AC40
__swprintf.LIBCMT ref: 0100AC70
VarR8FromDec.OLEAUT32(?,?), ref: 0100AC9C
VariantInit.OLEAUT32(?), ref: 0100AD4D
SysFreeString.OLEAUT32(00000016), ref: 0100ADDF
VariantClear.OLEAUT32(?), ref: 0100AE35
VariantClear.OLEAUT32(?), ref: 0100AE44
VariantInit.OLEAUT32(00000000), ref: 0100AE80

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0100AC6A
Default, xrefs: 0100ACFD

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 37cab0d85bdaadd1c10a7ec6dd1d645985fb45f41ad4a5fc792456b065774716
Instruction ID: 067404031c3adfebcac14936c4a0e4bc4904f6c831d93a8eb16ec3767bce7221
Opcode Fuzzy Hash: 37cab0d85bdaadd1c10a7ec6dd1d645985fb45f41ad4a5fc792456b065774716
Instruction Fuzzy Hash: F5D1B171700706DBEB229F59C885BADBBF5BF05700F048456E5869F2C2DB78E840DBA1

Function 0102716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010271FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01027247

Strings

UNCHECK, xrefs: 0102740B
COLLAPSE, xrefs: 0102728D
EXPAND, xrefs: 010272E1
ISCHECKED, xrefs: 010273B2
GETITEMCOUNT, xrefs: 01027311
EXISTS, xrefs: 010272B0
GETTOTALCOUNT, xrefs: 0102722A
SELECT, xrefs: 010273E0
CHECK, xrefs: 01027267
GETSELECTED, xrefs: 0102733F
GETTEXT, xrefs: 01027382

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: d42f5ccc9a10d7b979af012c367f36b8fbdc6776a16693fba7f9cac1a5c62b74
Instruction ID: 620911b2bafd31b84e1b7b9e1f2a34b3d7d41680e6f9611e6b79e060cf4a4b89
Opcode Fuzzy Hash: d42f5ccc9a10d7b979af012c367f36b8fbdc6776a16693fba7f9cac1a5c62b74
Instruction Fuzzy Hash: C69180302043159BCB04EF14C952A6EBBE6BFA4310F04489DF9965B3A3DB75ED0ADB81

Function 0102E4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0102E5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0102BEAF), ref: 0102E607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0102E647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0102E68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0102E6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0102BEAF), ref: 0102E6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0102E6DF
DestroyIcon.USER32(?,?,?,?,?,0102BEAF), ref: 0102E6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0102E70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0102E717

Part of subcall function 00FE0FA7: __wcsicmp_l.LIBCMT ref: 00FE1030

Strings

.exe, xrefs: 0102E541
.dll, xrefs: 0102E564
.icl, xrefs: 0102E521

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 5ae01a8f925a28bb9c40d28c8b7fb6a7de2ec639d2b33bf5944bae36df62f252
Instruction ID: 4797a920b10aeb19dacf695a2205019de6964ce11d7c953eef73e9b6ec841e37
Opcode Fuzzy Hash: 5ae01a8f925a28bb9c40d28c8b7fb6a7de2ec639d2b33bf5944bae36df62f252
Instruction Fuzzy Hash: D161F471540225FBEB20DF68CD86FFE7BA8BB08750F104155F995D61C1EBB59980C7A0

Function 0100D219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00FC936C: __swprintf.LIBCMT ref: 00FC93AB
Part of subcall function 00FC936C: __itow.LIBCMT ref: 00FC93DF

CharLowerBuffW.USER32(?,?), ref: 0100D292
GetDriveTypeW.KERNEL32 ref: 0100D2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0100D327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0100D35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0100D38C

Strings

open, xrefs: 0100D2B9
closed, xrefs: 0100D2A6, 0100D2AF
close, xrefs: 0100D298
set cd door , xrefs: 0100D32D
open , xrefs: 0100D2EE
type cdaudio alias cd wait, xrefs: 0100D30A
close cd wait, xrefs: 0100D377
wait, xrefs: 0100D349

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 2b8e23c5ef23414c83b18ed5dca13a5504f4c0bacb098ded07d9a5159a2864e7
Instruction ID: 73be6fafcc96d60b5dbe0ab68bdf4824b5f3971456b6e368c443920fe64ac727
Opcode Fuzzy Hash: 2b8e23c5ef23414c83b18ed5dca13a5504f4c0bacb098ded07d9a5159a2864e7
Instruction Fuzzy Hash: 94516A71504205AFD700EF54C982E6EB7E8FF98718F04885DF8896B291DB35EE09DB92

Function 010026BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,01033973,00000016,0000138C,00000016,?,00000016,0105DDB4,00000000,?), ref: 010026F1
LoadStringW.USER32(00000000,?,01033973,00000016), ref: 010026FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,01033973,00000016,0000138C,00000016,?,00000016,0105DDB4,00000000,?,00000016), ref: 0100271C
LoadStringW.USER32(00000000,?,01033973,00000016), ref: 0100271F
__swprintf.LIBCMT ref: 0100276F
__swprintf.LIBCMT ref: 01002780
_wprintf.LIBCMT ref: 01002829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 01002840

Strings

^ ERROR, xrefs: 010027D5
Line %d (File "%s"):, xrefs: 01002769
Error: , xrefs: 010027F7
Line %d:, xrefs: 0100277A
%s (%d) : ==> %s: %s %s, xrefs: 01002824

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: a382fc6ab8d16c3ceab2ab523978f5aaeac754d063f1e6856d173a439a6e5879
Instruction ID: b50d77036f613d0cfdf494f846e0740ebb54b1de7e0f58de156be2f00a9e4443
Opcode Fuzzy Hash: a382fc6ab8d16c3ceab2ab523978f5aaeac754d063f1e6856d173a439a6e5879
Instruction Fuzzy Hash: 3541627280010ABADB15FBD0CE87EEEB778AF54740F100069F54576092EA396F49EBA0

Function 0100D0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0100D0D8
__swprintf.LIBCMT ref: 0100D0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 0100D137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0100D15C
_memset.LIBCMT ref: 0100D17B
_wcsncpy.LIBCMT ref: 0100D1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0100D1EC
CloseHandle.KERNEL32(00000000), ref: 0100D1F7
RemoveDirectoryW.KERNEL32(?), ref: 0100D200
CloseHandle.KERNEL32(00000000), ref: 0100D20A

Strings

\??\%s, xrefs: 0100D0F4
:, xrefs: 0100D11B
\, xrefs: 0100D110

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 9933c79981b0a78da9ae246666ae890457867ecb8cbd7700df65d00c11556d62
Instruction ID: 5fc2ac51ef04ce026f96ff29f106e70c204b7e7b56c1fe42c8f7ad0d9b44856e
Opcode Fuzzy Hash: 9933c79981b0a78da9ae246666ae890457867ecb8cbd7700df65d00c11556d62
Instruction Fuzzy Hash: 123190B6500109ABEB22DFE5DD89FEB77BCAF98700F1040B6F649D2195EB7492448B34

Function 0102E731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0102BEF4,?,?), ref: 0102E754
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0102BEF4,?,?,00000000,?), ref: 0102E76B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0102BEF4,?,?,00000000,?), ref: 0102E776
CloseHandle.KERNEL32(00000000,?,?,?,?,0102BEF4,?,?,00000000,?), ref: 0102E783
GlobalLock.KERNEL32(00000000), ref: 0102E78C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0102BEF4,?,?,00000000,?), ref: 0102E79B
GlobalUnlock.KERNEL32(00000000), ref: 0102E7A4
CloseHandle.KERNEL32(00000000,?,?,?,?,0102BEF4,?,?,00000000,?), ref: 0102E7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0102BEF4,?,?,00000000,?), ref: 0102E7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,0104D9BC,?), ref: 0102E7D5
GlobalFree.KERNEL32(00000000), ref: 0102E7E5
GetObjectW.GDI32(00000000,00000018,?), ref: 0102E809
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0102E834
DeleteObject.GDI32(00000000), ref: 0102E85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0102E872

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 0e4bfa10f5ebc9e809a08ef5ddd523c8087ca0bb5e4681066a100bedf4882a5c
Instruction ID: 9cfd4f085be3ad66b3c91b4c42009d6e82bd798985c2558deba92f2601cb3674
Opcode Fuzzy Hash: 0e4bfa10f5ebc9e809a08ef5ddd523c8087ca0bb5e4681066a100bedf4882a5c
Instruction Fuzzy Hash: 07418DB9600214FFDB219FA5DD88EAE7BB9FF99B21F108058F989D7250C7759900CB20

Function 010105F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0101076F
_wcscat.LIBCMT ref: 01010787
_wcscat.LIBCMT ref: 01010799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 010107AE
SetCurrentDirectoryW.KERNEL32(?), ref: 010107C2
GetFileAttributesW.KERNEL32(?), ref: 010107DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 010107F4
SetCurrentDirectoryW.KERNEL32(?), ref: 01010806

Strings

*.*, xrefs: 01010845

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 47503f05e0e2e829ebd6b2da042f4f9f3e8c843e703f160d05516954cbc25b9f
Instruction ID: 85d2970e880fe9bfb183f74548ad224a6e81201c48c05875682ea8914eea4cf5
Opcode Fuzzy Hash: 47503f05e0e2e829ebd6b2da042f4f9f3e8c843e703f160d05516954cbc25b9f
Instruction Fuzzy Hash: DE81B0715043419FDB60DF68C84596EB7E8BBC8314F188C6EF9C9C7259EB38D9848B92

Function 0102EEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FDB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FDB35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0102EF3B
GetFocus.USER32 ref: 0102EF4B
GetDlgCtrlID.USER32(00000000), ref: 0102EF56
_memset.LIBCMT ref: 0102F081
GetMenuItemInfoW.USER32 ref: 0102F0AC
GetMenuItemCount.USER32(00000000), ref: 0102F0CC
GetMenuItemID.USER32(?,00000000), ref: 0102F0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0102F113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0102F15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0102F193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0102F1C8

Strings

0, xrefs: 0102F079

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: c5f29d1afd2fa731226a2e2fcff712d854e773a09682772070731bec6549e3de
Instruction ID: df447d53a1211abe6ecdbb2f74f3cd76bbbbd87547b17168ca3249170bd7af88
Opcode Fuzzy Hash: c5f29d1afd2fa731226a2e2fcff712d854e773a09682772070731bec6549e3de
Instruction Fuzzy Hash: 73818A70208322AFE761CF18C984A6BBBE9FB89354F10056EF9D997281D735D801CB92

Function 00FFA867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FFABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00FFABD7
Part of subcall function 00FFABBB: GetLastError.KERNEL32(?,00FFA69F,?,?,?), ref: 00FFABE1
Part of subcall function 00FFABBB: GetProcessHeap.KERNEL32(00000008,?,?,00FFA69F,?,?,?), ref: 00FFABF0
Part of subcall function 00FFABBB: HeapAlloc.KERNEL32(00000000,?,00FFA69F,?,?,?), ref: 00FFABF7
Part of subcall function 00FFABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00FFAC0E

Part of subcall function 00FFAC56: GetProcessHeap.KERNEL32(00000008,00FFA6B5,00000000,00000000,?,00FFA6B5,?), ref: 00FFAC62
Part of subcall function 00FFAC56: HeapAlloc.KERNEL32(00000000,?,00FFA6B5,?), ref: 00FFAC69
Part of subcall function 00FFAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00FFA6B5,?), ref: 00FFAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FFA8CB
_memset.LIBCMT ref: 00FFA8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FFA8FF
GetLengthSid.ADVAPI32(?), ref: 00FFA910
GetAce.ADVAPI32(?,00000000,?), ref: 00FFA94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FFA969
GetLengthSid.ADVAPI32(?), ref: 00FFA986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00FFA995
HeapAlloc.KERNEL32(00000000), ref: 00FFA99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FFA9BD
CopySid.ADVAPI32(00000000), ref: 00FFA9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FFA9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FFAA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FFAA2F

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: abfb3c4ed699967ae845164dc5502b51650199133fdd0819b78d2161fb1eecfc
Instruction ID: 37ac57edc7e439502ecbac8146b3de1172fafed6da72350d4580ec2676737bb9
Opcode Fuzzy Hash: abfb3c4ed699967ae845164dc5502b51650199133fdd0819b78d2161fb1eecfc
Instruction Fuzzy Hash: C0515BB5900209AFDF10DF90DD84AFEBBB9FF04310F048129FA55A7290DB7A9A05DB61

Function 01019DC1 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 01019E36
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 01019E42
CreateCompatibleDC.GDI32(?), ref: 01019E4E
SelectObject.GDI32(00000000,?), ref: 01019E5B
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 01019EAF
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 01019EEB
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 01019F0F
SelectObject.GDI32(00000006,?), ref: 01019F17
DeleteObject.GDI32(?), ref: 01019F20
DeleteDC.GDI32(00000006), ref: 01019F27
ReleaseDC.USER32(00000000,?), ref: 01019F32

Strings

(, xrefs: 01019ED7

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 3476498e989d40e5b9461d0b897dbb29202020dbe36db7f872ae3b3a35ced505
Instruction ID: 78abba471c07ef6905a0652d90d501523b259d31a225b4595328fe410ae1de01
Opcode Fuzzy Hash: 3476498e989d40e5b9461d0b897dbb29202020dbe36db7f872ae3b3a35ced505
Instruction Fuzzy Hash: 9F514CB5900309EFDB25CFA8C885EAEBBF9EF48710F14841DF99A97214D739A941CB50

Function 0100CC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 0100CCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 0100CCC5
__swprintf.LIBCMT ref: 0100CD1E
__swprintf.LIBCMT ref: 0100CD37
_wprintf.LIBCMT ref: 0100CDED
_wprintf.LIBCMT ref: 0100CE0B

Strings

^ ERROR, xrefs: 0100CD8F
"%s" (%d) : ==> %s:, xrefs: 0100CE06
Line %d (File "%s"):, xrefs: 0100CD18, 0100CD31
Error: , xrefs: 0100CDB5
"%s" (%d) : ==> %s:%s%s, xrefs: 0100CDE8

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: a895417f0721b1dc06034f3b7f08963ea8a188a9520ba92b4bd3cf6ae56c4dfb
Instruction ID: 02c53eaa175a79176c5c244407fa2ddbcc0a804759347876bf7331084251de63
Opcode Fuzzy Hash: a895417f0721b1dc06034f3b7f08963ea8a188a9520ba92b4bd3cf6ae56c4dfb
Instruction Fuzzy Hash: 7C51737190014AAAEB15EBE0CE47EEEB778AF14300F100169F54576091EB356F59EF61

Function 0100CA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 0100CA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0100CAB0
__swprintf.LIBCMT ref: 0100CB09
__swprintf.LIBCMT ref: 0100CB22
_wprintf.LIBCMT ref: 0100CBCD
_wprintf.LIBCMT ref: 0100CBEB

Strings

"%s" (%d) : ==> %s:, xrefs: 0100CBE6
Line %d (File "%s"):, xrefs: 0100CB03, 0100CB1C
^ ERROR , xrefs: 0100CB64
Error: , xrefs: 0100CB95
"%s" (%d) : ==> %s:%s%s, xrefs: 0100CBC8

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: 09581d6135acea7c914a5463f2440af27ffe69f80d0b83a3ef35f02e5379fef5
Instruction ID: 49e6fa3102cfa4b569de01e8fd043018702b3ca089b54e55c16b245231effd14
Opcode Fuzzy Hash: 09581d6135acea7c914a5463f2440af27ffe69f80d0b83a3ef35f02e5379fef5
Instruction Fuzzy Hash: 4551B23190050AAAEB25EBE0CE47FEEB778AF04300F100169F54576092EB796F59EF61

Function 010055BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 010055D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 01005664
GetMenuItemCount.USER32(01081708), ref: 010056ED
DeleteMenu.USER32(01081708,00000005,00000000,000000F5,?,?), ref: 0100577D
DeleteMenu.USER32(01081708,00000004,00000000), ref: 01005785
DeleteMenu.USER32(01081708,00000006,00000000), ref: 0100578D
DeleteMenu.USER32(01081708,00000003,00000000), ref: 01005795
GetMenuItemCount.USER32(01081708), ref: 0100579D
SetMenuItemInfoW.USER32(01081708,00000004,00000000,00000030), ref: 010057D3
GetCursorPos.USER32(?), ref: 010057DD
SetForegroundWindow.USER32(00000000), ref: 010057E6
TrackPopupMenuEx.USER32(01081708,00000000,?,00000000,00000000,00000000), ref: 010057F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 01005805

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 4d629774b6e87342795d251b3125d8585b887d14dedbf6d817685e9f4184a0d0
Instruction ID: 307e72e40ef735b3f9eb08f14657399d9b74606db47178577ceed6d9f71baf5a
Opcode Fuzzy Hash: 4d629774b6e87342795d251b3125d8585b887d14dedbf6d817685e9f4184a0d0
Instruction Fuzzy Hash: A671F670640205BFFB229B59EC88FAABFA5FF04364F140245F699AB1D1CB716850DF94

Function 00FFA14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FFA1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00FFA211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00FFA22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00FFA249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00FFA273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00FFA29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FFA2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FFA2AB

Strings

\IPC$, xrefs: 00FFA1F3
\CLSID, xrefs: 00FFA193
SOFTWARE\Classes\, xrefs: 00FFA17D

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: 544361f836728c19a870f25266712e3761762d33b98adba5ecc2421e43a943c7
Instruction ID: 9ef4ca4b3e0763c06aa7c65f82fce27ef65089b83271d19e6f57752d23f2a959
Opcode Fuzzy Hash: 544361f836728c19a870f25266712e3761762d33b98adba5ecc2421e43a943c7
Instruction Fuzzy Hash: 8E4127B6C1022DABCB21EBA4DD86EEDB7B8FF14710F044069F905A7160EA799E05DB50

Function 01023C06 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,01022BB5,?,?), ref: 01023C1D

Strings

HKEY_USERS, xrefs: 01023D04
HKEY_CLASSES_ROOT, xrefs: 01023C96
HKEY_CURRENT_USER, xrefs: 01023CE2
HKCU, xrefs: 01023CF3
HKLM, xrefs: 01023C81
HKEY_LOCAL_MACHINE, xrefs: 01023C6C
HKCC, xrefs: 01023CD1
HKCR, xrefs: 01023CAB
HKEY_CURRENT_CONFIG, xrefs: 01023CC0
HKU, xrefs: 01023D15

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 4b37eacb29d1b6adc98bd63b4e579512b6754f91c39ecfab54fd2bb3e4cb4251
Instruction ID: c0dcb85909f5454bcf5c85c5c17beeb79e720c1ff71370676d3cce1572078ea8
Opcode Fuzzy Hash: 4b37eacb29d1b6adc98bd63b4e579512b6754f91c39ecfab54fd2bb3e4cb4251
Instruction Fuzzy Hash: 34415B3051025A8BDF01FF14ED41AEA3366BF56300F544899ECD55F793EB78A90ACB50

Function 010025B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,010336F4,00000010,?,Bad directive syntax error,0105DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 010025D6
LoadStringW.USER32(00000000,?,010336F4,00000010), ref: 010025DD
_wprintf.LIBCMT ref: 01002610
__swprintf.LIBCMT ref: 01002632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 010026A1

Strings

., xrefs: 01002687
Line %d (File "%s"):, xrefs: 01002647
%s (%d) : ==> %s.: %s %s, xrefs: 0100260B
Line %d:, xrefs: 0100262C
Error: , xrefs: 0100266F

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: 0860b05aad469aebaeb24b86fd2c93bbe6943551a4b89d6461cbcc6d4e204310
Instruction ID: c4c6d740c98e94295e9cd3e7c4752c18b661eab125dad21f0b2bd1f94b85bc45
Opcode Fuzzy Hash: 0860b05aad469aebaeb24b86fd2c93bbe6943551a4b89d6461cbcc6d4e204310
Instruction Fuzzy Hash: 43218D7180021EBFDF12AF91CC4AFEE7B78BF18704F040459F5456A0A2EA75A659EB50

Function 01007AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 01007B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 01007B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 01007B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 01007B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 01007B8C

Strings

status PlayMe mode, xrefs: 01007B3D
play PlayMe wait, xrefs: 01007B76
close PlayMe, xrefs: 01007B53, 01007B80
alias PlayMe, xrefs: 01007B1B
open , xrefs: 01007AF1
play PlayMe, xrefs: 01007B87

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: 621da7c7a88195f7c44cdc85a227ab5e839de825f868bcb0e0a6f1cffb7ebe37
Instruction ID: 86b67728d8d789d8d1af14b9568d71ec273be6fc30cc043c365b829de860a8fa
Opcode Fuzzy Hash: 621da7c7a88195f7c44cdc85a227ab5e839de825f868bcb0e0a6f1cffb7ebe37
Instruction Fuzzy Hash: 7411B6A0A5016A79F770B2A6CD4BEFFBABCFFD1B00F00041DB591AA0C1DE645945D6B1

Function 0100778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 01007794

Part of subcall function 00FDDC38: timeGetTime.WINMM(?,75A4B400,010358AB), ref: 00FDDC3C

Sleep.KERNEL32(0000000A), ref: 010077C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 010077E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 01007806
SetActiveWindow.USER32 ref: 01007825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 01007833
SendMessageW.USER32(00000010,00000000,00000000), ref: 01007852
Sleep.KERNEL32(000000FA), ref: 0100785D
IsWindow.USER32 ref: 01007869
EndDialog.USER32(00000000), ref: 0100787A

Strings

BUTTON, xrefs: 010077F8

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: e6cc89d2dfeb978dc66436bf0db4c1faea4a8d72d418b5a89c2d8f268f84fe60
Instruction ID: ee7a4852d227f404a4de2712a71efa5a5b8006add1d3b59e5a38707d32e583e7
Opcode Fuzzy Hash: e6cc89d2dfeb978dc66436bf0db4c1faea4a8d72d418b5a89c2d8f268f84fe60
Instruction Fuzzy Hash: 0E217FB4204605AFF3265BA0EC88A2A3F69FB94648F004058F5C586295DF7FA804DB61

Function 010102EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC936C: __swprintf.LIBCMT ref: 00FC93AB
Part of subcall function 00FC936C: __itow.LIBCMT ref: 00FC93DF

CoInitialize.OLE32(00000000), ref: 0101034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 010103DE
SHGetDesktopFolder.SHELL32(?), ref: 010103F2
CoCreateInstance.OLE32(0104DA8C,00000000,00000001,01073CF8,?), ref: 0101043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 010104AD
CoTaskMemFree.OLE32(?,?), ref: 01010505
_memset.LIBCMT ref: 01010542
SHBrowseForFolderW.SHELL32(?), ref: 0101057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 010105A1
CoTaskMemFree.OLE32(00000000), ref: 010105A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 010105DF
CoUninitialize.OLE32(00000001,00000000), ref: 010105E1

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 06f126c20be7a13f4b6018c1e28dd6a22e9dacd2ab2411bbee11c501f4dcf63c
Instruction ID: fba5c6a2b761bd05e6fbad891363d564514ba4a4873ecfbf2457b288aba8c314
Opcode Fuzzy Hash: 06f126c20be7a13f4b6018c1e28dd6a22e9dacd2ab2411bbee11c501f4dcf63c
Instruction Fuzzy Hash: 3EB12C74A00109AFDB04DFA4C989EAEBBF9FF48304B048499F949EB255DB35ED41CB50

Function 01002E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 01002ED6
SetKeyboardState.USER32(?), ref: 01002F41
GetAsyncKeyState.USER32(000000A0), ref: 01002F61
GetKeyState.USER32(000000A0), ref: 01002F78
GetAsyncKeyState.USER32(000000A1), ref: 01002FA7
GetKeyState.USER32(000000A1), ref: 01002FB8
GetAsyncKeyState.USER32(00000011), ref: 01002FE4
GetKeyState.USER32(00000011), ref: 01002FF2
GetAsyncKeyState.USER32(00000012), ref: 0100301B
GetKeyState.USER32(00000012), ref: 01003029
GetAsyncKeyState.USER32(0000005B), ref: 01003052
GetKeyState.USER32(0000005B), ref: 01003060

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ad06202d43b3097e30d68cb261042b6332b392c06defd5cbeabc60d20ed61ab3
Instruction ID: 9e64c0206c045771db6d4fa005b1aab3c416398253a854ceb113489eccf6eda7
Opcode Fuzzy Hash: ad06202d43b3097e30d68cb261042b6332b392c06defd5cbeabc60d20ed61ab3
Instruction Fuzzy Hash: BF51B464A087C92DFB77DBA888547EABFF45F12380F0845DDC6C25A1C2DA54978CC7A2

Function 00FFED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00FFED1E
GetWindowRect.USER32(00000000,?), ref: 00FFED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00FFED8E
GetDlgItem.USER32(?,00000002), ref: 00FFED99
GetWindowRect.USER32(00000000,?), ref: 00FFEDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00FFEE01
GetDlgItem.USER32(?,000003E9), ref: 00FFEE0F
GetWindowRect.USER32(00000000,?), ref: 00FFEE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00FFEE63
GetDlgItem.USER32(?,000003EA), ref: 00FFEE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00FFEE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 00FFEE9B

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 06bf61060a7ad19cd55518084e69f1ee58b87d8e32e48e9b9401e2e99897f8bb
Instruction ID: 321c135b6f64642a6d7d3fe213d7f26df10df0e1d23f33bc2ff6a25e86d0c480
Opcode Fuzzy Hash: 06bf61060a7ad19cd55518084e69f1ee58b87d8e32e48e9b9401e2e99897f8bb
Instruction Fuzzy Hash: F75143B5B00209AFDB18CFA8DD85AAEBBB6FF98310F148129F619D7294D7759D00CB10

Function 00FDB73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00FDB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FDB759,?,00000000,?,?,?,?,00FDB72B,00000000,?), ref: 00FDBA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00FDB72B), ref: 00FDB7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,00FDB72B,00000000,?,?,00FDB2EF,?,?), ref: 00FDB88D
DestroyAcceleratorTable.USER32(00000000), ref: 0103D8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FDB72B,00000000,?,?,00FDB2EF,?,?), ref: 0103D8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FDB72B,00000000,?,?,00FDB2EF,?,?), ref: 0103D8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FDB72B,00000000,?,?,00FDB2EF,?,?), ref: 0103D90A
DeleteObject.GDI32(00000000), ref: 0103D91C

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: cebb8d4d78b7b1d6e821dbd83a16c602a74243d5108f4fad96198c43a8267304
Instruction ID: e69287f290e77023c971564d71da07f10dc809a5cd5e991c9807bd0139dd36d9
Opcode Fuzzy Hash: cebb8d4d78b7b1d6e821dbd83a16c602a74243d5108f4fad96198c43a8267304
Instruction Fuzzy Hash: 3261B231904601DFDB369F58D988B29B7FAFF98326F19051EE0C647664C739A891EF40

Function 00FDB40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 00FDB526: GetWindowLongW.USER32(?,000000EB), ref: 00FDB537

GetSysColor.USER32(0000000F), ref: 00FDB438

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 888e9441a55c576e96494ef99e593db1afe1a9c01d13a9bea0c6509238d18236
Instruction ID: 68c8100d1ea5995b25426654352c486b8574eda9515edf91f551714bdc43739c
Opcode Fuzzy Hash: 888e9441a55c576e96494ef99e593db1afe1a9c01d13a9bea0c6509238d18236
Instruction Fuzzy Hash: BC41F775400100EFDF35EF68D889BB93B66AB46330F594252FDE58A2EAC7358C41E721

Function 0100690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 01006923
_wcscpy.LIBCMT ref: 01006934
__wsplitpath.LIBCMT ref: 01006958
__wsplitpath.LIBCMT ref: 01006979
_wcscpy.LIBCMT ref: 0100699B
_wcscpy.LIBCMT ref: 010069B9
_wcscpy.LIBCMT ref: 010069C7
_wcscat.LIBCMT ref: 010069D6
_wcscat.LIBCMT ref: 01006A2B
_wcscat.LIBCMT ref: 01006A61
_wcscat.LIBCMT ref: 01006A73

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 6d91a5f21dc345ecc7e38fa396a17a255d2073424e43b9a6294d312e435c4493
Instruction ID: 127865b0d43210dd5f8a1c9fe744e59f6908d86f00aaa3e86e1a4c5bf7554c85
Opcode Fuzzy Hash: 6d91a5f21dc345ecc7e38fa396a17a255d2073424e43b9a6294d312e435c4493
Instruction Fuzzy Hash: 4E415D7688515CAEDF62EB95CC45DCF73BDEB84200F0041E6BA89A2041EE75A7E88F50

Function 0100D76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(0105DC00,0105DC00,0105DC00), ref: 0100D7CE
GetDriveTypeW.KERNEL32(?,01073A70,00000061), ref: 0100D898
_wcscpy.LIBCMT ref: 0100D8C2

Strings

all, xrefs: 0100D7D4
unknown, xrefs: 0100D859
network, xrefs: 0100D82C
removable, xrefs: 0100D800
ramdisk, xrefs: 0100D842
cdrom, xrefs: 0100D7EA
fixed, xrefs: 0100D816

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: fb7f306c4a55dd41625a263289a6e7904139a99265bf7827a529c8c3a0ee9b6f
Instruction ID: c69a4a653ef96ead8a67d3ab18b5bd90e1792b552229199060cdf9e3013c02c0
Opcode Fuzzy Hash: fb7f306c4a55dd41625a263289a6e7904139a99265bf7827a529c8c3a0ee9b6f
Instruction Fuzzy Hash: 7951D330508201AFE301EF94DC82A6EB7A5FF94310F14885EF5D95B292EB31DA05DB52

Function 00FC936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00FC93AB
__itow.LIBCMT ref: 00FC93DF

Part of subcall function 00FE1557: _xtow@16.LIBCMT ref: 00FE1578

Strings

%.15g, xrefs: 00FC93A5
False, xrefs: 01034C93
0x%p, xrefs: 01034CAD
True, xrefs: 01034C8C

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: d89b4a4589a0c885b7fded3787452e4c5ebe6ad1fb2a0b5ede576424a07ad270
Instruction ID: 73dd3d8f649be4231be646a1d5f2a68671500cdfac39156716b868131bf2a3a3
Opcode Fuzzy Hash: d89b4a4589a0c885b7fded3787452e4c5ebe6ad1fb2a0b5ede576424a07ad270
Instruction Fuzzy Hash: E44107725042099BEB64DF79DD46F6977ECFB84300F2444AEE18ACB181EB759941EB10

Function 0102A1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0102A259
CreateCompatibleDC.GDI32(00000000), ref: 0102A260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0102A273
SelectObject.GDI32(00000000,00000000), ref: 0102A27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0102A286
DeleteDC.GDI32(00000000), ref: 0102A28F
GetWindowLongW.USER32(?,000000EC), ref: 0102A299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0102A2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0102A2B9

Strings

static, xrefs: 0102A1F1

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 8abd0cfa06e2bb0d615d8fce3b1c73fd4efb25fc45f75fceccdd69f5c2c9e9ad
Instruction ID: 1acac4718c75c7f43b471e879352e43597fb1e3b15ed95f0c6c109bda5629ef4
Opcode Fuzzy Hash: 8abd0cfa06e2bb0d615d8fce3b1c73fd4efb25fc45f75fceccdd69f5c2c9e9ad
Instruction Fuzzy Hash: 2F31A071200125FBDF225FA8DD49FDA3BA9FF1E364F100215FA9996090CB36D811DB64

Function 01006F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 01006F1D
gethostname.WSOCK32(?,00000100), ref: 01006F37
gethostbyname.WSOCK32(?), ref: 01006F44
_wcscpy.LIBCMT ref: 01006F6C
inet_ntoa.WSOCK32(?), ref: 01006F8A
_strcat.LIBCMT ref: 01006F98
_wcscpy.LIBCMT ref: 01006FAF
WSACleanup.WSOCK32 ref: 01006FBD
_wcscpy.LIBCMT ref: 01006FCB

Strings

0.0.0.0, xrefs: 01006F66

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: b2609e074caf22226b9dcfb37f6cbecab65cb746282a2b4b580390ff13f67cf5
Instruction ID: 5c166d00229f9315fd8ee6510dc1e997070f925a79a4898a3449a44731b4b452
Opcode Fuzzy Hash: b2609e074caf22226b9dcfb37f6cbecab65cb746282a2b4b580390ff13f67cf5
Instruction Fuzzy Hash: C4113A71504209ABEB36ABB5DD49EEE77ADEF40710F0400ADF18596080FFBAEA948750

Function 00FE500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FE5047

Part of subcall function 00FE7C0E: __getptd_noexit.LIBCMT ref: 00FE7C0E

__gmtime64_s.LIBCMT ref: 00FE50E0
__gmtime64_s.LIBCMT ref: 00FE5116
__gmtime64_s.LIBCMT ref: 00FE5133
__allrem.LIBCMT ref: 00FE5189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FE51A5
__allrem.LIBCMT ref: 00FE51BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FE51DA
__allrem.LIBCMT ref: 00FE51F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FE520F
__invoke_watson.LIBCMT ref: 00FE5280

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: a14e6d6d2ff18eaf02edecb5fa390a1df6af1f17c72cbc91d0272402b2518d37
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: 1071E872E01B57ABD714AE7ACC41B6AB3A8BF00B68F144229F614D7681E774DD40ABD0

Function 01004DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01004DF8
GetMenuItemInfoW.USER32(01081708,000000FF,00000000,00000030), ref: 01004E59
SetMenuItemInfoW.USER32(01081708,00000004,00000000,00000030), ref: 01004E8F
Sleep.KERNEL32(000001F4), ref: 01004EA1
GetMenuItemCount.USER32(?), ref: 01004EE5
GetMenuItemID.USER32(?,00000000), ref: 01004F01
GetMenuItemID.USER32(?,-00000001), ref: 01004F2B
GetMenuItemID.USER32(?,?), ref: 01004F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01004FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01004FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01004FEB

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 1fe23f4bb31246b0cf4f10ee7889c680ad9112cf707ba28f56abc7f57ee63e95
Instruction ID: 569505ceddee482c43112ca5793588a1face4b8881764d7cf0381d10445f9e1c
Opcode Fuzzy Hash: 1fe23f4bb31246b0cf4f10ee7889c680ad9112cf707ba28f56abc7f57ee63e95
Instruction Fuzzy Hash: 886192B5A04249AFEB22CFA8D988ABE7BF8EB41304F14015DF6C1D3291D775AD05CB64

Function 01029C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01029C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01029C9B
GetWindowLongW.USER32(?,000000F0), ref: 01029CBF
_memset.LIBCMT ref: 01029CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01029CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01029D5A

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: af2c7a35244fb5d6b7c818fcc42db20bd8bd90645ed0f172a183643232232d29
Instruction ID: a7fc7b87b24fe70029ee4717d2023da11243694d18aca660bdbbe555d8b58408
Opcode Fuzzy Hash: af2c7a35244fb5d6b7c818fcc42db20bd8bd90645ed0f172a183643232232d29
Instruction Fuzzy Hash: 8061B075900228AFDB20DFA8CC81EEE77F8EF09708F104199FA84E7291D774A942DB50

Function 00FF94E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00FF94FE
SafeArrayAllocData.OLEAUT32(?), ref: 00FF9549
VariantInit.OLEAUT32(?), ref: 00FF955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 00FF957B
VariantCopy.OLEAUT32(?,?), ref: 00FF95BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 00FF95D2
VariantClear.OLEAUT32(?), ref: 00FF95E7
SafeArrayDestroyData.OLEAUT32(?), ref: 00FF95F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FF95FD
VariantClear.OLEAUT32(?), ref: 00FF960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FF961A

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: c6caf8905db7d77a52e4bdb9075043d44e3a9d78dd16fd7571a6d9cbb1b7c2b6
Instruction ID: d7ea2fd6ba2752b380557ccaebffb73a84dcd8824b93018833da7d6ed499b071
Opcode Fuzzy Hash: c6caf8905db7d77a52e4bdb9075043d44e3a9d78dd16fd7571a6d9cbb1b7c2b6
Instruction Fuzzy Hash: F2419E75A0021DAFCB01DFE4C888AEEBBB9FF58350F048065E541E3250DB79EA45DBA0

Function 0101ADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC936C: __swprintf.LIBCMT ref: 00FC93AB
Part of subcall function 00FC936C: __itow.LIBCMT ref: 00FC93DF

CoInitialize.OLE32 ref: 0101ADF6
CoUninitialize.OLE32 ref: 0101AE01
CoCreateInstance.OLE32(?,00000000,00000017,0104D8FC,?), ref: 0101AE61
IIDFromString.OLE32(?,?), ref: 0101AED4
VariantInit.OLEAUT32(?), ref: 0101AF6E
VariantClear.OLEAUT32(?), ref: 0101AFCF

Strings

Failed to create object, xrefs: 0101AE6C, 0101AF22
Invalid parameter, xrefs: 0101AEED
NULL Pointer assignment, xrefs: 0101AEA6

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 91452f49564a8566c51003486156671392b2dca5dc0d5395613eb8da836a8f09
Instruction ID: 3f7ae9a0c0c917727b884c747a00b9355683df032641bd11d1d212703b27fce1
Opcode Fuzzy Hash: 91452f49564a8566c51003486156671392b2dca5dc0d5395613eb8da836a8f09
Instruction Fuzzy Hash: 4D6188B0309342DFD711DFA4C988B6ABBE8AF88714F00444DF9859B295C779ED44CB92

Function 01018107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 01018168
inet_addr.WSOCK32(?,?,?), ref: 010181AD
gethostbyname.WSOCK32(?), ref: 010181B9
IcmpCreateFile.IPHLPAPI ref: 010181C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 01018237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0101824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 010182C2
WSACleanup.WSOCK32 ref: 010182C8

Strings

Ping, xrefs: 010181EB

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: d763c2fe09f6b032166c573d4f67e930ddb8589d856a6eb477f251f5e9b914e6
Instruction ID: 36af5b00f788ff8d2124b90b326f558ccad59ba63bfc158335a0e27e80cfe743
Opcode Fuzzy Hash: d763c2fe09f6b032166c573d4f67e930ddb8589d856a6eb477f251f5e9b914e6
Instruction Fuzzy Hash: 4B51A135604601AFD761DF64CD85B6EBBE4BF48310F04896AFA95DB294DB38E900CB42

Function 0100E389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0100E396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0100E40C
GetLastError.KERNEL32 ref: 0100E416
SetErrorMode.KERNEL32(00000000,READY), ref: 0100E483

Strings

NOTREADY, xrefs: 0100E442
READY, xrefs: 0100E45C
UNKNOWN, xrefs: 0100E43B
READONLY, xrefs: 0100E44E
INVALID, xrefs: 0100E455

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: d6f70949e481d758686437cf41a085b9b2a75a31a08331784aabb2be51d65230
Instruction ID: ee8e4eb1899fab891e475ecd34b30e3b6d204555666e8cb6c4af3549956479ff
Opcode Fuzzy Hash: d6f70949e481d758686437cf41a085b9b2a75a31a08331784aabb2be51d65230
Instruction Fuzzy Hash: 03318375A0020A9FF712DFA8C985FADBBB4FF44300F058459E685EB2D1DB759901C791

Function 00FFB907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00FFB98C
GetDlgCtrlID.USER32 ref: 00FFB997
GetParent.USER32 ref: 00FFB9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FFB9B6
GetDlgCtrlID.USER32(?), ref: 00FFB9BF
GetParent.USER32(?), ref: 00FFB9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 00FFB9DE

Strings

ComboBox, xrefs: 00FFB911
ListBox, xrefs: 00FFB949

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: ab7b5d2d94bff43be23d577a533cd1babda66e20167ab4646272e2c0e14f67ec
Instruction ID: 453c4af223a1edab22e5dd1196e432cf7ade64e672a6dfe5321352128ec4931a
Opcode Fuzzy Hash: ab7b5d2d94bff43be23d577a533cd1babda66e20167ab4646272e2c0e14f67ec
Instruction Fuzzy Hash: B521F8B4A00108BFCB14ABE0CCC6EFEB775EF59310F140119F695972A1DBB95815EB60

Function 00FFB9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00FFBA73
GetDlgCtrlID.USER32 ref: 00FFBA7E
GetParent.USER32 ref: 00FFBA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FFBA9D
GetDlgCtrlID.USER32(?), ref: 00FFBAA6
GetParent.USER32(?), ref: 00FFBAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 00FFBAC5

Strings

ComboBox, xrefs: 00FFB9FA
ListBox, xrefs: 00FFBA32

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: e5a186510f457a02a19b43a6e64130f92ef6e573bf2260125b73527570123a6d
Instruction ID: 71d070249a7a555d7893365ed0646da68a601e1bc476476af8581b58cf3b4604
Opcode Fuzzy Hash: e5a186510f457a02a19b43a6e64130f92ef6e573bf2260125b73527570123a6d
Instruction Fuzzy Hash: 4421F5B4A00108BFDB00ABA0CC86FFEB775EF49300F040019FA51A71A5DB7D8815AB60

Function 00FFBAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00FFBAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 00FFBAF8
_wcscmp.LIBCMT ref: 00FFBB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00FFBB85

Strings

SHELLDLL_DefView, xrefs: 00FFBB04
details, xrefs: 00FFBB33
largeicons, xrefs: 00FFBB19
smallicons, xrefs: 00FFBB4D
list, xrefs: 00FFBB67

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: c30739a6a4d3d9491ea738c01d0476e4ff394a1f92f5a07cfca1b098cebb9689
Instruction ID: b39153f5dd03cbd1d5761e1e36169a1b440285b5d169eb9e43468ff4cd68b8b0
Opcode Fuzzy Hash: c30739a6a4d3d9491ea738c01d0476e4ff394a1f92f5a07cfca1b098cebb9689
Instruction Fuzzy Hash: 05110A76E0834BFAFA207A22DC06DB6379CDF65334B200025FB44E40A9FFA5A8516618

Function 0101B2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0101B2D5
CoInitialize.OLE32(00000000), ref: 0101B302
CoUninitialize.OLE32 ref: 0101B30C
GetRunningObjectTable.OLE32(00000000,?), ref: 0101B40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 0101B539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0101B56D
CoGetObject.OLE32(?,00000000,0104D91C,?), ref: 0101B590
SetErrorMode.KERNEL32(00000000), ref: 0101B5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0101B623
VariantClear.OLEAUT32(0104D91C), ref: 0101B633

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: fa575bf53d881a6753d834b93f228ee1fde7a05f131176fed6fe6bc5045a6358
Instruction ID: 53e61c9a4731802c7d10aadbd1391e3e2a70ec831768aa4da6632b82864964d1
Opcode Fuzzy Hash: fa575bf53d881a6753d834b93f228ee1fde7a05f131176fed6fe6bc5045a6358
Instruction Fuzzy Hash: 18C112B1608305AFD700DF68C884A6BBBF9BF89304F00495DF98A9B255DB75ED05CB52

Function 00FEACB3 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00FEACC1

Part of subcall function 00FE7CF4: __mtinitlocknum.LIBCMT ref: 00FE7D06
Part of subcall function 00FE7CF4: EnterCriticalSection.KERNEL32(00000000,?,00FE7ADD,0000000D), ref: 00FE7D1F

__calloc_crt.LIBCMT ref: 00FEACD2

Part of subcall function 00FE6986: __calloc_impl.LIBCMT ref: 00FE6995
Part of subcall function 00FE6986: Sleep.KERNEL32(00000000,000003BC,00FDF507,?,0000000E), ref: 00FE69AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 00FEACED
GetStartupInfoW.KERNEL32(?,01076E28,00000064,00FE5E91,01076C70,00000014), ref: 00FEAD46
__calloc_crt.LIBCMT ref: 00FEAD91
GetFileType.KERNEL32(00000001), ref: 00FEADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00FEAE11

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: b3352870a9eeb23fc99526ac99789149525eab98e0a10e415920bd86e00b52ce
Instruction ID: 679c3a68393837ca8d589411b936cb73d93fd0dd13c56fd725c8e0a27dd18660
Opcode Fuzzy Hash: b3352870a9eeb23fc99526ac99789149525eab98e0a10e415920bd86e00b52ce
Instruction Fuzzy Hash: DA81B1B1D056858FDB24CF6AC8805ADBBF0AF15330B24426DE4E6AB3D1C739A803DB55

Function 010067E9 Relevance: 15.1, APIs: 10, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 010067FD
__swprintf.LIBCMT ref: 0100680A

Part of subcall function 00FE172B: __woutput_l.LIBCMT ref: 00FE1784

FindResourceW.KERNEL32(?,?,0000000E), ref: 01006834
LoadResource.KERNEL32(?,00000000), ref: 01006840
LockResource.KERNEL32(00000000), ref: 0100684D
FindResourceW.KERNEL32(?,?,00000003), ref: 0100686D
LoadResource.KERNEL32(?,00000000), ref: 0100687F
SizeofResource.KERNEL32(?,00000000), ref: 0100688E
LockResource.KERNEL32(?), ref: 0100689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 010068F9

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 54f32de605bc1412a7971516cdc8159db3e350df4053f30b8bd6a89e2fac4083
Instruction ID: 47273665d08e9c2a987158769ba58981cadc9dd2646692cff4691efa2aa3f6e3
Opcode Fuzzy Hash: 54f32de605bc1412a7971516cdc8159db3e350df4053f30b8bd6a89e2fac4083
Instruction Fuzzy Hash: 6831A6B590021AAFEB119FA1DD549BE7BA9FF08350F004515F981D2180D73ADA21DB70

Function 01004025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 01004047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,010030A5,?,00000001), ref: 0100405B
GetWindowThreadProcessId.USER32(00000000), ref: 01004062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,010030A5,?,00000001), ref: 01004071
GetWindowThreadProcessId.USER32(?,00000000), ref: 01004083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,010030A5,?,00000001), ref: 0100409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,010030A5,?,00000001), ref: 010040AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,010030A5,?,00000001), ref: 010040F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,010030A5,?,00000001), ref: 01004108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,010030A5,?,00000001), ref: 01004113

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: a517e59a2e1b7afa3fee3218a22230a750dac4bfdcd54eff9860ecfc9e658920
Instruction ID: 931b175c7529e877140ffbe66baec8d0358b64e1b167cc4f9ac2b1fc15c4f248
Opcode Fuzzy Hash: a517e59a2e1b7afa3fee3218a22230a750dac4bfdcd54eff9860ecfc9e658920
Instruction Fuzzy Hash: DE31B4B5600204BBFB32DF59D885BAD77AABB94711F108145FBC4DA284CBBAD8408B58

Function 0103DD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00FDB496
SetTextColor.GDI32(?,000000FF), ref: 00FDB4A0
SetBkMode.GDI32(?,00000001), ref: 00FDB4B5
GetStockObject.GDI32(00000005), ref: 00FDB4BD
GetClientRect.USER32(?), ref: 0103DD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 0103DD7A
GetWindowDC.USER32(?), ref: 0103DD86
GetPixel.GDI32(00000000,?,?), ref: 0103DD95
ReleaseDC.USER32(?,00000000), ref: 0103DDA7
GetSysColor.USER32(00000005), ref: 0103DDC5

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 330c30301f71bd3c3fbfcf26634854db56ee545fe349b3e0b65a8179846fa2c1
Instruction ID: 5329b1c38e9cf7ddcb6e99d307efbb2fe386fe3d7ac8d825e42b0f4c8a3dc247
Opcode Fuzzy Hash: 330c30301f71bd3c3fbfcf26634854db56ee545fe349b3e0b65a8179846fa2c1
Instruction Fuzzy Hash: 1811B175500200FFDB21AFE4ED48BAD3F65EB19321F108261FAA6950E6CB360941EF20

Function 00FFCB82 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00FFCF50), ref: 00FFCE90

Strings

CLASSNN, xrefs: 00FFCC33
INSTANCE, xrefs: 00FFCD9E
REGEXPCLASS, xrefs: 00FFCC56
NAME, xrefs: 00FFCCC2
CLASS, xrefs: 00FFCC10
TEXT, xrefs: 00FFCDC7

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 4956d11035da06fa4bc9398dc9465602eb4e42b20f7ecdfe4cdb288702780dbe
Instruction ID: b12e52b0a2ccf25c2698d8a57d72780f9f2274de5b0ec9d5b974cd21dca38976
Opcode Fuzzy Hash: 4956d11035da06fa4bc9398dc9465602eb4e42b20f7ecdfe4cdb288702780dbe
Instruction Fuzzy Hash: A791C331A0011EAACB18EF60C982BFEFB75BF04310F54851AE659A7261DF346959EBD0

Function 00FC3093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FC30DC
CoUninitialize.OLE32(?,00000000), ref: 00FC3181
UnregisterHotKey.USER32(?), ref: 00FC32A9
DestroyWindow.USER32(?), ref: 01035079
FreeLibrary.KERNEL32(?), ref: 010350F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 01035125

Strings

close all, xrefs: 00FC30D7

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 2468573843645b33d0f4f8ac1d382f1cda14efb81dde785f49de0f2fa320ef4e
Instruction ID: 3b12320bef7b63e52a1383876a3d6c5f149a6f69e99db8a4a809a79f6a49e1be
Opcode Fuzzy Hash: 2468573843645b33d0f4f8ac1d382f1cda14efb81dde785f49de0f2fa320ef4e
Instruction Fuzzy Hash: C99159746002038FC719EF14CA96FA8F3A8BF54344F5482ADE54AA7262DF35AE16DF40

Function 00FDCB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00FDCC15

Part of subcall function 00FDCCCD: GetClientRect.USER32(?,?), ref: 00FDCCF6
Part of subcall function 00FDCCCD: GetWindowRect.USER32(?,?), ref: 00FDCD37
Part of subcall function 00FDCCCD: ScreenToClient.USER32(?,?), ref: 00FDCD5F

GetDC.USER32 ref: 0103D137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0103D14A
SelectObject.GDI32(00000000,00000000), ref: 0103D158
SelectObject.GDI32(00000000,00000000), ref: 0103D16D
ReleaseDC.USER32(?,00000000), ref: 0103D175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0103D200

Strings

U, xrefs: 0103D0D5

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 10d12bc656cd5ab0b7cfe770eff1f81e1cbaf304b2b4d6671a5e5594674e7369
Instruction ID: 15d616ef0e404d926b410ea57f250efa66c645fc8e2418676425f632fc45b8b6
Opcode Fuzzy Hash: 10d12bc656cd5ab0b7cfe770eff1f81e1cbaf304b2b4d6671a5e5594674e7369
Instruction Fuzzy Hash: 2571D735500205EFDF21DFA8C880AE97BBAFF98364F1842AAFED55A256C7358841DF50

Function 0102ECD4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FDB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FDB35F

Part of subcall function 00FDB63C: GetCursorPos.USER32(000000FF), ref: 00FDB64F
Part of subcall function 00FDB63C: ScreenToClient.USER32(00000000,000000FF), ref: 00FDB66C
Part of subcall function 00FDB63C: GetAsyncKeyState.USER32(00000001), ref: 00FDB691
Part of subcall function 00FDB63C: GetAsyncKeyState.USER32(00000002), ref: 00FDB69F

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0102ED3C
ImageList_EndDrag.COMCTL32 ref: 0102ED42
ReleaseCapture.USER32 ref: 0102ED48
SetWindowTextW.USER32(?,00000000), ref: 0102EDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0102EE03
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0102EEDC

Strings

@GUI_DRAGFILE, xrefs: 0102EE77
@GUI_DROPID, xrefs: 0102EE33

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: d729320b076a1c2951ac404cd715d9f065cfa40e3da35cac7c7102348c2fb134
Instruction ID: 6815fee130f40a183e9e4bc7d78b225d8fc464dc77b36e6e67cd3a6b4fb7d582
Opcode Fuzzy Hash: d729320b076a1c2951ac404cd715d9f065cfa40e3da35cac7c7102348c2fb134
Instruction Fuzzy Hash: 3F51A974204300AFD710EF24DC96FAA77E5BF88314F04491EF5D5972A2DB799914CB52

Function 010145C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 010145FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0101462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0101466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 01014682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0101468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 010146BF
InternetCloseHandle.WININET(00000000), ref: 01014706

Part of subcall function 01015052: GetLastError.KERNEL32(?,?,010143CC,00000000,00000000,00000001), ref: 01015067

Strings

, xrefs: 010146B8

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: 12babf8f0baf22c93222c523bfc61141df143d383a64ec7baba4f69a62e96139
Instruction ID: 62ff413f54b1831694801f1ec72d2df60acc7470b2e98af22f9dc841553c819d
Opcode Fuzzy Hash: 12babf8f0baf22c93222c523bfc61141df143d383a64ec7baba4f69a62e96139
Instruction Fuzzy Hash: B6418CB5500205BFEB129F94CC89FFE7BACFF08318F004056FA81DA159E7B899448BA5

Function 0101B644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0105DC00), ref: 0101B715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0105DC00), ref: 0101B749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0101B8C1
SysFreeString.OLEAUT32(?), ref: 0101B8EB

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: a4a0dd97bbb8fcb2badf225d927bf7808826018ab73e8341f8d494b79c4323ea
Instruction ID: 34f91e0e67de5333e2a8195dfd754309a416d18a23b43670f3f661914627c649
Opcode Fuzzy Hash: a4a0dd97bbb8fcb2badf225d927bf7808826018ab73e8341f8d494b79c4323ea
Instruction Fuzzy Hash: 34F16E75A00209EFDF04DF94C984EAEBBB9FF48715F108498F945AB254DB35AE42CB90

Function 010224D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 010224F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 01022688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 010226AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 010226EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0102270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0102286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 010228A1
CloseHandle.KERNEL32(?), ref: 010228D0
CloseHandle.KERNEL32(?), ref: 01022947

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 58c42660b2f424121ad3084f57a9aec8f31abbeb11080dca63d98bfa715a182e
Instruction ID: 53818dce68f7d0b3359a8c4bd84277be61ab148f5a15acdd03a04bc82b07a430
Opcode Fuzzy Hash: 58c42660b2f424121ad3084f57a9aec8f31abbeb11080dca63d98bfa715a182e
Instruction Fuzzy Hash: FED1CB31204211DFDB15EF68C891B6EBBE1BF84310F18856DF98A9B2A2DB35DC44CB52

Function 0102B33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0102B3F4

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ff8f86add5adb83e9f2f944ef3b2039ce8eaf4ebd8054c2453150581679d477a
Instruction ID: ace3ca723595336c903a64b71d188ff0926f8fed7be3782f341c1623ae0157a8
Opcode Fuzzy Hash: ff8f86add5adb83e9f2f944ef3b2039ce8eaf4ebd8054c2453150581679d477a
Instruction Fuzzy Hash: 7B51C130600224BFEF319E68CCC9BAD3FA5AB08318F548056FAD4DA2D1CB75E9408B50

Function 00FDA699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0103DB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0103DB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0103DB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0103DB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0103DB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00FDA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0103DBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0103DBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00FDA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0103DBC8

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: eaed7fd5830266b2f5f12f97fd4173a4257a41171b57e993820b399bc38aa761
Instruction ID: e6ade8a7213fcc7d90cc124226a5b7a6fd4d3fc0ffdcc5f2ea8314a205a7747a
Opcode Fuzzy Hash: eaed7fd5830266b2f5f12f97fd4173a4257a41171b57e993820b399bc38aa761
Instruction Fuzzy Hash: 45518871600209EFDB24DFA8CC81FAA3BFAAF48354F140519F986972C0D7B5E990EB54

Function 01007555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 01006EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01005FA6,?), ref: 01006ED8

Part of subcall function 01006EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,01005FA6,?), ref: 01006EF1

Part of subcall function 010072CB: GetFileAttributesW.KERNEL32(?,01006019), ref: 010072CC

lstrcmpiW.KERNEL32(?,?), ref: 010075CA
_wcscmp.LIBCMT ref: 010075E2
MoveFileW.KERNEL32(?,?), ref: 010075FB

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 2a5b1d55738ca01befb299fcce6a57a56677849ab4093c914664b7b7e45df6ef
Instruction ID: 96607541f464a49bb064503f3de8b71c70339eff9cbc842c13c4e29ce4d44d01
Opcode Fuzzy Hash: 2a5b1d55738ca01befb299fcce6a57a56677849ab4093c914664b7b7e45df6ef
Instruction Fuzzy Hash: 2C5133B2A052199BEF61EB94DC419DE73BCAF0C210F0040EAF685E3181DB79A3C5CB60

Function 00FDEA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0103DAD1,00000004,00000000,00000000), ref: 00FDEAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0103DAD1,00000004,00000000,00000000), ref: 00FDEB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0103DAD1,00000004,00000000,00000000), ref: 0103DC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0103DAD1,00000004,00000000,00000000), ref: 0103DCF2

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: ae0adf4a2d6bdd34b9a5d20a1c9afa390e1bd7bf0ba9bf52de178f14cb568cfc
Instruction ID: f4faf8e21dc884beee1aa0ed9245fc644a34550eff1d6b4d5dee34a654b58e54
Opcode Fuzzy Hash: ae0adf4a2d6bdd34b9a5d20a1c9afa390e1bd7bf0ba9bf52de178f14cb568cfc
Instruction Fuzzy Hash: 984128716282819BD7357B6889CCB2A7A9BBFD6314F5D080FE0C78A751C675B840F310

Function 00FFB263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00FFAEF1,00000B00,?,?), ref: 00FFB26C
HeapAlloc.KERNEL32(00000000,?,00FFAEF1,00000B00,?,?), ref: 00FFB273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FFAEF1,00000B00,?,?), ref: 00FFB288
GetCurrentProcess.KERNEL32(?,00000000,?,00FFAEF1,00000B00,?,?), ref: 00FFB290
DuplicateHandle.KERNEL32(00000000,?,00FFAEF1,00000B00,?,?), ref: 00FFB293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00FFAEF1,00000B00,?,?), ref: 00FFB2A3
GetCurrentProcess.KERNEL32(00FFAEF1,00000000,?,00FFAEF1,00000B00,?,?), ref: 00FFB2AB
DuplicateHandle.KERNEL32(00000000,?,00FFAEF1,00000B00,?,?), ref: 00FFB2AE
CreateThread.KERNEL32(00000000,00000000,00FFB2D4,00000000,00000000,00000000), ref: 00FFB2C8

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 18178dcdb22ec87676220e2a9358b1f1354e7eaca20a4e45d002f4375f0f8b7b
Instruction ID: 7a2b329ea6395f4ae5343114906950cb6313b667684b6121c1b4ecbf18cf081c
Opcode Fuzzy Hash: 18178dcdb22ec87676220e2a9358b1f1354e7eaca20a4e45d002f4375f0f8b7b
Instruction Fuzzy Hash: 4C01BBB5240308BFE720ABA5DD89F6B7BACEB98B11F018411FA45DB195CA75D810CB60

Function 0101C43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0101C876, 0101C887
Not an Object type, xrefs: 0101C49E

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: f8a3c3b65700c6ab24c2c2b4141cfba9a53a25f8f0ade63309237eb425b3ba37
Instruction ID: ca76424eaa77322069972c2876555f9f63b577dc8f8f29030ac5f650d303223a
Opcode Fuzzy Hash: f8a3c3b65700c6ab24c2c2b4141cfba9a53a25f8f0ade63309237eb425b3ba37
Instruction Fuzzy Hash: DCE1D571A4021A9BEF14DFA8CA80BEE77F5FF48314F144069E985AB285D778ED41CB90

Function 0101BB08 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0101BB5C
VariantInit.OLEAUT32(?), ref: 0101BC2D
VariantInit.OLEAUT32(?), ref: 0101BD2E
VariantClear.OLEAUT32(?), ref: 0101BD38
VariantClear.OLEAUT32(?), ref: 0101BD99

Strings

Null Object assignment in FOR..IN loop, xrefs: 0101BBBD, 0101BCEB, 0101BDA7
Incorrect Object type in FOR..IN loop, xrefs: 0101BD11

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 926c175c2f832853ec58392947528c49da378985d755b95a3c8fe778029e821b
Instruction ID: cca324d461dcaa7a5b11997984fbc13ddcf2ba89b054907b0ef06373d58b5284
Opcode Fuzzy Hash: 926c175c2f832853ec58392947528c49da378985d755b95a3c8fe778029e821b
Instruction Fuzzy Hash: DD919371A00209ABDF25DFA9C884FAEBBB8EF45710F008159F595AB285DB789940CF91

Function 01029A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01029B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 01029B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01029B47
_wcscat.LIBCMT ref: 01029BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 01029BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 01029BE7

Strings

SysListView32, xrefs: 01029AEB

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: f3f2d7453a4c667313ca4cf05df874d3f1ae4c10ee803c0c277aff5933e57736
Instruction ID: 857e8f63424ed61cea0b86ee1f553b5e762c72a3fe398f5c359ec22e2c2e3716
Opcode Fuzzy Hash: f3f2d7453a4c667313ca4cf05df874d3f1ae4c10ee803c0c277aff5933e57736
Instruction Fuzzy Hash: 12419671940328AFDF229FA8CC85BEE77E8EF08354F10446AF5C5A7281D6759984CB50

Function 0102172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 01006532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 01006554
Part of subcall function 01006532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 01006564
Part of subcall function 01006532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 010065F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0102179A
GetLastError.KERNEL32 ref: 010217AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 010217D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 01021855
GetLastError.KERNEL32(00000000), ref: 01021860
CloseHandle.KERNEL32(00000000), ref: 01021895

Strings

SeDebugPrivilege, xrefs: 010217B8

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 042497311f1e838449ed94a908fa1727d209a9f52650d49d07af577ca3e988dd
Instruction ID: cd5c52f56fce7777bb4f332b247ae6c9392a017fcb6a0c40c5f8c84f9ff95932
Opcode Fuzzy Hash: 042497311f1e838449ed94a908fa1727d209a9f52650d49d07af577ca3e988dd
Instruction Fuzzy Hash: AC419171600211AFEB15EF54CDD5FBE77A5AF54310F088099F9469F3C2DBB9A9008B91

Function 01005819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 010058B8

Strings

question, xrefs: 01005871
info, xrefs: 01005859
blank, xrefs: 0100583A
warning, xrefs: 010058A1
stop, xrefs: 01005889

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: feb065c8d7589c4c94e10337c2f03ec8caf66f98bde06c2c9aa8c672f51b97fa
Instruction ID: 33e6fd68be4045ecd952b2c196913489b0181da843a0920d4c066c8ca30ad3d2
Opcode Fuzzy Hash: feb065c8d7589c4c94e10337c2f03ec8caf66f98bde06c2c9aa8c672f51b97fa
Instruction Fuzzy Hash: 3611EE35609386BAF7135A559C82D6E37ECEF15210F10007AF9C0B92C2FBA496504B69

Function 0100A729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0100A806

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 2f7f1ed6b0d91ff10066e8103d392d5c8980cde32929b31bcfebbdda376f0586
Instruction ID: 2e189151011e902e8c64f24e73e64321579f881fb9bfec1ef486144270cb02b1
Opcode Fuzzy Hash: 2f7f1ed6b0d91ff10066e8103d392d5c8980cde32929b31bcfebbdda376f0586
Instruction Fuzzy Hash: 96C17175A04306DFEB11DF98C584BAEBBF4FF09315F14406AE686E7281D735AA81CB90

Function 01006B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 01006B63
LoadStringW.USER32(00000000), ref: 01006B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 01006B80
LoadStringW.USER32(00000000), ref: 01006B87
_wprintf.LIBCMT ref: 01006BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 01006BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 01006BA8

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 1d065c094423ed70d3a8adcfb67e8355e46acecbc67a7592a3734fd5bfc8dbba
Instruction ID: b2da235e1da9d9df33c6b5dd4f21bdeeef74d79da977f879c78aad1373cb194c
Opcode Fuzzy Hash: 1d065c094423ed70d3a8adcfb67e8355e46acecbc67a7592a3734fd5bfc8dbba
Instruction Fuzzy Hash: BE0162F6900208BFE721A7D49DC9EEB376CE708304F004491BB85D6145EA799E844B70

Function 01022B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01023C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01022BB5,?,?), ref: 01023C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01022BF6

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: 216d26bb7455f78833923dff1b7f179f6554ddd6415c295b6e11b14cdf54050d
Instruction ID: a3693f5933e3114766df7f90347d0e001920a7beefdeccd15ac8855e928efc70
Opcode Fuzzy Hash: 216d26bb7455f78833923dff1b7f179f6554ddd6415c295b6e11b14cdf54050d
Instruction Fuzzy Hash: 3591BD712042019FDB11EF98C981F6EB7E5FF98310F04885DF9969B291DB39E905DB82

Function 010195BF Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 01019691
WSAGetLastError.WSOCK32(00000000), ref: 0101969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 010196C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 010196E9
WSAGetLastError.WSOCK32(00000000), ref: 010196F8
htons.WSOCK32(?,?,?,00000000,?), ref: 010197AA
inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0105DC00), ref: 01019765

Part of subcall function 00FFD2FF: _strlen.LIBCMT ref: 00FFD309

_strlen.LIBCMT ref: 01019800

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ErrorLast_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3480843537-0
Opcode ID: d6a6adc2502b32b3c9e3ba26e4c67e18e9ea1b7602f123e7c83c013a38508080
Instruction ID: 3867b493b3ad287b44ca1dc90611490058abe7a1b7d5925cf0a1511f20807c42
Opcode Fuzzy Hash: d6a6adc2502b32b3c9e3ba26e4c67e18e9ea1b7602f123e7c83c013a38508080
Instruction Fuzzy Hash: 4A81ED71504201ABD310EFA4CD96F6FBBE8AF88714F044A1DF5959B291EB38D904CB92

Function 00FEA979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 00FEA991

Part of subcall function 00FE7D7C: __FF_MSGBANNER.LIBCMT ref: 00FE7D91
Part of subcall function 00FE7D7C: __NMSG_WRITE.LIBCMT ref: 00FE7D98
Part of subcall function 00FE7D7C: __malloc_crt.LIBCMT ref: 00FE7DB8

__lock.LIBCMT ref: 00FEA9A4
__lock.LIBCMT ref: 00FEA9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,01076DE0,00000018,00FF5E7B,?,00000000,00000109), ref: 00FEAA0C
EnterCriticalSection.KERNEL32(8000000C,01076DE0,00000018,00FF5E7B,?,00000000,00000109), ref: 00FEAA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 00FEAA39

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 4e5c63d573c5dbc56768dc77be35e9d41b5fb55503e4b648b069ff916bc7671c
Instruction ID: ee8cca4af64c326d0c8d8927f34961fe5abdd76192f163e4c80e591354d865bf
Opcode Fuzzy Hash: 4e5c63d573c5dbc56768dc77be35e9d41b5fb55503e4b648b069ff916bc7671c
Instruction Fuzzy Hash: 79417A71D00785DBEB209F6ACA4475CB7B0AF00734F208238E4A5AB2C1D77DA801DB86

Function 01028ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01028EE4
GetDC.USER32(00000000), ref: 01028EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01028EF7
ReleaseDC.USER32(00000000,00000000), ref: 01028F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 01028F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01028F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0102BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 01028F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01028FAA

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 032285dccff68b106e7ecb80da8b50228aa2a640e3fc77a9062e5e1685613325
Instruction ID: da6c98b7f730ed615bb4e16eaee7178e4f057e6525dc051c83ac089f33c2f018
Opcode Fuzzy Hash: 032285dccff68b106e7ecb80da8b50228aa2a640e3fc77a9062e5e1685613325
Instruction Fuzzy Hash: AD3191B6200214BFEB218F94CD89FEA3FADEF59755F044055FF489A185C67A9841CB70

Function 010116DA Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 00FC936C: __swprintf.LIBCMT ref: 00FC93AB
Part of subcall function 00FC936C: __itow.LIBCMT ref: 00FC93DF

Part of subcall function 00FDC6F4: _wcscpy.LIBCMT ref: 00FDC717

_wcstok.LIBCMT ref: 0101184E
_wcscpy.LIBCMT ref: 010118DD
_memset.LIBCMT ref: 01011910

Strings

X, xrefs: 01011948

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 9189ca6ed8eb95e0173256a7027826faf9987c4fd9c06d10e19a0a01879fdf65
Instruction ID: 88ded7c7cb01a9a14c36f1249185d41abb206fded02148b4815c3a3b55ebcbc8
Opcode Fuzzy Hash: 9189ca6ed8eb95e0173256a7027826faf9987c4fd9c06d10e19a0a01879fdf65
Instruction Fuzzy Hash: 9DC18E315043419FD768EF64CD82E9EBBE4BF85350F04496DF999972A1DB38E844CB82

Function 01030133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FDB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FDB35F

GetSystemMetrics.USER32(0000000F), ref: 0103016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0103038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 010303AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 010303D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 010303FF
ShowWindow.USER32(00000003,00000000), ref: 01030421
DefDlgProcW.USER32(?,00000005,?,?), ref: 01030440

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: c0137b8ff16760424a3a08fac53e31a4c0040ed734bcb937aa5f05a36f04dcc6
Instruction ID: 473be42ad13ab488516a0029b2d1444884fd67b09f9072580ed6d35cfb4eb66e
Opcode Fuzzy Hash: c0137b8ff16760424a3a08fac53e31a4c0040ed734bcb937aa5f05a36f04dcc6
Instruction Fuzzy Hash: C7A1BE75601616EFDB18CF6CC5857BEBBB9BF88700F048155FD94AB288D734A960CB90

Function 00FDAE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519728c3e13e0f4c89779d81aee66e9573ba5024459f0d138851aba66cfd92f0
Instruction ID: 579a16035b31a8c4feea59be3ef7086c1c17b630530267341541854c60048c18
Opcode Fuzzy Hash: 519728c3e13e0f4c89779d81aee66e9573ba5024459f0d138851aba66cfd92f0
Instruction Fuzzy Hash: 61718EB1900109EFDB14CF98CC89AAEBB79FF85310F18818AF955A7351C7349A11EF69

Function 01022230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0102225A
_memset.LIBCMT ref: 01022323
ShellExecuteExW.SHELL32(?), ref: 01022368

Part of subcall function 00FC936C: __swprintf.LIBCMT ref: 00FC93AB
Part of subcall function 00FC936C: __itow.LIBCMT ref: 00FC93DF

Part of subcall function 00FDC6F4: _wcscpy.LIBCMT ref: 00FDC717

CloseHandle.KERNEL32(00000000), ref: 0102242F
FreeLibrary.KERNEL32(00000000), ref: 0102243E

Strings

@, xrefs: 01022334

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: c3524dd782cdd57c348b04398ae00f3cba93e26b6638e83292114eeb3afa80c7
Instruction ID: df6f4b0e4396c867e76aed75bd5d2058fe58c124d4f2f3cfadd7a2c7a8c017bb
Opcode Fuzzy Hash: c3524dd782cdd57c348b04398ae00f3cba93e26b6638e83292114eeb3afa80c7
Instruction Fuzzy Hash: 6A71A174900629DFDF15EF98C985A9EBBF5FF48310F148059E895AB351CB35AD40CB90

Function 01003DA8 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 01003DE7
GetKeyboardState.USER32(?), ref: 01003DFC
SetKeyboardState.USER32(?), ref: 01003E5D
PostMessageW.USER32(?,00000101,00000010,?), ref: 01003E8B
PostMessageW.USER32(?,00000101,00000011,?), ref: 01003EAA
PostMessageW.USER32(?,00000101,00000012,?), ref: 01003EF0
PostMessageW.USER32(?,00000101,0000005B,?), ref: 01003F13

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1de71c62ad9719e2653a4f20fc14bf085bb77fabe2da8bdf8dcba815fdba4241
Instruction ID: 9b018815ab333a71d524598aee8fac24a3c0f86cd2120c8e7a83d51e36ad4849
Opcode Fuzzy Hash: 1de71c62ad9719e2653a4f20fc14bf085bb77fabe2da8bdf8dcba815fdba4241
Instruction Fuzzy Hash: 9B51C3A06447D53DFB3747388C45BBA7EE96B06304F0885CDE2D98A8C3D7A9E984D760

Function 01003BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 01003C02
GetKeyboardState.USER32(?), ref: 01003C17
SetKeyboardState.USER32(?), ref: 01003C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 01003CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 01003CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 01003D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 01003D26

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d813f7b44e4dbdc2ab956b0c5c663e70b4c1af3b836d27149e9dd9ab56e037c7
Instruction ID: f7cd11fc0d4a11f703479ff17e9ccf1354a103fee17d7349b54e90e1e20227ad
Opcode Fuzzy Hash: d813f7b44e4dbdc2ab956b0c5c663e70b4c1af3b836d27149e9dd9ab56e037c7
Instruction Fuzzy Hash: 1C5105A06487D53DFB3793298C45BBABFE97B06304F0884C9E2D58E8C2D695E884D760

Function 01007DB1 Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 01007DBE
_wcsncpy.LIBCMT ref: 01007DF3
_wcsncpy.LIBCMT ref: 01007E25
_wcsncpy.LIBCMT ref: 01007E58
_wcsncpy.LIBCMT ref: 01007E9A
_wcsncpy.LIBCMT ref: 01007ED4
_wcsncpy.LIBCMT ref: 01007F03

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 0e845a3bdc2162f6769a855f968eb0ab288ea0a2210f3717d402d8a0456d14c9
Instruction ID: ef28f0fbd9b8966ba72e8b68ab160b9c152f3793acc96f344f0865b1faf8ee56
Opcode Fuzzy Hash: 0e845a3bdc2162f6769a855f968eb0ab288ea0a2210f3717d402d8a0456d14c9
Instruction Fuzzy Hash: 1B41E166D10244BADB11EBF9CC469CFB7ACAF04310F108866E648F3162FA78E650C3A5

Function 01029F8A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01029FA3
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0102A04A
IsMenu.USER32(?), ref: 0102A062
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0102A0AA
DrawMenuBar.USER32 ref: 0102A0C3

Strings

0, xrefs: 01029F9C

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 90aacc8d55f56d3ceab4cd28ca19d56b59bf5c069716b1feed2a1bf226540e46
Instruction ID: 437020e8321caa20264406897b6e453f2578dbcd255ef1ada4ae1afc20d6bd12
Opcode Fuzzy Hash: 90aacc8d55f56d3ceab4cd28ca19d56b59bf5c069716b1feed2a1bf226540e46
Instruction Fuzzy Hash: 87416C75A00219EFDB20DF94D8C4EAABBF5FF08324F04815AF99597641DB39A950CF50

Function 01023D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 01023DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01023DCB
FreeLibrary.KERNEL32(00000000), ref: 01023E80

Part of subcall function 01023D72: RegCloseKey.ADVAPI32(?), ref: 01023DE8
Part of subcall function 01023D72: FreeLibrary.KERNEL32(?), ref: 01023E3A
Part of subcall function 01023D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01023E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 01023E25

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 71a3a5b0d30c4b3cc7f47f45c9f9d84f4ee673de72dd7b481a0036d1a5aca416
Instruction ID: 86077a37a6cf94960e925fea8f220ef5dbdcb84e67583b011f566ec1146df3f4
Opcode Fuzzy Hash: 71a3a5b0d30c4b3cc7f47f45c9f9d84f4ee673de72dd7b481a0036d1a5aca416
Instruction Fuzzy Hash: AD315EB5901119BFEF159FD4D889AFFB7BCFF0C340F0001AAE652E6180D6799A498B60

Function 01005F85 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 100filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 01006EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01005FA6,?), ref: 01006ED8

Part of subcall function 01006EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,01005FA6,?), ref: 01006EF1

lstrcmpiW.KERNEL32(?,?), ref: 01005FC9
_wcscmp.LIBCMT ref: 01005FE7
MoveFileW.KERNEL32(?,?), ref: 01006000

Part of subcall function 01006318: GetFileAttributesW.KERNEL32(?,?,?,?,010060C3), ref: 01006369
Part of subcall function 01006318: GetLastError.KERNEL32(?,?,?,010060C3), ref: 01006374
Part of subcall function 01006318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,010060C3), ref: 01006388

_wcscat.LIBCMT ref: 01006042
SHFileOperationW.SHELL32 ref: 010060AA

Strings

\*.*, xrefs: 0100603C

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: File$FullNamePath$AttributesCreateDirectoryErrorLastMoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1724171360-1173974218
Opcode ID: 67c3663028a50113e0f6a80d309779819362020f3f1f2df27142036169424a49
Instruction ID: 13cc675a27d4c7f52e2c7dbcd23c2dd85b658ac83ca24844f4c9e669b8698860
Opcode Fuzzy Hash: 67c3663028a50113e0f6a80d309779819362020f3f1f2df27142036169424a49
Instruction Fuzzy Hash: 10311F71D443199AEF62DBA4C849FEE77F9AF1C300F0400EAA989E3192DA75D384CB50

Function 01028FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01028FE7
GetWindowLongW.USER32(018BD268,000000F0), ref: 0102901A
GetWindowLongW.USER32(018BD268,000000F0), ref: 0102904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 01029081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 010290AB
GetWindowLongW.USER32(00000000,000000F0), ref: 010290BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 010290D6

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: e6eb8f7e6d759c398af5747c9245b294ce2a6d3068caecb85c09ab486f067fe9
Instruction ID: ca8f837ab73fdce3e8511234cb56707e2f132ac5d77e97ef49708bf39177f18a
Opcode Fuzzy Hash: e6eb8f7e6d759c398af5747c9245b294ce2a6d3068caecb85c09ab486f067fe9
Instruction Fuzzy Hash: A7315974604229DFDB31CF98D8C4F6837E5FB49318F1441A5FAD98B2A6CB7AA851CB40

Function 010008AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 010008F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01000918
SysAllocString.OLEAUT32(00000000), ref: 0100091B
SysAllocString.OLEAUT32(?), ref: 01000939
SysFreeString.OLEAUT32(?), ref: 01000942
StringFromGUID2.OLE32(?,?,00000028), ref: 01000967
SysAllocString.OLEAUT32(?), ref: 01000975

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 41e36d33f8482d4b989013ede45c28cb081ba8a0580825b527af4854ce1e8c5b
Instruction ID: 6028d6573197d456e14119708bc9aa783f9c0a0b752e45a87923cc4cb1fcb8a3
Opcode Fuzzy Hash: 41e36d33f8482d4b989013ede45c28cb081ba8a0580825b527af4854ce1e8c5b
Instruction Fuzzy Hash: 4421BA766012086FBB119FACCC84EBB73ECEF093A0F048125F989DB195D674DC458750

Function 01002472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 01002485
__wcsnicmp.LIBCMT ref: 010024A6
__wcsnicmp.LIBCMT ref: 010024C0

Strings

#requireadmin, xrefs: 010024A0
#OnAutoItStartRegister, xrefs: 010024BA
#notrayicon, xrefs: 0100247D

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 5e8a0327cf22f2f192e02c65e5d24507dd5a4b0675ff2564ef521d7734b86bf5
Instruction ID: 9e3cc06c42e9aed02b8801d8a7d3aa18b68f002f174122e5e49bf308fbabe7ac
Opcode Fuzzy Hash: 5e8a0327cf22f2f192e02c65e5d24507dd5a4b0675ff2564ef521d7734b86bf5
Instruction Fuzzy Hash: 64216A3120015167F323AA299C0AF7B73E8EF55301F14402AF9C6971C2EA6A9582C3A5

Function 01000986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 010009CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 010009F1
SysAllocString.OLEAUT32(00000000), ref: 010009F4
SysAllocString.OLEAUT32 ref: 01000A15
SysFreeString.OLEAUT32 ref: 01000A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 01000A38
SysAllocString.OLEAUT32(?), ref: 01000A46

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 410073438e74290b534101a044b5854332d51a81a258678e623cda37bf6f197e
Instruction ID: beec99862ac9c902bdb79037e9151265f371971e85da5a565313cea284e9868e
Opcode Fuzzy Hash: 410073438e74290b534101a044b5854332d51a81a258678e623cda37bf6f197e
Instruction Fuzzy Hash: CE218879200104AFEB11DFECDD88DAA77ECEF493A0B048165F989CB299DA74EC858754

Function 0102A2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FDD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FDD1BA
Part of subcall function 00FDD17C: GetStockObject.GDI32(00000011), ref: 00FDD1CE
Part of subcall function 00FDD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FDD1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0102A32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0102A33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0102A345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0102A354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0102A360

Strings

Msctls_Progress32, xrefs: 0102A2FE

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 62fd006c403d18b96610c1190376f51b45a0fa38695a49648b88abb2d20784b4
Instruction ID: 49cd2a942e1531de042bbb8f022eeda94d33b89457d640bc273925053156d1c2
Opcode Fuzzy Hash: 62fd006c403d18b96610c1190376f51b45a0fa38695a49648b88abb2d20784b4
Instruction Fuzzy Hash: E111B2B1250229BEEF115FA4CC85EEBBF6DFF09798F014115FA48A6050CB769C21DBA4

Function 00FDCCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00FDCCF6
GetWindowRect.USER32(?,?), ref: 00FDCD37
ScreenToClient.USER32(?,?), ref: 00FDCD5F
GetClientRect.USER32(?,?), ref: 00FDCE8C
GetWindowRect.USER32(?,?), ref: 00FDCEA5

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 9fe3ad71a21344ddf6cb29e4bf26114c1cd65bd7d9e42ba5828232c40a061889
Instruction ID: 9ea0d2fd0fbfa5408d737edc4d02211c03fdfb95c8941e0dc8c86afb74455ff0
Opcode Fuzzy Hash: 9fe3ad71a21344ddf6cb29e4bf26114c1cd65bd7d9e42ba5828232c40a061889
Instruction Fuzzy Hash: F8B16C7990024ADBDF10CFA8C5807EDBBB6FF48310F18856AED999B350DB30A950DB94

Function 01021BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 01021C18
Process32FirstW.KERNEL32(00000000,?), ref: 01021C26
__wsplitpath.LIBCMT ref: 01021C54

Part of subcall function 00FE1DFC: __wsplitpath_helper.LIBCMT ref: 00FE1E3C

_wcscat.LIBCMT ref: 01021C69
Process32NextW.KERNEL32(00000000,?), ref: 01021CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 01021CF1

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: b2a114139942f91815e89fc0b734572415a6e214125541f5e73bc86d4d5b58d7
Instruction ID: fa21c4aafa64132fdbf7285b58e32585ae102c5c29e9b785ad7878bdcacf5748
Opcode Fuzzy Hash: b2a114139942f91815e89fc0b734572415a6e214125541f5e73bc86d4d5b58d7
Instruction Fuzzy Hash: 5B515D71504341AFD720EF64CC85EABB7E8EF88754F04492EF98997251EB749A04CB92

Function 01022FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01023C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01022BB5,?,?), ref: 01023C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010230AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 010230EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 01023112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0102313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0102317E
RegCloseKey.ADVAPI32(00000000), ref: 0102318B

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: 401a5668d6d9a831085002523d28b83f5ab7bb5787bd41f209c7cf8074630f3e
Instruction ID: 074ede539f036cc34e5854bdb7b5329e1299e85fec8d0fbdf626294b64d4e295
Opcode Fuzzy Hash: 401a5668d6d9a831085002523d28b83f5ab7bb5787bd41f209c7cf8074630f3e
Instruction Fuzzy Hash: 22514731204201AFD704EF64CD96E6EBBF9BF88300F04495DF5958B291DB39E905DB52

Function 010284DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 01028540
GetMenuItemCount.USER32(00000000), ref: 01028577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0102859F
GetMenuItemID.USER32(?,?), ref: 0102860E
GetSubMenu.USER32(?,?), ref: 0102861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 0102866D

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: f029e13bc9cb7b5ecaf846a3fd2498e69581c38cf6c71a0bb37e1d3d21b6ddac
Instruction ID: 149fd2c8ee2f61a5a97e664fd990d2298793e0bcafdba1b5f3b24eccb2a8a82e
Opcode Fuzzy Hash: f029e13bc9cb7b5ecaf846a3fd2498e69581c38cf6c71a0bb37e1d3d21b6ddac
Instruction Fuzzy Hash: 7E51C179A00125AFDB21DF98C945AEEB7F4FF48310F00809AE945B7341CB79AE408B90

Function 01004AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01004B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01004B5B
IsMenu.USER32(00000000), ref: 01004B7B
CreatePopupMenu.USER32 ref: 01004BAF
GetMenuItemCount.USER32(000000FF), ref: 01004C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 01004C3E

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 956bcb9f32a9b8d86f676f277b1dbfad8084e6b015d182724560aabbe7ac597f
Instruction ID: 57d80644244ff88ff480e55691e3d86876394f5feefa12359ea98a752ba68812
Opcode Fuzzy Hash: 956bcb9f32a9b8d86f676f277b1dbfad8084e6b015d182724560aabbe7ac597f
Instruction Fuzzy Hash: 1D51F370600609EBEF62CF68C984BADBFF4AF04304F008199E695D72C1D7719644CB59

Function 01018DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0105DC00), ref: 01018E7C
WSAGetLastError.WSOCK32(00000000), ref: 01018E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 01018EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 01018EC5
_strlen.LIBCMT ref: 01018EF7
WSAGetLastError.WSOCK32(00000000), ref: 01018F6A

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: bf4da57af5f5c56e5e6c5a90f29ac99d9ba087fe9339cd9114d1bcd80dc5b4a9
Instruction ID: ef67e3473962889bc0fec3e7e8492f34d1c03a1ad67c35ca2d1d311f78452efa
Opcode Fuzzy Hash: bf4da57af5f5c56e5e6c5a90f29ac99d9ba087fe9339cd9114d1bcd80dc5b4a9
Instruction Fuzzy Hash: 0F41C671500105AFD714EBA4CD86FEEB7B9AF58310F10825EF556972D1DB38AE00CB50

Function 00FDABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00FDB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FDB35F

BeginPaint.USER32(?,?,?), ref: 00FDAC2A
GetWindowRect.USER32(?,?), ref: 00FDAC8E
ScreenToClient.USER32(?,?), ref: 00FDACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00FDACBC
EndPaint.USER32(?,?,?,?,?), ref: 00FDAD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0103E673

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: 7a245b9c1a435a2d51527abf0b4bd26eb71448d428c52101c7c28fdd2190491e
Instruction ID: a09751f56a5dfe8feda3176c1c17bedf43f23b9b8e66307a87802398ef0b6d5f
Opcode Fuzzy Hash: 7a245b9c1a435a2d51527abf0b4bd26eb71448d428c52101c7c28fdd2190491e
Instruction Fuzzy Hash: CF41E475104300AFC721DF24D884F7A7BE9EF59374F18026AF9E4872A1C7369845EB62

Function 0102E397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(01081628,00000000,01081628,00000000,00000000,01081628,?,0103DC5D,00000000,?,00000000,00000000,00000000,?,0103DAD1,00000004), ref: 0102E40B
EnableWindow.USER32(00000000,00000000), ref: 0102E42F
ShowWindow.USER32(01081628,00000000), ref: 0102E48F
ShowWindow.USER32(00000000,00000004), ref: 0102E4A1
EnableWindow.USER32(00000000,00000001), ref: 0102E4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0102E4E8

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 4c26498697a266355c0779f293410e0a4315ffc1e33f12f1af5b4fbccb4899cf
Instruction ID: 62ddaffef143f1fbdc1c27289797a08724303140a894d65457544c72eb0820f1
Opcode Fuzzy Hash: 4c26498697a266355c0779f293410e0a4315ffc1e33f12f1af5b4fbccb4899cf
Instruction Fuzzy Hash: 92418034641151EFEB62CF68C599F947FE1BF09304F2881E9EA988F2A2CB35E441CB51

Function 010098BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 010098D1

Part of subcall function 00FDF4EA: std::exception::exception.LIBCMT ref: 00FDF51E
Part of subcall function 00FDF4EA: __CxxThrowException@8.LIBCMT ref: 00FDF533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 01009908
EnterCriticalSection.KERNEL32(?), ref: 01009924
LeaveCriticalSection.KERNEL32(?), ref: 0100999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 010099B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 010099D2

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: e85125cbec6ec65b8ed4614aa7fcf13687eb8b251241f1682a9d5e4cd26c4a82
Instruction ID: 85b4bb13e33a151a09c6d26d53332513b26bde1b23ff5abade16dc994dd132e5
Opcode Fuzzy Hash: e85125cbec6ec65b8ed4614aa7fcf13687eb8b251241f1682a9d5e4cd26c4a82
Instruction Fuzzy Hash: A331F471900105EBDB11EF98DD85EAFB7B8FF84310F1480A5F905AB28AD735DA14DB60

Function 01019B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,010177F4,?,?,00000000,00000001), ref: 01019B53

Part of subcall function 01016544: GetWindowRect.USER32(?,?), ref: 01016557

GetDesktopWindow.USER32 ref: 01019B7D
GetWindowRect.USER32(00000000), ref: 01019B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 01019BB6

Part of subcall function 01007A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 01007AD0

GetCursorPos.USER32(?), ref: 01019BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 01019C44

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: aa964be5f5e800ef00238e5521ed248b013f44eb24bda3213a1f55ec02d4a19d
Instruction ID: 1710642043865d6a53e893df70e76c02042fa913de17769511677ba3d363c040
Opcode Fuzzy Hash: aa964be5f5e800ef00238e5521ed248b013f44eb24bda3213a1f55ec02d4a19d
Instruction Fuzzy Hash: 2C31D472104306ABD720DF58C984F9BB7E9FF99318F000919F5C5D7181DA75E944CB91

Function 00FFAF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00FFAFAE
OpenProcessToken.ADVAPI32(00000000), ref: 00FFAFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00FFAFC4
CloseHandle.KERNEL32(00000004), ref: 00FFAFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FFAFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 00FFB012

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 21e5e581a9e069dcc6285acbabc26ace7d73fb6d8ee372e8bf7b6c46b4ed8918
Instruction ID: b14c15971cd0cf75a512a350aa4b0187b7e26e7eff6877fe21ff99f7e191583d
Opcode Fuzzy Hash: 21e5e581a9e069dcc6285acbabc26ace7d73fb6d8ee372e8bf7b6c46b4ed8918
Instruction Fuzzy Hash: DB218EB250020DAFCF128F94DE49FAE7BA9EF48314F044015FA05A61A1D37ACD20EB61

Function 0102EBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00FDAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00FDAFE3
Part of subcall function 00FDAF83: SelectObject.GDI32(?,00000000), ref: 00FDAFF2
Part of subcall function 00FDAF83: BeginPath.GDI32(?), ref: 00FDB009
Part of subcall function 00FDAF83: SelectObject.GDI32(?,00000000), ref: 00FDB033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0102EC20
LineTo.GDI32(00000000,00000003,?), ref: 0102EC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0102EC42
LineTo.GDI32(00000000,00000000,?), ref: 0102EC52
EndPath.GDI32(00000000), ref: 0102EC62
StrokePath.GDI32(00000000), ref: 0102EC72

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: ed37be1919c70b909d576bb95aeb9137ab345d13ca575b40bfac0b1542e19a16
Instruction ID: e65917abe3fb0f6ccb24a6edc1c4f8bdbeb77b31e5d35ea176ab77e412af35f3
Opcode Fuzzy Hash: ed37be1919c70b909d576bb95aeb9137ab345d13ca575b40bfac0b1542e19a16
Instruction Fuzzy Hash: 83113CB600014CBFEB219F90DD88FEA7F6DEF08394F148152FE8846164C7769956DBA0

Function 00FFE19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FFE1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 00FFE1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FFE1D8
ReleaseDC.USER32(00000000,00000000), ref: 00FFE1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00FFE1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 00FFE209

Part of subcall function 00FF9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00FF9A05,00000000,00000000,?,00FF9DDB), ref: 00FFA53A

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: caf386677a78b2f31c1da5f125ec2c5729b089fc7ef6b987d899fb3a7247993c
Instruction ID: 7043d9bce2b4ac26ef503585bd20ed8a7901972e2c56399d8239ac1ae324b49e
Opcode Fuzzy Hash: caf386677a78b2f31c1da5f125ec2c5729b089fc7ef6b987d899fb3a7247993c
Instruction Fuzzy Hash: 5D018FB9E00618BFEB109BE68D85B5EBFB9EF58751F004066EE04A7290D6759C01CBA0

Function 00FE7B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00FE7B47

Part of subcall function 00FE123A: __initp_misc_winsig.LIBCMT ref: 00FE125E
Part of subcall function 00FE123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00FE7F51
Part of subcall function 00FE123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00FE7F65
Part of subcall function 00FE123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00FE7F78
Part of subcall function 00FE123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00FE7F8B
Part of subcall function 00FE123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00FE7F9E
Part of subcall function 00FE123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00FE7FB1
Part of subcall function 00FE123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00FE7FC4
Part of subcall function 00FE123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00FE7FD7
Part of subcall function 00FE123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00FE7FEA
Part of subcall function 00FE123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00FE7FFD
Part of subcall function 00FE123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00FE8010
Part of subcall function 00FE123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00FE8023
Part of subcall function 00FE123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00FE8036
Part of subcall function 00FE123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00FE8049
Part of subcall function 00FE123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00FE805C
Part of subcall function 00FE123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00FE806F

__mtinitlocks.LIBCMT ref: 00FE7B4C

Part of subcall function 00FE7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0107AC68,00000FA0,?,?,00FE7B51,00FE5E77,01076C70,00000014), ref: 00FE7E41

__mtterm.LIBCMT ref: 00FE7B55

Part of subcall function 00FE7BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00FE7B5A,00FE5E77,01076C70,00000014), ref: 00FE7D3F
Part of subcall function 00FE7BBD: _free.LIBCMT ref: 00FE7D46
Part of subcall function 00FE7BBD: DeleteCriticalSection.KERNEL32(0107AC68,?,?,00FE7B5A,00FE5E77,01076C70,00000014), ref: 00FE7D68

__calloc_crt.LIBCMT ref: 00FE7B7A
GetCurrentThreadId.KERNEL32 ref: 00FE7BA3

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: 1d8f5eb768de1ef8c85755e090b7def97416d951c744cc007dba17f13b22d706
Instruction ID: 7e948f986f58ac46d1df67ec3d06232ed40114d5fa51dbd2ed30eb1c78247555
Opcode Fuzzy Hash: 1d8f5eb768de1ef8c85755e090b7def97416d951c744cc007dba17f13b22d706
Instruction Fuzzy Hash: 21F0B47291D3D21AE6747A777C07A4B36C5AF41730B2406A9F8A0DA0DAFF2D88427270

Function 00FC27EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FC281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00FC2825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FC2830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FC283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00FC2843
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FC284B

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 4d410865ccfee89f5f0d7ce78025acbf99fb73a6109d6000d9c1e4d945381b87
Instruction ID: b95d8a3a516f24cca246668a6c0fe88dc602784d7710779b49b9faf6bc83c549
Opcode Fuzzy Hash: 4d410865ccfee89f5f0d7ce78025acbf99fb73a6109d6000d9c1e4d945381b87
Instruction Fuzzy Hash: 4B0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C47A42C7F5A864CBE5

Function 01009AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 5e993d2728447aa1dc2bd530045c001b796e4a4dfa58d671053035abf155710b
Instruction ID: 133896b87e62ea9964a9f0da1b85f4b9c558d48dc142241e1112379e68bd0fa3
Opcode Fuzzy Hash: 5e993d2728447aa1dc2bd530045c001b796e4a4dfa58d671053035abf155710b
Instruction Fuzzy Hash: 0701FE75201211ABFB261BD8FE88DEB77A5FF69311F040059F587910C5CB799400CB90

Function 01007BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 01007C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 01007C1D
GetWindowThreadProcessId.USER32(?,?), ref: 01007C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 01007C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 01007C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 01007C4C

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 1abff5a17aac006e4938c464a7a5e551165efcc90460bfe6e7e59623fdaccd5a
Instruction ID: a9e48e171623ef4adb4f8c833a3b9775d3fd450ade92ebcf60e00128e76589f1
Opcode Fuzzy Hash: 1abff5a17aac006e4938c464a7a5e551165efcc90460bfe6e7e59623fdaccd5a
Instruction Fuzzy Hash: E4F090BA101158BBE73117929D4DEEF3B7CEFCAB11F000018FA4591045D7A92A41C7B4

Function 01009A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 01009A33
EnterCriticalSection.KERNEL32(?,?,?,?,01035DEE,?,?,?,?,?,00FCED63), ref: 01009A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,01035DEE,?,?,?,?,?,00FCED63), ref: 01009A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,01035DEE,?,?,?,?,?,00FCED63), ref: 01009A5E

Part of subcall function 010093D1: CloseHandle.KERNEL32(?,?,01009A6B,?,?,?,01035DEE,?,?,?,?,?,00FCED63), ref: 010093DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 01009A71
LeaveCriticalSection.KERNEL32(?,?,?,?,01035DEE,?,?,?,?,?,00FCED63), ref: 01009A78

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 0f892b42e394000625a66fbd4c0ce95d23ac284bde8826031646e91dd2006494
Instruction ID: b6e1d02242672b8194d82f42b322dd7077af3ea435cf4a44ef6ae0d9cc398cec
Opcode Fuzzy Hash: 0f892b42e394000625a66fbd4c0ce95d23ac284bde8826031646e91dd2006494
Instruction Fuzzy Hash: 35F0B476145201ABE7221BD4FEC8DEA7769FFA5311F040021F24391099CB7A9400DB50

Function 00FC1CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 00FDF4EA: std::exception::exception.LIBCMT ref: 00FDF51E
Part of subcall function 00FDF4EA: __CxxThrowException@8.LIBCMT ref: 00FDF533

__swprintf.LIBCMT ref: 00FC1EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00FC1D49

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: d742033014e654b3181057284f42cf20ac53c8a3e34743e5ebcdba74ac423c9d
Instruction ID: 8466646e3dd4cc6fbb85c77dba16532203c4cdb24174aa0714bcc8100d8b635c
Opcode Fuzzy Hash: d742033014e654b3181057284f42cf20ac53c8a3e34743e5ebcdba74ac423c9d
Instruction Fuzzy Hash: 0F917D715082029FD714EF24CE96E6EBBA8BF85700F04491EF985D72A2DB34E944DB92

Function 0101AFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0101B006
CharUpperBuffW.USER32(?,?), ref: 0101B115
VariantClear.OLEAUT32(?), ref: 0101B298

Part of subcall function 01009DC5: VariantInit.OLEAUT32(00000000), ref: 01009E05
Part of subcall function 01009DC5: VariantCopy.OLEAUT32(?,?), ref: 01009E0E
Part of subcall function 01009DC5: VariantClear.OLEAUT32(?), ref: 01009E1A

Strings

Incorrect Parameter format, xrefs: 0101B03E, 0101B20B
AUTOIT.ERROR, xrefs: 0101B11B

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 0871e062241acde47bf51bd687323bc78ec0874e17d6be31140a4c21215f8a69
Instruction ID: cbb49d42887625b98f6eb9f236535e7fd4ab01a7da27d43c804cdc9ce4cb6e04
Opcode Fuzzy Hash: 0871e062241acde47bf51bd687323bc78ec0874e17d6be31140a4c21215f8a69
Instruction Fuzzy Hash: 67916C746083029FCB10DF68C585A9EBBF4BF89704F04486DF99A9B351DB35E909CB52

Function 01005347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FDC6F4: _wcscpy.LIBCMT ref: 00FDC717

_memset.LIBCMT ref: 01005438
GetMenuItemInfoW.USER32(?), ref: 01005467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01005513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0100553D

Strings

0, xrefs: 01005430

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: c679b95d76a143111962b0f22447285ff4711eb0031d23a96bd326fddb680523
Instruction ID: 7bc8aabf4f9b12a8d8f64eb9adb8c3de1a0d814feeb6a2a3e978f53282c99439
Opcode Fuzzy Hash: c679b95d76a143111962b0f22447285ff4711eb0031d23a96bd326fddb680523
Instruction Fuzzy Hash: 875133712083018BF7929A2CCC55AAFBBE8AF45314F040A2EF9D5C31D1DBB5C8008F52

Function 01000213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0100027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 010002B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 010002C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 01000344

Strings

DllGetClassObject, xrefs: 010002B7

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 5feef0e02729d667a8c5ebb7efb4f3f64ce20e14a209c4bbd77b6e30556f388d
Instruction ID: f5259815803632810587047cd3658346cb9ca4130cf219b9ed0627f84e25b298
Opcode Fuzzy Hash: 5feef0e02729d667a8c5ebb7efb4f3f64ce20e14a209c4bbd77b6e30556f388d
Instruction Fuzzy Hash: 13416FB1600204EFEB16CF54C894B9B7BA9EF44251F14C0A9BD899F249D7B5DA44CBA0

Function 01005007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01005075
GetMenuItemInfoW.USER32 ref: 01005091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 010050D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01081708,00000000), ref: 01005120

Strings

0, xrefs: 0100506D

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 34f921b93d2dc7d285b9f766c758489563224a59d16201daa6714c57d0d4406f
Instruction ID: 3fe3330dbc587d8b8c0f959da4588388704fb5e73d4052f8a7df5684618bf19e
Opcode Fuzzy Hash: 34f921b93d2dc7d285b9f766c758489563224a59d16201daa6714c57d0d4406f
Instruction Fuzzy Hash: 7A41B1742053019FE722DF28DC80BAABBE4AF85314F044A5EF995972C1D770E900CF66

Function 01020567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 01020587

Strings

winapi, xrefs: 010205F8
none, xrefs: 01020662
cdecl, xrefs: 010205DE
stdcall, xrefs: 01020609

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: f4be73b6abb82dc911e6a081077175ae5283e2e92ea9e5ac3fc2e1601511b4d6
Instruction ID: 9bc4da920a30546ec078b1cfe6e1ed9d24032c792a6005d15cef838b613e846b
Opcode Fuzzy Hash: f4be73b6abb82dc911e6a081077175ae5283e2e92ea9e5ac3fc2e1601511b4d6
Instruction Fuzzy Hash: 1931B230900226AFCF10EF98CD419EEB3B5FF54314B108659F8A6A76D5DB75E905CB80

Function 00FFB80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00FFB88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00FFB8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 00FFB8D1

Strings

ComboBox, xrefs: 00FFB815
ListBox, xrefs: 00FFB84D

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: ee7d94b36699d8063a138387426410a38c598634f9dddd9c99e4c032a2d01076
Instruction ID: 7f1e5c64e155df84c295fd9ae030db9915e22b45313aacf635d66eb91b8af992
Opcode Fuzzy Hash: ee7d94b36699d8063a138387426410a38c598634f9dddd9c99e4c032a2d01076
Instruction Fuzzy Hash: 9C2104B6A00108BFD714ABA4CC86EBE7778DF85360B14412DF155A61E1DB794D0AA760

Function 010143E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 01014401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01014427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 01014457
InternetCloseHandle.WININET(00000000), ref: 0101449E

Part of subcall function 01015052: GetLastError.KERNEL32(?,?,010143CC,00000000,00000000,00000001), ref: 01015067

Strings

, xrefs: 01014450

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 4822539fd423d42a9c4cfb405d71dd4cb13382c180b4c344701aed804232fa1d
Instruction ID: e604439f4ad69b83f406a8c758f2b37ab608f026325f2cbf5dc14996154f5811
Opcode Fuzzy Hash: 4822539fd423d42a9c4cfb405d71dd4cb13382c180b4c344701aed804232fa1d
Instruction Fuzzy Hash: 1521B0B5540209BFE721DF94CC84EBF7AECFB48748F00801AF185D6154EB689D059770

Function 010290E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FDD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FDD1BA
Part of subcall function 00FDD17C: GetStockObject.GDI32(00000011), ref: 00FDD1CE
Part of subcall function 00FDD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FDD1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0102915C
LoadLibraryW.KERNEL32(?), ref: 01029163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 01029178
DestroyWindow.USER32(?), ref: 01029180

Strings

SysAnimate32, xrefs: 01029137

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: fedc046814f7a8eaeca94c5c2d1c0db81f04c48e194a89a13b75d4f9ade800db
Instruction ID: 4e5dd93bba1911224deba4035e0c4810fee6aab515f83ac5a5563f5e7488ee09
Opcode Fuzzy Hash: fedc046814f7a8eaeca94c5c2d1c0db81f04c48e194a89a13b75d4f9ade800db
Instruction Fuzzy Hash: 86218E71200225BFFF214EA99C85EBA37E9FF89368F200658FA9492191C7369C51A760

Function 01009568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 01009588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 010095B9
GetStdHandle.KERNEL32(0000000C), ref: 010095CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 01009605

Strings

nul, xrefs: 01009600

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: d2cb84cbd35c338e85eb360453ccf79a66b15ca702f424c09d8498c9f35d5cde
Instruction ID: 2de0e1b7ac97d2ccfc6dfc3524363cb1d7328e6b5d8a258203c3e576cfe92dac
Opcode Fuzzy Hash: d2cb84cbd35c338e85eb360453ccf79a66b15ca702f424c09d8498c9f35d5cde
Instruction Fuzzy Hash: D321DE70600306ABFB219F2AD844A9E7BF8AF54329F104A58F9E9D72D1D772D940CB10

Function 01009634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 01009653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01009683
GetStdHandle.KERNEL32(000000F6), ref: 01009694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 010096CE

Strings

nul, xrefs: 010096C9

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: a4dd9d50f946ff63fdbd54b0aa47b3e81c186b3f92e050e71faca5f7a1c08f2a
Instruction ID: be269092c5652acca7f55075db8a3f23dc72acbc70a2e4f94d15a08de8f01b73
Opcode Fuzzy Hash: a4dd9d50f946ff63fdbd54b0aa47b3e81c186b3f92e050e71faca5f7a1c08f2a
Instruction Fuzzy Hash: AA21A171600205ABFB219F699C44E9E77E8AF58738F200A58F9E5E72D1D7719440CB10

Function 0100DAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0100DB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0100DB5E
__swprintf.LIBCMT ref: 0100DB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,0105DC00), ref: 0100DBB5

Strings

%lu, xrefs: 0100DB71

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: a981a0ee6988f81a9805717d6c729593ad5c08db514e28779a83bc80d865f977
Instruction ID: c21112b0dc6a2afb7a97da63b1af3008646d298e05886c92876ab3e3c8df6ea9
Opcode Fuzzy Hash: a981a0ee6988f81a9805717d6c729593ad5c08db514e28779a83bc80d865f977
Instruction Fuzzy Hash: 4621B675600109AFDB10EF95CE95EAEBBB8FF88700B004069F549D7251DB75EA01DB61

Function 00FFC9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FFC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00FFC84A
Part of subcall function 00FFC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FFC85D
Part of subcall function 00FFC82D: GetCurrentThreadId.KERNEL32 ref: 00FFC864
Part of subcall function 00FFC82D: AttachThreadInput.USER32(00000000), ref: 00FFC86B

GetFocus.USER32 ref: 00FFCA05

Part of subcall function 00FFC876: GetParent.USER32(?), ref: 00FFC884

GetClassNameW.USER32(?,?,00000100), ref: 00FFCA4E
EnumChildWindows.USER32(?,00FFCAC4), ref: 00FFCA76
__swprintf.LIBCMT ref: 00FFCA90

Strings

%s%d, xrefs: 00FFCA8A

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: a9fbedc53ca86418f9b9effe98853c2b7b73804e3a52160e0894f85f6d8b2c6e
Instruction ID: dd709dd619879283d7f3694995adcca421c42b425a4ea197f1a706ea112aae7d
Opcode Fuzzy Hash: a9fbedc53ca86418f9b9effe98853c2b7b73804e3a52160e0894f85f6d8b2c6e
Instruction Fuzzy Hash: FD1190B560021D7BCB11BEA09E96FF93768AF44714F00406ABF09AA052CB799545EBB0

Function 01021945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 010219F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 01021A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 01021B49
CloseHandle.KERNEL32(?), ref: 01021BBF

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 03e1038effe77625da8deefc6fb5b05d7240cdf26d3efc5e11b612f0b4309bdf
Instruction ID: 947983b6623170aaf2e13ca295261feb4b4e28beb84d6a67f31dd8b129ce9d52
Opcode Fuzzy Hash: 03e1038effe77625da8deefc6fb5b05d7240cdf26d3efc5e11b612f0b4309bdf
Instruction Fuzzy Hash: 65819374600214ABDF11DF64CD86BADBBF5BF48720F08845AF945AF382D7B9A941CB90

Function 0102E062 Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0102E1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 0102E20D
IsDlgButtonChecked.USER32(?,00000001), ref: 0102E248
GetWindowLongW.USER32(?,000000EC), ref: 0102E269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0102E281

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: 5f42457f4feb3a20b67722cf2fe9401c82839803efa4426e1d484af33f8b9eac
Instruction ID: e6ca11436145693cc1ee345fc63536e1d5d4912836727bdcf876ae3014ce753b
Opcode Fuzzy Hash: 5f42457f4feb3a20b67722cf2fe9401c82839803efa4426e1d484af33f8b9eac
Instruction Fuzzy Hash: 4E61DF34A84224AFEB25DF58C884FEE7BFAAF49304F1440A9F9C997391C735A951CB10

Function 01001C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01001CB4
VariantClear.OLEAUT32(00000013), ref: 01001D26
VariantClear.OLEAUT32(00000000), ref: 01001D81
VariantClear.OLEAUT32(?), ref: 01001DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 01001E26

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 29fec62f6188a79111d9afe631e203f1dec819c3b67190c128ca6dfe8e3ccc90
Instruction ID: a5ff0d5e75f4378dfa92bf850a1b47476fb84a16b9368f112b75ff1054e31480
Opcode Fuzzy Hash: 29fec62f6188a79111d9afe631e203f1dec819c3b67190c128ca6dfe8e3ccc90
Instruction Fuzzy Hash: 35517CB5A00209EFDB11DF58C880AAAB7F8FF8C314F15855AE995DB345D734E901CBA0

Function 01020688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC936C: __swprintf.LIBCMT ref: 00FC93AB
Part of subcall function 00FC936C: __itow.LIBCMT ref: 00FC93DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 010206EE
GetProcAddress.KERNEL32(00000000,?), ref: 0102077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0102079B
GetProcAddress.KERNEL32(00000000,?), ref: 010207E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 010207FB

Part of subcall function 00FDE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0100A574,?,?,00000000,00000008), ref: 00FDE675
Part of subcall function 00FDE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0100A574,?,?,00000000,00000008), ref: 00FDE699

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 6d00ae2c24b0f313802f0163912727e3470af8bea0d4964c85255c29e5d7ebd3
Instruction ID: a82b65a3909ba5212a766dbeb5a95bd6de84b6c1c01614d163745374dc85bceb
Opcode Fuzzy Hash: 6d00ae2c24b0f313802f0163912727e3470af8bea0d4964c85255c29e5d7ebd3
Instruction Fuzzy Hash: 59515D75A00216DFCB00EFA8C995EADB7F5BF58310B048099F995AB351DB34ED45DB80

Function 01022E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01023C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01022BB5,?,?), ref: 01023C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01022EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01022F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 01022F75
RegCloseKey.ADVAPI32(?,?), ref: 01022FA1
RegCloseKey.ADVAPI32(00000000), ref: 01022FAE

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: 892892c96a8e1fa98a51035eee28ae1a64a80a475c20f3dc091d44cc3ab4431c
Instruction ID: 98f4b9f37254cdf96d0a225933834e2e329dfaaf7e63c80c18552c5272ca39fb
Opcode Fuzzy Hash: 892892c96a8e1fa98a51035eee28ae1a64a80a475c20f3dc091d44cc3ab4431c
Instruction Fuzzy Hash: 1F515971208205AFD744EFA8CD81FAEBBE8BF88304F04496DF59987291DB35E904DB52

Function 0102CCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40635765ed5c3fa7ec073226bceff9508f005205f67a833e92887264afa793f1
Instruction ID: 23c245c7fbbd1e076a0c3ee649b624fc56d5c3be6eea00caa37d16abb9d5d916
Opcode Fuzzy Hash: 40635765ed5c3fa7ec073226bceff9508f005205f67a833e92887264afa793f1
Instruction Fuzzy Hash: 6141B679900124AFFB60EB6CCE44FADBFA8EB09350F050295EAD9A72D1C774A911C750

Function 01011206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 010112B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 010112DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0101131C

Part of subcall function 00FC936C: __swprintf.LIBCMT ref: 00FC93AB
Part of subcall function 00FC936C: __itow.LIBCMT ref: 00FC93DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 01011341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 01011349

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 397374b76febd6b2da5bf3387c64d274598eac81d7433ebcc3f1de1aab76b5e6
Instruction ID: 315debf54e823c2ef64bd8a66f385499c2ae0e3295148ff1bc04fcfd10baf52c
Opcode Fuzzy Hash: 397374b76febd6b2da5bf3387c64d274598eac81d7433ebcc3f1de1aab76b5e6
Instruction Fuzzy Hash: 2F413B75A00105DFDB05EF64CA85EAEBBF5FF48310B148099E94AAB365CB39ED01DB50

Function 00FDB63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 00FDB64F
ScreenToClient.USER32(00000000,000000FF), ref: 00FDB66C
GetAsyncKeyState.USER32(00000001), ref: 00FDB691
GetAsyncKeyState.USER32(00000002), ref: 00FDB69F

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: b4815b7f48aaad9a31b3363bdf7dd2873682e671cb183388aa5cf9e12a17bf00
Instruction ID: be5ba77225619f1a66b7845368c1457974d02eb2e6e245a2b0f52eb42ed9fdbe
Opcode Fuzzy Hash: b4815b7f48aaad9a31b3363bdf7dd2873682e671cb183388aa5cf9e12a17bf00
Instruction Fuzzy Hash: 5341C275904115FFDF159FA8C884AEDBBB5FF45324F10835AF8A892290C734A990EF90

Function 00FFB358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FFB369
PostMessageW.USER32(?,00000201,00000001), ref: 00FFB413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00FFB41B
PostMessageW.USER32(?,00000202,00000000), ref: 00FFB429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00FFB431

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: ad2f4299a0b5514d2526b009c0ecca456acfd29518982710f34b832261938cd0
Instruction ID: 860f840d3e12fbea0922040efbd7f1b74986f418de9f0cf1bc2cfa7916429b37
Opcode Fuzzy Hash: ad2f4299a0b5514d2526b009c0ecca456acfd29518982710f34b832261938cd0
Instruction Fuzzy Hash: 7331C0B190021DEBDF14CFA8DA8DAAE3BB5EF04329F104229F965A61D1C3B49914DB90

Function 00FFDBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00FFDBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FFDBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00FFDC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00FFDC52
_wcsstr.LIBCMT ref: 00FFDC5C

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 0d062dc4e09dc5a232d62089d800c5bb0b842b246135065033ccd322d77a0a75
Instruction ID: 20646478060bbdab8f82d84d85e8799970296546f5215db99cd55f5ce2a5d178
Opcode Fuzzy Hash: 0d062dc4e09dc5a232d62089d800c5bb0b842b246135065033ccd322d77a0a75
Instruction Fuzzy Hash: 9D214C72604108BBE7259F79DD49E7B7BAADF45760F144039FA0ACA151DAA5CC00F360

Function 00FFBC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FFBC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FFBCC2
__itow.LIBCMT ref: 00FFBCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FFBD00
__itow.LIBCMT ref: 00FFBD11

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: c919be8d8618795a616086088b65f13c748f260d7ba063676a6866a141cf3732
Instruction ID: 78531f33d628f2a26a941c355230716c4f380a951182570e5d190218a78df980
Opcode Fuzzy Hash: c919be8d8618795a616086088b65f13c748f260d7ba063676a6866a141cf3732
Instruction Fuzzy Hash: 2D21F975B0020CBBDB20AAA5CD86FEF7B68AF59710F040028FB45EB191DB75894563A1

Function 01006318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00FC50E6: _wcsncpy.LIBCMT ref: 00FC50FA

GetFileAttributesW.KERNEL32(?,?,?,?,010060C3), ref: 01006369
GetLastError.KERNEL32(?,?,?,010060C3), ref: 01006374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,010060C3), ref: 01006388
_wcsrchr.LIBCMT ref: 010063AA

Part of subcall function 01006318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,010060C3), ref: 010063E0

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: 13bc4a4af1a65a323336559f594e41d181d739816548eaaf1bafe2e82562859a
Instruction ID: e98425567b14a60c64959ad223a4ee9c81a567992e9d9764c579f82d9b470a29
Opcode Fuzzy Hash: 13bc4a4af1a65a323336559f594e41d181d739816548eaaf1bafe2e82562859a
Instruction Fuzzy Hash: 4621F93190421557FB63AB78AD42FEE339DAF05360F1480A5F185C31C1EBA6D59497A0

Function 01018B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0101A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0101A84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 01018BD3
WSAGetLastError.WSOCK32(00000000), ref: 01018BE2
connect.WSOCK32(00000000,?,00000010), ref: 01018BFE

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 862650c0b5970036decfffb23541d7eaa5f19b7e9e17b9c5e0f37a98b52889f6
Instruction ID: d40fe13bbf9801ea374bc5a792c5760864c44caa563ae7a709f2adce2aadd61a
Opcode Fuzzy Hash: 862650c0b5970036decfffb23541d7eaa5f19b7e9e17b9c5e0f37a98b52889f6
Instruction Fuzzy Hash: DC21D1712001059FDB10EF68CD85F7E77A9BF54320F04844EE986973C6CB78A9018751

Function 01018420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01018441
GetForegroundWindow.USER32 ref: 01018458
GetDC.USER32(00000000), ref: 01018494
GetPixel.GDI32(00000000,?,00000003), ref: 010184A0
ReleaseDC.USER32(00000000,00000003), ref: 010184DB

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: d3fb5d9f911248020fed6629864c1ca0800ce1d36def1badc11edf09c31cd3f8
Instruction ID: 884e6a71a0634859c5db6d2dbb6d66f9a428a5ceca6f5ac1d5dedc9eff63ef0f
Opcode Fuzzy Hash: d3fb5d9f911248020fed6629864c1ca0800ce1d36def1badc11edf09c31cd3f8
Instruction Fuzzy Hash: C721A17AA00204AFD710DFA4DD84AAEBBE5EF48301F04C479E98997345DE79AD00CB60

Function 00FDAF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00FDAFE3
SelectObject.GDI32(?,00000000), ref: 00FDAFF2
BeginPath.GDI32(?), ref: 00FDB009
SelectObject.GDI32(?,00000000), ref: 00FDB033

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: cb51a540b3780ccead0d5d28cbad673a6c08e2b69b4c472478eb258e3bc4c0ed
Instruction ID: 1074b8a820a767861aca9426c8180059b7b1afdf94a0fd8aacc4c7cb4bfaf0e9
Opcode Fuzzy Hash: cb51a540b3780ccead0d5d28cbad673a6c08e2b69b4c472478eb258e3bc4c0ed
Instruction Fuzzy Hash: 4321C4B5904204EFDB319F94E84879E3B69BF143A9F18431AF4E092294C37A4862DB90

Function 00FE217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00FE21A9
CreateThread.KERNEL32(?,?,00FE22DF,00000000,?,?), ref: 00FE21ED
GetLastError.KERNEL32 ref: 00FE21F7
_free.LIBCMT ref: 00FE2200
__dosmaperr.LIBCMT ref: 00FE220B

Part of subcall function 00FE7C0E: __getptd_noexit.LIBCMT ref: 00FE7C0E

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: c17e6d0d0500b976f3f020fbea482e3cefb15d9f3140e09c8093012e5e80978c
Instruction ID: 3955515523b5c4c39b8fdcde3a02a0b0c08c478dd5d99b82d276a0b50e5cab4e
Opcode Fuzzy Hash: c17e6d0d0500b976f3f020fbea482e3cefb15d9f3140e09c8093012e5e80978c
Instruction Fuzzy Hash: 8511A5325043C66FEB21BFA79C41DAB379DEF45770B10042AFA14C6191EB79D911A7A0

Function 00FFABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00FFABD7
GetLastError.KERNEL32(?,00FFA69F,?,?,?), ref: 00FFABE1
GetProcessHeap.KERNEL32(00000008,?,?,00FFA69F,?,?,?), ref: 00FFABF0
HeapAlloc.KERNEL32(00000000,?,00FFA69F,?,?,?), ref: 00FFABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00FFAC0E

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: ff91b1e0f717892219ad33a28b9805598f3f8e806963de1d30df3aa91e1a9947
Instruction ID: 64e608206b690ebec42ed4054c04cfd5e4301d31266ae3863e0b797a07402f61
Opcode Fuzzy Hash: ff91b1e0f717892219ad33a28b9805598f3f8e806963de1d30df3aa91e1a9947
Instruction Fuzzy Hash: 110181F4600208BFDB214FE5DD88D6B3BACEF893657100429F949C3260D672DC40DB60

Function 00FF9ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00FF9ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 00FF9AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 00FF9B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00FF9B15
CLSIDFromString.OLE32(?,?), ref: 00FF9B21

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 3f9150e9cd97e15f6fb630ed687d6cb07d476f071446bdde8cf6941de75d825a
Instruction ID: 4adfa234ecb021b84527edccc21736bef3fa328254bacb262db9f96ef6946573
Opcode Fuzzy Hash: 3f9150e9cd97e15f6fb630ed687d6cb07d476f071446bdde8cf6941de75d825a
Instruction Fuzzy Hash: 040184BA600219BFDB114F54DD44BBD7AEDEF94351F144028FB49D2110D7B5DE41ABA0

Function 01007A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 01007A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01007A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 01007A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01007A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 01007AD0

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 801f89887f33c196e18f836a1210f3d4d33dd323882c04f27a3b6cd8a10651a4
Instruction ID: f5cffb6dcbb98774a92f2ea45f9f0bba57410c4c50c6ee556daaa93840a38f3e
Opcode Fuzzy Hash: 801f89887f33c196e18f836a1210f3d4d33dd323882c04f27a3b6cd8a10651a4
Instruction Fuzzy Hash: A1018C75D00619EBEF21AFE4D988ADDBB78FF59311F040085D9C2B2284DB39A690C7A1

Function 00FFAAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FFAADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FFAAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FFAAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FFAAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FFAB10

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: db573216d76b0c0c253a494f68c711e53ffd5c8ac099deeaf0f5b7783810b07a
Instruction ID: 6ad74562626ec8d747a52624e0e3bff0653296b6e50e5f8c561ad17903ef05d9
Opcode Fuzzy Hash: db573216d76b0c0c253a494f68c711e53ffd5c8ac099deeaf0f5b7783810b07a
Instruction Fuzzy Hash: 3EF03CB53002086FEB220FE4EC88E7B3B6DFF85769B000029FA85C7190CA6598019B61

Function 00FFAA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FFAA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FFAA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FFAA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FFAA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FFAAAF

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 859c1573d9f6aac9c5271c5b71162df98dc8f118ae537061d849ceab94f6729e
Instruction ID: 761749a16c30f5b71532794a57d356d0c67d3e801d7576394af8299b470e7b30
Opcode Fuzzy Hash: 859c1573d9f6aac9c5271c5b71162df98dc8f118ae537061d849ceab94f6729e
Instruction Fuzzy Hash: 01F0A4B5200208BFD7201FE49D88F773B6CFF49794B000019FA45C7160D665DC05DB61

Function 00FFEC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00FFEC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 00FFECAB
MessageBeep.USER32(00000000), ref: 00FFECC3
KillTimer.USER32(?,0000040A), ref: 00FFECDF
EndDialog.USER32(?,00000001), ref: 00FFECF9

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 54ed46ae9a484dcbbc408c6e019b573a0917dae47fea1908d439e0b2ef06179d
Instruction ID: e7519b3db5f668a99267c08f391a1389787e112da782a541eeac27673fe9ca97
Opcode Fuzzy Hash: 54ed46ae9a484dcbbc408c6e019b573a0917dae47fea1908d439e0b2ef06179d
Instruction Fuzzy Hash: 6B01D174900758ABEB309F50DF8EBA677B8FF10B05F00055DB682A10E0DBF9AA44DB90

Function 00FDB0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00FDB0BA
StrokeAndFillPath.GDI32(?,?,0103E680,00000000,?,?,?), ref: 00FDB0D6
SelectObject.GDI32(?,00000000), ref: 00FDB0E9
DeleteObject.GDI32 ref: 00FDB0FC
StrokePath.GDI32(?), ref: 00FDB117

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 974e602884fa0fb35e674cd0a8083b54dcd935990556386bff441ff29b80568f
Instruction ID: d78abb77fa09354073f6fb2c5fdefe804a5b7a4845a72e776167a107a99d17c9
Opcode Fuzzy Hash: 974e602884fa0fb35e674cd0a8083b54dcd935990556386bff441ff29b80568f
Instruction Fuzzy Hash: AEF01979008244EFDB319FA5E90C7583B66AB147AAF188315F4E5451E8C73A89A6DF10

Function 0100F23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0100F2DA
CoCreateInstance.OLE32(0104DA7C,00000000,00000001,0104D8EC,?), ref: 0100F2F2
CoUninitialize.OLE32 ref: 0100F555

Strings

.lnk, xrefs: 0100F28B, 0100F290, 0100F29E

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: 3bf9e7bca0ac5d2ae900be8b5c9c207e5ffad415e7dc83f8ef5e6dc96b4eb9c1
Instruction ID: de9b76a9c147a8e5a150a52ae686082eb67308d61ac841be8d1f49d6f62591f7
Opcode Fuzzy Hash: 3bf9e7bca0ac5d2ae900be8b5c9c207e5ffad415e7dc83f8ef5e6dc96b4eb9c1
Instruction Fuzzy Hash: 00A16C71104201AFD300EFA4CC92EABB7ECEF98714F04495DF19597292EB75EA09DB92

Function 0100E7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC53B1,?,?,00FC61FF,?,00000000,00000001,00000000), ref: 00FC662F

CoInitialize.OLE32(00000000), ref: 0100E85D
CoCreateInstance.OLE32(0104DA7C,00000000,00000001,0104D8EC,?), ref: 0100E876
CoUninitialize.OLE32 ref: 0100E893

Part of subcall function 00FC936C: __swprintf.LIBCMT ref: 00FC93AB
Part of subcall function 00FC936C: __itow.LIBCMT ref: 00FC93DF

Strings

.lnk, xrefs: 0100E83B, 0100E84D

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 2b23b4fc298286c7c95d549414b36ce9437bea0f79e2c15bda692a95a2ea3233
Instruction ID: 87532d5103a75cd3ec59ec7caf820b95359178f395f686e5be7322ce0efba360
Opcode Fuzzy Hash: 2b23b4fc298286c7c95d549414b36ce9437bea0f79e2c15bda692a95a2ea3233
Instruction Fuzzy Hash: 8AA156756043019FDB11DF14C985E2ABBE5BF89310F04899CF99AAB3A2CB35EC45CB91

Function 00FE325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00FE32ED

Part of subcall function 00FEE0D0: __87except.LIBCMT ref: 00FEE10B

Strings

pow, xrefs: 00FE32C5, 00FE32E2

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: fe6dabe9acfa76b7a6f96c5ff3383e34b00d3c5d94ec9bd7ea3fe8810a7711bd
Instruction ID: c7e0e3ee4bfb786e1b557f180f31d6dabb8dbd5185f189be5408b9c678090b30
Opcode Fuzzy Hash: fe6dabe9acfa76b7a6f96c5ff3383e34b00d3c5d94ec9bd7ea3fe8810a7711bd
Instruction Fuzzy Hash: B2514A32E09281D6CB257A16E90D77A3BA49B40730F308D68F4D58329DDE3D8DD8B742

Function 01004606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0105DC50,?,0000000F,0000000C,00000016,0105DC50,?), ref: 01004645

Part of subcall function 00FC936C: __swprintf.LIBCMT ref: 00FC93AB
Part of subcall function 00FC936C: __itow.LIBCMT ref: 00FC93DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 010046C5

Strings

THIS, xrefs: 01004703
REMOVE, xrefs: 01004676

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: f54baabd203551c53acbfe3c129fdb834ee8f1a3895f9f12286e373e51c526d9
Instruction ID: 8c044239169138f991f8e2cb8a3f4d5899e7caba6039b68063658912d59afe4b
Opcode Fuzzy Hash: f54baabd203551c53acbfe3c129fdb834ee8f1a3895f9f12286e373e51c526d9
Instruction Fuzzy Hash: D5418334A0020A9FEF02DF98C985AADB7F5FF49304F048059EA5AEB292DB74DD45CB54

Function 00FFC189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0100430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FFBC08,?,?,00000034,00000800,?,00000034), ref: 01004335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00FFC1D3

Part of subcall function 010042D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FFBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 01004300

Part of subcall function 0100422F: GetWindowThreadProcessId.USER32(?,?), ref: 0100425A
Part of subcall function 0100422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00FFBBCC,00000034,?,?,00001004,00000000,00000000), ref: 0100426A
Part of subcall function 0100422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00FFBBCC,00000034,?,?,00001004,00000000,00000000), ref: 01004280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FFC240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FFC28D

Strings

@, xrefs: 00FFC2A5

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 70f9e61e34e5b0229e9d5ce8a373dbcbfa16077d73c7e2430af9e5d2559005b2
Instruction ID: 7dd89a6fd16ce4eadaccf4f6cc103c428d3b4051cbf4b3bf1849590c415d9c37
Opcode Fuzzy Hash: 70f9e61e34e5b0229e9d5ce8a373dbcbfa16077d73c7e2430af9e5d2559005b2
Instruction Fuzzy Hash: E6415B76A0021DBFDB11DFA4CE81AEEB7B8EF19310F004095EA85B7190DA716E45DBA1

Function 0102A63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0105DC00,00000000,?,?,?,?), ref: 0102A6D8
GetWindowLongW.USER32 ref: 0102A6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0102A705

Strings

SysTreeView32, xrefs: 0102A6AA

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 3d535d76101277242b034a9713345f330e95266fb79f40a5d9c0156d8d86a7bd
Instruction ID: acc5da83eb74b289752a01b4dfefe27a6e94bc6f0bad69eb67540b7df5ea21fb
Opcode Fuzzy Hash: 3d535d76101277242b034a9713345f330e95266fb79f40a5d9c0156d8d86a7bd
Instruction Fuzzy Hash: 5031E13120021AEFDB218E78CC45BEA7BA9FF49324F244359F9B5932D1CB34E8509B54

Function 0102A0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0102A15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0102A172
SendMessageW.USER32(?,00001002,00000000,?), ref: 0102A196

Strings

SysMonthCal32, xrefs: 0102A129

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 191078177400eeee3418b92b7024276b1f0637c57abf8f04df756dbc08c0a8ca
Instruction ID: 4be725745fad5c01d7798a3a96f67adae381066215d528cbdbf98ba1c9f0f8db
Opcode Fuzzy Hash: 191078177400eeee3418b92b7024276b1f0637c57abf8f04df756dbc08c0a8ca
Instruction Fuzzy Hash: D6219132610228BBEF168E94CC82FEA3BB5EF48764F110114FA956B1D1DAB5A855CB90

Function 0102A88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0102A941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0102A94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0102A956

Strings

msctls_updown32, xrefs: 0102A8BB

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 51c721abbcc8c43add971c9a3b1e9be375ae7b3c5754520a03e0b9a12665f39e
Instruction ID: a35ef9a4d90c2bd24710d83af64dd3b9f5183ec6ba5ca84eba237f980d4bd954
Opcode Fuzzy Hash: 51c721abbcc8c43add971c9a3b1e9be375ae7b3c5754520a03e0b9a12665f39e
Instruction Fuzzy Hash: E321A1B5700219AFEB11DF59CCC1D7B37ADEF4A358B040099FA849B351CA31EC128B60

Function 010299A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01029A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01029A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01029A65

Strings

Listbox, xrefs: 010299FD

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: cc7a5472944f5aa9e785de4428c94d20b8434ddca6d25d0af338268c943fa674
Instruction ID: 472021446461ec3a953210e6fbb2b12957fe860dc054e5de88eb35ffc82045de
Opcode Fuzzy Hash: cc7a5472944f5aa9e785de4428c94d20b8434ddca6d25d0af338268c943fa674
Instruction Fuzzy Hash: E821C572610128BFDF228F58CC85EBF3BAAEF89768F018125F9959B191C6719C1187A0

Function 0102A409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0102A46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0102A482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0102A48F

Strings

msctls_trackbar32, xrefs: 0102A444

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 64bc8e161ae983aefe79c031bc8db981d60717d27598353bb7d7dbfa4a65494c
Instruction ID: 98f32a7810b57ef3bfdd573becca16bdcfe61580362aff2e9583f259a1359258
Opcode Fuzzy Hash: 64bc8e161ae983aefe79c031bc8db981d60717d27598353bb7d7dbfa4a65494c
Instruction Fuzzy Hash: 78110671240218FEEF215F65CC49FEB3BA9EFC9758F014218FA85A7091DA76E811CB24

Function 00FE2287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00FE2350,?), ref: 00FE22A1
GetProcAddress.KERNEL32(00000000), ref: 00FE22A8

Strings

RoInitialize, xrefs: 00FE2290
combase.dll, xrefs: 00FE229C

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 8697fe566eb14054611c4efdadae0548c1acfa65ed59609b1905f186a5ba18c3
Instruction ID: 94d3916beeff777c4d7d306b76278caf543f48c6e54ddc58891b93800cb1e6a3
Opcode Fuzzy Hash: 8697fe566eb14054611c4efdadae0548c1acfa65ed59609b1905f186a5ba18c3
Instruction Fuzzy Hash: 03E0EDB4A94300ABDF705FA19D89B193654BB10721F004424B2C1D618CDBBE4044DB04

Function 00FE235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00FE2276), ref: 00FE2376
GetProcAddress.KERNEL32(00000000), ref: 00FE237D

Strings

combase.dll, xrefs: 00FE2371
RoUninitialize, xrefs: 00FE2365

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: 1a46ea3f8cfa6c5bee0d8ada19b9f68ccc7c2879a07df08a892bdecb9d3932d2
Instruction ID: 2ab74977481e75a82446e301c44581b1432fdcde40b5beb20f9c9efd9cfa0e6e
Opcode Fuzzy Hash: 1a46ea3f8cfa6c5bee0d8ada19b9f68ccc7c2879a07df08a892bdecb9d3932d2
Instruction Fuzzy Hash: B4E0BFB4A48700EFDB715FA1ED4DB093665B720722F100424F1C9E606CD7BE5414DB58

Function 0103AC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0103AC60
__swprintf.LIBCMT ref: 0103AC94

Strings

WIN_XPe, xrefs: 0103ACD3
%.3d, xrefs: 0103AC6E

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 09c0dcd19bd9e14bc247f223e1c00cdfc67deb137d9271516ada5b65f0741f75
Instruction ID: b6da153c0bde824d5c784ffaa72cb1d18603f19e7bd57bf447e102d25ac82333
Opcode Fuzzy Hash: 09c0dcd19bd9e14bc247f223e1c00cdfc67deb137d9271516ada5b65f0741f75
Instruction Fuzzy Hash: 40E012B291461CDBCB109B91CE45DFD737CA744741F440092F9C6E3104D6399B95DB21

Function 00FC42F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00FC42EC,?,00FC42AA,?), ref: 00FC4304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FC4316

Strings

Wow64RevertWow64FsRedirection, xrefs: 00FC4310
kernel32.dll, xrefs: 00FC42FF

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: d22cf95af84167e66b3a1dcabf105b0d22b7c7ff8c20473fca5edec056e00ef6
Instruction ID: 834b08d950bde0ad917466319ef9c78cd9e796b11ec8b69e1c978f978f6de7c1
Opcode Fuzzy Hash: d22cf95af84167e66b3a1dcabf105b0d22b7c7ff8c20473fca5edec056e00ef6
Instruction Fuzzy Hash: C4D0A7B4D00B13BFD7305F61E95DB0276D8BB14311B00441DE8C1D2124D774D880EB10

Function 01022205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,010221FB,?,010223EF), ref: 01022213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 01022225

Strings

GetProcessId, xrefs: 0102221F
kernel32.dll, xrefs: 0102220E

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: 67de5fef4af9d1510c684df70c59471cef1c39a2ac822c822421cca88f7cb415
Instruction ID: 99ef03961fd0aefbbdbf3f5281bd89648b921d9ef6dbdec4d00032101433ef7b
Opcode Fuzzy Hash: 67de5fef4af9d1510c684df70c59471cef1c39a2ac822c822421cca88f7cb415
Instruction Fuzzy Hash: ADD0A7B8900726FFD7315FB5F54860176D8EB05200B00445DECC1E2110E776D484C750

Function 00FC434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00FC41BB,00FC4341,?,00FC422F,?,00FC41BB,?,?,?,?,00FC39FE,?,00000001), ref: 00FC4359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FC436B

Strings

Wow64DisableWow64FsRedirection, xrefs: 00FC4365
kernel32.dll, xrefs: 00FC4354

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: c9b890f85309fa5345832316962b72eaff7a6a03adf473c5fb4420041e179113
Instruction ID: 14a247c63a4777698a08d548cd32c383aaf96e2051e8712b0ebf43b34b275569
Opcode Fuzzy Hash: c9b890f85309fa5345832316962b72eaff7a6a03adf473c5fb4420041e179113
Instruction Fuzzy Hash: 56D0A7B4D00B53AFD7305F71E659B0276D8BB20725B00441DE8C1D2110D774E880E714

Function 01000539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,0100051D,?,010005FE), ref: 01000547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 01000559

Strings

oleaut32.dll, xrefs: 01000542
RegisterTypeLibForUser, xrefs: 01000553

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: 42b0942d20b7796293d6ec3c6f57947af6faf05331aac236d97972fffc3554c9
Instruction ID: 99e0abe1c4681ef6ca0d6d0319f635e4fc9821482ea9c40473908bccd98fc58d
Opcode Fuzzy Hash: 42b0942d20b7796293d6ec3c6f57947af6faf05331aac236d97972fffc3554c9
Instruction Fuzzy Hash: 9DD0A7F4900712AFE7319F75E44870276D4AB10302F50C46DF8C6D3158D676C480C710

Function 01000564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0100052F,?,010006D7), ref: 01000572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 01000584

Strings

oleaut32.dll, xrefs: 0100056D
UnRegisterTypeLibForUser, xrefs: 0100057E

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 78f537ad3e1f34a154ccc3db12f1d6cf427f9acf9c1b4caf0ecdf96fd15dc898
Instruction ID: 33ba8c9bf816f34dcf09a55ba5f9f69d9ee0865600bd049f108b7ff4f207d49e
Opcode Fuzzy Hash: 78f537ad3e1f34a154ccc3db12f1d6cf427f9acf9c1b4caf0ecdf96fd15dc898
Instruction Fuzzy Hash: 83D05EB4900312ABE7215F75E448B027BE4AB04211F10846DFCC1A2298DA75C0808720

Function 0101ECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0101ECBE,?,0101EBBB), ref: 0101ECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0101ECE8

Strings

GetSystemWow64DirectoryW, xrefs: 0101ECE2
kernel32.dll, xrefs: 0101ECD1

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 6cbd0822736192bf507241785911c9fd844dce4dae5fcb9ea346ad9f2b4de614
Instruction ID: 64097c861c6bcb3f643814282ab46fc7bfebdf9f1d2694711a9b3d0b15eb02bd
Opcode Fuzzy Hash: 6cbd0822736192bf507241785911c9fd844dce4dae5fcb9ea346ad9f2b4de614
Instruction Fuzzy Hash: 3ED0A7B4900723AFDB315FA5E9886067AE8AB01200B00845DFCC5D2115DF78D480DB10

Function 01023BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,01023BD1,?,01023E06), ref: 01023BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 01023BFB

Strings

RegDeleteKeyExW, xrefs: 01023BF5
advapi32.dll, xrefs: 01023BE4

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 734dec375fb0382c388c6b194d8ab99773b0cd96231ecb9c56436a923726572d
Instruction ID: ea333dca8253ea5a2788301eaeb4629287ee7ba63982e19f7c5c4326c9e31090
Opcode Fuzzy Hash: 734dec375fb0382c388c6b194d8ab99773b0cd96231ecb9c56436a923726572d
Instruction Fuzzy Hash: DCD05EB4A00766EBD7205BA6A548602BAE4AB08214B20845DE8C5D6210D7B8D0808F10

Function 0101BADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,0101BAD3,00000001,0101B6EE,?,0105DC00), ref: 0101BAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0101BAFD

Strings

kernel32.dll, xrefs: 0101BAE6
GetModuleHandleExW, xrefs: 0101BAF7

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 122c15969c4dfac5fee401483665f1e74573d2655d95e07ad573cec21d31a4e4
Instruction ID: c1199dce16e5d390d4b9591e1bd2356e76d9d9a019990fd6a37719b8e6404ebb
Opcode Fuzzy Hash: 122c15969c4dfac5fee401483665f1e74573d2655d95e07ad573cec21d31a4e4
Instruction Fuzzy Hash: 16D05EB4D00712AFD7316F65A888A1276F8BB00200B10445DB8C3D2518D7B8C480C754

Function 00FF9B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b739a794a5133737c2ed8292e6ed2f52abbb355f7bedf7c66a7a129d340f31a4
Instruction ID: d5ec67655283b4a6c528b14e8c535af746f0206a779a98a9d1760f2f5b881541
Opcode Fuzzy Hash: b739a794a5133737c2ed8292e6ed2f52abbb355f7bedf7c66a7a129d340f31a4
Instruction Fuzzy Hash: BBC14D75A0421AEFCB14DF94C884BBEB7B5FF48710F104599EA059B2A1D7B0DE41EBA0

Function 0101AA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0101AAB4
CoUninitialize.OLE32 ref: 0101AABF

Part of subcall function 01000213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0100027B

VariantInit.OLEAUT32(?), ref: 0101AACA
VariantClear.OLEAUT32(?), ref: 0101AD9D

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: b574669192c307078be5c214f42dbfd45ae64e9bb50961ca0daceb432fc4a5fd
Instruction ID: 52e416b0e7fe81fbc6c17e753ed50584a7c4cb1f9fae38d4909876a7bae48101
Opcode Fuzzy Hash: b574669192c307078be5c214f42dbfd45ae64e9bb50961ca0daceb432fc4a5fd
Instruction Fuzzy Hash: 8AA14775204742DFDB11EF18C985B5AB7E5BF98310F044449FA9A9B3A2CB38ED04CB81

Function 00FF91CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FF91DD
SysAllocString.OLEAUT32(?), ref: 00FF9286
VariantCopy.OLEAUT32 ref: 00FF92B5
VariantClear.OLEAUT32(?), ref: 00FF92DC

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: d956472d865fbe71cec800ca5f9e7c2bdde77505655f8dd12250b7ef030bb2bf
Instruction ID: 75c0d7251fcd93ef0d7d99b1740d2ae870a89f2f8235818b6b06c0017556c1b5
Opcode Fuzzy Hash: d956472d865fbe71cec800ca5f9e7c2bdde77505655f8dd12250b7ef030bb2bf
Instruction Fuzzy Hash: 2251B835A0830A9BDB24AF65D891B7EB3EDEF55314F20881FE646C72F1DBB49840A701

Function 00FE365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FE36B7
_memcpy_s.LIBCMT ref: 00FE3729
__filbuf.LIBCMT ref: 00FE37AA
_memset.LIBCMT ref: 00FE37EE

Part of subcall function 00FE7C0E: __getptd_noexit.LIBCMT ref: 00FE7C0E

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction ID: c6c3baea0992fd2670a17c7c947e4d9a91dad3e3bf2b36be970a7d62c717fdbd
Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction Fuzzy Hash: 8B5194B1E04285ABDB249F7B8C8DA6E77B5AF40330F248729F825972D0D7759F50AB40

Function 0102C4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(018C5600,?), ref: 0102C544
ScreenToClient.USER32(?,00000002), ref: 0102C574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0102C5DA

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: c88e9b48f05264e9bd119d63dd28e27ea1fea82538fd07c7dd842a7ac6e96791
Instruction ID: b42330f552f14d4fdbeec51595d5d98f5bedf8b9dd71783da17a191ea71de09b
Opcode Fuzzy Hash: c88e9b48f05264e9bd119d63dd28e27ea1fea82538fd07c7dd842a7ac6e96791
Instruction Fuzzy Hash: 2F519275900225EFDF21DF68C984AAE7BF6FF48324F108299F99597281D734E981CB90

Function 00FFC410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00FFC462
__itow.LIBCMT ref: 00FFC49C

Part of subcall function 00FFC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00FFC753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00FFC505
__itow.LIBCMT ref: 00FFC55A

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 29fad5512b53aea832da2e42872157337787e2384c170e173809bf5fbb454ebc
Instruction ID: 5d682a43fd8901b375cf2960f593eafc9ecf971ead5c50d2d4b1f0b007651008
Opcode Fuzzy Hash: 29fad5512b53aea832da2e42872157337787e2384c170e173809bf5fbb454ebc
Instruction Fuzzy Hash: AF41F671A0021D6BDF21EF54CE46FFE7BB5AF48710F040019F605A7191DB74AA499B91

Function 0100390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 01003966
SetKeyboardState.USER32(00000080,?,00000001), ref: 01003982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 010039EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 01003A4D

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9be1d159700bfcd5a6d0bc96a027f27c745128b9637a02e71b7af1fc5d816d44
Instruction ID: 0d08324b6754f3b4d3b4217005642e5351951bd4fc50542dad24784aac53d4c7
Opcode Fuzzy Hash: 9be1d159700bfcd5a6d0bc96a027f27c745128b9637a02e71b7af1fc5d816d44
Instruction Fuzzy Hash: E7412770E44248AEFF738B688849BFDBBF5BB55310F04019AE5C19A2C1CB758985C765

Function 0100E698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0100E742
GetLastError.KERNEL32(?,00000000), ref: 0100E768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0100E78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0100E7B9

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: a14f331826e95a7b9ade4651c5f63be89f66d77a96a225228a357963a2c6a055
Instruction ID: a15b3c1f6ea701de3b53073ad9f55ea2a4ba849be6f294895108e7d7435d6d18
Opcode Fuzzy Hash: a14f331826e95a7b9ade4651c5f63be89f66d77a96a225228a357963a2c6a055
Instruction Fuzzy Hash: 60418E39200611DFDF11EF14C945A4DBBE5BF99720F088489E956AB3A2CB79FC00DB81

Function 0102B544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0102B5D1

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 74fa9321e2f3da09e98fb0a75c9cc1024fd28f2e95da981ed9bb1e724aa9afed
Instruction ID: 467116edf8b220346cb52d0cf6fbfa0fc44c1ea2595b407476b790738d55b14e
Opcode Fuzzy Hash: 74fa9321e2f3da09e98fb0a75c9cc1024fd28f2e95da981ed9bb1e724aa9afed
Instruction Fuzzy Hash: F931EE74600238BFEF709E5CCC88FAC7BA5EB0A314F944542FBD1DA2E1CA39A5408B51

Function 0102D7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0102D807
GetWindowRect.USER32(?,?), ref: 0102D87D
PtInRect.USER32(?,?,0102ED5A), ref: 0102D88D
MessageBeep.USER32(00000000), ref: 0102D8FE

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 5402cd427a3ffbb914c508541a48a248cf9f949d6390aedc04f96166e6b8cf32
Instruction ID: 56ecee51e6e03025775fba978ec6ac7eda1ae3805203b7491dae8f6222e329ad
Opcode Fuzzy Hash: 5402cd427a3ffbb914c508541a48a248cf9f949d6390aedc04f96166e6b8cf32
Instruction Fuzzy Hash: 8D41DD74A00229DFDB22CF98C480BADBBF5FF48314F1881AAE5C89B245C771E841CB50

Function 01003A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 01003AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 01003AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 01003B34
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 01003B92

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c88793647506bd3c2fe47539dfa94360f38f6aae3257d83f83b819c86e87e989
Instruction ID: 9679d8b584f2b67c1ed38ad7df1b510261982a5b38200f9f296ad9a10cc6e2e4
Opcode Fuzzy Hash: c88793647506bd3c2fe47539dfa94360f38f6aae3257d83f83b819c86e87e989
Instruction Fuzzy Hash: 88312870A40A58AEFF339BA888187FE7FE5BB55318F04019AE6C19B1C1C7758A45C761

Function 00FF4004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00FF4038
__isleadbyte_l.LIBCMT ref: 00FF4066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00FF4094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00FF40CA

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 37bdf70b51d776135806ac75f57b9ba5f7e47c487c3fefcf54d1c280db03383c
Instruction ID: 704f0ea9f96570a7bfc5db01c1ad10a23aa292c5a436286f32aed897621cfe11
Opcode Fuzzy Hash: 37bdf70b51d776135806ac75f57b9ba5f7e47c487c3fefcf54d1c280db03383c
Instruction Fuzzy Hash: EC31B231A0024AAFDB219F75C844B7B7BB5FF40320F154429EB65871B1EB31E890E790

Function 01027CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 01027CB9

Part of subcall function 01005F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 01005F6F
Part of subcall function 01005F55: GetCurrentThreadId.KERNEL32 ref: 01005F76
Part of subcall function 01005F55: AttachThreadInput.USER32(00000000,?,0100781F), ref: 01005F7D

GetCaretPos.USER32(?), ref: 01027CCA
ClientToScreen.USER32(00000000,?), ref: 01027D03
GetForegroundWindow.USER32 ref: 01027D09

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 6129965c128d74c5c6bae01dfa1933d27b2b5cdcc8ad1df4d64cfb6bb03599a9
Instruction ID: 5c5bf10e4b22573bf4a9e238557102c855f360505d316b26adc49ee4af1dac80
Opcode Fuzzy Hash: 6129965c128d74c5c6bae01dfa1933d27b2b5cdcc8ad1df4d64cfb6bb03599a9
Instruction Fuzzy Hash: E3314F72900108AFDB11EFA9CC859EFBBF9EF64310B10806AE855E3211DB359E01DFA1

Function 0102F1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FDB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FDB35F

GetCursorPos.USER32(?), ref: 0102F211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0103E4C0,?,?,?,?,?), ref: 0102F226
GetCursorPos.USER32(?), ref: 0102F270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0103E4C0,?,?,?), ref: 0102F2A6

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: f277af8b877ac95f2ec0b4e6fa1a3c75ba4bbddb2f0155d9a31aae69cccccc5f
Instruction ID: fd5471bdd366c8015a07231266deb1cfddbdfff48aa0a8c968cde05971c3a510
Opcode Fuzzy Hash: f277af8b877ac95f2ec0b4e6fa1a3c75ba4bbddb2f0155d9a31aae69cccccc5f
Instruction Fuzzy Hash: 5B21E139600028EFDB258F98C888EEE7FB5EF0B350F184099FA8547295D3759951DB90

Function 0101431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 01014358

Part of subcall function 010143E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 01014401
Part of subcall function 010143E2: InternetCloseHandle.WININET(00000000), ref: 0101449E

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 34553ef962fb30ba9bc7ac49cb2633840a73aa6500fc54bf2f08836757130291
Instruction ID: 3465789f9d1dcb6d07b9b448ec19dd2b0addc85c19734ea74283efa72b11f57f
Opcode Fuzzy Hash: 34553ef962fb30ba9bc7ac49cb2633840a73aa6500fc54bf2f08836757130291
Instruction Fuzzy Hash: B121F675200601BFEB129FA4DC40FBBBBE9FF54710F00801AFA95D6564E779D4219B90

Function 01028A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 01028AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01028AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01028ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01028ADC

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: c8ce1875cf2a50b92b778ad1dad8835a6dc54fb1cd913ba18b2bea5f4894ca1c
Instruction ID: 67b41edf6a7841bc35ab83ff0b575ce26dce11de86b0ab13ae7416e3e4bdcea7
Opcode Fuzzy Hash: c8ce1875cf2a50b92b778ad1dad8835a6dc54fb1cd913ba18b2bea5f4894ca1c
Instruction Fuzzy Hash: B011D035305121AFE754AB18CD45FBE77D9EF95320F18811AF956C72D1CF69AC008794

Function 01018A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 01018AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 01018AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 01018AFF
WSAGetLastError.WSOCK32(00000000), ref: 01018B16

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: cae44f2c98e01c6d527e8252ab6bccbe810d148edf0220ed480867d4b7b7906b
Instruction ID: 6ff866f865e23083d81e11c52d09f965be13793238d87fa5cb44ff15a49d3a55
Opcode Fuzzy Hash: cae44f2c98e01c6d527e8252ab6bccbe810d148edf0220ed480867d4b7b7906b
Instruction Fuzzy Hash: 18219676A001249FD721DF68DD84A9E7BECFF59310F0481AAF849D7280DB789A418F90

Function 01000AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 01001E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,01000ABB,?,?,?,0100187A,00000000,000000EF,00000119,?,?), ref: 01001E77
Part of subcall function 01001E68: lstrcpyW.KERNEL32(00000000,?,?,01000ABB,?,?,?,0100187A,00000000,000000EF,00000119,?,?,00000000), ref: 01001E9D
Part of subcall function 01001E68: lstrcmpiW.KERNEL32(00000000,?,01000ABB,?,?,?,0100187A,00000000,000000EF,00000119,?,?), ref: 01001ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0100187A,00000000,000000EF,00000119,?,?,00000000), ref: 01000AD4
lstrcpyW.KERNEL32(00000000,?,?,0100187A,00000000,000000EF,00000119,?,?,00000000), ref: 01000AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,0100187A,00000000,000000EF,00000119,?,?,00000000), ref: 01000B2E

Strings

cdecl, xrefs: 01000B25

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 2d80512f73bc55eec454f000be9e201671ecbe5f316d4925231519a1021fa371
Instruction ID: 1bfcff87288541f17877d89577624d4bbeea63ea91603ec3005d031ca4b03f7e
Opcode Fuzzy Hash: 2d80512f73bc55eec454f000be9e201671ecbe5f316d4925231519a1021fa371
Instruction Fuzzy Hash: A111D63A200305AFEB26AF68DC45E7A77A9FF45350F80406AF946CB294EB71D850C7A0

Function 00FF2F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FF2FB5

Part of subcall function 00FE395C: __FF_MSGBANNER.LIBCMT ref: 00FE3973
Part of subcall function 00FE395C: __NMSG_WRITE.LIBCMT ref: 00FE397A
Part of subcall function 00FE395C: RtlAllocateHeap.NTDLL(018A0000,00000000,00000001,00000001,00000000,?,?,00FDF507,?,0000000E), ref: 00FE399F

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 6f0b334ad4339d9678038a29c525455846e5fd6a57e1de738d47c861c732c282
Instruction ID: 7e8767b05585f7a41b13a5fe25fc46651c14816ae34bd6a84b174654510dfc9b
Opcode Fuzzy Hash: 6f0b334ad4339d9678038a29c525455846e5fd6a57e1de738d47c861c732c282
Instruction Fuzzy Hash: 79110D7290835AABCB313BB5AC4467D3B98AF10374F304515FA89D62A5DF39C940B790

Function 0100058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 010005AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 010005C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 010005DD
FreeLibrary.KERNEL32(?), ref: 01000632

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: 1b58e990c0c52f8f4d1b116f47460b75063f625384bc4e7f0b223a02277f90ec
Instruction ID: 5417970acf33821e6a88ddb52ba372e437ec399663c6c87251023f994174bda1
Opcode Fuzzy Hash: 1b58e990c0c52f8f4d1b116f47460b75063f625384bc4e7f0b223a02277f90ec
Instruction Fuzzy Hash: 3221D271940209EFEB228FD4DC88BDABBB9EF44380F108469F68692184DB75E604CF51

Function 00FFB1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FFAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FFAA79
Part of subcall function 00FFAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FFAA83
Part of subcall function 00FFAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FFAA92
Part of subcall function 00FFAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FFAA99
Part of subcall function 00FFAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FFAAAF

GetLengthSid.ADVAPI32(?,00000000,00FFADE4,?,?), ref: 00FFB21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00FFB227
HeapAlloc.KERNEL32(00000000), ref: 00FFB22E
CopySid.ADVAPI32(?,00000000,?), ref: 00FFB247

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: f9ebbee3138918eb49987ffcae203f2db759e64523c4e9cb16a55f0f489429b6
Instruction ID: 3e2886ecd5dfbfe581ba01328bb9685d6efd40de96a3c184689f0b6b8e9afbe3
Opcode Fuzzy Hash: f9ebbee3138918eb49987ffcae203f2db759e64523c4e9cb16a55f0f489429b6
Instruction Fuzzy Hash: 8711E3B5A00209FFCB159F94DD84ABEB7B9EF84314B14802DEA82D7220D735EE44EB10

Function 00FFB478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00FFB498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FFB4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FFB4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FFB4DB

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 463bee56a85f4f21a3519a1709745eff2e92ee0a1a14e54c21da40d574653811
Instruction ID: fc0d2169c16de462dd0d70545eb9a8ecc570e5b7175c83204b7a6393c008b491
Opcode Fuzzy Hash: 463bee56a85f4f21a3519a1709745eff2e92ee0a1a14e54c21da40d574653811
Instruction Fuzzy Hash: 8811187A900218FFDB11DFA9C985EADBBB4FF08710F204091E604B7295D771AE11EB94

Function 00FDB55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00FDB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FDB35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00FDB5A5
GetClientRect.USER32(?,?), ref: 0103E69A
GetCursorPos.USER32(?), ref: 0103E6A4
ScreenToClient.USER32(?,?), ref: 0103E6AF

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 329d78b0a4e216060c297a84e68847d78e3351e93a2d4b133730ccadd64f8cdb
Instruction ID: 643a5e58e6ad05884bae51079997025061d23bb439d4cc6f58adb609ee8596b4
Opcode Fuzzy Hash: 329d78b0a4e216060c297a84e68847d78e3351e93a2d4b133730ccadd64f8cdb
Instruction Fuzzy Hash: 6F113A7550002AFFCF10DF98D9859EE77B9EF48304F150452E981E7244D738AA91DBA1

Function 0100732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 01007352
MessageBoxW.USER32(?,?,?,?), ref: 01007385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0100739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 010073A2

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: c4f9cb39803531dccbddeac6e3e8a2df7551ade22d01c160ab95e599ec624351
Instruction ID: 908dcd276d5293924c4b3f38db5241d17f157258ccfa4a1a4fd26583360f76e8
Opcode Fuzzy Hash: c4f9cb39803531dccbddeac6e3e8a2df7551ade22d01c160ab95e599ec624351
Instruction Fuzzy Hash: 5C1148B6A04204BFE7228BACDC46A9E7FEDAB44310F004355F9E0D3285D779D90087A0

Function 00FDD17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FDD1BA
GetStockObject.GDI32(00000011), ref: 00FDD1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FDD1D8

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 5d1917a3ac7a68843e6dc91914938e83f69d5189585a88949c557f66a96f1b55
Instruction ID: 642beb83b39a3042a23e30fd6d36b2a979d4f946a60c82a2a0ac6f49957cc13c
Opcode Fuzzy Hash: 5d1917a3ac7a68843e6dc91914938e83f69d5189585a88949c557f66a96f1b55
Instruction Fuzzy Hash: 1B11C4B2501549BFEF224F90DC50EEA7B6EFF18368F080112FA5452154D736DC60EBA0

Function 00FF4DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00FF4E16

Part of subcall function 00FF54F5: __fltout2.LIBCMT ref: 00FF551E

__cftog_l.LIBCMT ref: 00FF4E3C
__cftoe_l.LIBCMT ref: 00FF4E6E

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: e1c8fe78cbde72a209c722a5b98d473b6b2a0628e57d3bc7bd8669898fb0592b
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 1201363644014EBBCF125F88DC518EE3F62BF18764B588455FB2899031D336EAB2BB85

Function 00FE7452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FE7A0D: __getptd_noexit.LIBCMT ref: 00FE7A0E

__lock.LIBCMT ref: 00FE748F
InterlockedDecrement.KERNEL32(?), ref: 00FE74AC
_free.LIBCMT ref: 00FE74BF
InterlockedIncrement.KERNEL32(018B2AD0), ref: 00FE74D7

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: ed5cbc88b84805f22b9187471667fd62532bb32ac0b1555bb050473023f0ae25
Instruction ID: e4e43efe701d4261a41f9040011d0cca9a588d6f84c70ac4dafca1d617b03d39
Opcode Fuzzy Hash: ed5cbc88b84805f22b9187471667fd62532bb32ac0b1555bb050473023f0ae25
Instruction Fuzzy Hash: 87018E32E09795D7E622FF66990575EBB60BB04B20F148009F854A76C0C7786901EBD1

Function 00FE7A94 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00FE7AD8

Part of subcall function 00FE7CF4: __mtinitlocknum.LIBCMT ref: 00FE7D06
Part of subcall function 00FE7CF4: EnterCriticalSection.KERNEL32(00000000,?,00FE7ADD,0000000D), ref: 00FE7D1F

InterlockedIncrement.KERNEL32(?), ref: 00FE7AE5
__lock.LIBCMT ref: 00FE7AF9
___addlocaleref.LIBCMT ref: 00FE7B17

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: c23eba35b234cf6afacd5587d5a8ebd8c1a428664fc1fa2e7bce35c265f701f3
Instruction ID: f15acf54fefdcafb52b58865aa81d34757ae77339a4091b9dcaf529db279f88b
Opcode Fuzzy Hash: c23eba35b234cf6afacd5587d5a8ebd8c1a428664fc1fa2e7bce35c265f701f3
Instruction Fuzzy Hash: 70016D71904B44EFD730EF7AC90574AB7F0AF50325F20890EA4DAD7291CB78A680DB05

Function 0102E32E Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0102E33D
_memset.LIBCMT ref: 0102E34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01083D00,01083D44), ref: 0102E37B
CloseHandle.KERNEL32 ref: 0102E38D

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 7f53b4caca244cc92c3cae58c4a5e1556e70d21c8b0c7eec40632415696689e4
Instruction ID: f2e7d4106d8682cf7ff238e7e7b9edbe47b3ef56be02c104d88fb24885fd6bd5
Opcode Fuzzy Hash: 7f53b4caca244cc92c3cae58c4a5e1556e70d21c8b0c7eec40632415696689e4
Instruction Fuzzy Hash: 8AF03AF1544314BAE2203AA5BC45F7B7E6CEB44A54F004421FEC8DA186D6BA980097A8

Function 0102EA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00FDAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00FDAFE3
Part of subcall function 00FDAF83: SelectObject.GDI32(?,00000000), ref: 00FDAFF2
Part of subcall function 00FDAF83: BeginPath.GDI32(?), ref: 00FDB009
Part of subcall function 00FDAF83: SelectObject.GDI32(?,00000000), ref: 00FDB033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0102EA8E
LineTo.GDI32(00000000,?,?), ref: 0102EA9B
EndPath.GDI32(00000000), ref: 0102EAAB
StrokePath.GDI32(00000000), ref: 0102EAB9

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: bbc273ae27d27e050b4a857a2d8bfec123170ec31b0e3d28d7f8262449c07575
Instruction ID: 8d9cb6d2448cef64117dedd10df1d33fa191317a936ad282f0393883816c6f82
Opcode Fuzzy Hash: bbc273ae27d27e050b4a857a2d8bfec123170ec31b0e3d28d7f8262449c07575
Instruction Fuzzy Hash: 8DF0B435045154BBDB229F94AD09FCE3F556F15310F144141FA81610D1837E5122DB95

Function 00FFC82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00FFC84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FFC85D
GetCurrentThreadId.KERNEL32 ref: 00FFC864
AttachThreadInput.USER32(00000000), ref: 00FFC86B

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 15ca06bc1e0867d9f3bf83848bf7c62b031db61516ad3d88ca84d577df4c716c
Instruction ID: 1d9dddfddc07e87e63f16e84446b3e6a475a994fedb989efdabcddbd79dda902
Opcode Fuzzy Hash: 15ca06bc1e0867d9f3bf83848bf7c62b031db61516ad3d88ca84d577df4c716c
Instruction Fuzzy Hash: F3E030B554122C77DB201AA29D4DEDB7F1CEF157B1F008411B64D84450C6768580D7E0

Function 00FFB0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00FFB0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,00FFAC9D), ref: 00FFB0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00FFAC9D), ref: 00FFB0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,00FFAC9D), ref: 00FFB0F1

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: cd45591314ca552ab28f9e7810ca5875c4558c9c9e2b4708e22316198ab61324
Instruction ID: c34859a48583eedb1cd8290af323a08aa40808c2afc675c993e823652f8cd331
Opcode Fuzzy Hash: cd45591314ca552ab28f9e7810ca5875c4558c9c9e2b4708e22316198ab61324
Instruction Fuzzy Hash: B2E04FB6B01211ABD7301FF19E4CB573BA8EF657A6F018818B781D6044DA2984018760

Function 00FDB47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00FDB496
SetTextColor.GDI32(?,000000FF), ref: 00FDB4A0
SetBkMode.GDI32(?,00000001), ref: 00FDB4B5
GetStockObject.GDI32(00000005), ref: 00FDB4BD
GetWindowDC.USER32(?,00000000), ref: 0103DE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0103DE38
GetPixel.GDI32(00000000,?,00000000), ref: 0103DE51
GetPixel.GDI32(00000000,00000000,?), ref: 0103DE6A
GetPixel.GDI32(00000000,?,?), ref: 0103DE8A
ReleaseDC.USER32(?,00000000), ref: 0103DE95

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 9b7a1868247b90326e7434b4ab58d73b71dcdcd3d14f75fcb858f3bc26d11d8f
Instruction ID: 3aa983d790adb34c989665448f409a02ed65a8219e1e74f9279200b52b3b49e1
Opcode Fuzzy Hash: 9b7a1868247b90326e7434b4ab58d73b71dcdcd3d14f75fcb858f3bc26d11d8f
Instruction Fuzzy Hash: 2FE06D75100280BBEB326FE8A84DBD83F11AB62335F04C266FBEA580E6C7764580DB11

Function 00FFB2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FFB2DF
UnloadUserProfile.USERENV(?,?), ref: 00FFB2EB
CloseHandle.KERNEL32(?), ref: 00FFB2F4
CloseHandle.KERNEL32(?), ref: 00FFB2FC

Part of subcall function 00FFAB24: GetProcessHeap.KERNEL32(00000000,?,00FFA848), ref: 00FFAB2B
Part of subcall function 00FFAB24: HeapFree.KERNEL32(00000000), ref: 00FFAB32

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: ac9699bf27bf1a3903ce6a3d85186ef8834cee9cf87d561c18a04fc1a2ddd929
Instruction ID: 34f0b6686550e2011f451aea9b9d4cb4fad02bbf1b0628fbe8123eced42d93d6
Opcode Fuzzy Hash: ac9699bf27bf1a3903ce6a3d85186ef8834cee9cf87d561c18a04fc1a2ddd929
Instruction Fuzzy Hash: A7E0BF7A104005BBCB126BD5DD48859FBA6FFA87213108221F65581579CB3B9471EB50

Function 0103B29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0103B29A
GetDC.USER32(00000000), ref: 0103B2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0103B2C3
ReleaseDC.USER32 ref: 0103B2E2

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 316918434503ce00c07c789a4d63c26c3fe6175f855422eb61093187afb54eba
Instruction ID: 0aa29ba77ab8fed75087b23833ef15106a1e8ec9d429766e3978fb8b15aa46d6
Opcode Fuzzy Hash: 316918434503ce00c07c789a4d63c26c3fe6175f855422eb61093187afb54eba
Instruction Fuzzy Hash: D3E04FF9100204EFDB115FB0C98862D7BA9EF5C354F15C806FC9A87300CB7A98409B40

Function 0103B2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0103B2AE
GetDC.USER32(00000000), ref: 0103B2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0103B2C3
ReleaseDC.USER32 ref: 0103B2E2

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 73e6943697c0d246bcd151c1fe30872c320e6e105f058416780af8e7e04ab524
Instruction ID: 5e66b3a72ed00693b4bf85a88c01d7fd68573b5a92181970db62ccc72c1beb7b
Opcode Fuzzy Hash: 73e6943697c0d246bcd151c1fe30872c320e6e105f058416780af8e7e04ab524
Instruction Fuzzy Hash: 6DE04FF9500200EFDB115FB0C98862D7BA5EB5C350B158406F99A87300CB7E98009B40

Function 00FFDCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00FFDEAA

Strings

AutoIt3GUI, xrefs: 00FFDE22
Container, xrefs: 00FFDE29

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: dadad5c35ab86404762327f6e4928138619ed2c539bf101e88a6d3c9965cadc8
Instruction ID: ef0c1d4a0863e582fbb6047b4800d44b8d4a3f6be43fc7c1b5cbda3881032107
Opcode Fuzzy Hash: dadad5c35ab86404762327f6e4928138619ed2c539bf101e88a6d3c9965cadc8
Instruction Fuzzy Hash: 71913774600609AFDB14DF64C884F6AB7BABF49710F10856EF94ACF2A0DB71E841DB60

Function 00FDBCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00FDBCDA
GlobalMemoryStatusEx.KERNEL32 ref: 00FDBCF3

Strings

@, xrefs: 00FDBCE8

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f1acaa31280e791976472a356d1f2dcc0d3126dc9e2c2ffd0529828af142d154
Instruction ID: e64f603e97f82b450f752948c51fc2140b390920f4eaeb450cd88ca619016774
Opcode Fuzzy Hash: f1acaa31280e791976472a356d1f2dcc0d3126dc9e2c2ffd0529828af142d154
Instruction Fuzzy Hash: 5E5179714087449BE360AF10DC85BAFBBECFFA4354F41484EF1C8422A6DF7588A89792

Function 0100C56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00FC44ED: __fread_nolock.LIBCMT ref: 00FC450B

_wcscmp.LIBCMT ref: 0100C65D
_wcscmp.LIBCMT ref: 0100C670

Strings

FILE, xrefs: 0100C5A5

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 28a594201326c812f8a996c004632d9346b378bd74434e6cad72fc8b4ee79a23
Instruction ID: ae9cead236d0cfe854ba21bd2bf397bd23920f66bb5244bc079b0733b9f746fc
Opcode Fuzzy Hash: 28a594201326c812f8a996c004632d9346b378bd74434e6cad72fc8b4ee79a23
Instruction Fuzzy Hash: E641F876A0020ABBEF21DAA4CC42FEF77B9AF49700F000469FA41EB181D675AA04DB51

Function 0102A76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0102A85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0102A86F

Strings

', xrefs: 0102A7C3

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 9780e836df08b2aaf6bcb6da9a35b6c873a34a74944d26460f2c34e7d0e3e959
Instruction ID: 173bb33d9500b7785daf92e4abd5662fcb3033b47dc686bc632ba7be958528dd
Opcode Fuzzy Hash: 9780e836df08b2aaf6bcb6da9a35b6c873a34a74944d26460f2c34e7d0e3e959
Instruction Fuzzy Hash: 20410774B01219DFDB54CFA8C981BDA7BB9FF08304F1000AAEA45AB741DB75A942CF94

Function 01015180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01015190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 010151C6

Strings

|, xrefs: 010151B5

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 25788f228f0e7f697f9fabfc5a55d792f2739facdc015d90e6ed3e20095c11a0
Instruction ID: e95012605b517057835d55531d550f86780ca16f17dc43983f5012845a503c8a
Opcode Fuzzy Hash: 25788f228f0e7f697f9fabfc5a55d792f2739facdc015d90e6ed3e20095c11a0
Instruction Fuzzy Hash: 32311971800119ABCF11EFE4CD86EEE7FB9FF59700F000059F919A6166EA35A946DBA0

Function 0102975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 0102980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0102984A

Strings

static, xrefs: 010297AA

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: ae2bb5dd9e0542eecb25ed04b10e9b63b30e51f1075c001f474135853da823c3
Instruction ID: 6999b1033ad1e331ea91f174f32ff2959bc82a9443b6fb3983ed6850a5f062fe
Opcode Fuzzy Hash: ae2bb5dd9e0542eecb25ed04b10e9b63b30e51f1075c001f474135853da823c3
Instruction Fuzzy Hash: 8B317C71100624AEEB219F78CC80BFB77A9FF58764F048619F9E9C7191CA75A882D760

Function 01005157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 010051C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01005201

Strings

0, xrefs: 010051BF

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: c6a250f9dfb0cae6ed082ad76e87fe0f61017a48d58684d5b5e77f700c26e95a
Instruction ID: 7a129682484d90c1b1d68f04c4d05eeee2e6cbca5b4c4daa31eefd18662d61e3
Opcode Fuzzy Hash: c6a250f9dfb0cae6ed082ad76e87fe0f61017a48d58684d5b5e77f700c26e95a
Instruction Fuzzy Hash: 7C31AE31A00204EBFB66CE9DDC45BAEBBF8AF46350F144459FAC1A61D0E7749644CF10

Function 0101658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 01016608

Strings

, $, xrefs: 01016648
AUTOITCALLVARIABLE%d, xrefs: 010165FA

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 86d3e32f4d26e13e2b324c9cbc9b7444ea1e9a3c4a9aad87cc0ef04a4afc69f1
Instruction ID: da40b060b313a4f3c20578e0954183fafc5b30398f81c793966f915a5edf63cb
Opcode Fuzzy Hash: 86d3e32f4d26e13e2b324c9cbc9b7444ea1e9a3c4a9aad87cc0ef04a4afc69f1
Instruction Fuzzy Hash: F2219A31A00219AACF10EFA4DD82FAE77B4AF48700F04046DF545AF146DB78E945EBA5

Function 010293CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0102945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01029467

Strings

Combobox, xrefs: 01029429

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 604d849af66b59c0cdc923b3069890c2cfebc157ed7c00224a179ac5408af66a
Instruction ID: 4d79ef4cd4032d3d986731ab590593c9fd47691a8f35305eebfc16f992864012
Opcode Fuzzy Hash: 604d849af66b59c0cdc923b3069890c2cfebc157ed7c00224a179ac5408af66a
Instruction Fuzzy Hash: C011B6713001287FEF269E58DC80EFB37AEEB483A8F104125F99997291D6359C518760

Function 010298FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00FDD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FDD1BA
Part of subcall function 00FDD17C: GetStockObject.GDI32(00000011), ref: 00FDD1CE
Part of subcall function 00FDD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FDD1D8

GetWindowRect.USER32(00000000,?), ref: 01029968
GetSysColor.USER32(00000012), ref: 01029982

Strings

static, xrefs: 01029945

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: f19ff47813f754346be70729c4625f48e7310cdb53052033d8792ac0671b93f5
Instruction ID: d9416fae6485cfa79ecbd6436988551fa8320502ae973ed99c6c7df2a91bd975
Opcode Fuzzy Hash: f19ff47813f754346be70729c4625f48e7310cdb53052033d8792ac0671b93f5
Instruction Fuzzy Hash: 87116A7261021AAFDB15DFB8CC45AEE7BA8FF08318F050618F995D3240D735E810DB50

Function 01029617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 01029699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010296A8

Strings

edit, xrefs: 0102967D

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 20d82dd777345f6722a31ea523a742a6fed11d9ed78eafe871f24ca49664cf17
Instruction ID: 9a3296df54bb76db9ff27b1685756e6e03cfb0114f2fe669702849a574db761e
Opcode Fuzzy Hash: 20d82dd777345f6722a31ea523a742a6fed11d9ed78eafe871f24ca49664cf17
Instruction Fuzzy Hash: 42119A71100128AFEB614EA8DC88AEB3BEAEB0936CF100314F9A5931E0C7369C50D760

Function 01005262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 010052D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 010052F4

Strings

0, xrefs: 010052CE

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 094b7be019e5032a9f8bc0ecc4430ebc6ac3457bdc673d3dd17a9e45c25e38e1
Instruction ID: 0fea4ef20d6e857b4da3f382d3007fbf058b6cf410cb49c1f85c384cb5215859
Opcode Fuzzy Hash: 094b7be019e5032a9f8bc0ecc4430ebc6ac3457bdc673d3dd17a9e45c25e38e1
Instruction Fuzzy Hash: 8511DD72901214EBFB62EA9CDD45BAD7BF8AF06710F044065EAC1A72D4D7B0A905CFA0

Function 01014D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 01014DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 01014E1E

Strings

<local>, xrefs: 01014DE6

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 87d999a0f4c98b2740cedce474e675524de2efc851de7ac5b36ce6d766341ccc
Instruction ID: eabadf42d631a4eb6049fc8b2a32aaf42d61e38abc512c89df9ddb532e36c0b1
Opcode Fuzzy Hash: 87d999a0f4c98b2740cedce474e675524de2efc851de7ac5b36ce6d766341ccc
Instruction Fuzzy Hash: 2711E0B0600221BBDF259EA5C888EFBFEE8FF06350F40822AF18596054E3B85845C6E0

Function 0101A82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0101A84E
htons.WSOCK32(00000000,?,00000000), ref: 0101A88B

Strings

255.255.255.255, xrefs: 0101A866

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 225eaed352e8b6f585c0946970fcf5c4936b005bf4e650d02a2f200bf263b675
Instruction ID: e4812a12351b2cd86eee59d34eca4665339e900d09cc130f1a723dd53e2f1372
Opcode Fuzzy Hash: 225eaed352e8b6f585c0946970fcf5c4936b005bf4e650d02a2f200bf263b675
Instruction Fuzzy Hash: 96014578300345EBDB21DFA8C886FAEB3A4FF44314F10846AE9569B2D1D739E801C751

Function 00FFB781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FFB7EF

Strings

ComboBox, xrefs: 00FFB78B
ListBox, xrefs: 00FFB7B9

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 65919190b427327331b10c8a7c3881c29a3cf7ad75a0b04122ec1d1fd5a4557a
Instruction ID: 483f75cc01d5aa77aeef8169e95d60a1629480506dbe9162262e97d0a28944e8
Opcode Fuzzy Hash: 65919190b427327331b10c8a7c3881c29a3cf7ad75a0b04122ec1d1fd5a4557a
Instruction Fuzzy Hash: 0001D871A41119ABCB04FBA4CD53EFE3369BF86350B08061DF561572E2DF785908E794

Function 00FFB67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 00FFB6EB

Strings

ComboBox, xrefs: 00FFB687
ListBox, xrefs: 00FFB6B5

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: de1341ec395c002366bade062fcf5283c489b3471e81d915f01353c8d5b446dd
Instruction ID: ba22fc5c7be9ef297f8c153342df309e1e71c5cb540085ce3c18a02d3b2fa912
Opcode Fuzzy Hash: de1341ec395c002366bade062fcf5283c489b3471e81d915f01353c8d5b446dd
Instruction Fuzzy Hash: 260184B1A41009ABCB04EBA4CE53FFE73A99F45344F14001DF542A71A2EB585E18A7E5

Function 00FFB700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 00FFB76C

Strings

ComboBox, xrefs: 00FFB70A
ListBox, xrefs: 00FFB738

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 423a14477a1ea7cb363a2ea07bda875230fa0e2fc77966cda8d61e4097a822bc
Instruction ID: 19e50a67f184d9f8321af0dac707d350c36870ab209ed51f3d7821b973246be1
Opcode Fuzzy Hash: 423a14477a1ea7cb363a2ea07bda875230fa0e2fc77966cda8d61e4097a822bc
Instruction Fuzzy Hash: 5B018FB6A41109ABCB00F6A4CE43FFE73A99F45344B18001DF541B31A2DB685E09A7A5

Function 01007744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 01007762
_wcscmp.LIBCMT ref: 01007774

Strings

#32770, xrefs: 0100776E

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 9a1700a8504e39ce0ba37d21f52c14b4cff2843248e6c51e7acf439dfe3c119d
Instruction ID: ae2f4394fc7546605c8d6a622f59c34995e46bff67ce13c1e8ff96c920dc0ccc
Opcode Fuzzy Hash: 9a1700a8504e39ce0ba37d21f52c14b4cff2843248e6c51e7acf439dfe3c119d
Instruction Fuzzy Hash: 06E0D877A0432427E720EAEADC49ECBFBACFB95B60F00405AF985D7141D674E60187D4

Function 00FFA631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00FFA63F

Part of subcall function 00FE13F1: _doexit.LIBCMT ref: 00FE13FB

Strings

Error allocating memory., xrefs: 00FFA638
AutoIt, xrefs: 00FFA633

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 0aefb876d19eb2b42b839cdbb8a5a979e42543397171a360842831627983fafb
Instruction ID: 5657acaa11966c6cf883340a5b537bcc154890e1805565cdbfa03966c9c21809
Opcode Fuzzy Hash: 0aefb876d19eb2b42b839cdbb8a5a979e42543397171a360842831627983fafb
Instruction Fuzzy Hash: 85D0C23138031833D210269A6C07FC576488B18BA1F08002ABB489968249EA958052D9

Function 0103AE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 0103ACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0103AEBD

Strings

WIN_XPe, xrefs: 0103ACD3

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: 8bef71988099d87c1fffe3fed48fde8391d87efe1d5a086c7189d8ca8dccf192
Instruction ID: fc8cbed37656a047df4b9aeb9763604160b1a8ad52e7b321e072c96a22118f2f
Opcode Fuzzy Hash: 8bef71988099d87c1fffe3fed48fde8391d87efe1d5a086c7189d8ca8dccf192
Instruction Fuzzy Hash: F5E065B0D1010DDFDB11DBA8DA849ECB7BCAB98300F048091E5C6F3154C7354645DF21

Function 01028698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 010286A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 010286B5

Part of subcall function 01007A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 01007AD0

Strings

Shell_TrayWnd, xrefs: 0102869B

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 200dce15ba93f1a7db8337f52d175c633af1287f4fd06eb529652c02ffb752c5
Instruction ID: 86479a3038da9693e33a0293e50d837f53c4f6f36fd10e11495ae909a1d91c6e
Opcode Fuzzy Hash: 200dce15ba93f1a7db8337f52d175c633af1287f4fd06eb529652c02ffb752c5
Instruction Fuzzy Hash: A9D01275794314B7F27466B09D4BFC67A18AB64B11F100819B7C9AE1C4C9E9E940C754

Function 010286CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 010286E2
PostMessageW.USER32(00000000), ref: 010286E9

Part of subcall function 01007A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 01007AD0

Strings

Shell_TrayWnd, xrefs: 010286DB

Memory Dump Source

Source File: 00000000.00000002.1275548696.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.1275521672.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000104D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275614615.000000000106E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275675458.000000000107A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1275696281.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_NRFQFP.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 54fa8c088cc6c24ec4038e23e73944b9d04ee04817ed0beb55f6db2b14ce64f3
Instruction ID: d223017235cb24501657509a507ecccd103bc7b7120788106d27f75b0977df26
Opcode Fuzzy Hash: 54fa8c088cc6c24ec4038e23e73944b9d04ee04817ed0beb55f6db2b14ce64f3
Instruction Fuzzy Hash: A4D022713C03147BF23462B09C4BFC23A08AB28B10F000808B3C9EE0C0C8E9F940C758

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NRFQFP.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut7D3A.tmp

C:\Users\user\AppData\Local\Temp\seskin

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
NRFQFP.exe

Function 00FEB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00FC3D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Function 00FDDDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 00FC406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 0100FA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Function 00FC3F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0100BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Function 00FC3742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00FC3E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 01ADA5B8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00FC49FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Function 00FC36B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01ADA388 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Function 00FC51AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON