Edit tour

Windows Analysis Report
pmm.exe

Overview

General Information

Sample name:	pmm.exe
Analysis ID:	1560039
MD5:	19c4258489c94b50d7f6041e2ca575f1
SHA1:	712c83d1cf46aeae6ffba68fe0bc1ec373532f2f
SHA256:	f482d607663a330b6a2393c8c9850bba8eddc53a4f80012c17dfcc416df05880
Tags:	exeuser-zn03zh
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Installs a global keyboard hook

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

pmm.exe (PID: 7496 cmdline: "C:\Users\user\Desktop\pmm.exe" MD5: 19C4258489C94B50D7F6041E2CA575F1)

RegSvcs.exe (PID: 7568 cmdline: "C:\Users\user\Desktop\pmm.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.pgsu.co.id", "Username": "joko.wahyono@pgsu.co.id", "Password": "Vecls16@Vezs           "}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3799892999.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3799892999.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3800700734.00000000031CE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3800700734.00000000031F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1360848326.0000000002270000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1360848326.0000000002270000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1360848326.0000000002270000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334d7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33549:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335d3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33665:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336cf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33741:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337d7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33867:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000002.00000002.3800700734.0000000003181000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3800700734.0000000003181000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: pmm.exe PID: 7496	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: pmm.exe PID: 7496	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7568	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7568	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334d7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33549:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335d3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33665:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336cf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33741:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337d7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33867:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.pmm.exe.2270000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.pmm.exe.2270000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.pmm.exe.2270000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316d7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31749:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317d3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31865:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318cf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31941:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319d7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a67:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.pmm.exe.2270000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.pmm.exe.2270000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.pmm.exe.2270000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334d7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33549:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335d3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33665:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336cf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33741:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337d7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33867:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 107.178.108.41, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7568, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49706

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.pgsu.co.id", "Username": "joko.wahyono@pgsu.co.id", "Password": "Vecls16@Vezs "}

Multi AV Scanner detection for submitted file

Source: pmm.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: pmm.exe

Joe Sandbox ML: detected

Source: pmm.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: pmm.exe, 00000000.00000003.1359566325.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, pmm.exe, 00000000.00000003.1358959651.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: pmm.exe, 00000000.00000003.1359566325.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, pmm.exe, 00000000.00000003.1358959651.0000000003F20000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001F6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_001F6CA9
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001F60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_001F60DD
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001F63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_001F63F9
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001FEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_001FEB60
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001FF56F FindFirstFileW,FindClose,	0_2_001FF56F
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001FF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_001FF5FA
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_00201B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00201B2F
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_00201C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00201C8A
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_00201F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00201F94

Source: global traffic

TCP traffic: 192.168.2.7:49706 -> 107.178.108.41:587

Source: Joe Sandbox View

IP Address: 107.178.108.41 107.178.108.41

Source: global traffic

TCP traffic: 192.168.2.7:49706 -> 107.178.108.41:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_00204EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00204EB5

Source: global traffic

DNS traffic detected: DNS query: mail.pgsu.co.id

Source: RegSvcs.exe, 00000002.00000002.3800700734.00000000031CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.pgsu.co.id
Source: RegSvcs.exe, 00000002.00000002.3800700734.00000000031CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pgsu.co.id
Source: RegSvcs.exe, 00000002.00000002.3800700734.00000000031CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3802352397.0000000006500000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3800271147.000000000146A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3802352397.0000000006527000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.3800700734.00000000031CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3802352397.0000000006500000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3800271147.000000000146A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3802352397.0000000006527000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: RegSvcs.exe, 00000002.00000002.3800700734.00000000031CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3802352397.0000000006500000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3800271147.000000000146A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3800130186.00000000013C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.3800700734.00000000031CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3802352397.0000000006500000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3800271147.000000000146A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3800130186.00000000013C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: pmm.exe, 00000000.00000002.1360848326.0000000002270000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3799892999.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.pmm.exe.2270000.1.raw.unpack, cPKWk.cs

.Net Code: gdCwU6rsZ

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jump to behavior

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_00206B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00206B0C

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_00206D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00206D07

Source: C:\Users\user\Desktop\pmm.exe

0_2_00206B0C

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001F2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_001F2B37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.pmm.exe.2270000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.pmm.exe.2270000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1360848326.0000000002270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\pmm.exe	Code function: This is a third-party compiled AutoIt script.	0_2_001B3D19
Source: pmm.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: pmm.exe, 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7204abde-6
Source: pmm.exe, 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_fcc29301-b
Source: pmm.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d43f5039-a
Source: pmm.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0c7e4c43-a

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001F6606: CreateFileW,DeviceIoControl,CloseHandle,

0_2_001F6606

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001EACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_001EACC5

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001F79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_001F79D3

Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001DB043	0_2_001DB043
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001C3200	0_2_001C3200
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001C3B70	0_2_001C3B70
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001E410F	0_2_001E410F
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001D02A4	0_2_001D02A4
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001E038E	0_2_001E038E
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001BE3B0	0_2_001BE3B0
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001E467F	0_2_001E467F
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001D06D9	0_2_001D06D9
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_0021AACE	0_2_0021AACE
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001E4BEF	0_2_001E4BEF
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001DCCC1	0_2_001DCCC1
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001B6F07	0_2_001B6F07
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001BAF50	0_2_001BAF50
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001CB11F	0_2_001CB11F
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_002131BC	0_2_002131BC
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001DD1B9	0_2_001DD1B9
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001D123A	0_2_001D123A
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001E724D	0_2_001E724D
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001F13CA	0_2_001F13CA
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001B93F0	0_2_001B93F0
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001CF563	0_2_001CF563
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001FB6CC	0_2_001FB6CC
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001B96C0	0_2_001B96C0
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001B77B0	0_2_001B77B0
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001E79C9	0_2_001E79C9
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001CFA57	0_2_001CFA57
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001B9B60	0_2_001B9B60
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001B7D19	0_2_001B7D19
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001CFE6F	0_2_001CFE6F
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001D9ED0	0_2_001D9ED0
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001B7FA3	0_2_001B7FA3
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_01810BE8	0_2_01810BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_03109380	2_2_03109380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_03109B48	2_2_03109B48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_03104AA0	2_2_03104AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_03103E88	2_2_03103E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0310CDC8	2_2_0310CDC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_031041D0	2_2_031041D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0310F4C0	2_2_0310F4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05D4DD10	2_2_05D4DD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05D4BCF8	2_2_05D4BCF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05D48E2F	2_2_05D48E2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05D44FE8	2_2_05D44FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05D43F40	2_2_05D43F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05D456C8	2_2_05D456C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05D40040	2_2_05D40040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05D42AF0	2_2_05D42AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05D43238	2_2_05D43238

Source: C:\Users\user\Desktop\pmm.exe	Code function: String function: 001DF8A0 appears 35 times
Source: C:\Users\user\Desktop\pmm.exe	Code function: String function: 001CEC2F appears 68 times
Source: C:\Users\user\Desktop\pmm.exe	Code function: String function: 001D6AC0 appears 42 times

Source: pmm.exe, 00000000.00000003.1349752727.0000000004043000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs pmm.exe
Source: pmm.exe, 00000000.00000003.1350409093.00000000041ED000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs pmm.exe
Source: pmm.exe, 00000000.00000002.1360848326.0000000002270000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamef1a08a05-b195-4d04-8a01-a86b7545550f.exe4 vs pmm.exe

Source: pmm.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.pmm.exe.2270000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.pmm.exe.2270000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1360848326.0000000002270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.pmm.exe.2270000.1.raw.unpack, cPs8D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.pmm.exe.2270000.1.raw.unpack, 72CF8egH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.pmm.exe.2270000.1.raw.unpack, G5CXsdn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.pmm.exe.2270000.1.raw.unpack, 3uPsILA6U.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.pmm.exe.2270000.1.raw.unpack, 6oQOw74dfIt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.pmm.exe.2270000.1.raw.unpack, aMIWm.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.pmm.exe.2270000.1.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.pmm.exe.2270000.1.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/1

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001FCE7A GetLastError,FormatMessageW,

0_2_001FCE7A

Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001EAB84 AdjustTokenPrivileges,CloseHandle,		0_2_001EAB84
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001EB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_001EB134

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001FE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_001FE1FD

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001F6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_001F6532

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_0020C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_0020C18C

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001B406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001B406B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\pmm.exe

File created: C:\Users\user~1\AppData\Local\Temp\autC741.tmp

Jump to behavior

Source: pmm.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\pmm.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: pmm.exe

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\pmm.exe "C:\Users\user\Desktop\pmm.exe"
Source: C:\Users\user\Desktop\pmm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\pmm.exe"
Source: C:\Users\user\Desktop\pmm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\pmm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\pmm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pmm.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\pmm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\pmm.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\pmm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\pmm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\pmm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pmm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\pmm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\pmm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\pmm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\pmm.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: pmm.exe

Static file information: File size 1125376 > 1048576

Source: pmm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: pmm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: pmm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: pmm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: pmm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: pmm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: pmm.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: pmm.exe, 00000000.00000003.1359566325.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, pmm.exe, 00000000.00000003.1358959651.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: pmm.exe, 00000000.00000003.1359566325.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, pmm.exe, 00000000.00000003.1358959651.0000000003F20000.00000004.00001000.00020000.00000000.sdmp

Source: pmm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: pmm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: pmm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: pmm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: pmm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001CE01E LoadLibraryA,GetProcAddress,

0_2_001CE01E

Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001C288A push 66001C23h; retn 0022h	0_2_001C28E1
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001D6B05 push ecx; ret	0_2_001D6B18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05D43AD7 push ebx; retf	2_2_05D43ADA

Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_00218111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00218111
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001CEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_001CEB42

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001D123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_001D123A

Source: C:\Users\user\Desktop\pmm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pmm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\pmm.exe

API/Special instruction interceptor: Address: 181080C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2697			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7124			Jump to behavior

Source: C:\Users\user\Desktop\pmm.exe

Evaded block: after key decision

graph_0-93518

Source: C:\Users\user\Desktop\pmm.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-94171

Source: C:\Users\user\Desktop\pmm.exe

API coverage: 4.6 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001F6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_001F6CA9
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001F60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_001F60DD
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001F63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_001F63F9
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001FEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_001FEB60
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001FF56F FindFirstFileW,FindClose,	0_2_001FF56F
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001FF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_001FF5FA
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_00201B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00201B2F
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_00201C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00201C8A
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_00201F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00201F94

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001CDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001CDDC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98431	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98175	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98034	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94907	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 93936	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 93828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 93719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 93594	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3802352397.0000000006500000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\pmm.exe

API call chain: ExitProcess graph end node

graph_0-93641

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_00206AAF BlockInput,

0_2_00206AAF

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001B3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_001B3D19

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001E3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_001E3920

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001CE01E LoadLibraryA,GetProcAddress,

0_2_001CE01E

Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_0180F3F8 mov eax, dword ptr fs:[00000030h]	0_2_0180F3F8
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_01810AD8 mov eax, dword ptr fs:[00000030h]	0_2_01810AD8
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_01810A78 mov eax, dword ptr fs:[00000030h]	0_2_01810A78

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001EA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_001EA66C

Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001D8189 SetUnhandledExceptionFilter,		0_2_001D8189
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_001D81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_001D81AC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\pmm.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\pmm.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FCC008

Jump to behavior

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001EB106 LogonUserW,

0_2_001EB106

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001B3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_001B3D19

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001F411C SendInput,keybd_event,

0_2_001F411C

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001F74BB mouse_event,

0_2_001F74BB

Source: C:\Users\user\Desktop\pmm.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\pmm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\pmm.exe

0_2_001EA66C

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001F71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_001F71FA

Source: pmm.exe	Binary or memory string: Shell_TrayWnd
Source: pmm.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001D65C4 cpuid

0_2_001D65C4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_0020091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_0020091D

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_0022B340 GetUserNameW,

0_2_0022B340

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001E1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_001E1E8E

Source: C:\Users\user\Desktop\pmm.exe

Code function: 0_2_001CDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001CDDC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pmm.exe.2270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pmm.exe.2270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3799892999.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3800700734.00000000031CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3800700734.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1360848326.0000000002270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3800700734.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pmm.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7568, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: pmm.exe	Binary or memory string: WIN_81
Source: pmm.exe	Binary or memory string: WIN_XP
Source: pmm.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: pmm.exe	Binary or memory string: WIN_XPe
Source: pmm.exe	Binary or memory string: WIN_VISTA
Source: pmm.exe	Binary or memory string: WIN_7
Source: pmm.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pmm.exe.2270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pmm.exe.2270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3799892999.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1360848326.0000000002270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3800700734.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pmm.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7568, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pmm.exe.2270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pmm.exe.2270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3799892999.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3800700734.00000000031CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3800700734.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1360848326.0000000002270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3800700734.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pmm.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7568, type: MEMORYSTR

Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_00208C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00208C4F
Source: C:\Users\user\Desktop\pmm.exe	Code function: 0_2_0020923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_0020923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	211 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	138 System Information Discovery	Distributed Component Object Model	211 Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	241 Security Software Discovery	SSH	4 Clipboard Data	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	121 Virtualization/Sandbox Evasion	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
pmm.exe	39%	ReversingLabs	Win32.Trojan.AutoitInject
pmm.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pgsu.co.id	107.178.108.41	true	false		high
mail.pgsu.co.id	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://pgsu.co.id	RegSvcs.exe, 00000002.00000002.3800700734.00000000031CE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://r10.o.lencr.org0#	RegSvcs.exe, 00000002.00000002.3800700734.00000000031CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3802352397.0000000006500000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3800271147.000000000146A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3802352397.0000000006527000.00000004.00000020.00020000.00000000.sdmp	false	high
https://account.dyn.com/	pmm.exe, 00000000.00000002.1360848326.0000000002270000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3799892999.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
http://mail.pgsu.co.id	RegSvcs.exe, 00000002.00000002.3800700734.00000000031CE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	RegSvcs.exe, 00000002.00000002.3800700734.00000000031CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3802352397.0000000006500000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3800271147.000000000146A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3800130186.00000000013C7000.00000004.00000020.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	RegSvcs.exe, 00000002.00000002.3800700734.00000000031CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3802352397.0000000006500000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3800271147.000000000146A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3800130186.00000000013C7000.00000004.00000020.00020000.00000000.sdmp	false	high
http://r10.i.lencr.org/0	RegSvcs.exe, 00000002.00000002.3800700734.00000000031CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3802352397.0000000006500000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3800271147.000000000146A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3802352397.0000000006527000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
107.178.108.41	pgsu.co.id	United States		53755	IOFLOODUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560039
Start date and time:	2024-11-21 10:36:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	pmm.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 59 Number of non-executed functions: 288
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: pmm.exe

Simulations

Behavior and APIs

Time	Type	Description
04:37:22	API Interceptor	10004435x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
107.178.108.41	Q7bAgeTZB8vmku7.exe	Get hash	malicious	AgentTesla	Browse
	QcgYuePXfjXfcUD.exe	Get hash	malicious	AgentTesla	Browse
	XXKPgtA6DfbWnGL.exe	Get hash	malicious	AgentTesla	Browse
	Q2EoNFhO7QQHxgS.exe	Get hash	malicious	AgentTesla	Browse
	QCP6Umel59hDYWj.exe	Get hash	malicious	AgentTesla	Browse
	kE7yGmDoMD.exe	Get hash	malicious	AgentTesla	Browse
	sdd.exe	Get hash	malicious	AgentTesla	Browse
	kk.exe	Get hash	malicious	AgentTesla	Browse
	mm.exe	Get hash	malicious	AgentTesla	Browse
	tUaGg541L8.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
IOFLOODUS	Q7bAgeTZB8vmku7.exe	Get hash	malicious	AgentTesla	Browse	107.178.108.41
	QcgYuePXfjXfcUD.exe	Get hash	malicious	AgentTesla	Browse	107.178.108.41
	XXKPgtA6DfbWnGL.exe	Get hash	malicious	AgentTesla	Browse	107.178.108.41
	Quotation request -30112024_pdf.exe	Get hash	malicious	FormBook	Browse	107.167.84.42
	botx.arm.elf	Get hash	malicious	Mirai	Browse	107.178.118.180
	Q2EoNFhO7QQHxgS.exe	Get hash	malicious	AgentTesla	Browse	107.178.108.41
	QCP6Umel59hDYWj.exe	Get hash	malicious	AgentTesla	Browse	107.178.108.41
	kE7yGmDoMD.exe	Get hash	malicious	AgentTesla	Browse	107.178.108.41
	sdd.exe	Get hash	malicious	AgentTesla	Browse	107.178.108.41
	file.exe	Get hash	malicious	WhiteSnake Stealer	Browse	104.161.33.60

Process:	C:\Users\user\Desktop\pmm.exe
File Type:	data
Category:	dropped
Size (bytes):	157114
Entropy (8bit):	7.924944721463325
Encrypted:	false
SSDEEP:	3072:h7OOW1eZiGz1bN92ds8o+0Ee9Thsjvns02hBiBdkTpl1iQAttFP74b35T:QOW1eHZbNH5Xl9TGjns02wdkTb1fuvcF
MD5:	45BF1D65AF2910E87D6D82D63BF77A00
SHA1:	0C9AA0A0F5221E686C4DF78CADB6B45122FAC412
SHA-256:	5F6399714A85B107CFA787B9857236E26A84963808BB7C99E4F503541ABF8C63
SHA-512:	439B1F8C90F7429347BB29A1D5A6E53AF3A1E4E37DF7FE2D601D5DEC7AAF62F2CF910B3452C0D0FE60AD6EDE4A2051A2C81F9AE94EB223F2893D77DCCB042F3D
Malicious:	false
Reputation:	low
Preview:	EA06.....E..9.>.0..i..v.0.U.:.mU.Vjt...gM.P....d.x..k.....i.....x.T=.......k7...+..b.Y..i9.I.r... ..'s.d.+.Vf.x.2.j......iA..-f...Ro.J....I@....i.:..W.V......)...mu..1s..b.C.[.%..2.5...x.[szl..i.u&...L).z.L.i.Vju..,H.4....qP..3P......6..J..-d.;........t.{..l.x.<..G0....G..K.......12.Z.b.Zd..9.Nj..E..xei.....x...>....y.O'29T.T.....<x.@....X..Z\|....U..<...v...V)\k-6..,R.T.............>w...a.......e.u.....]..Uar=....\...f.{..\(......Z2.mUs...g$..Ze8..2.~."_\.....z.9.Q{=......."^jm_.I.l.T..b._..l._..-{.n.Qj-....p..n.BEU..g.z.....U......Z:.NC3...;u...+z..w..&'..m.V...9......"...P.4....v..&..D....x.p.....E.<....}..'...H.8.<v...3}...e_...um...}.>...ho.....I...XF3].....Uv..L.....=..M.<y5.Q'..&..R.0..&...F.V..#.-...;.....$.[....-....vrv....G.}w....n...D....8.......R..^gd....)...>...vj..=BO4..$s..._E.H%.k].?g..&t).....J..Q...K..n.X...6}...O..4...&cG...z...J.Tl....%6.Sg.x.v.N..i.:d..0.Uo...*yW.i.Y..k>.P...UV.U.X..y.,...).YD.S...1...:..+.X...D.s.7..

C:\Users\user\AppData\Local\Temp\vehiculation

Download File

Process:	C:\Users\user\Desktop\pmm.exe
File Type:	data
Category:	modified
Size (bytes):	240128
Entropy (8bit):	6.751817285562325
Encrypted:	false
SSDEEP:	6144:MvBvzpdGTP1yqqvXwOVkNKk89mdmdQqFaeV:Mvdpdo1YvXwOVkNKk89GS5V
MD5:	D8D1659B44B745A4DB7FD5A72ABBBFBC
SHA1:	1944F36576DEA14883A7835B8A69B6B7AD43F696
SHA-256:	398BBDEB7114400811BB9949B2612CDB4FDB2FE85395058B794B75A545D51883
SHA-512:	B83D71D38E94906C0F17FA46A359178F8A6CF6E5CEFA93D992BD30FAB691E37A5EB64748B6E92B77461485136BA77A9571E6FB60C4D0D66F8BEDAB6A3843567A
Malicious:	false
Reputation:	low
Preview:	~..C3OW0]ULI.X0.WUCZJ6U.YSK9K3M8C0OW0YULI1EX0XWUCZJ6ULYSK9K.M8C>P.>Y.E...Y\|.v.+39.%>649X&..Y-^ #.;0l;D+xY6w...j[:(<}F4A.M8C0OW0..LI}D[0h.t%ZJ6ULYSK.K1L3B;OW.ZULA1EX0XWK.YJ6uLYS.:K3MxC0oW0YWLI5EX0XWUC^J6ULYSK9K7M8A0OW0YUNIq.X0HWUSZJ6U\YS[9K3M8C OW0YULI1EX0..VC.J6UL.PK.N3M8C0OW0YULI1EX0XWU.YJ:ULYSK9K3M8C0OW0YULI1EX0XWUCZJ6ULYSK9K3M8C0OW0YULI1EX.XW]CZJ6ULYSK9K;m8CxOW0YULI1EX0v#0;.J6Uh.PK9k3M8.3OW2YULI1EX0XWUCZJ.UL9}9J9PM8CvJW0Y.OI1CX0X.VCZJ6ULYSK9K3MxC0.yB<9#1ET0XWU.YJ6WLYS.:K3M8C0OW0YULIqEXrXWUCZJ6ULYSK9K3M8.3OW0YU.I1EZ0]W..XJ.eMYPK9K2M8E0OW0YULI1EX0XWUCZJ6ULYSK9K3M8C0OW0YULI1EX0XWUCZJ+...qu{0.IRH...2.J..K.....U.#.7M.r.>....pE_..I.Jh..\... .QV28....../\AW=.>.J9.E....w.!...MW.I..N}.^_q.`....{....EB....?..P"UmQ?'\<{.(W$Y.U.BZJ6U........Q;{.z3VKx[I...aQ"....-K9KWM8CBOW08ULIvEX07WUC4J6U2YSKGK3M~C0O.0YU{I1E}0XW8CZJ.ULY-K9K.07L...Y*..I1EX0m..s.'.....\|...{I.N.5....-...j]..L2.A.....7..&t.'.<6z..N0C\5ZPQ@Vw8....j;O7H:D4L[.W....d...l..G....1.73M8C0O.0Y.LI1..0.WUC.J.U..SK9..M.C.O..U

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.874523099115981
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	pmm.exe
File size:	1'125'376 bytes
MD5:	19c4258489c94b50d7f6041e2ca575f1
SHA1:	712c83d1cf46aeae6ffba68fe0bc1ec373532f2f
SHA256:	f482d607663a330b6a2393c8c9850bba8eddc53a4f80012c17dfcc416df05880
SHA512:	b5107250620af675bb73c64f94790b5312dc0ce77007eac915017b5675d515d97238b1a9b5984e134b84bc00be0805778e72b255f60fab5ed15dcc146b023b87
SSDEEP:	24576:0tb20pkaCqT5TBWgNQ7aiyEnGlxD0S3XEF6A:dVg5tQ7aiyEaDo5
TLSH:	84359C1263DD82E4C67251737A15A7016EEB783536B0BC6B2F84093CB8EF1615E1EE63
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	01449a1a796c95a9

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x673E6EBD [Wed Nov 20 23:20:29 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F190885E69Fh
jmp 00007F19088516B4h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F190885183Ah
cmp edi, eax
jc 00007F1908851B9Eh
bt dword ptr [004C0158h], 01h
jnc 00007F1908851839h
rep movsb
jmp 00007F1908851B4Ch
cmp ecx, 00000080h
jc 00007F1908851A04h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F1908851840h
bt dword ptr [004BA370h], 01h
jc 00007F1908851D10h
bt dword ptr [004C0158h], 00000000h
jnc 00007F19088519DDh
test edi, 00000003h
jne 00007F19088519EEh
test esi, 00000003h
jne 00007F19088519CDh
bt edi, 02h
jnc 00007F190885183Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F1908851843h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F1908851895h
bt esi, 03h
jnc 00007F19088518E8h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x49b80	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10e000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x49b80	0x49c00	78f469d97eaf32caba345acd5a6d8669	False	0.7640989141949153	data	7.326460552896851	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10e000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc4458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc4580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc46a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc47d0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 30236 x 30236 px/m	English	Great Britain	0.06435584999408495
RT_MENU	0xd4ff8	0x50	data	English	Great Britain	0.9
RT_STRING	0xd5048	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xd55dc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xd5c68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xd60f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xd66f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd6d50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd71b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd7310	0x36393	data			1.000342189744213
RT_GROUP_ICON	0x10d6a4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x10d6b8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x10d6cc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x10d6e0	0x14	data	English	Great Britain	1.25
RT_VERSION	0x10d6f4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x10d7d0	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 10:37:24.115009069 CET	49706	587	192.168.2.7	107.178.108.41
Nov 21, 2024 10:37:24.234673023 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:24.234880924 CET	49706	587	192.168.2.7	107.178.108.41
Nov 21, 2024 10:37:25.506275892 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:25.507189035 CET	49706	587	192.168.2.7	107.178.108.41
Nov 21, 2024 10:37:25.626708031 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:25.929676056 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:25.936508894 CET	49706	587	192.168.2.7	107.178.108.41
Nov 21, 2024 10:37:26.055999994 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:26.360307932 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:26.367518902 CET	49706	587	192.168.2.7	107.178.108.41
Nov 21, 2024 10:37:26.486933947 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:26.810507059 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:26.810655117 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:26.810669899 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:26.810729980 CET	49706	587	192.168.2.7	107.178.108.41
Nov 21, 2024 10:37:26.850545883 CET	49706	587	192.168.2.7	107.178.108.41
Nov 21, 2024 10:37:26.970228910 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:27.273538113 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:27.328454018 CET	49706	587	192.168.2.7	107.178.108.41
Nov 21, 2024 10:37:27.427012920 CET	49706	587	192.168.2.7	107.178.108.41
Nov 21, 2024 10:37:27.547113895 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:27.850030899 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:27.851768970 CET	49706	587	192.168.2.7	107.178.108.41
Nov 21, 2024 10:37:27.971206903 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:28.274430990 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:28.275377989 CET	49706	587	192.168.2.7	107.178.108.41
Nov 21, 2024 10:37:28.394973993 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:28.702476978 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:28.702807903 CET	49706	587	192.168.2.7	107.178.108.41
Nov 21, 2024 10:37:28.822510004 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:29.125426054 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:29.125716925 CET	49706	587	192.168.2.7	107.178.108.41
Nov 21, 2024 10:37:29.245245934 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:29.626486063 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:29.626699924 CET	49706	587	192.168.2.7	107.178.108.41
Nov 21, 2024 10:37:29.746453047 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:30.051004887 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:30.051723957 CET	49706	587	192.168.2.7	107.178.108.41
Nov 21, 2024 10:37:30.051783085 CET	49706	587	192.168.2.7	107.178.108.41
Nov 21, 2024 10:37:30.051783085 CET	49706	587	192.168.2.7	107.178.108.41
Nov 21, 2024 10:37:30.051801920 CET	49706	587	192.168.2.7	107.178.108.41
Nov 21, 2024 10:37:30.171386003 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:30.171401024 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:30.171655893 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:30.171685934 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:30.581099033 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:37:30.625305891 CET	49706	587	192.168.2.7	107.178.108.41
Nov 21, 2024 10:39:02.766705990 CET	49706	587	192.168.2.7	107.178.108.41
Nov 21, 2024 10:39:02.886276007 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:39:03.159447908 CET	587	49706	107.178.108.41	192.168.2.7
Nov 21, 2024 10:39:03.163162947 CET	49706	587	192.168.2.7	107.178.108.41

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 10:37:22.748393059 CET	49492	53	192.168.2.7	1.1.1.1
Nov 21, 2024 10:37:23.750559092 CET	49492	53	192.168.2.7	1.1.1.1
Nov 21, 2024 10:37:24.107330084 CET	53	49492	1.1.1.1	192.168.2.7
Nov 21, 2024 10:37:24.107352972 CET	53	49492	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 21, 2024 10:37:22.748393059 CET	192.168.2.7	1.1.1.1	0x7a01	Standard query (0)	mail.pgsu.co.id	A (IP address)	IN (0x0001)	false
Nov 21, 2024 10:37:23.750559092 CET	192.168.2.7	1.1.1.1	0x7a01	Standard query (0)	mail.pgsu.co.id	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 21, 2024 10:37:24.107330084 CET	1.1.1.1	192.168.2.7	0x7a01	No error (0)	mail.pgsu.co.id	pgsu.co.id		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 10:37:24.107330084 CET	1.1.1.1	192.168.2.7	0x7a01	No error (0)	pgsu.co.id		107.178.108.41	A (IP address)	IN (0x0001)	false
Nov 21, 2024 10:37:24.107352972 CET	1.1.1.1	192.168.2.7	0x7a01	No error (0)	mail.pgsu.co.id	pgsu.co.id		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 10:37:24.107352972 CET	1.1.1.1	192.168.2.7	0x7a01	No error (0)	pgsu.co.id		107.178.108.41	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 21, 2024 10:37:25.506275892 CET	587	49706	107.178.108.41	192.168.2.7	220-grogolvps.padinet.com ESMTP Exim 4.98 #2 Thu, 21 Nov 2024 16:37:25 +0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 21, 2024 10:37:25.507189035 CET	49706	587	192.168.2.7	107.178.108.41	EHLO 216041
Nov 21, 2024 10:37:25.929676056 CET	587	49706	107.178.108.41	192.168.2.7	250-grogolvps.padinet.com Hello 216041 [8.46.123.75] 250-SIZE 52428800 250-LIMITS MAILMAX=1000 RCPTMAX=50000 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 21, 2024 10:37:25.936508894 CET	49706	587	192.168.2.7	107.178.108.41	STARTTLS
Nov 21, 2024 10:37:26.360307932 CET	587	49706	107.178.108.41	192.168.2.7	220 TLS go ahead

Target ID:	0
Start time:	04:37:19
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\pmm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\pmm.exe"
Imagebase:	0x1b0000
File size:	1'125'376 bytes
MD5 hash:	19C4258489C94B50D7F6041E2CA575F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1360848326.0000000002270000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1360848326.0000000002270000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1360848326.0000000002270000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:37:20
Start date:	21/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\pmm.exe"
Imagebase:	0xdf0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3799892999.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3799892999.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3800700734.00000000031CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3800700734.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3800700734.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3800700734.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	6.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	176

Executed Functions

Function 001DB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c2805bfc4fa196963c7dafd446a308938acfc6b5cd03384309e99c9c0208df
Instruction ID: b5bfb3377a910e374ee1912153a77cf7d29ede8137189478ddb4b1e28059ed9c
Opcode Fuzzy Hash: 69c2805bfc4fa196963c7dafd446a308938acfc6b5cd03384309e99c9c0208df
Instruction Fuzzy Hash: C5324A75A06229CBCB24CF18DC85AE9B7B5FB46310F5941DAE40AE7B81D7309E80CF52

Function 001B3D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,001B3AA3,?), ref: 001B3D45
IsDebuggerPresent.KERNEL32(?,?,?,?,001B3AA3,?), ref: 001B3D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,00271148,00271130,?,?,?,?,001B3AA3,?), ref: 001B3DC8

Part of subcall function 001B6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,001B3DEE,00271148,?,?,?,?,?,001B3AA3,?), ref: 001B6471

SetCurrentDirectoryW.KERNEL32(?,?,?,001B3AA3,?), ref: 001B3E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,002628F4,00000010), ref: 00221CCE
SetCurrentDirectoryW.KERNEL32(?,00271148,?,?,?,?,?,001B3AA3,?), ref: 00221D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0024DAB4,00271148,?,?,?,?,?,001B3AA3,?), ref: 00221D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,001B3AA3), ref: 00221D90

Part of subcall function 001B3E6E: GetSysColorBrush.USER32(0000000F), ref: 001B3E79
Part of subcall function 001B3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 001B3E88
Part of subcall function 001B3E6E: LoadIconW.USER32(00000063), ref: 001B3E9E
Part of subcall function 001B3E6E: LoadIconW.USER32(000000A4), ref: 001B3EB0
Part of subcall function 001B3E6E: LoadIconW.USER32(000000A2), ref: 001B3EC2
Part of subcall function 001B3E6E: RegisterClassExW.USER32(?), ref: 001B3F30

Part of subcall function 001B36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001B36E6
Part of subcall function 001B36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 001B3707
Part of subcall function 001B36B8: ShowWindow.USER32(00000000,?,?,?,?,001B3AA3,?), ref: 001B371B
Part of subcall function 001B36B8: ShowWindow.USER32(00000000,?,?,?,?,001B3AA3,?), ref: 001B3724

Part of subcall function 001B4FFC: _memset.LIBCMT ref: 001B5022
Part of subcall function 001B4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 001B50CB

Strings

runas, xrefs: 00221D84
()&, xrefs: 00221D49
This is a third-party compiled AutoIt script., xrefs: 00221CC8

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: ()&$This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-3158256250
Opcode ID: b3698c70aa22ec123e087cc50d373a03419f80b778382059938cd6a76a8ebba2
Instruction ID: edb9874201cd4b143a9125e205ded28d59377ef5c8fff2eb05f656810599b5ae
Opcode Fuzzy Hash: b3698c70aa22ec123e087cc50d373a03419f80b778382059938cd6a76a8ebba2
Instruction Fuzzy Hash: CD510830A14249FACF11BBF8FC4AEED7B75AF25740F004065F51966192DB748A79CB21

Function 001CDDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 001CDDEC
GetCurrentProcess.KERNEL32(00000000,0024DC38,?,?), ref: 001CDEAC
GetNativeSystemInfo.KERNELBASE(?,0024DC38,?,?), ref: 001CDF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 001CDF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 001CDF1F
GetSystemInfo.KERNEL32(?,0024DC38,?,?), ref: 001CDF29
GetSystemInfo.KERNEL32(?,0024DC38,?,?), ref: 001CDF35

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: c44a9734966d5e59c1fb82be298fc303f6c743f31b3652b9357127a22031df64
Instruction ID: 162f08bb0b8eddd3230e374aa388c061fdb73156d98fad1d8ea569583068701f
Opcode Fuzzy Hash: c44a9734966d5e59c1fb82be298fc303f6c743f31b3652b9357127a22031df64
Instruction Fuzzy Hash: EC6180B181A2D4DBCF15DF68A8C16EA7FB4AF39300B1949EDD8459F207C724C909CB65

Function 001B406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001B449E,?,?,00000000,00000001), ref: 001B407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001B449E,?,?,00000000,00000001), ref: 001B4092
LoadResource.KERNEL32(?,00000000,?,?,001B449E,?,?,00000000,00000001,?,?,?,?,?,?,001B41FB), ref: 00224F1A
SizeofResource.KERNEL32(?,00000000,?,?,001B449E,?,?,00000000,00000001,?,?,?,?,?,?,001B41FB), ref: 00224F2F
LockResource.KERNEL32(001B449E,?,?,001B449E,?,?,00000000,00000001,?,?,?,?,?,?,001B41FB,00000000), ref: 00224F42

Strings

SCRIPT, xrefs: 001B4088

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: eedf2f575dec9b4e08789aeaedba42a993a102b5e928d6eab2023299e8e6c098
Instruction ID: 401c5a44118db8542549818497106a1fc9bbb1e494c416a667bdcc7162741f31
Opcode Fuzzy Hash: eedf2f575dec9b4e08789aeaedba42a993a102b5e928d6eab2023299e8e6c098
Instruction Fuzzy Hash: 34118E70210701BFE7219B65FC48FA77BB9EBC5B51F10822CFA02962A1DB71DC00CA21

Function 001C3B70 Relevance: 5.9, Strings: 4, Instructions: 903COMMON

Download Yara Rule

Strings

', xrefs: 001C40EC
', xrefs: 001C40A4
@, xrefs: 001C4176
', xrefs: 0022701F

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @$ '$ '$ '
API String ID: 3728558374-2225974472
Opcode ID: f2c39beebd020e9b638f90fd73c432df12a5904b87733e36e8e594abc3cad9fc
Instruction ID: c27cca18794ae03ff081539c9c17b4c82a1b7fd8d547e91367ca33a507d954d1
Opcode Fuzzy Hash: f2c39beebd020e9b638f90fd73c432df12a5904b87733e36e8e594abc3cad9fc
Instruction Fuzzy Hash: 2B72AB70A08209EBCB14DF94D491FAEB7B5EF68300F15C05EE91AAB291D730EE55CB91

Function 001F6CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00222F49), ref: 001F6CB9
FindFirstFileW.KERNELBASE(?,?), ref: 001F6CCA
FindClose.KERNEL32(00000000), ref: 001F6CDA

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 8145b2d776c50d02327e00d3b83c2dbb01ccdd339e397e79955b5b030df09711
Instruction ID: ecdbc0e3975596c0683fd1041e4d30c9f92cf4464d259d0e089818ca41f2cb6b
Opcode Fuzzy Hash: 8145b2d776c50d02327e00d3b83c2dbb01ccdd339e397e79955b5b030df09711
Instruction Fuzzy Hash: F9E04F31814519ABC3246738FC0D8FA77ACEA16339F104716FAFAC21E0EBB0D95496D6

Function 001C3200 Relevance: 2.2, Strings: 1, Instructions: 986COMMON

Download Yara Rule

Strings

', xrefs: 0022933E

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: BuffCharUpper
String ID: '
API String ID: 3964851224-3569288533
Opcode ID: c00462f576b0ca2d046c7e318826b9b87c8f33bb4b59ad828cebe00fa00b7096
Instruction ID: 6f051d52c53a6c6ce28c3d20f4bcd6a30c78fc47b1a0af2d51be52a52d3205a0
Opcode Fuzzy Hash: c00462f576b0ca2d046c7e318826b9b87c8f33bb4b59ad828cebe00fa00b7096
Instruction Fuzzy Hash: 95926A70608341DFD728DF18C484F6AB7E1BFA8304F14895DE99A8B262D771ED85CB92

Function 001BE8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001BE959
timeGetTime.WINMM ref: 001BEBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001BED2E
TranslateMessage.USER32(?), ref: 001BED3F
DispatchMessageW.USER32(?), ref: 001BED4A
LockWindowUpdate.USER32(00000000), ref: 001BED79
DestroyWindow.USER32 ref: 001BED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001BED9F
Sleep.KERNEL32(0000000A), ref: 00225270
TranslateMessage.USER32(?), ref: 002259F7
DispatchMessageW.USER32(?), ref: 00225A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00225A19

Strings

@GUI_WINHANDLE, xrefs: 00225360
@GUI_CTRLHANDLE, xrefs: 002253AC
@TRAY_ID, xrefs: 002254C9
@GUI_CTRLID, xrefs: 00225314

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 626f749237232b12ec680cf7e73809c1b7c8c3a523a1f655dc9658c775ea67d3
Instruction ID: c767f48bf5d2bac15183fe41706e8905cad68fc9a479d79f7c36a4226ad0cb32
Opcode Fuzzy Hash: 626f749237232b12ec680cf7e73809c1b7c8c3a523a1f655dc9658c775ea67d3
Instruction Fuzzy Hash: 6B62E470508351DFDB24DF64E889BEA77E4BF54304F04496DF98A8B292DBB0D898CB52

Function 001E5C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 001E5EC3
___createFile.LIBCMT ref: 001E5F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 001E5F2D
__dosmaperr.LIBCMT ref: 001E5F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 001E5F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 001E5F6A
__dosmaperr.LIBCMT ref: 001E5F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 001E5F7C
__set_osfhnd.LIBCMT ref: 001E5FAC
__lseeki64_nolock.LIBCMT ref: 001E6016
__close_nolock.LIBCMT ref: 001E603C
__chsize_nolock.LIBCMT ref: 001E606C
__lseeki64_nolock.LIBCMT ref: 001E607E
__lseeki64_nolock.LIBCMT ref: 001E6176
__lseeki64_nolock.LIBCMT ref: 001E618B
__close_nolock.LIBCMT ref: 001E61EB

Part of subcall function 001DEA9C: CloseHandle.KERNELBASE(00000000,0025EEF4,00000000,?,001E6041,0025EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 001DEAEC
Part of subcall function 001DEA9C: GetLastError.KERNEL32(?,001E6041,0025EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 001DEAF6
Part of subcall function 001DEA9C: __free_osfhnd.LIBCMT ref: 001DEB03
Part of subcall function 001DEA9C: __dosmaperr.LIBCMT ref: 001DEB25

Part of subcall function 001D7C0E: __getptd_noexit.LIBCMT ref: 001D7C0E

__lseeki64_nolock.LIBCMT ref: 001E620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 001E6342
___createFile.LIBCMT ref: 001E6361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 001E636E
__dosmaperr.LIBCMT ref: 001E6375
__free_osfhnd.LIBCMT ref: 001E6395
__invoke_watson.LIBCMT ref: 001E63C3
__wsopen_helper.LIBCMT ref: 001E63DD

Strings

@, xrefs: 001E5F98

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: 579287ce3096049d07963169a48bf37b6dea0d73ff1dad779cbdf58b4baaf4b4
Instruction ID: 7afa12454d72430877871544a1d1288a716a469b6376d15dd8fc6228575487e3
Opcode Fuzzy Hash: 579287ce3096049d07963169a48bf37b6dea0d73ff1dad779cbdf58b4baaf4b4
Instruction Fuzzy Hash: E4223671900E869FEF299F69DC85BAD7B62FF20368F644229F5229B2D2C3358D40C751

Function 001FFA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 001FFA96
_wcschr.LIBCMT ref: 001FFAA4
_wcscpy.LIBCMT ref: 001FFABB
_wcscat.LIBCMT ref: 001FFACA
_wcscat.LIBCMT ref: 001FFAE8
_wcscpy.LIBCMT ref: 001FFB09
__wsplitpath.LIBCMT ref: 001FFBE6
_wcscpy.LIBCMT ref: 001FFC0B
_wcscpy.LIBCMT ref: 001FFC1D
_wcscpy.LIBCMT ref: 001FFC32
_wcscat.LIBCMT ref: 001FFC47
_wcscat.LIBCMT ref: 001FFC59
_wcscat.LIBCMT ref: 001FFC6E

Part of subcall function 001FBFA4: _wcscmp.LIBCMT ref: 001FC03E
Part of subcall function 001FBFA4: __wsplitpath.LIBCMT ref: 001FC083
Part of subcall function 001FBFA4: _wcscpy.LIBCMT ref: 001FC096
Part of subcall function 001FBFA4: _wcscat.LIBCMT ref: 001FC0A9
Part of subcall function 001FBFA4: __wsplitpath.LIBCMT ref: 001FC0CE
Part of subcall function 001FBFA4: _wcscat.LIBCMT ref: 001FC0E4
Part of subcall function 001FBFA4: _wcscat.LIBCMT ref: 001FC0F7

Strings

t2&, xrefs: 001FFC97
>>>AUTOIT SCRIPT<<<, xrefs: 001FFA61

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<$t2&
API String ID: 2955681530-1583731476
Opcode ID: 18f2a451a9d4e1dfd29f3f81f6cf01106e14764d9d57c5405f5e252df9028969
Instruction ID: 5559ee287068771aecdbfbf93a5b12f49b14197ce3103fb80dd56b66e8ce4702
Opcode Fuzzy Hash: 18f2a451a9d4e1dfd29f3f81f6cf01106e14764d9d57c5405f5e252df9028969
Instruction Fuzzy Hash: 5A91C472504705AFCB10EF64C851FABB3E8BF68310F04486EFA59972A1DB70E955CB91

Function 001DEE0E Relevance: 26.2, APIs: 17, Instructions: 664COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: 10ef47bec8de65f29f1b3ab22e30c204fe376979471e344f0f85396ae7b68c2e
Instruction ID: 232abf67a46bae89da281ae87a68d066645d25af21f434fa705f644d75296b9b
Opcode Fuzzy Hash: 10ef47bec8de65f29f1b3ab22e30c204fe376979471e344f0f85396ae7b68c2e
Instruction Fuzzy Hash: 5A324871A04241DFDB218F68E880BBE7BB1AF55314F29416FE8569F392D7309A43CB61

Function 001B3F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 001B3F86
RegisterClassExW.USER32(00000030), ref: 001B3FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001B3FC1
InitCommonControlsEx.COMCTL32(?), ref: 001B3FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001B3FEE
LoadIconW.USER32(000000A9), ref: 001B4004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001B4013

Strings

0, xrefs: 001B3F68
TaskbarCreated, xrefs: 001B3FB6
+, xrefs: 001B3F6F
AutoIt v3 GUI, xrefs: 001B3FA2

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 471e7735f025744852dfc3c2aa569654c2b4e4ae2478573d538779de5527c379
Instruction ID: 6fbab5bcffcbd8f94156d4ec7ae0815ad1dcae20b45b1a8baa5cd925c30bb0b5
Opcode Fuzzy Hash: 471e7735f025744852dfc3c2aa569654c2b4e4ae2478573d538779de5527c379
Instruction Fuzzy Hash: 4021A4B5910319AFDB00DFA9FC8DBCDBBB8FB08710F00421AFA15A62A0D7B545948F91

Function 001FBFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001FBDB4: __time64.LIBCMT ref: 001FBDBE

Part of subcall function 001B4517: _fseek.LIBCMT ref: 001B452F

__wsplitpath.LIBCMT ref: 001FC083

Part of subcall function 001D1DFC: __wsplitpath_helper.LIBCMT ref: 001D1E3C

_wcscpy.LIBCMT ref: 001FC096
_wcscat.LIBCMT ref: 001FC0A9
__wsplitpath.LIBCMT ref: 001FC0CE
_wcscat.LIBCMT ref: 001FC0E4
_wcscat.LIBCMT ref: 001FC0F7
_wcscmp.LIBCMT ref: 001FC03E

Part of subcall function 001FC56D: _wcscmp.LIBCMT ref: 001FC65D
Part of subcall function 001FC56D: _wcscmp.LIBCMT ref: 001FC670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 001FC2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001FC338
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001FC34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001FC35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001FC371

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: e6742c1b3c8137b3f81a1be47106807b5f64c761de304acc0c16071ef48926e1
Instruction ID: 8444377fa84ab2fc3bdb3135b908c87f44ab591785972685f3cc25d8578b45fb
Opcode Fuzzy Hash: e6742c1b3c8137b3f81a1be47106807b5f64c761de304acc0c16071ef48926e1
Instruction Fuzzy Hash: 44C12AB1A0021DABDF25DF94DD81EEEB7BDEF59310F0080AAF609E6151DB309A449F61

Function 001B3742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 001B37B3
KillTimer.USER32(?,00000001), ref: 001B37DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001B3800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001B380B
CreatePopupMenu.USER32 ref: 001B381F
PostQuitMessage.USER32(00000000), ref: 001B382E

Strings

TaskbarCreated, xrefs: 001B3806

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 149cfdb1944b299c69aca1514085bebfa0c07dc961b727cfcd00a3480b9306ca
Instruction ID: ca43266fb96f5bb39825204a1930ffb887f4061cb3d1d157d0a8d23a46672c3e
Opcode Fuzzy Hash: 149cfdb1944b299c69aca1514085bebfa0c07dc961b727cfcd00a3480b9306ca
Instruction Fuzzy Hash: 8C41F6F5114296ABDB186FACBC4EFFA3699FB10300F450119F92692191DF709EB09761

Function 001B3E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 001B3E79
LoadCursorW.USER32(00000000,00007F00), ref: 001B3E88
LoadIconW.USER32(00000063), ref: 001B3E9E
LoadIconW.USER32(000000A4), ref: 001B3EB0
LoadIconW.USER32(000000A2), ref: 001B3EC2

Part of subcall function 001B4024: LoadImageW.USER32(001B0000,00000063,00000001,00000010,00000010,00000000), ref: 001B4048

RegisterClassExW.USER32(?), ref: 001B3F30

Part of subcall function 001B3F53: GetSysColorBrush.USER32(0000000F), ref: 001B3F86
Part of subcall function 001B3F53: RegisterClassExW.USER32(00000030), ref: 001B3FB0
Part of subcall function 001B3F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001B3FC1
Part of subcall function 001B3F53: InitCommonControlsEx.COMCTL32(?), ref: 001B3FDE
Part of subcall function 001B3F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001B3FEE
Part of subcall function 001B3F53: LoadIconW.USER32(000000A9), ref: 001B4004
Part of subcall function 001B3F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001B4013

Strings

#, xrefs: 001B3F09
0, xrefs: 001B3F02
AutoIt v3, xrefs: 001B3F1F

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 68889e1802d3625bff4e4551a01fb6432742fc3a65d23aa1445b901629e6144f
Instruction ID: 6925911ac32fb7b51c2d7d1e1342ae38361ecf0e0ac839dcaa544d4f7c367035
Opcode Fuzzy Hash: 68889e1802d3625bff4e4551a01fb6432742fc3a65d23aa1445b901629e6144f
Instruction Fuzzy Hash: 0721F8B0D00314ABDB14DFADFC4EA99BBF5EF48310F50412AE61CA62A0E77546A49B91

Function 001DACB3 Relevance: 15.2, APIs: 10, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 001DACC1

Part of subcall function 001D7CF4: __mtinitlocknum.LIBCMT ref: 001D7D06
Part of subcall function 001D7CF4: EnterCriticalSection.KERNEL32(00000000,?,001D7ADD,0000000D), ref: 001D7D1F

__calloc_crt.LIBCMT ref: 001DACD2

Part of subcall function 001D6986: __calloc_impl.LIBCMT ref: 001D6995
Part of subcall function 001D6986: Sleep.KERNEL32(00000000,000003BC,001CF507,?,0000000E), ref: 001D69AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 001DACED
GetStartupInfoW.KERNEL32(?,00266E28,00000064,001D5E91,00266C70,00000014), ref: 001DAD46
__calloc_crt.LIBCMT ref: 001DAD91
GetFileType.KERNEL32(00000001), ref: 001DADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 001DAE11

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: 5ba880367cf4ada5ba83d64abd7bf642316bcd87310429a809d50c2a24f3b38f
Instruction ID: dea81ccf952154a1647759bdbdcb2f9d8fb9163776f8ad0181df0254e73b6072
Opcode Fuzzy Hash: 5ba880367cf4ada5ba83d64abd7bf642316bcd87310429a809d50c2a24f3b38f
Instruction Fuzzy Hash: 6A810471905341CFDB14CF68D8845AEBBF0AF06320BA4429EE4AAAB3D1C734D843CB56

Function 0180FBC8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0180FC99
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0180FEBF

Memory Dump Source

Source File: 00000000.00000002.1360715851.000000000180D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0180D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180d000_pmm.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction ID: 186872c9c91b63960166411e1ed21799af4aab6e3e879a2f29fa80dff479e5eb
Opcode Fuzzy Hash: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction Fuzzy Hash: 34A11870E0020DEBDB65CFA4C898BEEBBB5BF48704F208559E611BB2C1D7759A81CB54

Function 001B49FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 001B4A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 002241DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0022421A
RegCloseKey.ADVAPI32(?), ref: 00224249

Strings

Include, xrefs: 002241D3, 00224212
Software\AutoIt v3\AutoIt, xrefs: 001B4A13

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 29faddfb07461707ba3120a5defcf4c087ae813914c76130c9397546ed3b626b
Instruction ID: 92164a51e74f38122ccea5225fa67672dddf984ed2d36462fcb4eb3f36cdba64
Opcode Fuzzy Hash: 29faddfb07461707ba3120a5defcf4c087ae813914c76130c9397546ed3b626b
Instruction Fuzzy Hash: 1B116D71610119BFEB08ABA4ED86EFF7BACEF15744F004059F506D6191EB709E11D750

Function 001B36B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001B36E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 001B3707
ShowWindow.USER32(00000000,?,?,?,?,001B3AA3,?), ref: 001B371B
ShowWindow.USER32(00000000,?,?,?,?,001B3AA3,?), ref: 001B3724

Strings

edit, xrefs: 001B3701
AutoIt v3, xrefs: 001B36DE, 001B36E3, 001B36E4

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 3fc6af8180eb31e5d4ec597212eef73dde597474c0b124b9a5c8f99ca6774716
Instruction ID: 97a9080e69e7a291e98728a157a7578c5cb162750e9b63ac83cc954eaa2a5c89
Opcode Fuzzy Hash: 3fc6af8180eb31e5d4ec597212eef73dde597474c0b124b9a5c8f99ca6774716
Instruction Fuzzy Hash: 24F0DA715502D07AE731676BBC0DE672E7DDBC6F20B00001EBE08A21A0D56108E5DAB1

Function 0180F938 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 164
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0180F828: Sleep.KERNELBASE(000001F4), ref: 0180F839

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0180FAAC

Strings

3M8C0OW0YULI1EX0XWUCZJ6ULYSK9K, xrefs: 0180FB15, 0180FB18

Memory Dump Source

Source File: 00000000.00000002.1360715851.000000000180D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0180D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180d000_pmm.jbxd

Similarity

API ID: CreateFileSleep
String ID: 3M8C0OW0YULI1EX0XWUCZJ6ULYSK9K
API String ID: 2694422964-2359235516
Opcode ID: 1e5dbdb15eaaea2305984833737c23eb2296e76b37911b6aade72ac30a3870c4
Instruction ID: 0b5510efc1314d236170e9ad12ce142b1620dcc22fb7c48211c0b0c779c137d5
Opcode Fuzzy Hash: 1e5dbdb15eaaea2305984833737c23eb2296e76b37911b6aade72ac30a3870c4
Instruction Fuzzy Hash: F9715230D0428CDAEB12DBE8D854BEEBB75AF15304F044199D658BB2C1D7BA0B45CBA6

Function 001B4A30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 001B5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00271148,?,001B61FF,?,00000000,00000001,00000000), ref: 001B5392

Part of subcall function 001B49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 001B4A1D

_wcscat.LIBCMT ref: 00222D80
_wcscat.LIBCMT ref: 00222DB5

Strings

8!', xrefs: 001B4B1C
\, xrefs: 00222DA2
\Include\, xrefs: 001B4B0A

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: 8!'$\$\Include\
API String ID: 3592542968-2806627511
Opcode ID: 6da8c8db2ed0f89c68f5e2be48a20a314d701373a54a7b09ff3ef241d42724c2
Instruction ID: d3ba98e5c502ea2056adbb9b758e54ffb48978fbaeeb53e3797a6f8549b88a0f
Opcode Fuzzy Hash: 6da8c8db2ed0f89c68f5e2be48a20a314d701373a54a7b09ff3ef241d42724c2
Instruction Fuzzy Hash: 18513076414340DBC714EF59F98599AB7F8FEA9300B80492EF64D93262EB70968CCB52

Function 001B51AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001B522F
_wcscpy.LIBCMT ref: 001B5283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 001B5293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00223CB0

Strings

Line: , xrefs: 00223CD9

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 40c08cff8c301c10e550e1836abf4b64241151b6a9a7999ca2e28c7342a7893a
Instruction ID: a8002523ab575320389a8da894422ba469d8c0da2cd3a77f2f5ffd9d46686de5
Opcode Fuzzy Hash: 40c08cff8c301c10e550e1836abf4b64241151b6a9a7999ca2e28c7342a7893a
Instruction Fuzzy Hash: B4310431108740AFD325EF64EC46FDF77D8AF64300F00451EF58982191EB74A698CB92

Function 001B4139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 001B41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,001B39FE,?,00000001), ref: 001B41DB

_free.LIBCMT ref: 002236B7
_free.LIBCMT ref: 002236FE

Part of subcall function 001BC833: __wsplitpath.LIBCMT ref: 001BC93E
Part of subcall function 001BC833: _wcscpy.LIBCMT ref: 001BC953
Part of subcall function 001BC833: _wcscat.LIBCMT ref: 001BC968
Part of subcall function 001BC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 001BC978

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00223491
Bad directive syntax error, xrefs: 002236E4

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: 4fb5dd54c95dfea57b971c4fb44862d3015fb30a59eccbe95b612ff618686ca2
Instruction ID: 0d929d3ced9b96600bfc78a7a8976dc5c8cab7dc71001b977e047948d44a7c68
Opcode Fuzzy Hash: 4fb5dd54c95dfea57b971c4fb44862d3015fb30a59eccbe95b612ff618686ca2
Instruction Fuzzy Hash: 88917171920229AFCF04EFE4DC919FDB7B8BF28310F50442AF516AB291DB749A55CB90

Function 001B40E5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00223725
GetOpenFileNameW.COMDLG32 ref: 0022376F

Part of subcall function 001B660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001B53B1,?,?,001B61FF,?,00000000,00000001,00000000), ref: 001B662F

Part of subcall function 001B40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001B40C6

Strings

X, xrefs: 0022373E
t3&, xrefs: 00223745

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X$t3&
API String ID: 3777226403-2492427071
Opcode ID: b374c9a03260978f819b86eeb3efbe6d8fac262ce30ba677d7bc68c0a50ee019
Instruction ID: 072667019ee8b050c6246bfd5c38006167dc36a9b99af0123d41bf1ff9c11bcc
Opcode Fuzzy Hash: b374c9a03260978f819b86eeb3efbe6d8fac262ce30ba677d7bc68c0a50ee019
Instruction Fuzzy Hash: A621B771A10198AFCF01DFD8D845BEEBBF99F59304F00805AE405A7241DBB89A998FA5

Function 001D34AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 001D34FE

Part of subcall function 001D7C0E: __getptd_noexit.LIBCMT ref: 001D7C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 001D3539
__wopenfile.LIBCMT ref: 001D3549

Strings

<G, xrefs: 001D34CD, 001D34F0, 001D34FC

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: a94020e83e037ba69f418a0160c7fe0bd3fa1ded16c8a588f657adc25c85b23a
Instruction ID: e86f95f80c1d99e9e6574439fd1359d1790752d1b4269efc3fce4e03b33f6be7
Opcode Fuzzy Hash: a94020e83e037ba69f418a0160c7fe0bd3fa1ded16c8a588f657adc25c85b23a
Instruction Fuzzy Hash: EA112970A00216DFDB12BF74AC4266E37E4AF16390B158527F825DB381FB38CA1197B2

Function 001CD298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,001CD28B,SwapMouseButtons,00000004,?), ref: 001CD2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,001CD28B,SwapMouseButtons,00000004,?,?,?,?,001CC865), ref: 001CD2DD
RegCloseKey.KERNELBASE(00000000,?,?,001CD28B,SwapMouseButtons,00000004,?,?,?,?,001CC865), ref: 001CD2FF

Strings

Control Panel\Mouse, xrefs: 001CD2BA

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a1072222cdb46c177f49f394808a3a3c7151fdafdde73d65bfdfc8fcb418f3de
Instruction ID: a9af1c5bf2a48612faf12f0eb961d001c1ae4a8f26322eee1bc5a2c792551755
Opcode Fuzzy Hash: a1072222cdb46c177f49f394808a3a3c7151fdafdde73d65bfdfc8fcb418f3de
Instruction Fuzzy Hash: B01135B5611218BFDB248FA8EC88EBF7BB8EF54744F105869E805D7210E731EE419B60

Function 0180E828 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0180F055
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0180F079
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0180F09B

Memory Dump Source

Source File: 00000000.00000002.1360715851.000000000180D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0180D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180d000_pmm.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 9ff7d806dc6ef1cc8f26af8a7a5011723b62bd23310367b846ce676590f9e849
Instruction ID: 44d0c26e4953fa092066d9925a0d0a7616a05fbbce9b0fb923b7943b734f9563
Opcode Fuzzy Hash: 9ff7d806dc6ef1cc8f26af8a7a5011723b62bd23310367b846ce676590f9e849
Instruction Fuzzy Hash: 6D62F930A146189BEB65CFA4CC40BDEB776EF58300F1091A9E20DEB2D4E7759E81CB59

Function 001D365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 001D36B7
_memcpy_s.LIBCMT ref: 001D3729
__filbuf.LIBCMT ref: 001D37AA
_memset.LIBCMT ref: 001D37EE

Part of subcall function 001D7C0E: __getptd_noexit.LIBCMT ref: 001D7C0E

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
Instruction ID: ce86128800bb2acb5485dc22df1fa27bf44afaf5311662b87a825f975cb7bda4
Opcode Fuzzy Hash: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
Instruction Fuzzy Hash: 5E51C3B1A00605ABCB289FA988856AE77A1AF50320F24872BF835963D0D771DF50DB52

Function 001FC396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 001B4517: _fseek.LIBCMT ref: 001B452F

Part of subcall function 001FC56D: _wcscmp.LIBCMT ref: 001FC65D
Part of subcall function 001FC56D: _wcscmp.LIBCMT ref: 001FC670

_free.LIBCMT ref: 001FC4DD
_free.LIBCMT ref: 001FC4E4
_free.LIBCMT ref: 001FC54F

Part of subcall function 001D1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,001D7A85), ref: 001D1CB1
Part of subcall function 001D1C9D: GetLastError.KERNEL32(00000000,?,001D7A85), ref: 001D1CC3

_free.LIBCMT ref: 001FC557

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: acbc9bddfc27afc87d88584c9959c104a0ea567534d53ec5d359cc2505f852cb
Instruction ID: 0d28e117091ab72f46ce31017c1c5eafa2bd3be796ee79fdb6f4fd513497fa07
Opcode Fuzzy Hash: acbc9bddfc27afc87d88584c9959c104a0ea567534d53ec5d359cc2505f852cb
Instruction Fuzzy Hash: 22516FB1904218AFDB289F64DC81AEDBBB9EF58304F10409EF259A3251DB715A90CF59

Function 001CEB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001CEBB2

Part of subcall function 001B51AF: _memset.LIBCMT ref: 001B522F
Part of subcall function 001B51AF: _wcscpy.LIBCMT ref: 001B5283
Part of subcall function 001B51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 001B5293

KillTimer.USER32(?,00000001,?,?), ref: 001CEC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001CEC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00223C88

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: d110a30740d7a3055b3b6ce284b7de80b69d7191ec14400ddeae67f111566101
Instruction ID: c6337444a8ec0f4346f34fbfdcae3d9c16212e49597d5cb8c3afa6019ceb331d
Opcode Fuzzy Hash: d110a30740d7a3055b3b6ce284b7de80b69d7191ec14400ddeae67f111566101
Instruction Fuzzy Hash: 8521D770904794AFE732DB68EC59FE7BFEC9B15308F04048EE69E66241C3B46A848B51

Function 001FC71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 001FC72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 001FC746

Strings

aut, xrefs: 001FC740

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: b3fe190ab7e1a0a443e8943ce68732d31955961182498db03db45a279cc51b3d
Instruction ID: ce236df3ce6683e6c9861db37e60d4406f8885bc83c01c8e550fbabf04cfe607
Opcode Fuzzy Hash: b3fe190ab7e1a0a443e8943ce68732d31955961182498db03db45a279cc51b3d
Instruction Fuzzy Hash: E6D05E7150030EABDB10ABA0FC0EF8B776C9700704F0001A07A50A50B2DAB0E6A98B54

Function 0020F8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c40777b1b828c4c90298e7251f8799f6904bb43959c22d6586124e72f5d10b4
Instruction ID: 6585286748f74a0ddf529855b1762b7e9d8a0c45ae846a990c0e4a59cd97b0f8
Opcode Fuzzy Hash: 8c40777b1b828c4c90298e7251f8799f6904bb43959c22d6586124e72f5d10b4
Instruction Fuzzy Hash: 74F17A716083059FC720DF24C981B6EB7E5BF98314F14892EF9999B292DB70E945CF82

Function 001B4FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001B5022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 001B50CB

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 52dfbac50c67daf5ee20ba9e425d7fb6688311417028dfa00157cd8852af3331
Instruction ID: cbec0fc8f67b865ea2f2835b6e3b98fbe82f8081eee6b5cfed21a52e929c98b6
Opcode Fuzzy Hash: 52dfbac50c67daf5ee20ba9e425d7fb6688311417028dfa00157cd8852af3331
Instruction Fuzzy Hash: 29317CB05047019FD721EF68E8857DBBBE4FF49308F00092EF69E86251E7716998CB92

Function 001D395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 001D3973

Part of subcall function 001D81C2: __NMSG_WRITE.LIBCMT ref: 001D81E9
Part of subcall function 001D81C2: __NMSG_WRITE.LIBCMT ref: 001D81F3

__NMSG_WRITE.LIBCMT ref: 001D397A

Part of subcall function 001D821F: GetModuleFileNameW.KERNEL32(00000000,00270312,00000104,00000000,00000001,00000000), ref: 001D82B1
Part of subcall function 001D821F: ___crtMessageBoxW.LIBCMT ref: 001D835F

Part of subcall function 001D1145: ___crtCorExitProcess.LIBCMT ref: 001D114B
Part of subcall function 001D1145: ExitProcess.KERNEL32 ref: 001D1154

Part of subcall function 001D7C0E: __getptd_noexit.LIBCMT ref: 001D7C0E

RtlAllocateHeap.NTDLL(015E0000,00000000,00000001,00000001,00000000,?,?,001CF507,?,0000000E), ref: 001D399F

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: fe1fee35ae36582fb126a802f0491fd0fa20e7e933cd8d421a4dc8bd49694c3d
Instruction ID: 469990b29ddbe4c448d60d7756dd7c878275cd717183f5e1ab6916b02ab427f9
Opcode Fuzzy Hash: fe1fee35ae36582fb126a802f0491fd0fa20e7e933cd8d421a4dc8bd49694c3d
Instruction Fuzzy Hash: 0F01B935385212EAE61A3B34EC66A2A73489B91768F21012BF515D73C1DFF09D408661

Function 001FC6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,001FC385,?,?,?,?,?,00000004), ref: 001FC6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,001FC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 001FC708
CloseHandle.KERNEL32(00000000,?,001FC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 001FC70F

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 6e68f4b1f79c8ae414a5e6ecbc367ddda16b18fc8668d64e823f17f211819529
Instruction ID: f7c08b95c93e92605116d74b404b77a49b1516765bffb0aee3dea16ff241e762
Opcode Fuzzy Hash: 6e68f4b1f79c8ae414a5e6ecbc367ddda16b18fc8668d64e823f17f211819529
Instruction Fuzzy Hash: BAE08632140218B7D7212B64BC0DFCA7B19AB05B60F104210FB55690E097B129119BD8

Function 001FBB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001FBB72

Part of subcall function 001D1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,001D7A85), ref: 001D1CB1
Part of subcall function 001D1C9D: GetLastError.KERNEL32(00000000,?,001D7A85), ref: 001D1CC3

_free.LIBCMT ref: 001FBB83
_free.LIBCMT ref: 001FBB95

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
Instruction ID: 91f13c41ae3ac1f65f614cebc2b592cc29143fab523db39755346167ac6145d9
Opcode Fuzzy Hash: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
Instruction Fuzzy Hash: 3FE05BB175574577DA34A579EE84EB313CC4F14352714081FB559E7246DF24F84085B4

Function 001B2322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 001B22A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,001B24F1), ref: 001B2303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 001B25A1
CoInitialize.OLE32(00000000), ref: 001B2618
CloseHandle.KERNEL32(00000000), ref: 0022503A

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: 528dc72b7a2539257f96b57cafab46e7f0c1744c7d3eee48bf94e5ae426567b2
Instruction ID: 21cadbb784e92a7e72442c7c61452e81eebe7bc9638fda540ce424199359d849
Opcode Fuzzy Hash: 528dc72b7a2539257f96b57cafab46e7f0c1744c7d3eee48bf94e5ae426567b2
Instruction Fuzzy Hash: 8A71A2B49112A18BC308EF6EBD9A595BBA4FF6934479041AED90DC7772DB3044B4CF14

Function 001FBBE8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 001FBC18

Strings

EA06, xrefs: 001FBC46

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 74782ca00c91ea7db26b072ca4425626965ef3e88b4a4ab83826caca00930f2b
Instruction ID: 2c5c24f75c094cfbe94ce13705003c69cbf59e5e1488d6eac68b41378451497f
Opcode Fuzzy Hash: 74782ca00c91ea7db26b072ca4425626965ef3e88b4a4ab83826caca00930f2b
Instruction Fuzzy Hash: 2B01B5729042587EDB28C7A8C856FFEBBF89B15301F00455EF5A6D6281E6B4E7089B60

Function 001B3A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 001B3A73

Part of subcall function 001D1405: __lock.LIBCMT ref: 001D140B

Part of subcall function 001B3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 001B3AF3
Part of subcall function 001B3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 001B3B08

Part of subcall function 001B3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,001B3AA3,?), ref: 001B3D45
Part of subcall function 001B3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,001B3AA3,?), ref: 001B3D57
Part of subcall function 001B3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00271148,00271130,?,?,?,?,001B3AA3,?), ref: 001B3DC8
Part of subcall function 001B3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,001B3AA3,?), ref: 001B3E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 001B3AB3

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: 8b9f0d6b4b678532114cad2b13fc4c2a30042063eb9acbdc0838f537dbede253
Instruction ID: 7217e89a54dffada1cce98acd51214c56fe03774ea39d15a82e99a9c57a52217
Opcode Fuzzy Hash: 8b9f0d6b4b678532114cad2b13fc4c2a30042063eb9acbdc0838f537dbede253
Instruction Fuzzy Hash: 0B118E719143419BC310EF69FC49A4AFBE8FFA5710F00491EF888872A1DB7095A4CB92

Function 001DE9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 001DEA29
__close_nolock.LIBCMT ref: 001DEA42

Part of subcall function 001D7BDA: __getptd_noexit.LIBCMT ref: 001D7BDA

Part of subcall function 001D7C0E: __getptd_noexit.LIBCMT ref: 001D7C0E

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: b33676fa744bb2d8d35d91178d439e8f118507cd7c8db09249139cd5d86dab75
Instruction ID: 55838c46e872bfd4295742b39c6b5359f80605cfa6068d70029d256cf84e8e0a
Opcode Fuzzy Hash: b33676fa744bb2d8d35d91178d439e8f118507cd7c8db09249139cd5d86dab75
Instruction Fuzzy Hash: A611E172845A22CED712BF68D8423583AE16F92336F260343E4255F3E3DBB48C4086A1

Function 001CF4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 001D395C: __FF_MSGBANNER.LIBCMT ref: 001D3973
Part of subcall function 001D395C: __NMSG_WRITE.LIBCMT ref: 001D397A
Part of subcall function 001D395C: RtlAllocateHeap.NTDLL(015E0000,00000000,00000001,00000001,00000000,?,?,001CF507,?,0000000E), ref: 001D399F

std::exception::exception.LIBCMT ref: 001CF51E
__CxxThrowException@8.LIBCMT ref: 001CF533

Part of subcall function 001D6805: RaiseException.KERNEL32(?,?,0000000E,00266A30,?,?,?,001CF538,0000000E,00266A30,?,00000001), ref: 001D6856

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: b2f373bea768a24039a3f3f9e964544782c5011e14d4f78fbeb53de4305e0b6c
Instruction ID: 9758df0e19382f4adcf9806786385acba5d8ae76153c3081647bcf872b5783dc
Opcode Fuzzy Hash: b2f373bea768a24039a3f3f9e964544782c5011e14d4f78fbeb53de4305e0b6c
Instruction Fuzzy Hash: 49F0C87110421D67D704BF98ED05EDE77AD9F20354F60402EFA04D2281DBB0D65196A5

Function 001D3839 Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 001D3868
__lock_file.LIBCMT ref: 001D3889

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: e43523bf34c245ca0dd25606d92a03f31428757fb1fa1f30adc12e55a39f1f95
Instruction ID: 81a8d527ec63ef1bf2502d8283b3ec15e612a738e82025acadc3d11892716bf0
Opcode Fuzzy Hash: e43523bf34c245ca0dd25606d92a03f31428757fb1fa1f30adc12e55a39f1f95
Instruction Fuzzy Hash: B2018471800209FBCF22AFA49C0559E7B61AF51360F15431BF834573A1D7758B61EB92

Function 001D35E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001D7C0E: __getptd_noexit.LIBCMT ref: 001D7C0E

__lock_file.LIBCMT ref: 001D3629

Part of subcall function 001D4E1C: __lock.LIBCMT ref: 001D4E3F

__fclose_nolock.LIBCMT ref: 001D3634

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: ff381ee9fac0a322930be9a672d3397cb8d14acc0887c5af5c6b1fe8d74d4f7d
Instruction ID: 9321e278bf9649a67dfc54a33d3e8f9953f0c48d6755bf53bda570f57444606f
Opcode Fuzzy Hash: ff381ee9fac0a322930be9a672d3397cb8d14acc0887c5af5c6b1fe8d74d4f7d
Instruction Fuzzy Hash: AFF0B471901214AADB11BB65880676E7BA06F61734F26821BE430AB3C1CB7CCB019F96

Function 0180E825 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0180F055
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0180F079
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0180F09B

Memory Dump Source

Source File: 00000000.00000002.1360715851.000000000180D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0180D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180d000_pmm.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 282d440d23347d33a5333bc70feb3b77e7ffa06fe9f8fdc76eda24defaf3804a
Instruction ID: dc9451972acb80bff5aef52a3df0ca51579a105b9e41e5847a0602659bd5a421
Opcode Fuzzy Hash: 282d440d23347d33a5333bc70feb3b77e7ffa06fe9f8fdc76eda24defaf3804a
Instruction Fuzzy Hash: 7A12CE24E18658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 001D2957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 001D2A0B

Part of subcall function 001D7C0E: __getptd_noexit.LIBCMT ref: 001D7C0E

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: f6a6917ce991b80c88e22b0aa8562c95a481f86f4934735cc1e8ec0b4e76164b
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: 2041C4307007169FDF2C8EA9C8905AEB7A6EFA4364B24852FE865C7740EB74DD408B50

Function 001CED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 001CEDC7

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 3174ad5a291795371b0f081b20a9783237dec02c12c502dd259bab2bf294db22
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: EC31E5B1A00105DBC718DF98C480A79FBF6FF69340B6586A9E40ACB256DB31EDC1CB90

Function 0021040F Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00210519

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: eff00cf3b7b89ffa27045e9e1831d47267ac17c73d21524fd9729b2aa76c189c
Instruction ID: bb7611ecc87d298ca1f92404927822ceb98222fd5621c6405c6d5bde495be4cc
Opcode Fuzzy Hash: eff00cf3b7b89ffa27045e9e1831d47267ac17c73d21524fd9729b2aa76c189c
Instruction Fuzzy Hash: C3319075214528DFCB01AF10D0D4BAE77B1FF69320F20844AEA955B386DBB4A995CFC1

Function 00229A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00229A80

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 18a7f66f38ba4d566f4927876524abffc43466c2156b04a7416af885cfb0342c
Instruction ID: f27fe91ce5cb89763ac7d094be5e76fbc66a900e48348fdf9f0e8b9d13df8acd
Opcode Fuzzy Hash: 18a7f66f38ba4d566f4927876524abffc43466c2156b04a7416af885cfb0342c
Instruction Fuzzy Hash: 10416C70608611CFDB24CF54C484F2ABBE0BF55308F19899CE9964B362C372E886CF42

Function 001DED06 Relevance: 1.6, APIs: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: 1bfb31c5d6e91f3d8b29d89e41ada1aaef0d9ffabd5394d4207425e7667cc2e9
Instruction ID: a0e92229ad2bc5bbd4146dca3a4dbde18401d6e52bbb1beb4c06e5aba847c0ed
Opcode Fuzzy Hash: 1bfb31c5d6e91f3d8b29d89e41ada1aaef0d9ffabd5394d4207425e7667cc2e9
Instruction Fuzzy Hash: AB216F72814A108FD7127FA8D8457593BA25F62736F260643E4654F3E2EB7489408BA2

Function 001B41A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B4214: FreeLibrary.KERNEL32(00000000,?), ref: 001B4247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,001B39FE,?,00000001), ref: 001B41DB

Part of subcall function 001B4291: FreeLibrary.KERNEL32(00000000), ref: 001B42C4

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: 25e824974818ff2acea14b787b7705ba89779fc009ced583760cad5e76c53468
Instruction ID: b19a64f9d17837cc33195ccb8fb1230e2568ef875e308c7c7f0ce3626b27fab7
Opcode Fuzzy Hash: 25e824974818ff2acea14b787b7705ba89779fc009ced583760cad5e76c53468
Instruction Fuzzy Hash: CE11C131610316BBDB14BB70EC06FEE77A99F90700F10C429F996A6182DB70DA10ABA1

Function 00229B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00229B51

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ee9e84e0aff8000cfc3394883d8f7ea0ce034af2d087bb1cfd39b503e51817ef
Instruction ID: 7aa0fbe839d34b5dd1179df3778ba04bc3e37c16aa146f8e06410cadb524b8aa
Opcode Fuzzy Hash: ee9e84e0aff8000cfc3394883d8f7ea0ce034af2d087bb1cfd39b503e51817ef
Instruction Fuzzy Hash: B9212670608601CFDB25DFA4C444F6ABBF1BF99304F15496CE6964B622C731E846CF52

Function 001DAF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 001DAFC0

Part of subcall function 001D7BDA: __getptd_noexit.LIBCMT ref: 001D7BDA

Part of subcall function 001D7C0E: __getptd_noexit.LIBCMT ref: 001D7C0E

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: 87db526574af9fef5ed6e05e6f56d94f4097cac7aee06f5a47b9715042fc451e
Instruction ID: 47ef35824a87905404e4255371033b72512ae76964a661ee137ebae884fcea0f
Opcode Fuzzy Hash: 87db526574af9fef5ed6e05e6f56d94f4097cac7aee06f5a47b9715042fc451e
Instruction Fuzzy Hash: F5119072809610DFD7126FA4988575A36609F62331F564342F4364B3E2D7B589408BA2

Function 001B39DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
Instruction ID: 4afb7d5e66022731c64263fde1a4da961fd1d3f57b14ab7ae12f29211d4b1d90
Opcode Fuzzy Hash: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
Instruction Fuzzy Hash: B201623140010EBFCB04EFA4C9818EEBB74AA20344F108065F52297196EB319A59DB60

Function 001D2AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 001D2AED

Part of subcall function 001D7C0E: __getptd_noexit.LIBCMT ref: 001D7C0E

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: f1ce4e8c8ab6808fb872c4e10b538e2a265f71852686085f276a2dbfe3c2187b
Instruction ID: ab9b1e23b69c3fd8b3d2d7f45be571e943f8873832184d8e25bf21d206dbb37f
Opcode Fuzzy Hash: f1ce4e8c8ab6808fb872c4e10b538e2a265f71852686085f276a2dbfe3c2187b
Instruction Fuzzy Hash: C8F09031A00216EBDF26AF748C067DF3BA5BF21324F158517F4249B391D7B88A62DB51

Function 001B4252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,001B39FE,?,00000001), ref: 001B4286

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 508b80743155b5f9c2bea4124f6b9834a3ebc42a310d3bc3739d5d9e175a4e2b
Instruction ID: 98919d118eefaa4bf995c6bf9524806983b40832654af8753c82fca8946006e5
Opcode Fuzzy Hash: 508b80743155b5f9c2bea4124f6b9834a3ebc42a310d3bc3739d5d9e175a4e2b
Instruction Fuzzy Hash: 69F01571505702CFCB389F64F894896BBE4AF14325325CABEF1D682612C7729840EB50

Function 001B40A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001B40C6

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 7bd8a5f97ab0b38c559d7252b474ecf18361895d6d4bf14f60d068911333879f
Instruction ID: ccc886f2fb5e74220f54289aac4de93c34544d450208474909eaec9b74eed995
Opcode Fuzzy Hash: 7bd8a5f97ab0b38c559d7252b474ecf18361895d6d4bf14f60d068911333879f
Instruction Fuzzy Hash: 14E0C2366002245BCB11A668DC46FEB77ADDFC86A0F0901B5F909E7244DBA4AE819690

Function 001FBCF4 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 001FBD16

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
Instruction ID: 3f7c378b0294cfb51b645c7ca4b0a93cb3bb6f517ecd637589239cb2e16891d3
Opcode Fuzzy Hash: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
Instruction Fuzzy Hash: 71E012B1508B449BD7398A24D851BF377E1EB05319F04095DF6AA93241EB627841865A

Function 0180F824 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0180F839

Memory Dump Source

Source File: 00000000.00000002.1360715851.000000000180D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0180D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180d000_pmm.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 4f3e20a8d4dc32dfcffc4b2917cf183fa4166b43fcc2f1e400281900f56745f0
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 61E0BF7494010DEFDB10DFA4D9496DD7BB4EF04701F1045A5FE05D7680DB309E549A62

Function 0180F828 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0180F839

Memory Dump Source

Source File: 00000000.00000002.1360715851.000000000180D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0180D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180d000_pmm.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 8c3be573769758dd37bc63b0bfa1685ce80b0251c8736d60b14252e2670c990e
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 10E0E67494010DDFDB00DFB4D9496DD7BB4EF04701F104165FD01D2280D6309E509A62

Non-executed Functions

Function 0021AACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0021B1CD

Strings

%d/%02d/%02d, xrefs: 0021AEFC

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: b27cf6904f9d2a8e1a1ab01b73a361c795bd2a39567d4ba3d071bd9d6f1d88ee
Instruction ID: 8e25b7e99a9579e456b6ef5d0c29b118a424ee8390836c757aad9f5a80dceaa7
Opcode Fuzzy Hash: b27cf6904f9d2a8e1a1ab01b73a361c795bd2a39567d4ba3d071bd9d6f1d88ee
Instruction Fuzzy Hash: BC12FE71520209ABEB258F68EC49FEE7BF8FF55310F104129F919DA2D0DBB18992CB51

Function 001CEB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 001CEB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00223AEA
IsIconic.USER32(000000FF), ref: 00223AF3
ShowWindow.USER32(000000FF,00000009), ref: 00223B00
SetForegroundWindow.USER32(000000FF), ref: 00223B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00223B20
GetCurrentThreadId.KERNEL32 ref: 00223B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00223B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00223B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00223B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 00223B54
SetForegroundWindow.USER32(000000FF), ref: 00223B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 00223B6C
keybd_event.USER32(00000012,00000000), ref: 00223B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 00223B81
keybd_event.USER32(00000012,00000000), ref: 00223B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 00223B8F
keybd_event.USER32(00000012,00000000), ref: 00223B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 00223B9E
keybd_event.USER32(00000012,00000000), ref: 00223BA3
SetForegroundWindow.USER32(000000FF), ref: 00223BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 00223BCD

Strings

Shell_TrayWnd, xrefs: 00223AE5

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 2cb3fe2c8b2848ce6ba5388ffcf97760ce5128643d27168298ccbcf70de8832b
Instruction ID: a94e4cb60a0361bf9edbbbf6c887107177b348dbea0eeba185b29c5500357c53
Opcode Fuzzy Hash: 2cb3fe2c8b2848ce6ba5388ffcf97760ce5128643d27168298ccbcf70de8832b
Instruction Fuzzy Hash: 5031A371A502287BEB205FB5BC4EF7F7E6CEB44B54F104015FA05EA1D0DAB45D11AAA0

Function 001EACC5 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 001EB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001EB180
Part of subcall function 001EB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001EB1AD
Part of subcall function 001EB134: GetLastError.KERNEL32 ref: 001EB1BA

_memset.LIBCMT ref: 001EAD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 001EAD5A
CloseHandle.KERNEL32(?), ref: 001EAD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001EAD82
GetProcessWindowStation.USER32 ref: 001EAD9B
SetProcessWindowStation.USER32(00000000), ref: 001EADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 001EADBF

Part of subcall function 001EAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001EACC0), ref: 001EAB99
Part of subcall function 001EAB84: CloseHandle.KERNEL32(?,?,001EACC0), ref: 001EABAB

Strings

default, xrefs: 001EADBA
winsta0, xrefs: 001EAD7D
H*&, xrefs: 001EAE40
, xrefs: 001EAD17

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $H*&$default$winsta0
API String ID: 2063423040-3663051182
Opcode ID: ca0242e728014384496c9d725e8d3383099ccc878a910bc0191253800150bf0f
Instruction ID: f6bee415ef8413831f2d19ff56aa65baae20d6b90aa76a2343e8432aabe46355
Opcode Fuzzy Hash: ca0242e728014384496c9d725e8d3383099ccc878a910bc0191253800150bf0f
Instruction Fuzzy Hash: CC81BBB1900689AFDF11DFA5EC49AEEBBBCFF18304F444119F820A2161D731AE94DB61

Function 001F60DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001F6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001F5FA6,?), ref: 001F6ED8

Part of subcall function 001F6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001F5FA6,?), ref: 001F6EF1

Part of subcall function 001F725E: __wsplitpath.LIBCMT ref: 001F727B
Part of subcall function 001F725E: __wsplitpath.LIBCMT ref: 001F728E

Part of subcall function 001F72CB: GetFileAttributesW.KERNEL32(?,001F6019), ref: 001F72CC

_wcscat.LIBCMT ref: 001F6149
_wcscat.LIBCMT ref: 001F6167
__wsplitpath.LIBCMT ref: 001F618E
FindFirstFileW.KERNEL32(?,?), ref: 001F61A4
_wcscpy.LIBCMT ref: 001F6209
_wcscat.LIBCMT ref: 001F621C
_wcscat.LIBCMT ref: 001F622F
lstrcmpiW.KERNEL32(?,?), ref: 001F625D
DeleteFileW.KERNEL32(?), ref: 001F626E
MoveFileW.KERNEL32(?,?), ref: 001F6289
MoveFileW.KERNEL32(?,?), ref: 001F6298
CopyFileW.KERNEL32(?,?,00000000), ref: 001F62AD
DeleteFileW.KERNEL32(?), ref: 001F62BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001F62E1
FindClose.KERNEL32(00000000), ref: 001F62FD
FindClose.KERNEL32(00000000), ref: 001F630B

Strings

\*.*, xrefs: 001F6138, 001F6147, 001F6165

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: beef0bdd84b9622a21e7e10d7212de9fe40735220b06a3c88e2e3b4626cff9d2
Instruction ID: d53d3390df8f45f43348856cd21b3341b0089b0c2e772475e44a36bf90f0982e
Opcode Fuzzy Hash: beef0bdd84b9622a21e7e10d7212de9fe40735220b06a3c88e2e3b4626cff9d2
Instruction Fuzzy Hash: 3951107290811C6ACB21EBA5DC44DEF77BCAF15310F0901EAE689E3141DF7697898FA4

Function 00206B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0024DC00), ref: 00206B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 00206B44
GetClipboardData.USER32(0000000D), ref: 00206B4C
CloseClipboard.USER32 ref: 00206B58
GlobalLock.KERNEL32(00000000), ref: 00206B74
CloseClipboard.USER32 ref: 00206B7E
GlobalUnlock.KERNEL32(00000000), ref: 00206B93
IsClipboardFormatAvailable.USER32(00000001), ref: 00206BA0
GetClipboardData.USER32(00000001), ref: 00206BA8
GlobalLock.KERNEL32(00000000), ref: 00206BB5
GlobalUnlock.KERNEL32(00000000), ref: 00206BE9
CloseClipboard.USER32 ref: 00206CF6

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 7b583b06c24c5de61136d5abca6cac299404ad44f0a8dbbba9c7327b673abb85
Instruction ID: 57c0e99a419883781ce667afdd53da23cf91f913d1ddc72cea7d57d9fbc3b817
Opcode Fuzzy Hash: 7b583b06c24c5de61136d5abca6cac299404ad44f0a8dbbba9c7327b673abb85
Instruction Fuzzy Hash: 64517171214306ABD300AF65FD8EF6E77B8AF94B01F00442AFA56D61D2DF70D9258A62

Function 001FF5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001FF62B
FindClose.KERNEL32(00000000), ref: 001FF67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001FF6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001FF6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 001FF6E2
__swprintf.LIBCMT ref: 001FF72E
__swprintf.LIBCMT ref: 001FF767
__swprintf.LIBCMT ref: 001FF7BB

Part of subcall function 001D172B: __woutput_l.LIBCMT ref: 001D1784

__swprintf.LIBCMT ref: 001FF809
__swprintf.LIBCMT ref: 001FF858
__swprintf.LIBCMT ref: 001FF8A7
__swprintf.LIBCMT ref: 001FF8F6

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 001FF728
%02d, xrefs: 001FF7B0, 001FF7B9, 001FF807, 001FF856, 001FF8A5, 001FF8F4
%4d, xrefs: 001FF761

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: 72d43a3df95cfc97b3ba28f83582337e247b22ba28a625f2f637f3458bd8cf51
Instruction ID: 20366f31e6797ebfaafe2fcad5cd5ab2d9da747abb92d86aae7bfdd582b599c4
Opcode Fuzzy Hash: 72d43a3df95cfc97b3ba28f83582337e247b22ba28a625f2f637f3458bd8cf51
Instruction Fuzzy Hash: 52A101B2408344ABC314EBA5C985EEFB7ECBFA8704F44092EF595C2151EB34D949CB62

Function 00201B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00201B50
_wcscmp.LIBCMT ref: 00201B65
_wcscmp.LIBCMT ref: 00201B7C
GetFileAttributesW.KERNEL32(?), ref: 00201B8E
SetFileAttributesW.KERNEL32(?,?), ref: 00201BA8
FindNextFileW.KERNEL32(00000000,?), ref: 00201BC0
FindClose.KERNEL32(00000000), ref: 00201BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 00201BE7
_wcscmp.LIBCMT ref: 00201C0E
_wcscmp.LIBCMT ref: 00201C25
SetCurrentDirectoryW.KERNEL32(?), ref: 00201C37
SetCurrentDirectoryW.KERNEL32(002639FC), ref: 00201C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 00201C5F
FindClose.KERNEL32(00000000), ref: 00201C6C
FindClose.KERNEL32(00000000), ref: 00201C7C

Strings

*.*, xrefs: 00201BE2

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 498d3bc5411c52713898a0ff14f03dbd25107db268796ddfdd8c04b1e32f7dd1
Instruction ID: c47f91fc4f325179874ebc160b4842bc9476d69f9728b4565e96bb6f6e0e2473
Opcode Fuzzy Hash: 498d3bc5411c52713898a0ff14f03dbd25107db268796ddfdd8c04b1e32f7dd1
Instruction Fuzzy Hash: 2931C23261131A7BDB14EFB0EC49ADE77AC9F06324F104196E805E20D1EB74DAA58E64

Function 00201C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00201CAB
_wcscmp.LIBCMT ref: 00201CC0
_wcscmp.LIBCMT ref: 00201CD7

Part of subcall function 001F6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001F6BEF

FindNextFileW.KERNEL32(00000000,?), ref: 00201D06
FindClose.KERNEL32(00000000), ref: 00201D11
FindFirstFileW.KERNEL32(*.*,?), ref: 00201D2D
_wcscmp.LIBCMT ref: 00201D54
_wcscmp.LIBCMT ref: 00201D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 00201D7D
SetCurrentDirectoryW.KERNEL32(002639FC), ref: 00201D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00201DA5
FindClose.KERNEL32(00000000), ref: 00201DB2
FindClose.KERNEL32(00000000), ref: 00201DC2

Strings

*.*, xrefs: 00201D28

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: bbc0271b239116a21075a092a1000967097cef38086ea190d6ab18810bab0ff3
Instruction ID: 655baf89f88e183b9d1f5cfed8bf4908e0a985ca0b4e0522afb0862d0b421606
Opcode Fuzzy Hash: bbc0271b239116a21075a092a1000967097cef38086ea190d6ab18810bab0ff3
Instruction Fuzzy Hash: A131F03291071ABBDF10EFA0EC49AEE37AD9F06320F104556E801E31D2DB70DAB58E60

Function 001B7D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001B7DBD

Strings

[:<:]], xrefs: 001B7D1D
\, xrefs: 001B7E1D
\b(?<=\w), xrefs: 0022F877
[:>:]], xrefs: 001B7D37
], xrefs: 001B7D9F
Q\E, xrefs: 001B86D6
[, xrefs: 001B7E14
\b(?=\w), xrefs: 0022F85E
^, xrefs: 001B7D96
\, xrefs: 0022F95B
\, xrefs: 001B7D89

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: fe30b03d377529bf39cf06922c2ad7c0120acb7acfebb9c3fcbc5d650cfcb6ed
Instruction ID: 00da3f5ea75d51cd2b14d5f9758bf70b94a80ddf5a48106eac3936bb48574e4f
Opcode Fuzzy Hash: fe30b03d377529bf39cf06922c2ad7c0120acb7acfebb9c3fcbc5d650cfcb6ed
Instruction Fuzzy Hash: EC82D171D1422ADBCF28CF98C9807EDB7B1BF88314F258169D819AB391E7709D95CB90

Function 0020091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 002009DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 002009EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002009FB
__wsplitpath.LIBCMT ref: 00200A59
_wcscat.LIBCMT ref: 00200A71
_wcscat.LIBCMT ref: 00200A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00200A98
SetCurrentDirectoryW.KERNEL32(?), ref: 00200AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 00200ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 00200AFF
_wcscpy.LIBCMT ref: 00200B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00200B4A

Strings

*.*, xrefs: 00200B05

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 1dce28e13f05d863b2eb8394fdb7b50922af31cbc69408409dedaaea7d2dd2d9
Instruction ID: 446acb57274bce3619a5f898e8b02466860579003cd01b31a2b49af73aaecbbd
Opcode Fuzzy Hash: 1dce28e13f05d863b2eb8394fdb7b50922af31cbc69408409dedaaea7d2dd2d9
Instruction Fuzzy Hash: 7A61A9721143059FD710EF60C885AAEB3E8FF99314F04481EF989C7292EB31EA15CB92

Function 001EA66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001EABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 001EABD7
Part of subcall function 001EABBB: GetLastError.KERNEL32(?,001EA69F,?,?,?), ref: 001EABE1
Part of subcall function 001EABBB: GetProcessHeap.KERNEL32(00000008,?,?,001EA69F,?,?,?), ref: 001EABF0
Part of subcall function 001EABBB: HeapAlloc.KERNEL32(00000000,?,001EA69F,?,?,?), ref: 001EABF7
Part of subcall function 001EABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 001EAC0E

Part of subcall function 001EAC56: GetProcessHeap.KERNEL32(00000008,001EA6B5,00000000,00000000,?,001EA6B5,?), ref: 001EAC62
Part of subcall function 001EAC56: HeapAlloc.KERNEL32(00000000,?,001EA6B5,?), ref: 001EAC69
Part of subcall function 001EAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,001EA6B5,?), ref: 001EAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001EA6D0
_memset.LIBCMT ref: 001EA6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001EA704
GetLengthSid.ADVAPI32(?), ref: 001EA715
GetAce.ADVAPI32(?,00000000,?), ref: 001EA752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001EA76E
GetLengthSid.ADVAPI32(?), ref: 001EA78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 001EA79A
HeapAlloc.KERNEL32(00000000), ref: 001EA7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001EA7C2
CopySid.ADVAPI32(00000000), ref: 001EA7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001EA7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001EA820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001EA834

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 58096cc5d0a9258c9f4769f1a02a7cf19692ec87585ce7c6e1928a03f80e0fe6
Instruction ID: 2363625abfc1769233997228e64e7ddb831a8a8fa1fb2f9ac59abf812c297984
Opcode Fuzzy Hash: 58096cc5d0a9258c9f4769f1a02a7cf19692ec87585ce7c6e1928a03f80e0fe6
Instruction Fuzzy Hash: A2515D71900649ABDF14DFA6EC48EEEBBB9FF04700F448129F915AB290D735AE05CB61

Function 001B6F07 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

UTF), xrefs: 00232C7C
UCP), xrefs: 00232C8F
UTF16), xrefs: 00232C56
CRLF), xrefs: 00232E43
LIMIT_RECURSION=, xrefs: 00232D7E
NO_START_OPT), xrefs: 00232CD1
CR), xrefs: 00232E09
ANY), xrefs: 00232E60
BSR_UNICODE), xrefs: 00232EBA
%%% %, xrefs: 001B7096, 001B709C
LIMIT_MATCH=, xrefs: 00232CF2
LF), xrefs: 00232E26
%, xrefs: 001B6F77
BSR_ANYCRLF), xrefs: 00232EA0
NO_AUTO_POSSESS), xrefs: 00232CB0
ANYCRLF), xrefs: 00232E7D

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID:
String ID: %$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$%%% %
API String ID: 0-2144770909
Opcode ID: b2a4f86dbd0368e00f11e381a49051525f41e1fc9dcdb1097597af34ae0913a7
Instruction ID: 7f411632abc216a01050cbb5ca54d5353b6c43f7cd770ae9053cbfeb8f6d5abe
Opcode Fuzzy Hash: b2a4f86dbd0368e00f11e381a49051525f41e1fc9dcdb1097597af34ae0913a7
Instruction Fuzzy Hash: D67280B1E14219DBDB28DF58C8817EEB7B5FF58310F14816AE845EB280DB709E91DB90

Function 001F63F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001F6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001F5FA6,?), ref: 001F6ED8

Part of subcall function 001F72CB: GetFileAttributesW.KERNEL32(?,001F6019), ref: 001F72CC

_wcscat.LIBCMT ref: 001F6441
__wsplitpath.LIBCMT ref: 001F645F
FindFirstFileW.KERNEL32(?,?), ref: 001F6474
_wcscpy.LIBCMT ref: 001F64A3
_wcscat.LIBCMT ref: 001F64B8
_wcscat.LIBCMT ref: 001F64CA
DeleteFileW.KERNEL32(?), ref: 001F64DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 001F64EB
FindClose.KERNEL32(00000000), ref: 001F6506

Strings

\*.*, xrefs: 001F643B

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: 7463aef46358c7cd3cce53b512bc5cf75a114cb78d6475e52672c38b39e7d668
Instruction ID: 8c890c1bc90e841ca97a2d540997bdbc99aa78ced73eca9a13d2ce0c3f0a667c
Opcode Fuzzy Hash: 7463aef46358c7cd3cce53b512bc5cf75a114cb78d6475e52672c38b39e7d668
Instruction Fuzzy Hash: 773164B2408388AAC721EBE49889AEBB7DCAF55310F44095FF6D9C3141EB35D50D8767

Function 002131BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00213C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00212BB5,?,?), ref: 00213C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0021328E

Part of subcall function 001B936C: __swprintf.LIBCMT ref: 001B93AB
Part of subcall function 001B936C: __itow.LIBCMT ref: 001B93DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0021332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002133C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00213604
RegCloseKey.ADVAPI32(00000000), ref: 00213611

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: c5a8fab5b7eb89bab8eb04d6d947c3b446c5c6a0d151e972d1736ba0d73729f3
Instruction ID: 1bd75fb2c1e38027832158245191fa322e5f78ec11f12df5fdc37eba4635231e
Opcode Fuzzy Hash: c5a8fab5b7eb89bab8eb04d6d947c3b446c5c6a0d151e972d1736ba0d73729f3
Instruction Fuzzy Hash: 5EE17D31614200AFCB14DF28C995EAABBEAFF98710F04846DF54AD7261DB30ED55CB91

Function 001F2B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 001F2B5F
GetAsyncKeyState.USER32(000000A0), ref: 001F2BE0
GetKeyState.USER32(000000A0), ref: 001F2BFB
GetAsyncKeyState.USER32(000000A1), ref: 001F2C15
GetKeyState.USER32(000000A1), ref: 001F2C2A
GetAsyncKeyState.USER32(00000011), ref: 001F2C42
GetKeyState.USER32(00000011), ref: 001F2C54
GetAsyncKeyState.USER32(00000012), ref: 001F2C6C
GetKeyState.USER32(00000012), ref: 001F2C7E
GetAsyncKeyState.USER32(0000005B), ref: 001F2C96
GetKeyState.USER32(0000005B), ref: 001F2CA8

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 916ec90272944c13e984dc6f558ef58248482cf41c0acae085e09415c27d2f1f
Instruction ID: c62f093952fefabba664031f76e91488e50eba0ed8a7988a9ad04c9089741723
Opcode Fuzzy Hash: 916ec90272944c13e984dc6f558ef58248482cf41c0acae085e09415c27d2f1f
Instruction Fuzzy Hash: 3941C5746047CE6DFF359B6498143F9BEA0AF11344F48805ADBC6572C2EBB499C8C7A2

Function 00206D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00206D2E
EmptyClipboard.USER32 ref: 00206D34
GlobalAlloc.KERNEL32(00000002,?), ref: 00206D49
CloseClipboard.USER32 ref: 00206DE8

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: e21438f3b07b421c4a8fd62874dfe317ccce4f40a1e99333a34ff24b421b2dc4
Instruction ID: b7efb81b2ef10af91f430dc1feb67b27a6171eb882af96046c5474ce5a199e49
Opcode Fuzzy Hash: e21438f3b07b421c4a8fd62874dfe317ccce4f40a1e99333a34ff24b421b2dc4
Instruction Fuzzy Hash: 53219F313102109FDB01AF64FC4EB2DB7A8EF14710F04841AF91ADB2A2DB70E8218B94

Function 0020C18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 001E9ABF: CLSIDFromProgID.OLE32 ref: 001E9ADC
Part of subcall function 001E9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 001E9AF7
Part of subcall function 001E9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 001E9B05
Part of subcall function 001E9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 001E9B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0020C235
_memset.LIBCMT ref: 0020C242
_memset.LIBCMT ref: 0020C360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0020C38C
CoTaskMemFree.OLE32(?), ref: 0020C397

Strings

NULL Pointer assignment, xrefs: 0020C3E5

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 8e2fe3387a8da94410c29b450690329834084cd117050755d4b632c366a21d1f
Instruction ID: 743118c3e27465116543f5a0c8825a903552cfb408e09cbe07a26b73b1a9e5f7
Opcode Fuzzy Hash: 8e2fe3387a8da94410c29b450690329834084cd117050755d4b632c366a21d1f
Instruction Fuzzy Hash: 59915E71D10218ABDB10DF94DC95EDEBBB9FF18310F20815AF919A7281DB706A55CFA0

Function 001F79D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 001EB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001EB180
Part of subcall function 001EB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001EB1AD
Part of subcall function 001EB134: GetLastError.KERNEL32 ref: 001EB1BA

ExitWindowsEx.USER32(?,00000000), ref: 001F7A0F

Strings

@, xrefs: 001F7A02
SeShutdownPrivilege, xrefs: 001F79DD
, xrefs: 001F79FD

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: edab03c8b7669eb13ea866e003a46a20fee6fa7b839c4e6535f8f4bafcf2afcb
Instruction ID: 500ae4753af19190cff6304f962d1dcd9ddb50244ae38a508ed0b3617a5523a2
Opcode Fuzzy Hash: edab03c8b7669eb13ea866e003a46a20fee6fa7b839c4e6535f8f4bafcf2afcb
Instruction Fuzzy Hash: 8801A7716592196AF72C5674AC5EFBF72589B14750F2A0424FF43A30D2E7A15E1081A0

Function 00208C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00208CA8
WSAGetLastError.WSOCK32(00000000), ref: 00208CB7
bind.WSOCK32(00000000,?,00000010), ref: 00208CD3
listen.WSOCK32(00000000,00000005), ref: 00208CE2
WSAGetLastError.WSOCK32(00000000), ref: 00208CFC
closesocket.WSOCK32(00000000,00000000), ref: 00208D10

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 96e9cd0781938f305e2336c4a981a9e2d1e91b3385a46c1c1ee6d6c110e23490
Instruction ID: cd1192b6875be77c2c1b74edc614eb00d3324b019f01a80d9497e9798ade0fc6
Opcode Fuzzy Hash: 96e9cd0781938f305e2336c4a981a9e2d1e91b3385a46c1c1ee6d6c110e23490
Instruction Fuzzy Hash: E421E131600205AFCB14EF28E949B6EB7B9EF58310F108159F956A73E2CB70ED018B51

Function 001F6532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 001F6554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 001F6564
Process32NextW.KERNEL32(00000000,0000022C), ref: 001F6583
__wsplitpath.LIBCMT ref: 001F65A7
_wcscat.LIBCMT ref: 001F65BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 001F65F9

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 25a63b47184944c741768348d3a21943c86c07a652347e01a4f3bea1b4fcd6c3
Instruction ID: 1c4e9e1e26a9bf6948d3b5a32a002355833fddfe8aa7f0398f0905b2e8002270
Opcode Fuzzy Hash: 25a63b47184944c741768348d3a21943c86c07a652347e01a4f3bea1b4fcd6c3
Instruction Fuzzy Hash: 7721A77190021CABDB10ABA4DC88FEEB7BCAB19340F5000E5F645E7151DB719F85CB60

Function 001B9B60 Relevance: 8.6, Strings: 6, Instructions: 1055COMMON

Download Yara Rule

Strings

VUUU, xrefs: 001B9E95
VUUU, xrefs: 001B9EA7
VUUU, xrefs: 001B9ED4
%, xrefs: 001B9CF3
ERCP, xrefs: 001B9C32
VUUU, xrefs: 0023BE14

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$%
API String ID: 0-3570810846
Opcode ID: 78dbe0ea7ebfd2c6b5bd48ba4a366fe2a58d439243e391a518a6c0dc3b016450
Instruction ID: 4d8b66cf7ac7e1dbed69c84c2b808127886fee5e73ab02cbe71f678602f217e2
Opcode Fuzzy Hash: 78dbe0ea7ebfd2c6b5bd48ba4a366fe2a58d439243e391a518a6c0dc3b016450
Instruction Fuzzy Hash: D7929CB1E0021ACBDF28CF58C8907FDB7B1BF54314F65819AE95AAB280D7709D91CB91

Function 001F13CA Relevance: 8.1, APIs: 1, Strings: 4, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 001F13DC

Strings

<2&, xrefs: 001F16FA
(, xrefs: 001F1422
,2&, xrefs: 001F16B1
|, xrefs: 001F140C

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: lstrlen
String ID: ($,2&$<2&$|
API String ID: 1659193697-679186859
Opcode ID: 12226ab7d692ae34c680b082e39d67568b58806a8f62d2c8092ef636e17bc0fc
Instruction ID: e7910fa27e6dbf3870b0c29ba0e20d936fd9239f4e726112d59927654cf3bc4f
Opcode Fuzzy Hash: 12226ab7d692ae34c680b082e39d67568b58806a8f62d2c8092ef636e17bc0fc
Instruction Fuzzy Hash: 56321575A00605EFC728CF69C490A6AB7F1FF88320B15C56EE59ADB3A1E770E941CB44

Function 0020923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0020A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0020A84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00209296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 002092B9

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 76c80cd330e2e7ec4f4a5d27599fc4e7fdedf030ba0b98d2b693f201b68b83e7
Instruction ID: c522130d6e7267aae92e920106daf03893815b5dae368e37c0cad3226d46072a
Opcode Fuzzy Hash: 76c80cd330e2e7ec4f4a5d27599fc4e7fdedf030ba0b98d2b693f201b68b83e7
Instruction Fuzzy Hash: BF41CE70600204AFDB10AB28C886F7EB7EDEF64724F04844CF956AB2D3CB749D018B91

Function 001FEB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001FEB8A
_wcscmp.LIBCMT ref: 001FEBBA
_wcscmp.LIBCMT ref: 001FEBCF
FindNextFileW.KERNEL32(00000000,?), ref: 001FEBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 001FEC0E

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: d0fd8b425e238292a1c31eba53dc318712c3c969fe2a7508ad3da842e7f524cf
Instruction ID: 74f5c0398e57987b52b2a4d245e71f4213f7a6d1d46e08ff13aee85b819a6ba4
Opcode Fuzzy Hash: d0fd8b425e238292a1c31eba53dc318712c3c969fe2a7508ad3da842e7f524cf
Instruction Fuzzy Hash: 8841BB356043069FCB18DF28D491EAAB3E4FF5A324F10455EFA5A8B3A1DB31E941CB91

Function 00218111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00218160
IsWindowEnabled.USER32 ref: 0021816E
GetForegroundWindow.USER32(?,?,00000001), ref: 0021817B
IsIconic.USER32 ref: 00218189
IsZoomed.USER32 ref: 00218197

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 9ec51a4a6d162aec5375b98293dd5f6eff4a8b226b5dc00203b604b269f2dc90
Instruction ID: 2748ba90887de271658ceffb93bb1eac6de4367fee3c6cb6bb0b0d15ed346a1e
Opcode Fuzzy Hash: 9ec51a4a6d162aec5375b98293dd5f6eff4a8b226b5dc00203b604b269f2dc90
Instruction Fuzzy Hash: 3D11B2323101117BE7211F26EC89EAFBBDCEF65760B040429F84DD7241CF70D95286A4

Function 001CE01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,001CE014,771B0AE0,001CDEF1,0024DC38,?,?), ref: 001CE02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 001CE03E

Strings

GetNativeSystemInfo, xrefs: 001CE038
kernel32.dll, xrefs: 001CE027

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 0ebde39fcd9a6e0568f3463243fc9bc52c8b5324cf00264e1d3c08f35cb5e3e0
Instruction ID: f4625c12e040931cc973a9fd3146a434ef3148094a4f82cca942542a7c4fd03b
Opcode Fuzzy Hash: 0ebde39fcd9a6e0568f3463243fc9bc52c8b5324cf00264e1d3c08f35cb5e3e0
Instruction Fuzzy Hash: 63D0C970A50B12DFD7315F65FC4CB5276E8AB15712F18842EF8DAD2250EBB4E8E48A90

Function 001CB11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 001CB34E: GetWindowLongW.USER32(?,000000EB), ref: 001CB35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 001CB22F

Part of subcall function 001CB55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 001CB5A5

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: e3844745db13391fcff56c5b056d2ccd2f3a38d308df763a667bc00493989d80
Instruction ID: 51e5fa3b71e742e01f4e624ae2e7bc2c906ccab0ea4d37604b6afb5574cf325b
Opcode Fuzzy Hash: e3844745db13391fcff56c5b056d2ccd2f3a38d308df763a667bc00493989d80
Instruction Fuzzy Hash: CAA1366013C016BADB2CAE696CCAFBF396CEB71744F56411DF405D6191CB28EC20E672

Function 00204EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,002043BF,00000000), ref: 00204FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00204FD2

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 0311d5bcdce4f735cb4b57839db05410e4d81a0f34067f9a441666df39d4cb18
Instruction ID: d0cc205e9cd98d844fe5fd295eaf022f083868c7b6912ca7169a77afd71ef37d
Opcode Fuzzy Hash: 0311d5bcdce4f735cb4b57839db05410e4d81a0f34067f9a441666df39d4cb18
Instruction Fuzzy Hash: 9B41F9B1514306BFEB20AE90DC85EBF77BDEB40754F10402EF705A65C2DBB19E519A60

Function 001B77B0 Relevance: 4.6, APIs: 1, Strings: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 001B7921

Strings

\Q&, xrefs: 00231028

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: _memmove
String ID: \Q&
API String ID: 4104443479-3947554606
Opcode ID: e884bb9ed935ad2d1ce6cc32cff945600a4c4f51bd6c095d61a6d7b2bf82aca3
Instruction ID: 46a9adba9e1889839c8ea862b5a818898f56b705545aa733dc4df2ad98e08e24
Opcode Fuzzy Hash: e884bb9ed935ad2d1ce6cc32cff945600a4c4f51bd6c095d61a6d7b2bf82aca3
Instruction Fuzzy Hash: 6FA24B70A1421ADFDB28CF68C5806EDBBB1FF88314F2581A9D859AB390D7349E91DF50

Function 001FE1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001FE20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 001FE267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 001FE2B4

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 00dd366e8f9591a701c48ef86a417732e86058c442fb2cd590a0cc2a1804e7ed
Instruction ID: 41dc01ce035a0a71e902f42612db3dcb6779d7fb8e6ee9eecd8ddf3704b0fd93
Opcode Fuzzy Hash: 00dd366e8f9591a701c48ef86a417732e86058c442fb2cd590a0cc2a1804e7ed
Instruction Fuzzy Hash: DC213C35A00518EFCB00EFA5E885EADFBF8FF59310F0484A9E945A7251DB319915CB54

Function 001EB134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 001CF4EA: std::exception::exception.LIBCMT ref: 001CF51E
Part of subcall function 001CF4EA: __CxxThrowException@8.LIBCMT ref: 001CF533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001EB180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001EB1AD
GetLastError.KERNEL32 ref: 001EB1BA

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 4626aa4bd72015877e048662aa95265d16f6cdf5c9736b367f7a7bafd1983723
Instruction ID: 1cfd2657ab6275f5c3b5c5885cda57ebc3179a380c47becee5c88cfe9577e3d2
Opcode Fuzzy Hash: 4626aa4bd72015877e048662aa95265d16f6cdf5c9736b367f7a7bafd1983723
Instruction Fuzzy Hash: A6118CB2508605AFE718AF65ECC9D6BB7BDEB54720B20852EE45697240DB70FC428A60

Function 001F6606 Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001F6623
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 001F6664
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001F666F

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 6771b2d2ab96363dc2ae1bada771fb9d4f76f8eb81d1e5d17be0a9d6c60695b9
Instruction ID: 8aa411808832f5087dc8d1b71b81e8efdba57291fb1c0d28ea6b654232e760df
Opcode Fuzzy Hash: 6771b2d2ab96363dc2ae1bada771fb9d4f76f8eb81d1e5d17be0a9d6c60695b9
Instruction Fuzzy Hash: 2B111EB1E01228BFDB108FA5EC45BBEBBBCEB45B10F104156F904E7290D7B05E059BA5

Function 001F71FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 001F7223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001F723A
FreeSid.ADVAPI32(?), ref: 001F724A

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: c35da37a5ab4c882cd189080130bdd9b9289ae89a0e1e2025ddd0f5cb862a285
Instruction ID: 7648a8e83486ed4c85151f069e0b0db06eb6b2da20976123314eea4799db3814
Opcode Fuzzy Hash: c35da37a5ab4c882cd189080130bdd9b9289ae89a0e1e2025ddd0f5cb862a285
Instruction Fuzzy Hash: 6BF01279914219BFDF04DFF4ED89AEDBBB8EF08701F104469A602E2191E37056448B10

Function 001FF56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001FF599
FindClose.KERNEL32(00000000), ref: 001FF5C9

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 366d0b53370addb19df08c32cab432da3a34eb8a5980951f5516f3d2e585a09a
Instruction ID: 85034f20cfff8ef91ba4a19abbee6095554daedde43426e133fbd73214a3b799
Opcode Fuzzy Hash: 366d0b53370addb19df08c32cab432da3a34eb8a5980951f5516f3d2e585a09a
Instruction Fuzzy Hash: 6E1161716046049FD710EF28D849A2EF7E9FF95324F048A1EF9A9D7291DB70E9018B85

Function 001FCE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0020BE6A,?,?,00000000,?), ref: 001FCEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0020BE6A,?,?,00000000,?), ref: 001FCEB9

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 357a7c27b4426ea97b747ed56fa3e23136c3c62879083ee67aebd9b5d0135546
Instruction ID: fe86b2cce32024c74498c0679988c5964095b641fcdbed8b1ab85d270597ff80
Opcode Fuzzy Hash: 357a7c27b4426ea97b747ed56fa3e23136c3c62879083ee67aebd9b5d0135546
Instruction Fuzzy Hash: 1EF0823110022DEBDB10ABA4EC49FFA776DBF08351F004165F915D6182D730DA54DBA1

Function 001F411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 001F4153
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 001F4166

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 281608089b538d9c4e97880fa35bfd8544275377e598cc28975e9ee9bd914ebb
Instruction ID: 06abed09c92bec4af575dd97502a62ef31fcdaf0444000d953ad98fde0e166b9
Opcode Fuzzy Hash: 281608089b538d9c4e97880fa35bfd8544275377e598cc28975e9ee9bd914ebb
Instruction Fuzzy Hash: F3F0677080424DAFDB058FA0D809BBEBBB0EF00305F04800AF966A6192D77996129FA0

Function 001EAB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001EACC0), ref: 001EAB99
CloseHandle.KERNEL32(?,?,001EACC0), ref: 001EABAB

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: f1ac7526a3cf1f28b44c96619a132fb557d6f4eb520dfb9470fa6284408a1675
Instruction ID: f5c4d5d3c702137b3f6969a3c600736c4409f4e3cbf88ae7f3c1cdba05d44f70
Opcode Fuzzy Hash: f1ac7526a3cf1f28b44c96619a132fb557d6f4eb520dfb9470fa6284408a1675
Instruction Fuzzy Hash: 60E0E671004510AFE7252F55FC0DDB777EAEF14321710846DF55AC1470D762AC91DB50

Function 001D81AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,001D6DB3,-0000031A,?,?,00000001), ref: 001D81B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 001D81BA

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9137069fa6a32e858405bf66ad98d6c31966f905f19e94b8bc7bcbc7c3ce2cc8
Instruction ID: 76a0693f32e7fb89c0feff4c7210bdaa46b277a5b290596cacd8d7aaa2afb16d
Opcode Fuzzy Hash: 9137069fa6a32e858405bf66ad98d6c31966f905f19e94b8bc7bcbc7c3ce2cc8
Instruction Fuzzy Hash: 35B09231084608ABDB002BA1FC0DB987F68EB08652F004090F60D450618B7258208E92

Function 001DD1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6bfbca25df9296b1f296fb69af09291b2e78599872df335e8f99eda527b10df
Instruction ID: 8156c8de48028436e22a63e01c73794cc46c6d8263b047ad12aed91c45464449
Opcode Fuzzy Hash: a6bfbca25df9296b1f296fb69af09291b2e78599872df335e8f99eda527b10df
Instruction Fuzzy Hash: 3A322522D28F014DD7279639E836335A298AFB73C4F55D727F819B5EA6EB29C4C34100

Function 001B96C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 8b15c3b41769d7b4a8e4aaf36c151bcfd5797913af596e4c65f5b0544da81b91
Instruction ID: 7604f98b3e78ff8d6c21b4a23705078128d127655b21f379e0454eb5780b0a86
Opcode Fuzzy Hash: 8b15c3b41769d7b4a8e4aaf36c151bcfd5797913af596e4c65f5b0544da81b91
Instruction Fuzzy Hash: 0622BC716083119FD728DF24C890BAFB7E4BF94314F20491DFA9A9B291DB71E945CB82

Function 001E038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a76328dfac65d1e1c857f9149e8d0e7aea67ba35595ec21eb851bee5ad94ddd6
Instruction ID: a5bff43092781b41fbf53fd3c4a211ba4cc1847a61e3259fc8c8c6d23e1f7098
Opcode Fuzzy Hash: a76328dfac65d1e1c857f9149e8d0e7aea67ba35595ec21eb851bee5ad94ddd6
Instruction Fuzzy Hash: A1B11224D2AF504ED32396399835336B75CAFBB2D5F92E71BFC5A74D22EB2185834180

Function 001FB6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 001FB6DF

Part of subcall function 001D344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,001FBDC3,00000000,?,?,?,?,001FBF70,00000000,?), ref: 001D3453
Part of subcall function 001D344A: __aulldiv.LIBCMT ref: 001D3473

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 32c423fc96f8ab5bd2ebd4c2804eebfa3916cc783f436119374809c5287dbb79
Instruction ID: 9e3b8e76edfcd191172a78171a18be1638a7c3def2601d0aa6c8cb550f9b1238
Opcode Fuzzy Hash: 32c423fc96f8ab5bd2ebd4c2804eebfa3916cc783f436119374809c5287dbb79
Instruction Fuzzy Hash: 162175766345108BC729CF28D481A52B7E1EB95310B248E6DE4E5CF2C0CB74B945DB94

Function 00206AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00206ACA

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 25a6bb44370ea304eeba2aea59f96970c8f4bab0699ea33bb296e9176b242bfe
Instruction ID: 0706d62b88bc3dbcf4fafee0ce04b93fde246145fbcb9905a1d9f5a02b8a6b44
Opcode Fuzzy Hash: 25a6bb44370ea304eeba2aea59f96970c8f4bab0699ea33bb296e9176b242bfe
Instruction Fuzzy Hash: B6E048353102046FC700EF69E409D96B7EDAF74761F04C456F945D7291DBB0F8148B90

Function 001F74BB Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 001F74DE

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 468e9f187cdcf86c9e03aa84113c3a05e6814dcdc7bbf839a0d00ce2a4f92563
Instruction ID: e583fa628f9e96625ffb6b397c5a6b3e198ebac4427f72f60d2cd37c2a21c680
Opcode Fuzzy Hash: 468e9f187cdcf86c9e03aa84113c3a05e6814dcdc7bbf839a0d00ce2a4f92563
Instruction Fuzzy Hash: 3FD09EA566C70D79ED2D47249C2FF761949F3007C1FD59189B782C94C1BA9058459132

Function 001EB106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,001EAD3E), ref: 001EB124

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: f917620caa012fec3771a9e23026004aba72b1d1b6ca68e260b50a70c1542ec2
Instruction ID: 6139131ebe9a7a4d83b6bab257d436aed2165e8f5536ed472adb1ad2b002600f
Opcode Fuzzy Hash: f917620caa012fec3771a9e23026004aba72b1d1b6ca68e260b50a70c1542ec2
Instruction Fuzzy Hash: 3DD05E320A460EAEDF024FA4EC06EAE3F6AEB04B00F408110FA11C50A0C771D531AB50

Function 0022B340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 0022B352

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: fb08ec5d278617b028a2e3aafd90039a2de717b4c1c2e97575987faee2fa4708
Instruction ID: d86625e420071419a9763d6e9e18c3a6b26d8792d45be1712f479feb6a725030
Opcode Fuzzy Hash: fb08ec5d278617b028a2e3aafd90039a2de717b4c1c2e97575987faee2fa4708
Instruction Fuzzy Hash: 58C04CB1410119DFC755DBC0E948AEEB7BCAB04701F104092A105F1110D7709B459B72

Function 001D8189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 001D818F

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 338780f79de9aa128bc3b86aa4ddd1102e120674afdbc1cfc23058e5b55a448e
Instruction ID: fcb222ee69e47c4a5b11738f71680e8cc2938d77c5e0471738a27212f7af3daa
Opcode Fuzzy Hash: 338780f79de9aa128bc3b86aa4ddd1102e120674afdbc1cfc23058e5b55a448e
Instruction Fuzzy Hash: ACA0113008020CABCF002B82FC088883F2CEA002A0B0000A0F80C000208B22A8208A82

Function 001BE3B0 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175c8c9f6e2e778943a3d0e6ca5ee5379dae819640c6247ea09914c1a3caca3a
Instruction ID: f80efbd7e335476ed2eab55a53e4ffa3e4d95544a7599236bf951f0e159c09e6
Opcode Fuzzy Hash: 175c8c9f6e2e778943a3d0e6ca5ee5379dae819640c6247ea09914c1a3caca3a
Instruction Fuzzy Hash: FF22BC74A0421ADFDB28DF58C480BEAB7F1FF28304F148169E95A9B351E735AD81CB91

Function 001B93F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab8bd02f113219485627776fe64dee32aa5786c72adbc7198fb2b81ca424ca2e
Instruction ID: 4cb56ecd90748d29d2565f8bee4c1be27250c2534e5f7ed2be16f1ef745d8d82
Opcode Fuzzy Hash: ab8bd02f113219485627776fe64dee32aa5786c72adbc7198fb2b81ca424ca2e
Instruction Fuzzy Hash: E1127C70A00619EFDF14DFA9D985AEEB7F5FF58300F108529E806E7250EB36A925CB50

Function 001BAF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: a1c06164b5c51892b21d13a074a1f03f905f0e5c92c20203f5315362e28c863d
Instruction ID: b8a28fc02ee51098849e0f59fac5fe4c4cf30b24d58e9d478229398f11045463
Opcode Fuzzy Hash: a1c06164b5c51892b21d13a074a1f03f905f0e5c92c20203f5315362e28c863d
Instruction Fuzzy Hash: CD02C270A00109EFDF18DF68E991AAEB7B5FF58300F108069F806DB255EB75DA25CB91

Function 001D02A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 75768e47c5fbb9333690a65d381bb6cecca79991e8b1103da2a72b72593e76ff
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 66C1B8322051970ADF2E463AC474A3EFBA15EA17B171B076ED8B3CB6D5EF20C525D620

Function 001D06D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: e665a31469d2cfea71624fd65b7d8378e4f5ea2f3efe07216620096bc9c23c48
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: F2C1C43320519709DF2E463AC43463EBBA15AA2BB571B076ED4B3CF6D5EF20D524D620

Function 001CFA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 85131109547c998569e1799409f0072f9537de0b0e485cb5551a98449f8b1589
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 52C1803220509709DF2D463AC474A3EBBA25AB2BB131B177DD4B3CB5D5EF20C566D620

Function 0020A2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0020A2FE
DeleteObject.GDI32(00000000), ref: 0020A310
DestroyWindow.USER32 ref: 0020A31E
GetDesktopWindow.USER32 ref: 0020A338
GetWindowRect.USER32(00000000), ref: 0020A33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0020A480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0020A490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0020A4D8
GetClientRect.USER32(00000000,?), ref: 0020A4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0020A51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0020A540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0020A553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0020A55E
GlobalLock.KERNEL32(00000000), ref: 0020A567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0020A576
GlobalUnlock.KERNEL32(00000000), ref: 0020A57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0020A586
GlobalFree.KERNEL32(00000000), ref: 0020A591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0020A5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0023D9BC,00000000), ref: 0020A5B9
GlobalFree.KERNEL32(00000000), ref: 0020A5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0020A5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0020A60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0020A630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0020A81D

Strings

static, xrefs: 0020A518, 0020A66F
DISPLAY, xrefs: 0020A680
, xrefs: 0020A7A3
AutoIt v3, xrefs: 0020A4D0

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 3b56aa135490a8bf709fe74f0d4af9fb046ef02239be943732f5cc35a4a5538f
Instruction ID: 872fd506f308a289458c566d6c1985045b634bbcb95845250e4b791dff71ba51
Opcode Fuzzy Hash: 3b56aa135490a8bf709fe74f0d4af9fb046ef02239be943732f5cc35a4a5538f
Instruction Fuzzy Hash: E8028B75910205EFDB14DFA8ED89EAEBBB9FF48310F008158F915AB2A1D770AD51CB60

Function 0021D285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0021D2DB
GetSysColorBrush.USER32(0000000F), ref: 0021D30C
GetSysColor.USER32(0000000F), ref: 0021D318
SetBkColor.GDI32(?,000000FF), ref: 0021D332
SelectObject.GDI32(?,00000000), ref: 0021D341
InflateRect.USER32(?,000000FF,000000FF), ref: 0021D36C
GetSysColor.USER32(00000010), ref: 0021D374
CreateSolidBrush.GDI32(00000000), ref: 0021D37B
FrameRect.USER32(?,?,00000000), ref: 0021D38A
DeleteObject.GDI32(00000000), ref: 0021D391
InflateRect.USER32(?,000000FE,000000FE), ref: 0021D3DC
FillRect.USER32(?,?,00000000), ref: 0021D40E
GetWindowLongW.USER32(?,000000F0), ref: 0021D439

Part of subcall function 0021D575: GetSysColor.USER32(00000012), ref: 0021D5AE
Part of subcall function 0021D575: SetTextColor.GDI32(?,?), ref: 0021D5B2
Part of subcall function 0021D575: GetSysColorBrush.USER32(0000000F), ref: 0021D5C8
Part of subcall function 0021D575: GetSysColor.USER32(0000000F), ref: 0021D5D3
Part of subcall function 0021D575: GetSysColor.USER32(00000011), ref: 0021D5F0
Part of subcall function 0021D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0021D5FE
Part of subcall function 0021D575: SelectObject.GDI32(?,00000000), ref: 0021D60F
Part of subcall function 0021D575: SetBkColor.GDI32(?,00000000), ref: 0021D618
Part of subcall function 0021D575: SelectObject.GDI32(?,?), ref: 0021D625
Part of subcall function 0021D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0021D644
Part of subcall function 0021D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0021D65B
Part of subcall function 0021D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0021D670
Part of subcall function 0021D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0021D698

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: a035e233599f3de4517903173adcff1ff5998fab3a1be1ec00395e2af38e501e
Instruction ID: 267568d9bf342145c9ce3e79168a495f1be0663d01be09e035d0f7630c032a19
Opcode Fuzzy Hash: a035e233599f3de4517903173adcff1ff5998fab3a1be1ec00395e2af38e501e
Instruction Fuzzy Hash: 65918D72408301FFCB109F64EC48AABBBE9FB85325F500A19F9A6961A0C771E955CF52

Function 001CB8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 001CB98B
DeleteObject.GDI32(00000000), ref: 001CB9CD
DeleteObject.GDI32(00000000), ref: 001CB9D8
DestroyIcon.USER32(00000000), ref: 001CB9E3
DestroyWindow.USER32(00000000), ref: 001CB9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 0022D2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0022D2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0022D711

Part of subcall function 001CB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,001CB759,?,00000000,?,?,?,?,001CB72B,00000000,?), ref: 001CBA58

SendMessageW.USER32 ref: 0022D758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0022D76F
ImageList_Destroy.COMCTL32(00000000), ref: 0022D785
ImageList_Destroy.COMCTL32(00000000), ref: 0022D790

Strings

0, xrefs: 0022D5A5

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 5f0bd9bb78bf72e276633e14766827e8da650d237176b1a55217dc91b5e53a12
Instruction ID: 2fe85e4b6060ef25292482dcb3a1cefeaf6ea13a1cc46359de087efcbc1251aa
Opcode Fuzzy Hash: 5f0bd9bb78bf72e276633e14766827e8da650d237176b1a55217dc91b5e53a12
Instruction Fuzzy Hash: F612AC70614222EFDB24DF68E889BA9B7E5FF14304F14456DE989CB262C731EC61CB91

Function 001FDBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001FDBD6
GetDriveTypeW.KERNEL32(?,0024DC54,?,\\.\,0024DC00), ref: 001FDCC3
SetErrorMode.KERNEL32(00000000,0024DC54,?,\\.\,0024DC00), ref: 001FDE29

Strings

Network, xrefs: 001FDD01
MMC, xrefs: 001FDDE7
CDROM, xrefs: 001FDCF7
SSD, xrefs: 001FDD50
SSA, xrefs: 001FDDAF
RAMDisk, xrefs: 001FDCED
Fibre, xrefs: 001FDDB6
Fixed, xrefs: 001FDD0B
Removable, xrefs: 001FDD15
ATAPI, xrefs: 001FDD9A
SAS, xrefs: 001FDDD2
iSCSI, xrefs: 001FDDCB
1394, xrefs: 001FDDA8
SATA, xrefs: 001FDDD9
Unknown, xrefs: 001FDCE3, 001FDD8C
ATA, xrefs: 001FDDA1
FileBackedVirtual, xrefs: 001FDDF5
PhysicalDrive, xrefs: 001FDC67
RAID, xrefs: 001FDDC4
SCSI, xrefs: 001FDD93
Virtual, xrefs: 001FDDEE
\\.\, xrefs: 001FDC2B
USB, xrefs: 001FDDBD

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 3aa048045d03b2b74150f1c65996df7c19cd88fbf3e387a218c13aa6043c82a8
Instruction ID: 726f48ccc5db7c72875fafe9e6625fd9c0acd229f7e3e018c5e780a419ecbb56
Opcode Fuzzy Hash: 3aa048045d03b2b74150f1c65996df7c19cd88fbf3e387a218c13aa6043c82a8
Instruction Fuzzy Hash: 8D51F93021830AEBC308DF60E881979B7A2FBA6744B14495EF607D72D1DB70D996D742

Function 001BCC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 001BCC68
__wcsnicmp.LIBCMT ref: 001BCC80
__wcsnicmp.LIBCMT ref: 001BCC98
__wcsnicmp.LIBCMT ref: 001BCCB0
__wcsnicmp.LIBCMT ref: 001BCCC8
__wcsnicmp.LIBCMT ref: 001BCCE0
__wcsnicmp.LIBCMT ref: 001BCCF8
__wcsnicmp.LIBCMT ref: 001BCD0C
__wcsnicmp.LIBCMT ref: 001BCD4D
__wcsnicmp.LIBCMT ref: 001BCD61
__wcsnicmp.LIBCMT ref: 001BCD75
__wcsnicmp.LIBCMT ref: 001BCD89

Strings

#OnAutoItStartRegister, xrefs: 001BCCAA
#pragma compile, xrefs: 001BCC62
#notrayicon, xrefs: 001BCC7A
#ce, xrefs: 001BCD83
Bad directive syntax error, xrefs: 00222ECB
#comments-start, xrefs: 001BCCF2, 001BCD47
Unterminated group of comments, xrefs: 00222FB4
#cs, xrefs: 001BCD06, 001BCD5B
#include, xrefs: 001BCCDA
#requireadmin, xrefs: 001BCC92
#include-once, xrefs: 001BCCC2
#comments-end, xrefs: 001BCD6F
Cannot parse #include, xrefs: 00222FA1

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 3c1ec8b60a13de85aba38c7523fde1c4d44774a8b063d400260e84da88745d1a
Instruction ID: ee05fbe89c9e895445506c266051438c243a1c240c0943ae38e32b9fe73bcf65
Opcode Fuzzy Hash: 3c1ec8b60a13de85aba38c7523fde1c4d44774a8b063d400260e84da88745d1a
Instruction Fuzzy Hash: 30812631640216BBDB25AEA4DD82FFE7B68AF35300F044029F905AB186EB61E965D2D1

Function 0021C6E9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0021C788
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0021C83E
SendMessageW.USER32(?,00001102,00000002,?), ref: 0021C859
SendMessageW.USER32(?,000000F1,?,00000000), ref: 0021CB15

Strings

0, xrefs: 0021C89C

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 9665f57dce962d9c800c618b8d9d86bcd0d7981a53379ceb0aa67dbafb3bd2a7
Instruction ID: 17bbba9329273171461e5978a06effb01b3724d9a3325ac484e4d01ea7ef7c3e
Opcode Fuzzy Hash: 9665f57dce962d9c800c618b8d9d86bcd0d7981a53379ceb0aa67dbafb3bd2a7
Instruction Fuzzy Hash: 41F1F678168302AFD7118F24D889BEABBE8FF65714F24051DF598D62A1C774C9A0CF91

Function 0021638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0024DC00), ref: 00216449

Strings

TABLEFT, xrefs: 002164A7
FINDSTRING, xrefs: 00216596
SENDCOMMANDID, xrefs: 002167CA
DELSTRING, xrefs: 00216569
SHOWDROPDOWN, xrefs: 00216500
GETSELECTED, xrefs: 002166C1
ISVISIBLE, xrefs: 00216455
TABRIGHT, xrefs: 002164BD
GETCURRENTSELECTION, xrefs: 00216603
GETCURRENTLINE, xrefs: 00216704
CURRENTTAB, xrefs: 002164DD
ISENABLED, xrefs: 0021648C
UNCHECK, xrefs: 002166A1
SELECTSTRING, xrefs: 00216626
GETCURRENTCOL, xrefs: 00216724
SETCURRENTSELECTION, xrefs: 002165D6
HIDEDROPDOWN, xrefs: 00216520
GETLINE, xrefs: 0021678B
ISCHECKED, xrefs: 00216659
CHECK, xrefs: 0021668B
GETLINECOUNT, xrefs: 002166E4
ADDSTRING, xrefs: 00216536
EDITPASTE, xrefs: 0021675B

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 100180b0882e3b6df6ec3a8a6297cb5d4745a1096261f94c72d375421fe41600
Instruction ID: c1108a3652f7b15fb4c005bd821ecb8c1e2ee04dddbe7225186cb8cf5542aef6
Opcode Fuzzy Hash: 100180b0882e3b6df6ec3a8a6297cb5d4745a1096261f94c72d375421fe41600
Instruction Fuzzy Hash: 48C194302242468BCB04EF10C555EAEB7E5AFB5344F14485DF89A5B2E2DB30ED9BCB85

Function 0021D575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0021D5AE
SetTextColor.GDI32(?,?), ref: 0021D5B2
GetSysColorBrush.USER32(0000000F), ref: 0021D5C8
GetSysColor.USER32(0000000F), ref: 0021D5D3
CreateSolidBrush.GDI32(?), ref: 0021D5D8
GetSysColor.USER32(00000011), ref: 0021D5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0021D5FE
SelectObject.GDI32(?,00000000), ref: 0021D60F
SetBkColor.GDI32(?,00000000), ref: 0021D618
SelectObject.GDI32(?,?), ref: 0021D625
InflateRect.USER32(?,000000FF,000000FF), ref: 0021D644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0021D65B
GetWindowLongW.USER32(00000000,000000F0), ref: 0021D670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0021D698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0021D6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 0021D6DD
DrawFocusRect.USER32(?,?), ref: 0021D6E8
GetSysColor.USER32(00000011), ref: 0021D6F6
SetTextColor.GDI32(?,00000000), ref: 0021D6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0021D712
SelectObject.GDI32(?,0021D2A5), ref: 0021D729
DeleteObject.GDI32(?), ref: 0021D734
SelectObject.GDI32(?,?), ref: 0021D73A
DeleteObject.GDI32(?), ref: 0021D73F
SetTextColor.GDI32(?,?), ref: 0021D745
SetBkColor.GDI32(?,?), ref: 0021D74F

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 9bb00eef1029eac24dda6ca0fecaa94d9cc5aea553f72db55a6149b6a28d10d2
Instruction ID: d604f2d4dfd54b3457a9f4ac02ff6e5933de9a02f8a66c59d6f11fafe67b548f
Opcode Fuzzy Hash: 9bb00eef1029eac24dda6ca0fecaa94d9cc5aea553f72db55a6149b6a28d10d2
Instruction Fuzzy Hash: 74513B71900218FFDF109FA8EC48EEEBBBAEB08320F204515F915AB2A1D7719A50DF50

Function 0021B6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0021B7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0021B7C1
CharNextW.USER32(0000014E), ref: 0021B7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0021B831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0021B847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0021B858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0021B875
SetWindowTextW.USER32(?,0000014E), ref: 0021B8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0021B8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 0021B90E
_memset.LIBCMT ref: 0021B933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0021B97C
_memset.LIBCMT ref: 0021B9DB
SendMessageW.USER32 ref: 0021BA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 0021BA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 0021BB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 0021BB2C
GetMenuItemInfoW.USER32(?), ref: 0021BB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0021BBA3
DrawMenuBar.USER32(?), ref: 0021BBB2
SetWindowTextW.USER32(?,0000014E), ref: 0021BBDA

Strings

0, xrefs: 0021BB4F

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 791eb237c06baee1ce9df080bb1e5418866ba69ec85c71e73260c6c4853047f2
Instruction ID: b096d80304f3286bf5c26c7f040253efa1af9c1ca3005a466903789a63a6f307
Opcode Fuzzy Hash: 791eb237c06baee1ce9df080bb1e5418866ba69ec85c71e73260c6c4853047f2
Instruction Fuzzy Hash: 24E1C471910209ABDF118F65DC89EEE7BBCFF25714F10815AF919AA190D7708AA1CF60

Function 001B2EC0 Relevance: 37.1, APIs: 8, Strings: 13, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001B2F7A
IsWindow.USER32(?), ref: 002222FD

Strings

TITLE, xrefs: 00222292
LAST, xrefs: 002220B6
REGEXPTITLE, xrefs: 002220F8
ACTIVE, xrefs: 002220CC
H+&, xrefs: 00222184
T+&, xrefs: 0022220E
L+&, xrefs: 002221B2
INSTANCE, xrefs: 0022223C
REGEXPCLASS, xrefs: 00222149
CLASS, xrefs: 00222128
ALL, xrefs: 00222264
HANDLE, xrefs: 002220E2
P+&, xrefs: 002221E0

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$H+&$HANDLE$INSTANCE$L+&$LAST$P+&$REGEXPCLASS$REGEXPTITLE$T+&$TITLE
API String ID: 62970417-1842488429
Opcode ID: 5ffdee075e186172e336d634a9dae380635847d8e5ed111fca74693d7d5f5f8a
Instruction ID: 4d61b89f6969faa54cf42308b7dec25df990d3227bb2b90754b768d829df2f71
Opcode Fuzzy Hash: 5ffdee075e186172e336d634a9dae380635847d8e5ed111fca74693d7d5f5f8a
Instruction Fuzzy Hash: 34D1B530114642FBCB04EFA0D881AAABBB4FF64344F404A1DF459575A1DB72E9AECB91

Function 0021764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0021778A
GetDesktopWindow.USER32 ref: 0021779F
GetWindowRect.USER32(00000000), ref: 002177A6
GetWindowLongW.USER32(?,000000F0), ref: 00217808
DestroyWindow.USER32(?), ref: 00217834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0021785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0021787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 002178A1
SendMessageW.USER32(?,00000421,?,?), ref: 002178B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 002178C9
IsWindowVisible.USER32(?), ref: 002178E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00217904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00217918
GetWindowRect.USER32(?,?), ref: 00217930
MonitorFromPoint.USER32(?,?,00000002), ref: 00217956
GetMonitorInfoW.USER32 ref: 00217970
CopyRect.USER32(?,?), ref: 00217987
SendMessageW.USER32(?,00000412,00000000), ref: 002179F2

Strings

tooltips_class32, xrefs: 00217856
(, xrefs: 00217965
0, xrefs: 00217735

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6c164b4eb8a3ac8248617a59eaae6ea5fcff2eda21f90d8753377fb5fab93f72
Instruction ID: d9b88e2c3d5d2a30c6eb3f157c191b964d08c893cbfff4846224c73458f60ddb
Opcode Fuzzy Hash: 6c164b4eb8a3ac8248617a59eaae6ea5fcff2eda21f90d8753377fb5fab93f72
Instruction Fuzzy Hash: 1DB1DB71618301AFDB04DF64D989BAABBF4FF98310F00891CF5999B291DB70E854CB92

Function 001F6CE9 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 001F6CFB
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 001F6D21
_wcscpy.LIBCMT ref: 001F6D4F
_wcscmp.LIBCMT ref: 001F6D5A
_wcscat.LIBCMT ref: 001F6D70
_wcsstr.LIBCMT ref: 001F6D7B
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 001F6D97
_wcscat.LIBCMT ref: 001F6DE0
_wcscat.LIBCMT ref: 001F6DE7
_wcsncpy.LIBCMT ref: 001F6E12

Strings

StringFileInfo\, xrefs: 001F6D6A
\VarFileInfo\Translation, xrefs: 001F6D8F
%u.%u.%u.%u, xrefs: 001F6E75
DefaultLangCodepage, xrefs: 001F6DFA
04090000, xrefs: 001F6DCD

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: d7f6e602743433ea8b318c43096461ebadbc0d9d2c5d50aad963d979374c4ce3
Instruction ID: 472092805b40a5afb1db076adf2c7faec4f28253a391f025879b18a2702ca165
Opcode Fuzzy Hash: d7f6e602743433ea8b318c43096461ebadbc0d9d2c5d50aad963d979374c4ce3
Instruction Fuzzy Hash: 4C41E572A04214BBEB05EB64DC47EBF777CEF65710F04006AFA01E6282EB74DA11D6A5

Function 001CA856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001CA939
GetSystemMetrics.USER32(00000007), ref: 001CA941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001CA96C
GetSystemMetrics.USER32(00000008), ref: 001CA974
GetSystemMetrics.USER32(00000004), ref: 001CA999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001CA9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 001CA9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 001CA9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 001CAA0D
GetClientRect.USER32(00000000,000000FF), ref: 001CAA2B
GetStockObject.GDI32(00000011), ref: 001CAA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 001CAA52

Part of subcall function 001CB63C: GetCursorPos.USER32(000000FF), ref: 001CB64F
Part of subcall function 001CB63C: ScreenToClient.USER32(00000000,000000FF), ref: 001CB66C
Part of subcall function 001CB63C: GetAsyncKeyState.USER32(00000001), ref: 001CB691
Part of subcall function 001CB63C: GetAsyncKeyState.USER32(00000002), ref: 001CB69F

SetTimer.USER32(00000000,00000000,00000028,001CAB87), ref: 001CAA79

Strings

AutoIt v3 GUI, xrefs: 001CA9F1

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: f72ffaa138f3361e3cfc96c5daa325e25c503931bc0426da88ffbae311530601
Instruction ID: 0152c61f545477c35cb5a500e8c2c5af0a1d9215639582c39b26c5dc5ea5567b
Opcode Fuzzy Hash: f72ffaa138f3361e3cfc96c5daa325e25c503931bc0426da88ffbae311530601
Instruction Fuzzy Hash: B4B15971A0020AAFDB14DFA8EC4AFAE7BB8EF18315F114219FA15A7290DB74D851CF51

Function 00213639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00213735
RegCreateKeyExW.ADVAPI32(?,?,00000000,0024DC00,00000000,?,00000000,?,?), ref: 002137A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 002137EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00213874
RegCloseKey.ADVAPI32(?), ref: 00213B94
RegCloseKey.ADVAPI32(00000000), ref: 00213BA1

Strings

REG_QWORD, xrefs: 00213AE2
REG_DWORD, xrefs: 00213A65
REG_EXPAND_SZ, xrefs: 00213811
REG_MULTI_SZ, xrefs: 0021395C
REG_SZ, xrefs: 002138B2
REG_BINARY, xrefs: 00213B2F

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: cd6c2f43d96502bc466f451ce236d4e91e3a15ea63ed35c12c06c581af7348c4
Instruction ID: e1e61de4e57faf7951b4e46e5ce1f82ee4d50d2cfb8f396807462f56c6fac028
Opcode Fuzzy Hash: cd6c2f43d96502bc466f451ce236d4e91e3a15ea63ed35c12c06c581af7348c4
Instruction Fuzzy Hash: 220279752146019FCB14EF24C885E6AB7E6FFA9720F04845DF98A9B3A1DB30ED51CB81

Function 00216BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00216C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00216D16

Strings

GETTEXT, xrefs: 00216CBF
ISSELECTED, xrefs: 00216D21
GETSELECTEDCOUNT, xrefs: 00216CF9
SELECT, xrefs: 00216DA8
SELECTINVERT, xrefs: 00216DDE
GETSELECTED, xrefs: 00216E3C
GETSUBITEMCOUNT, xrefs: 00216CA1
SELECTALL, xrefs: 00216D75
DESELECT, xrefs: 00216DFC
FINDITEM, xrefs: 00216E81
SELECTCLEAR, xrefs: 00216D8D
VIEWCHANGE, xrefs: 00216ECD
GETITEMCOUNT, xrefs: 00216C84

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 12096f4a86cc02c0555fbfba2ce076a6b52e55b6371f0ee6c786a421e139b11c
Instruction ID: 268be7dd6f91bf6cfa79248536daa5e7d3e2c95dd5267be67a867cbbe84e2591
Opcode Fuzzy Hash: 12096f4a86cc02c0555fbfba2ce076a6b52e55b6371f0ee6c786a421e139b11c
Instruction Fuzzy Hash: E3A18F302242419BCB18EF20D956EAEB3E5BF74314F14496DF89A5B2D2DB31EC56CB81

Function 001ECF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 001ECF91
__swprintf.LIBCMT ref: 001ED032
_wcscmp.LIBCMT ref: 001ED045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 001ED09A
_wcscmp.LIBCMT ref: 001ED0D6
GetClassNameW.USER32(?,?,00000400), ref: 001ED10D
GetDlgCtrlID.USER32(?), ref: 001ED15F
GetWindowRect.USER32(?,?), ref: 001ED195
GetParent.USER32(?), ref: 001ED1B3
ScreenToClient.USER32(00000000), ref: 001ED1BA
GetClassNameW.USER32(?,?,00000100), ref: 001ED234
_wcscmp.LIBCMT ref: 001ED248
GetWindowTextW.USER32(?,?,00000400), ref: 001ED26E
_wcscmp.LIBCMT ref: 001ED282

Strings

%s%u, xrefs: 001ED02C

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 804f922b33694a9cb355af682e6cb1586df4a6b8adfb063a95cbe04dc85d4241
Instruction ID: e0144eb2f06734d829a675ba361530dda85a201d7349c0717710a8d52e3da260
Opcode Fuzzy Hash: 804f922b33694a9cb355af682e6cb1586df4a6b8adfb063a95cbe04dc85d4241
Instruction Fuzzy Hash: 51A1E331604B46AFD718DF65E884FEEB7A8FF54350F00851AFAA9D2180DB30EA45CB91

Function 001ED8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 001ED8EB
_wcscmp.LIBCMT ref: 001ED8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 001ED924
CharUpperBuffW.USER32(?,00000000), ref: 001ED941
_wcscmp.LIBCMT ref: 001ED95F
_wcsstr.LIBCMT ref: 001ED970
GetClassNameW.USER32(00000018,?,00000400), ref: 001ED9A8
_wcscmp.LIBCMT ref: 001ED9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 001ED9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 001EDA28
_wcscmp.LIBCMT ref: 001EDA38
GetClassNameW.USER32(00000010,?,00000400), ref: 001EDA60
GetWindowRect.USER32(00000004,?), ref: 001EDAC9

Strings

@, xrefs: 001ED8C6
ThumbnailClass, xrefs: 001ED9B3, 001EDA33

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 930f749d98b4135a74b63cb9c292ae3a4ebf73e38f1b93bac12b9570ae2adc5c
Instruction ID: 610d3353a884aef03f36617f6453b3a740a18a70bf4ba134fd8fd17b395ea211
Opcode Fuzzy Hash: 930f749d98b4135a74b63cb9c292ae3a4ebf73e38f1b93bac12b9570ae2adc5c
Instruction Fuzzy Hash: 7681D4310087859FDB04DF11E885FAE7BE8EF94314F04846AFD899A096EB30DE45CBA1

Function 001ED6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 001ED753

Strings

LAST, xrefs: 001ED718
HANDLE=, xrefs: 001ED74C
[LAST, xrefs: 001ED800
ACTIVE, xrefs: 001ED72E
[ACTIVE, xrefs: 001ED740
[CLASS:, xrefs: 001ED7A3
[REGEXPTITLE:, xrefs: 001ED77B
ALL, xrefs: 001ED7E7
CLASSNAME=, xrefs: 001ED790
[ALL, xrefs: 001ED7F9
REGEXP=, xrefs: 001ED768
[HANDLE:, xrefs: 001ED75F

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: ee41bc7dc3ca138f50066e74308215f25119c8615382bc404f5a5b3b4194125e
Instruction ID: 19ebef54f0374b8d38e1c0af974182937e40200dbd13512e4460fd53ddb38411
Opcode Fuzzy Hash: ee41bc7dc3ca138f50066e74308215f25119c8615382bc404f5a5b3b4194125e
Instruction Fuzzy Hash: 98318D31A44A45EAEB18FB61EE43FEEB3759F31748F20002AF441B20D5EB51AE98C651

Function 001EEA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 001EEAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 001EEAC2
SetWindowTextW.USER32(?,?), ref: 001EEAD9
GetDlgItem.USER32(?,000003EA), ref: 001EEAEE
SetWindowTextW.USER32(00000000,?), ref: 001EEAF4
GetDlgItem.USER32(?,000003E9), ref: 001EEB04
SetWindowTextW.USER32(00000000,?), ref: 001EEB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 001EEB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 001EEB45
GetWindowRect.USER32(?,?), ref: 001EEB4E
SetWindowTextW.USER32(?,?), ref: 001EEBB9
GetDesktopWindow.USER32 ref: 001EEBBF
GetWindowRect.USER32(00000000), ref: 001EEBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 001EEC12
GetClientRect.USER32(?,?), ref: 001EEC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 001EEC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 001EEC6F

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 770d8991b4d07ecfb58ac1e81d1d5ad0439c9d110cc767d10b1fe0f8dccd3930
Instruction ID: f1002c9469c248de21ae87c6a7c6d240b6ea9121f000fca26887dabc723d4199
Opcode Fuzzy Hash: 770d8991b4d07ecfb58ac1e81d1d5ad0439c9d110cc767d10b1fe0f8dccd3930
Instruction Fuzzy Hash: D7515E71900B49EFDB209FA9ED8AF6EBBF9FF44704F004928E556A25A0D774A944CF10

Function 002079B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 002079C6
LoadCursorW.USER32(00000000,00007F00), ref: 002079D1
LoadCursorW.USER32(00000000,00007F03), ref: 002079DC
LoadCursorW.USER32(00000000,00007F8B), ref: 002079E7
LoadCursorW.USER32(00000000,00007F01), ref: 002079F2
LoadCursorW.USER32(00000000,00007F81), ref: 002079FD
LoadCursorW.USER32(00000000,00007F88), ref: 00207A08
LoadCursorW.USER32(00000000,00007F80), ref: 00207A13
LoadCursorW.USER32(00000000,00007F86), ref: 00207A1E
LoadCursorW.USER32(00000000,00007F83), ref: 00207A29
LoadCursorW.USER32(00000000,00007F85), ref: 00207A34
LoadCursorW.USER32(00000000,00007F82), ref: 00207A3F
LoadCursorW.USER32(00000000,00007F84), ref: 00207A4A
LoadCursorW.USER32(00000000,00007F04), ref: 00207A55
LoadCursorW.USER32(00000000,00007F02), ref: 00207A60
LoadCursorW.USER32(00000000,00007F89), ref: 00207A6B
GetCursorInfo.USER32(?), ref: 00207A7B

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: b7529f6dc044deb7a65d185141d0ed7c46501b57902efab519ff2bb19a285af0
Instruction ID: af3327514879f6ae0eac350c527a9a237ce5cccc4d795667a9c31d1cfb45aa87
Opcode Fuzzy Hash: b7529f6dc044deb7a65d185141d0ed7c46501b57902efab519ff2bb19a285af0
Instruction Fuzzy Hash: B03105B1E4831A6ADB109FB69C8995FBFE8FF04750F50452AE50DE7281DB78A5008FA1

Function 001BC833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 001CE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,001BC8B7,?,00002000,?,?,00000000,?,001B419E,?,?,?,0024DC00), ref: 001CE984

Part of subcall function 001B660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001B53B1,?,?,001B61FF,?,00000000,00000001,00000000), ref: 001B662F

__wsplitpath.LIBCMT ref: 001BC93E

Part of subcall function 001D1DFC: __wsplitpath_helper.LIBCMT ref: 001D1E3C

_wcscpy.LIBCMT ref: 001BC953
_wcscat.LIBCMT ref: 001BC968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 001BC978
SetCurrentDirectoryW.KERNEL32(?), ref: 001BCABE

Part of subcall function 001BB337: _wcscpy.LIBCMT ref: 001BB36F

Strings

AU3!, xrefs: 001BC90C
>>>AUTOIT SCRIPT<<<, xrefs: 0022311B
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00223098
Bad directive syntax error, xrefs: 00223429
Error opening the file, xrefs: 002230B4, 0022313D
EA06, xrefs: 002230C9
Unterminated string, xrefs: 00223470

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: bd5904afcf27364c2c6df0ac9d99044e681f34e72d65fd6fa389d446b0da2fd7
Instruction ID: 709a537b055532bbb9715b2c8bbf4ecdcd8d62f2f7413754e8ec2560774044d0
Opcode Fuzzy Hash: bd5904afcf27364c2c6df0ac9d99044e681f34e72d65fd6fa389d446b0da2fd7
Instruction Fuzzy Hash: 8812B171508341AFC724EF64D881AEFBBE5BFA9304F00491EF58993251DB30DA59CB92

Function 0021CE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0021CEFB
DestroyWindow.USER32(?,?), ref: 0021CF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0021CFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0021D016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0021D025
DestroyWindow.USER32(?), ref: 0021D042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,001B0000,00000000), ref: 0021D075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0021D094
GetDesktopWindow.USER32 ref: 0021D0A9
GetWindowRect.USER32(00000000), ref: 0021D0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0021D0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0021D0DA

Part of subcall function 001CB526: GetWindowLongW.USER32(?,000000EB), ref: 001CB537

Strings

0, xrefs: 0021CF1B
tooltips_class32, xrefs: 0021CFED, 0021D06E

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: 56535cf470ca8213e31e367598fdce49da78b55d355e2e893861da4eac4fda75
Instruction ID: 99ae5333573ed69a39b7794b23435f153c5e956e3c05d14f882bdc9cb9f74961
Opcode Fuzzy Hash: 56535cf470ca8213e31e367598fdce49da78b55d355e2e893861da4eac4fda75
Instruction Fuzzy Hash: 9A71E070160306AFD724CF28EC89FA677E9EB9C704F14461DF985872A1D770E9A2CB12

Function 0021F351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 001CB34E: GetWindowLongW.USER32(?,000000EB), ref: 001CB35F

DragQueryPoint.SHELL32(?,?), ref: 0021F37A

Part of subcall function 0021D7DE: ClientToScreen.USER32(?,?), ref: 0021D807
Part of subcall function 0021D7DE: GetWindowRect.USER32(?,?), ref: 0021D87D
Part of subcall function 0021D7DE: PtInRect.USER32(?,?,0021ED5A), ref: 0021D88D

SendMessageW.USER32(?,000000B0,?,?), ref: 0021F3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0021F3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0021F411
_wcscat.LIBCMT ref: 0021F441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0021F458
SendMessageW.USER32(?,000000B0,?,?), ref: 0021F471
SendMessageW.USER32(?,000000B1,?,?), ref: 0021F488
SendMessageW.USER32(?,000000B1,?,?), ref: 0021F4AA
DragFinish.SHELL32(?), ref: 0021F4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0021F59C

Strings

@GUI_DRAGFILE, xrefs: 0021F54B
@GUI_DRAGID, xrefs: 0021F510
@GUI_DROPID, xrefs: 0021F4D1

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: a414622b33d342de630d68dbd578adc8da0765484f14b03ede710e1f4d578810
Instruction ID: f54df6d5bfe2d1239dd1e3ef751453c943b03fd55aec166953048e9306d533ea
Opcode Fuzzy Hash: a414622b33d342de630d68dbd578adc8da0765484f14b03ede710e1f4d578810
Instruction Fuzzy Hash: A8612B71108301AFC315DF64EC89E9BBBF8BF99710F004A1EF6A5921A1DB70D559CB52

Function 001FAAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 001FAB3D
VariantCopy.OLEAUT32(?,?), ref: 001FAB46
VariantClear.OLEAUT32(?), ref: 001FAB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001FAC40
__swprintf.LIBCMT ref: 001FAC70
VarR8FromDec.OLEAUT32(?,?), ref: 001FAC9C
VariantInit.OLEAUT32(?), ref: 001FAD4D
SysFreeString.OLEAUT32(00000016), ref: 001FADDF
VariantClear.OLEAUT32(?), ref: 001FAE35
VariantClear.OLEAUT32(?), ref: 001FAE44
VariantInit.OLEAUT32(00000000), ref: 001FAE80

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 001FAC6A
Default, xrefs: 001FACFD

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: aa71b4d1018670548d07de5d5360473c36ff337c9b57f169211ec90eb4d4f89e
Instruction ID: 9183ca96ad9e3702db2666c35e7818569a5c09b2065ed5f630d7c7dc647afae5
Opcode Fuzzy Hash: aa71b4d1018670548d07de5d5360473c36ff337c9b57f169211ec90eb4d4f89e
Instruction Fuzzy Hash: BBD1F3F1A04109DBCB289F65D885BBDB7B5FF05700F558099E60D9B281DB78EC40DBA2

Function 0021716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002171FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00217247

Strings

GETTEXT, xrefs: 00217382
UNCHECK, xrefs: 0021740B
GETTOTALCOUNT, xrefs: 0021722A
ISCHECKED, xrefs: 002173B2
SELECT, xrefs: 002173E0
CHECK, xrefs: 00217267
COLLAPSE, xrefs: 0021728D
EXPAND, xrefs: 002172E1
GETSELECTED, xrefs: 0021733F
GETITEMCOUNT, xrefs: 00217311
EXISTS, xrefs: 002172B0

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: b04801460e5009e1857b39f662e296179f3282831d54263ab37166a3f6bc59e7
Instruction ID: 109468dad1ee1a7d8f65602a0faae3797421e95a94100293e642f24c0b6bfb11
Opcode Fuzzy Hash: b04801460e5009e1857b39f662e296179f3282831d54263ab37166a3f6bc59e7
Instruction Fuzzy Hash: A59140342186019BCB04EF20C851AAEB7F5BFB4314F14485DF99A573A2DB70ED96CB85

Function 001ECB82 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,001ECF50), ref: 001ECE90

Strings

TEXT, xrefs: 001ECDC7
INSTANCE, xrefs: 001ECD9E
REGEXPCLASS, xrefs: 001ECC56
NAME, xrefs: 001ECCC2
CLASS, xrefs: 001ECC10
T+&, xrefs: 001ECD72
4+&, xrefs: 001ECC96
CLASSNN, xrefs: 001ECC33
L+&, xrefs: 001ECD14
P+&, xrefs: 001ECD43
H+&, xrefs: 001ECCE8

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ChildEnumWindows
String ID: 4+&$CLASS$CLASSNN$H+&$INSTANCE$L+&$NAME$P+&$REGEXPCLASS$T+&$TEXT
API String ID: 3555792229-4083848647
Opcode ID: e4aa09cd1a90eb728e65918cd89af993b03e741c7b9f9d803f18a1005dc2ff87
Instruction ID: 94336d28f9279dcb53952d003db9129a862a57b4a4665af59ec31c1271cca05d
Opcode Fuzzy Hash: e4aa09cd1a90eb728e65918cd89af993b03e741c7b9f9d803f18a1005dc2ff87
Instruction Fuzzy Hash: 37916630600986AACB18DF61CC82BEEFB75FF24344F548519E859A7151DF30A99ADBD0

Function 0021E4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0021E5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0021BEAF), ref: 0021E607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0021E647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0021E68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0021E6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0021BEAF), ref: 0021E6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0021E6DF
DestroyIcon.USER32(?,?,?,?,?,0021BEAF), ref: 0021E6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0021E70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0021E717

Part of subcall function 001D0FA7: __wcsicmp_l.LIBCMT ref: 001D1030

Strings

.dll, xrefs: 0021E564
.exe, xrefs: 0021E541
.icl, xrefs: 0021E521

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: faf9502fb0376065af2f84e2e64939041f08d267448e7c06f3ff0875ef082cb7
Instruction ID: 1f04cf0420ba744db0d612f7a0564324d7f95bb672a1a1a3f82bedf59ac43e0b
Opcode Fuzzy Hash: faf9502fb0376065af2f84e2e64939041f08d267448e7c06f3ff0875ef082cb7
Instruction Fuzzy Hash: E761CF71520215BAEF24DF64DC46FFE7BACBB28724F504105F915D61D0EBB099A0CBA0

Function 001FD219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 001B936C: __swprintf.LIBCMT ref: 001B93AB
Part of subcall function 001B936C: __itow.LIBCMT ref: 001B93DF

CharLowerBuffW.USER32(?,?), ref: 001FD292
GetDriveTypeW.KERNEL32 ref: 001FD2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001FD327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001FD35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001FD38C

Strings

open , xrefs: 001FD2EE
closed, xrefs: 001FD2A6, 001FD2AF
close, xrefs: 001FD298
type cdaudio alias cd wait, xrefs: 001FD30A
close cd wait, xrefs: 001FD377
wait, xrefs: 001FD349
open, xrefs: 001FD2B9
set cd door , xrefs: 001FD32D

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 9954937d4e78927493aebed2e13d3584b7873932c3a2e533f0f9026e53259d16
Instruction ID: 6d91f789b51488b0abad7612782ab20f2539839eda6d5e8d2370d7dce3265153
Opcode Fuzzy Hash: 9954937d4e78927493aebed2e13d3584b7873932c3a2e533f0f9026e53259d16
Instruction Fuzzy Hash: C2513A715042059FC700EF20D9819AEB7E5FFA9758F00485DF999672A1DB31EE06CB82

Function 001F26BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00223973,00000016,0000138C,00000016,?,00000016,0024DDB4,00000000,?), ref: 001F26F1
LoadStringW.USER32(00000000,?,00223973,00000016), ref: 001F26FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00223973,00000016,0000138C,00000016,?,00000016,0024DDB4,00000000,?,00000016), ref: 001F271C
LoadStringW.USER32(00000000,?,00223973,00000016), ref: 001F271F
__swprintf.LIBCMT ref: 001F276F
__swprintf.LIBCMT ref: 001F2780
_wprintf.LIBCMT ref: 001F2829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 001F2840

Strings

Line %d (File "%s"):, xrefs: 001F2769
Line %d:, xrefs: 001F277A
%s (%d) : ==> %s: %s %s, xrefs: 001F2824
^ ERROR, xrefs: 001F27D5
Error: , xrefs: 001F27F7

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: 8eb417f62ee808475a4802765de9534619d233e2e55d5f5d05123cbe6d89df42
Instruction ID: 95e92e3e3a651a865526c26b68827e3adab0118e78f46576c9a4d9d2c535b7e1
Opcode Fuzzy Hash: 8eb417f62ee808475a4802765de9534619d233e2e55d5f5d05123cbe6d89df42
Instruction Fuzzy Hash: 8B41507280021DBACB14FBE0DE86EEEB779AF65340F500065F60572092EB706F59CBA1

Function 001FD0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001FD0D8
__swprintf.LIBCMT ref: 001FD0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 001FD137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 001FD15C
_memset.LIBCMT ref: 001FD17B
_wcsncpy.LIBCMT ref: 001FD1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 001FD1EC
CloseHandle.KERNEL32(00000000), ref: 001FD1F7
RemoveDirectoryW.KERNEL32(?), ref: 001FD200
CloseHandle.KERNEL32(00000000), ref: 001FD20A

Strings

\??\%s, xrefs: 001FD0F4
:, xrefs: 001FD11B
\, xrefs: 001FD110

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: a986bb01b4bf01a731199a37d831f31675a64727b7aab07e071f8ae52cfb44fd
Instruction ID: 18d089d9ee7256c4746301ff0eb595416b551d9ec353c9272ccb4723663be511
Opcode Fuzzy Hash: a986bb01b4bf01a731199a37d831f31675a64727b7aab07e071f8ae52cfb44fd
Instruction Fuzzy Hash: 5C318FB6900109ABDB21DFA4EC49FFB77BDEF89740F1040B6FA09D2161EB7096458B24

Function 0021E731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0021BEF4,?,?), ref: 0021E754
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0021BEF4,?,?,00000000,?), ref: 0021E76B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0021BEF4,?,?,00000000,?), ref: 0021E776
CloseHandle.KERNEL32(00000000,?,?,?,?,0021BEF4,?,?,00000000,?), ref: 0021E783
GlobalLock.KERNEL32(00000000), ref: 0021E78C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0021BEF4,?,?,00000000,?), ref: 0021E79B
GlobalUnlock.KERNEL32(00000000), ref: 0021E7A4
CloseHandle.KERNEL32(00000000,?,?,?,?,0021BEF4,?,?,00000000,?), ref: 0021E7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0021BEF4,?,?,00000000,?), ref: 0021E7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,0023D9BC,?), ref: 0021E7D5
GlobalFree.KERNEL32(00000000), ref: 0021E7E5
GetObjectW.GDI32(00000000,00000018,?), ref: 0021E809
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0021E834
DeleteObject.GDI32(00000000), ref: 0021E85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0021E872

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: a6fff1874cc598cee74ca994c45b1116123173b06667e429476590fe2cfbe830
Instruction ID: 5b4620233ef839c0f39a776cc8790bced5b91666d8f355c2328d02e3a724ccc0
Opcode Fuzzy Hash: a6fff1874cc598cee74ca994c45b1116123173b06667e429476590fe2cfbe830
Instruction Fuzzy Hash: A3415775600205EFDB119F65EC8CEABBBB8EF89B11F118058F90A972A0C730AD51DB60

Function 002005F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0020076F
_wcscat.LIBCMT ref: 00200787
_wcscat.LIBCMT ref: 00200799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002007AE
SetCurrentDirectoryW.KERNEL32(?), ref: 002007C2
GetFileAttributesW.KERNEL32(?), ref: 002007DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 002007F4
SetCurrentDirectoryW.KERNEL32(?), ref: 00200806

Strings

*.*, xrefs: 00200845

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 290e9adf8032997384d794931426e0973b5a7f0232856a85d497541f8a5e9c07
Instruction ID: b0ddc215d34a6a8dc410ff9f9c46020c855adfa064cb9374338b0bc1507295f5
Opcode Fuzzy Hash: 290e9adf8032997384d794931426e0973b5a7f0232856a85d497541f8a5e9c07
Instruction Fuzzy Hash: CE81B6715243419FDB24DF64C485A6EB3E9BBD8300F14882EF489C7292EB75DD648B52

Function 0021EEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001CB34E: GetWindowLongW.USER32(?,000000EB), ref: 001CB35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0021EF3B
GetFocus.USER32 ref: 0021EF4B
GetDlgCtrlID.USER32(00000000), ref: 0021EF56
_memset.LIBCMT ref: 0021F081
GetMenuItemInfoW.USER32 ref: 0021F0AC
GetMenuItemCount.USER32(00000000), ref: 0021F0CC
GetMenuItemID.USER32(?,00000000), ref: 0021F0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0021F113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0021F15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0021F193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0021F1C8

Strings

0, xrefs: 0021F079

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: e1847adf05178b39745cdd26a95cb7cebf79dc43716dbcc4c9e98f7ec6268da1
Instruction ID: 44f0cd81bd87a5beb887064c859c55a910a38310a6d7f68934ab38ab4dccc23a
Opcode Fuzzy Hash: e1847adf05178b39745cdd26a95cb7cebf79dc43716dbcc4c9e98f7ec6268da1
Instruction Fuzzy Hash: D7819E71118302AFDB10CF14D984AABBBE9FF98314F00452EF9A897291D771D8A1CF92

Function 001EA867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001EABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 001EABD7
Part of subcall function 001EABBB: GetLastError.KERNEL32(?,001EA69F,?,?,?), ref: 001EABE1
Part of subcall function 001EABBB: GetProcessHeap.KERNEL32(00000008,?,?,001EA69F,?,?,?), ref: 001EABF0
Part of subcall function 001EABBB: HeapAlloc.KERNEL32(00000000,?,001EA69F,?,?,?), ref: 001EABF7
Part of subcall function 001EABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 001EAC0E

Part of subcall function 001EAC56: GetProcessHeap.KERNEL32(00000008,001EA6B5,00000000,00000000,?,001EA6B5,?), ref: 001EAC62
Part of subcall function 001EAC56: HeapAlloc.KERNEL32(00000000,?,001EA6B5,?), ref: 001EAC69
Part of subcall function 001EAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,001EA6B5,?), ref: 001EAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001EA8CB
_memset.LIBCMT ref: 001EA8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001EA8FF
GetLengthSid.ADVAPI32(?), ref: 001EA910
GetAce.ADVAPI32(?,00000000,?), ref: 001EA94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001EA969
GetLengthSid.ADVAPI32(?), ref: 001EA986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 001EA995
HeapAlloc.KERNEL32(00000000), ref: 001EA99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001EA9BD
CopySid.ADVAPI32(00000000), ref: 001EA9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001EA9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001EAA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001EAA2F

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 7e315d7dfbf78d988000e4172b5677bc0fb51670978bb35afa11a9930d5b531a
Instruction ID: a401d2f6d18b09a0cfb92dca0196e67c138b5f7eec06f7875408fa37e5adbca4
Opcode Fuzzy Hash: 7e315d7dfbf78d988000e4172b5677bc0fb51670978bb35afa11a9930d5b531a
Instruction Fuzzy Hash: 29518071900649AFDF14CFA1ED89EEEBB7AFF44700F448129F815AB290D770AA05CB61

Function 001FCC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 001FCCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 001FCCC5
__swprintf.LIBCMT ref: 001FCD1E
__swprintf.LIBCMT ref: 001FCD37
_wprintf.LIBCMT ref: 001FCDED
_wprintf.LIBCMT ref: 001FCE0B

Strings

Line %d (File "%s"):, xrefs: 001FCD18, 001FCD31
"%s" (%d) : ==> %s:, xrefs: 001FCE06
"%s" (%d) : ==> %s:%s%s, xrefs: 001FCDE8
^ ERROR, xrefs: 001FCD8F
Error: , xrefs: 001FCDB5

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: 8a483513f4dc06cc3ce3bf0fe5245c8e6da5f51276957830bc8e2a46f6fff8c7
Instruction ID: f1d4f0e573d6c8405484c833ce66e965514cc2979b8bf7f1c1d3276249cc4cb8
Opcode Fuzzy Hash: 8a483513f4dc06cc3ce3bf0fe5245c8e6da5f51276957830bc8e2a46f6fff8c7
Instruction Fuzzy Hash: 4351933190010DBACB15EBE4DE86EEEB779AF25340F100165F505721A2EB316F69DFA0

Function 001FCA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 001FCA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001FCAB0
__swprintf.LIBCMT ref: 001FCB09
__swprintf.LIBCMT ref: 001FCB22
_wprintf.LIBCMT ref: 001FCBCD
_wprintf.LIBCMT ref: 001FCBEB

Strings

Line %d (File "%s"):, xrefs: 001FCB03, 001FCB1C
"%s" (%d) : ==> %s:, xrefs: 001FCBE6
"%s" (%d) : ==> %s:%s%s, xrefs: 001FCBC8
^ ERROR , xrefs: 001FCB64
Error: , xrefs: 001FCB95

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: 994236e47934922011c9ab49a0f34c66dfd2eb8b7539a564722ae15bad46fb78
Instruction ID: c69c39965be7ed6e17f05700e6e30381471e305e3917ff89f990a343c4fa3134
Opcode Fuzzy Hash: 994236e47934922011c9ab49a0f34c66dfd2eb8b7539a564722ae15bad46fb78
Instruction Fuzzy Hash: 76518F3190010DBACB15EBE4DE86EEEB779AF25340F100065F505721A2EB316FA9DFA1

Function 00213C06 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00212BB5,?,?), ref: 00213C1D

Strings

HKCU, xrefs: 00213CF3
$E&, xrefs: 00213C36
HKEY_USERS, xrefs: 00213D04
HKLM, xrefs: 00213C81
HKEY_CURRENT_CONFIG, xrefs: 00213CC0
HKEY_CLASSES_ROOT, xrefs: 00213C96
HKU, xrefs: 00213D15
HKCR, xrefs: 00213CAB
HKEY_CURRENT_USER, xrefs: 00213CE2
HKEY_LOCAL_MACHINE, xrefs: 00213C6C
HKCC, xrefs: 00213CD1

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: BuffCharUpper
String ID: $E&$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-425661772
Opcode ID: 96db7146ec882f70b98f091296b54fd5cea072bf17dcfab0c6ffcc6f1c2f9eec
Instruction ID: 748ed6cbdef9fe7a53ba36c93523765edc06efcb88b91b9e3f8c85880349626a
Opcode Fuzzy Hash: 96db7146ec882f70b98f091296b54fd5cea072bf17dcfab0c6ffcc6f1c2f9eec
Instruction Fuzzy Hash: 2541467112024A8BDF04FF14E951AEB37A6BF72340F504459FC961B292EB70DEAACB50

Function 001F55BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001F55D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 001F5664
GetMenuItemCount.USER32(00271708), ref: 001F56ED
DeleteMenu.USER32(00271708,00000005,00000000,000000F5,?,?), ref: 001F577D
DeleteMenu.USER32(00271708,00000004,00000000), ref: 001F5785
DeleteMenu.USER32(00271708,00000006,00000000), ref: 001F578D
DeleteMenu.USER32(00271708,00000003,00000000), ref: 001F5795
GetMenuItemCount.USER32(00271708), ref: 001F579D
SetMenuItemInfoW.USER32(00271708,00000004,00000000,00000030), ref: 001F57D3
GetCursorPos.USER32(?), ref: 001F57DD
SetForegroundWindow.USER32(00000000), ref: 001F57E6
TrackPopupMenuEx.USER32(00271708,00000000,?,00000000,00000000,00000000), ref: 001F57F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001F5805

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: a810767cbc879442f4080c198f69c49a81db03bcb9ecc1e429157053cce95f03
Instruction ID: b398999f468e0651daf1aa8eef7e109f1c746e0e328f15cb4a99ae0c6eb34508
Opcode Fuzzy Hash: a810767cbc879442f4080c198f69c49a81db03bcb9ecc1e429157053cce95f03
Instruction Fuzzy Hash: C771E370640A0DBFEB259B55DC89FBABF66FF00368F640205F729AA1D1C7715810DB94

Function 001EA14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001EA1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001EA211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001EA22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001EA249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 001EA273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 001EA29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001EA2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001EA2AB

Strings

SOFTWARE\Classes\, xrefs: 001EA17D
\CLSID, xrefs: 001EA193
\IPC$, xrefs: 001EA1F3

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: 3ed53093802182304bdacab693a1d13df6bdaf59d3e964f2c8eac95331c0e061
Instruction ID: 5ade351d799708f10218732da62b9fc1e9345a6b04b23ca360c18b9fe585cd7a
Opcode Fuzzy Hash: 3ed53093802182304bdacab693a1d13df6bdaf59d3e964f2c8eac95331c0e061
Instruction Fuzzy Hash: D8410876C10629ABCB15EBA4EC95DEDB778BF14740F404069F901B31A1EB70AE15CB90

Function 001F67E9 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 001F67FD
__swprintf.LIBCMT ref: 001F680A

Part of subcall function 001D172B: __woutput_l.LIBCMT ref: 001D1784

FindResourceW.KERNEL32(?,?,0000000E), ref: 001F6834
LoadResource.KERNEL32(?,00000000), ref: 001F6840
LockResource.KERNEL32(00000000), ref: 001F684D
FindResourceW.KERNEL32(?,?,00000003), ref: 001F686D
LoadResource.KERNEL32(?,00000000), ref: 001F687F
SizeofResource.KERNEL32(?,00000000), ref: 001F688E
LockResource.KERNEL32(?), ref: 001F689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 001F68F9

Strings

5&, xrefs: 001F67F6

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID: 5&
API String ID: 1433390588-2483934167
Opcode ID: bea50d0af370e3b89196021244d3b6806c841744e4e20583774bef82d6c7c21b
Instruction ID: 8d5e36d9ba0635d26c83719d2a4502e3cc9b3457eb0cc7012d7c3d9fbac6754e
Opcode Fuzzy Hash: bea50d0af370e3b89196021244d3b6806c841744e4e20583774bef82d6c7c21b
Instruction Fuzzy Hash: 03316E7190021AAFDB119FA0ED59ABB7BA8FF08380F004429FE16E2151E734D961DBA0

Function 001F25B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,002236F4,00000010,?,Bad directive syntax error,0024DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 001F25D6
LoadStringW.USER32(00000000,?,002236F4,00000010), ref: 001F25DD
_wprintf.LIBCMT ref: 001F2610
__swprintf.LIBCMT ref: 001F2632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 001F26A1

Strings

Line %d (File "%s"):, xrefs: 001F2647
Line %d:, xrefs: 001F262C
Error: , xrefs: 001F266F
., xrefs: 001F2687
%s (%d) : ==> %s.: %s %s, xrefs: 001F260B

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: 3331cbf898b60217dfedacd4644f5a98372f21ffa992c113d31e50221afa5ede
Instruction ID: c24d1744393dd75e688e455f6f8561266368fd8018443290a902fec028601751
Opcode Fuzzy Hash: 3331cbf898b60217dfedacd4644f5a98372f21ffa992c113d31e50221afa5ede
Instruction Fuzzy Hash: 17215C3181021EBFCF11EB90DC4AFEE7B39BF29704F040456F915661A2EB71AA68DB50

Function 001F7AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001F7B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 001F7B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001F7B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 001F7B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 001F7B8C

Strings

alias PlayMe, xrefs: 001F7B1B
open , xrefs: 001F7AF1
close PlayMe, xrefs: 001F7B53, 001F7B80
play PlayMe, xrefs: 001F7B87
status PlayMe mode, xrefs: 001F7B3D
play PlayMe wait, xrefs: 001F7B76

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: 089a4f5547308b79bf5d33c31165c2773721bc0347da634555b3cf949c0f1015
Instruction ID: 6e2b62cd99826e8d3dc260e9a47438cd00ad8b366e3124d9988eb28a21ef43e9
Opcode Fuzzy Hash: 089a4f5547308b79bf5d33c31165c2773721bc0347da634555b3cf949c0f1015
Instruction Fuzzy Hash: 90118FB1A6026979D721F765DC8ADFFBA7CEBE3B10F000419B411A20D1EFA01A85C6A0

Function 001F778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 001F7794

Part of subcall function 001CDC38: timeGetTime.WINMM(?,75A4B400,002258AB), ref: 001CDC3C

Sleep.KERNEL32(0000000A), ref: 001F77C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 001F77E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 001F7806
SetActiveWindow.USER32 ref: 001F7825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001F7833
SendMessageW.USER32(00000010,00000000,00000000), ref: 001F7852
Sleep.KERNEL32(000000FA), ref: 001F785D
IsWindow.USER32 ref: 001F7869
EndDialog.USER32(00000000), ref: 001F787A

Strings

BUTTON, xrefs: 001F77F8

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 05f2f657bb96c4649d2b3f972d66786893a73d7a610621a8ff9e7108a7be6d75
Instruction ID: edef8abcfd1abcd82d1ea5c64326e58f58ee88c515147604c50645c36589c907
Opcode Fuzzy Hash: 05f2f657bb96c4649d2b3f972d66786893a73d7a610621a8ff9e7108a7be6d75
Instruction Fuzzy Hash: D6215E71604209AFE711AF60FC8DB363F6AFB45388F040168F60A861F2CB719D50EB65

Function 002002EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 001B936C: __swprintf.LIBCMT ref: 001B93AB
Part of subcall function 001B936C: __itow.LIBCMT ref: 001B93DF

CoInitialize.OLE32(00000000), ref: 0020034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 002003DE
SHGetDesktopFolder.SHELL32(?), ref: 002003F2
CoCreateInstance.OLE32(0023DA8C,00000000,00000001,00263CF8,?), ref: 0020043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 002004AD
CoTaskMemFree.OLE32(?,?), ref: 00200505
_memset.LIBCMT ref: 00200542
SHBrowseForFolderW.SHELL32(?), ref: 0020057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 002005A1
CoTaskMemFree.OLE32(00000000), ref: 002005A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 002005DF
CoUninitialize.OLE32(00000001,00000000), ref: 002005E1

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: dcb550cba647e19dccafc0a91d57c401957024cd81f70abd4e8bbf9216ef2f48
Instruction ID: f20b8656282e8c02c2915158580d9695e15e0561bfe410d752fa75ff6ae786f3
Opcode Fuzzy Hash: dcb550cba647e19dccafc0a91d57c401957024cd81f70abd4e8bbf9216ef2f48
Instruction Fuzzy Hash: E1B1D775A10209AFDB14DFA4D889EAEBBB9FF48304F1484A9F905EB251DB70ED41CB50

Function 001F2E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 001F2ED6
SetKeyboardState.USER32(?), ref: 001F2F41
GetAsyncKeyState.USER32(000000A0), ref: 001F2F61
GetKeyState.USER32(000000A0), ref: 001F2F78
GetAsyncKeyState.USER32(000000A1), ref: 001F2FA7
GetKeyState.USER32(000000A1), ref: 001F2FB8
GetAsyncKeyState.USER32(00000011), ref: 001F2FE4
GetKeyState.USER32(00000011), ref: 001F2FF2
GetAsyncKeyState.USER32(00000012), ref: 001F301B
GetKeyState.USER32(00000012), ref: 001F3029
GetAsyncKeyState.USER32(0000005B), ref: 001F3052
GetKeyState.USER32(0000005B), ref: 001F3060

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4e55191faa8f5b2da6bcde316cae9c828b2357fd97cf661c07c27ff26928a1fc
Instruction ID: 50853abd025246f74c35291c71ef72ea187610ec9fa19d09045fb04c3ceacda4
Opcode Fuzzy Hash: 4e55191faa8f5b2da6bcde316cae9c828b2357fd97cf661c07c27ff26928a1fc
Instruction Fuzzy Hash: F5519660A0879C29FB35EBA488517FABBB45F11344F08459AD7C2561C3DB649B8CC762

Function 001EED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 001EED1E
GetWindowRect.USER32(00000000,?), ref: 001EED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 001EED8E
GetDlgItem.USER32(?,00000002), ref: 001EED99
GetWindowRect.USER32(00000000,?), ref: 001EEDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 001EEE01
GetDlgItem.USER32(?,000003E9), ref: 001EEE0F
GetWindowRect.USER32(00000000,?), ref: 001EEE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 001EEE63
GetDlgItem.USER32(?,000003EA), ref: 001EEE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 001EEE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 001EEE9B

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: d37fd19b2a1d61a4310bfb36d75407a7e471117dc3ba70380b3af51c8d28a3ef
Instruction ID: 4bfb9fa4e7adac526288c2ac01042efc953e2fb02f30af8a3a3177ebf761bdb8
Opcode Fuzzy Hash: d37fd19b2a1d61a4310bfb36d75407a7e471117dc3ba70380b3af51c8d28a3ef
Instruction Fuzzy Hash: 71510371B00605AFDB18CF69ED8AAAEBBFAFB88700F148129F519D7290D7709D008B10

Function 001CB73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 001CB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,001CB759,?,00000000,?,?,?,?,001CB72B,00000000,?), ref: 001CBA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,001CB72B), ref: 001CB7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,001CB72B,00000000,?,?,001CB2EF,?,?), ref: 001CB88D
DestroyAcceleratorTable.USER32(00000000), ref: 0022D8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001CB72B,00000000,?,?,001CB2EF,?,?), ref: 0022D8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001CB72B,00000000,?,?,001CB2EF,?,?), ref: 0022D8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001CB72B,00000000,?,?,001CB2EF,?,?), ref: 0022D90A
DeleteObject.GDI32(00000000), ref: 0022D91C

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: f3ecd83af63aecc966ad6669fc57e1e190918588607cf33926719c672c0de283
Instruction ID: 39c7bf9bd6908518b441f0c5a6186dee4142fe86a3c4638df1fceb2e1460f170
Opcode Fuzzy Hash: f3ecd83af63aecc966ad6669fc57e1e190918588607cf33926719c672c0de283
Instruction Fuzzy Hash: 90618830524711DFDB299F68F88AB25B7B9FFA0711F15451DE48A86AA0C730E8E0CF80

Function 001CB40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 001CB526: GetWindowLongW.USER32(?,000000EB), ref: 001CB537

GetSysColor.USER32(0000000F), ref: 001CB438

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: f1948289afe34db111da8491d3b2341aedfa6196cfc97b2aafbebb003bfd2b3b
Instruction ID: a5039f0219b84621e7aa58c197f8790f8964279c00cab1b46b9735fe0d972298
Opcode Fuzzy Hash: f1948289afe34db111da8491d3b2341aedfa6196cfc97b2aafbebb003bfd2b3b
Instruction Fuzzy Hash: E541A430108150AFDB285F68F88AFB93B65AB15731F154259FDA6CE1E6D731CC42DB21

Function 001F690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 001F6923
_wcscpy.LIBCMT ref: 001F6934
__wsplitpath.LIBCMT ref: 001F6958
__wsplitpath.LIBCMT ref: 001F6979
_wcscpy.LIBCMT ref: 001F699B
_wcscpy.LIBCMT ref: 001F69B9
_wcscpy.LIBCMT ref: 001F69C7
_wcscat.LIBCMT ref: 001F69D6
_wcscat.LIBCMT ref: 001F6A2B
_wcscat.LIBCMT ref: 001F6A61
_wcscat.LIBCMT ref: 001F6A73

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 11c3389878693f9079647324b67577c2523ab6db711cb02a8acfab4f97d2caf6
Instruction ID: 1b5bb1fcd9532b7e2f1f2383f372483e0006b9cf2439e094dfe0fcec773fc0fe
Opcode Fuzzy Hash: 11c3389878693f9079647324b67577c2523ab6db711cb02a8acfab4f97d2caf6
Instruction Fuzzy Hash: B0413B7784511CAECF62EB90CC86DDA73BDEB58310F0041E7B659A2141EB70ABE88F50

Function 001FD76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(0024DC00,0024DC00,0024DC00), ref: 001FD7CE
GetDriveTypeW.KERNEL32(?,00263A70,00000061), ref: 001FD898
_wcscpy.LIBCMT ref: 001FD8C2

Strings

all, xrefs: 001FD7D4
cdrom, xrefs: 001FD7EA
fixed, xrefs: 001FD816
unknown, xrefs: 001FD859
removable, xrefs: 001FD800
network, xrefs: 001FD82C
ramdisk, xrefs: 001FD842

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 067b2227e9e3b5ae17a1a64975d1a5bf3bfd11a1dde7bd352dd6994db76c517f
Instruction ID: 71791e9b13b13507b1816e21b1d77d4c31a0247c756a4f41d41f0f9d84c16114
Opcode Fuzzy Hash: 067b2227e9e3b5ae17a1a64975d1a5bf3bfd11a1dde7bd352dd6994db76c517f
Instruction Fuzzy Hash: FA51C231104304AFC704EF14E882BBEB7A6FFA4354F50892DFA9A572A2DB71DD05CA42

Function 001B936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 001B93AB
__itow.LIBCMT ref: 001B93DF

Part of subcall function 001D1557: _xtow@16.LIBCMT ref: 001D1578

Strings

0x%p, xrefs: 00224CAD
True, xrefs: 00224C8C
%.15g, xrefs: 001B93A5
False, xrefs: 00224C93

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: e632f11fee4aeb3ee04be87af585edf6e4aeccd8dce2b174a9f1b64ddcdd2b3a
Instruction ID: 78c86723d5155451612f39b4d0f27afce6d7c7659cef5419ecf3f76910fea27a
Opcode Fuzzy Hash: e632f11fee4aeb3ee04be87af585edf6e4aeccd8dce2b174a9f1b64ddcdd2b3a
Instruction Fuzzy Hash: 0B410431514215ABDB28EF78E982FAAB3E4FF59300F20446FE54AC7291EB31D952CB10

Function 0021A1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0021A259
CreateCompatibleDC.GDI32(00000000), ref: 0021A260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0021A273
SelectObject.GDI32(00000000,00000000), ref: 0021A27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0021A286
DeleteDC.GDI32(00000000), ref: 0021A28F
GetWindowLongW.USER32(?,000000EC), ref: 0021A299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0021A2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0021A2B9

Strings

static, xrefs: 0021A1F1

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: c523e2b2044de7600a73bc964e3d9b6e82cee3c35d1c0458637714c3adfbd600
Instruction ID: 8d2e1975322dda7e52e9b6ea73b204c456f04ff84d920e5d50617764f04a57d6
Opcode Fuzzy Hash: c523e2b2044de7600a73bc964e3d9b6e82cee3c35d1c0458637714c3adfbd600
Instruction Fuzzy Hash: A9316C31111215ABDF215FB4EC49FEA3BADFF19760F110214FA29A60A0C735D861DBA5

Function 001F6F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001F6F1D
gethostname.WSOCK32(?,00000100), ref: 001F6F37
gethostbyname.WSOCK32(?), ref: 001F6F44
_wcscpy.LIBCMT ref: 001F6F6C
inet_ntoa.WSOCK32(?), ref: 001F6F8A
_strcat.LIBCMT ref: 001F6F98
_wcscpy.LIBCMT ref: 001F6FAF
WSACleanup.WSOCK32 ref: 001F6FBD
_wcscpy.LIBCMT ref: 001F6FCB

Strings

0.0.0.0, xrefs: 001F6F66

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: 2b8bb4336b5f762ae7f188d170675b14a387d89ccf2af6b53137635a1d646460
Instruction ID: 5a87b864a23c9bcbadd34028c4adfd784b6d464b9f587c6d4d5fe8438bb8df7c
Opcode Fuzzy Hash: 2b8bb4336b5f762ae7f188d170675b14a387d89ccf2af6b53137635a1d646460
Instruction Fuzzy Hash: 2E110672504219ABCB25AB70FC4EEEA77ACEF54720F00016AF245E6081EF70DE818B50

Function 001D500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001D5047

Part of subcall function 001D7C0E: __getptd_noexit.LIBCMT ref: 001D7C0E

__gmtime64_s.LIBCMT ref: 001D50E0
__gmtime64_s.LIBCMT ref: 001D5116
__gmtime64_s.LIBCMT ref: 001D5133
__allrem.LIBCMT ref: 001D5189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001D51A5
__allrem.LIBCMT ref: 001D51BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001D51DA
__allrem.LIBCMT ref: 001D51F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001D520F
__invoke_watson.LIBCMT ref: 001D5280

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: 96e32b6e8b6f6c638893d10a036300c70ab65d3c4e7622bc4439d01c664ae702
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: 1D71C672A00F16EBE714AE69CC51BAE73AAAF24764F14422BF511D7382E770DD448BD0

Function 001F4DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001F4DF8
GetMenuItemInfoW.USER32(00271708,000000FF,00000000,00000030), ref: 001F4E59
SetMenuItemInfoW.USER32(00271708,00000004,00000000,00000030), ref: 001F4E8F
Sleep.KERNEL32(000001F4), ref: 001F4EA1
GetMenuItemCount.USER32(?), ref: 001F4EE5
GetMenuItemID.USER32(?,00000000), ref: 001F4F01
GetMenuItemID.USER32(?,-00000001), ref: 001F4F2B
GetMenuItemID.USER32(?,?), ref: 001F4F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001F4FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001F4FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001F4FEB

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 5b107f686b357693a561d353e036bfd5aca09565f94b317b637ad2b558124f80
Instruction ID: e37658d8bf1effe469b0d4615bc9ee9e6eac11255facedd2831373b2ebc48433
Opcode Fuzzy Hash: 5b107f686b357693a561d353e036bfd5aca09565f94b317b637ad2b558124f80
Instruction Fuzzy Hash: B361A1B190024DAFDB21CFA8EC88ABF7BB9FB45318F140159FA46A7251D731AD45CB60

Function 00219C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00219C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00219C9B
GetWindowLongW.USER32(?,000000F0), ref: 00219CBF
_memset.LIBCMT ref: 00219CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00219CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00219D5A

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 6f7102fc1233c175d76cc512250058cebabdd2b934fca9fcb8dd58a04967e481
Instruction ID: 59c082ad7ea832f8103eb5feb5441d45562a53955d0539dfab8ec579b58677d2
Opcode Fuzzy Hash: 6f7102fc1233c175d76cc512250058cebabdd2b934fca9fcb8dd58a04967e481
Instruction Fuzzy Hash: B7617C75910208AFDB10DFA8DC81EEE77F8EF19704F14415AFA18A7291D770AAA2DF50

Function 001E94E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 001E94FE
SafeArrayAllocData.OLEAUT32(?), ref: 001E9549
VariantInit.OLEAUT32(?), ref: 001E955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 001E957B
VariantCopy.OLEAUT32(?,?), ref: 001E95BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 001E95D2
VariantClear.OLEAUT32(?), ref: 001E95E7
SafeArrayDestroyData.OLEAUT32(?), ref: 001E95F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001E95FD
VariantClear.OLEAUT32(?), ref: 001E960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001E961A

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 840b5b14196b184d63220054eada05bf3604f1abc543c6d54540082c4053e7bb
Instruction ID: c7a44392b8f980743ae93e86263b7a002d218f8658285dc9e2ebb605a17010d0
Opcode Fuzzy Hash: 840b5b14196b184d63220054eada05bf3604f1abc543c6d54540082c4053e7bb
Instruction Fuzzy Hash: D1416F75A00219AFCB01EFA5E848DDEBBB9FF18354F008069F505A3251DB30EA45CBA0

Function 0020BB08 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0020BB5C
VariantInit.OLEAUT32(?), ref: 0020BC2D
VariantInit.OLEAUT32(?), ref: 0020BD2E
VariantClear.OLEAUT32(?), ref: 0020BD38
VariantClear.OLEAUT32(?), ref: 0020BD99

Strings

h?&, xrefs: 0020BB2D
Null Object assignment in FOR..IN loop, xrefs: 0020BBBD, 0020BCEB, 0020BDA7
Incorrect Object type in FOR..IN loop, xrefs: 0020BD11
|?&, xrefs: 0020BB34

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?&$|?&
API String ID: 2862541840-3721328457
Opcode ID: cd59cffc8bcefcefe93fa53adcc9951a5b1d7e26e8f01fde0059664932d3e9ac
Instruction ID: db47fe06e30d873d298255f628b27194cb2ec6c66d99a605bc7d5b5d87970dc5
Opcode Fuzzy Hash: cd59cffc8bcefcefe93fa53adcc9951a5b1d7e26e8f01fde0059664932d3e9ac
Instruction Fuzzy Hash: 6A91AF71A20319AFDF31CFA4D848FAEB7B8EF55710F10855AF515AB282DB709950CBA0

Function 0020ADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 001B936C: __swprintf.LIBCMT ref: 001B93AB
Part of subcall function 001B936C: __itow.LIBCMT ref: 001B93DF

CoInitialize.OLE32 ref: 0020ADF6
CoUninitialize.OLE32 ref: 0020AE01
CoCreateInstance.OLE32(?,00000000,00000017,0023D8FC,?), ref: 0020AE61
IIDFromString.OLE32(?,?), ref: 0020AED4
VariantInit.OLEAUT32(?), ref: 0020AF6E
VariantClear.OLEAUT32(?), ref: 0020AFCF

Strings

Failed to create object, xrefs: 0020AE6C, 0020AF22
Invalid parameter, xrefs: 0020AEED
NULL Pointer assignment, xrefs: 0020AEA6

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: fbb7705491e387b6ac2fe677ee7cbdeef1d81dd24e36fa155cd317fa268ebc4b
Instruction ID: 199bab04ba2fbb519f9d4e37342d74ae98c322e079571fe6b39f94853a023e20
Opcode Fuzzy Hash: fbb7705491e387b6ac2fe677ee7cbdeef1d81dd24e36fa155cd317fa268ebc4b
Instruction Fuzzy Hash: 6861CE71228302AFD710EF64D888B6EB7E8AF48700F404819FA859B2D2C770ED54CB93

Function 00208107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00208168
inet_addr.WSOCK32(?,?,?), ref: 002081AD
gethostbyname.WSOCK32(?), ref: 002081B9
IcmpCreateFile.IPHLPAPI ref: 002081C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00208237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0020824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 002082C2
WSACleanup.WSOCK32 ref: 002082C8

Strings

Ping, xrefs: 002081EB

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: cedb13c92fce1e990bdc37299f4ed3fddf47d9ca43b903c5ab56eb144b4341ed
Instruction ID: de3f0e79ebf951af2249e6fd6b140ab11bee517425e00dca8311d9248f258511
Opcode Fuzzy Hash: cedb13c92fce1e990bdc37299f4ed3fddf47d9ca43b903c5ab56eb144b4341ed
Instruction Fuzzy Hash: 8A519E316147019FD720EF24DD49B6BBBE5AF58710F048829FA99DB2E2DB70E911CB41

Function 001FE389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001FE396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 001FE40C
GetLastError.KERNEL32 ref: 001FE416
SetErrorMode.KERNEL32(00000000,READY), ref: 001FE483

Strings

UNKNOWN, xrefs: 001FE43B
READONLY, xrefs: 001FE44E
NOTREADY, xrefs: 001FE442
READY, xrefs: 001FE45C
INVALID, xrefs: 001FE455

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 556b3f37d580dc39539755d44a5bfc3245c7d595c22c8cbfa2e81ff3c1333308
Instruction ID: 456c5152db0ec79c3c89a190ce73395ba89c2910329d3012cc4d1501a3c0b767
Opcode Fuzzy Hash: 556b3f37d580dc39539755d44a5bfc3245c7d595c22c8cbfa2e81ff3c1333308
Instruction Fuzzy Hash: 45316435A0020D9FDB05EFA8D945ABDB7F4EF55300F14806AFA15E72A1DB709A41CB91

Function 001EB907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 001EB98C
GetDlgCtrlID.USER32 ref: 001EB997
GetParent.USER32 ref: 001EB9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 001EB9B6
GetDlgCtrlID.USER32(?), ref: 001EB9BF
GetParent.USER32(?), ref: 001EB9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 001EB9DE

Strings

ComboBox, xrefs: 001EB911
ListBox, xrefs: 001EB949

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 1cf3ecfbf9b7247918963e8ea0bb24af6c148338241bd8b6451bdc6df397a7f5
Instruction ID: b2cb20ed006c597b775f27dcd14cc766d55a3faf35f38e4f859b2d5be9d0f30f
Opcode Fuzzy Hash: 1cf3ecfbf9b7247918963e8ea0bb24af6c148338241bd8b6451bdc6df397a7f5
Instruction Fuzzy Hash: 5521A4B4900104AFDB05ABA5ECC6EFEBBB9EF55300B100115F561972D2DB7598159F60

Function 001EB9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 001EBA73
GetDlgCtrlID.USER32 ref: 001EBA7E
GetParent.USER32 ref: 001EBA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 001EBA9D
GetDlgCtrlID.USER32(?), ref: 001EBAA6
GetParent.USER32(?), ref: 001EBAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 001EBAC5

Strings

ComboBox, xrefs: 001EB9FA
ListBox, xrefs: 001EBA32

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 1dfd42b7c09173160090820b36c380fe0050f9dd6a09d5164895b6ac2ad3cb98
Instruction ID: 9d33cfeb949c346df286b82094009a97aef61298e8a0bcd8d10cf9480d7c3dc8
Opcode Fuzzy Hash: 1dfd42b7c09173160090820b36c380fe0050f9dd6a09d5164895b6ac2ad3cb98
Instruction Fuzzy Hash: 6C21B0B4A00148BFDF04ABA5EC86EFEBB79EF95300F100015F961A3191DBB599299F60

Function 001EBAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 001EBAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 001EBAF8
_wcscmp.LIBCMT ref: 001EBB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001EBB85

Strings

smallicons, xrefs: 001EBB4D
SHELLDLL_DefView, xrefs: 001EBB04
list, xrefs: 001EBB67
largeicons, xrefs: 001EBB19
details, xrefs: 001EBB33

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: cc6077813df65aaebbc90cea3ef9782d9c056495699e73f70ad9d0be2085e9b5
Instruction ID: 2971adbd3082570e479fc1ce979b205b4892f78cce1c7496be370388ffc850f0
Opcode Fuzzy Hash: cc6077813df65aaebbc90cea3ef9782d9c056495699e73f70ad9d0be2085e9b5
Instruction Fuzzy Hash: 9A11067660CB43FAFA256631FC47DAB379C9B26724F200022F954E40D5EBA1ACA14514

Function 0020B2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0020B2D5
CoInitialize.OLE32(00000000), ref: 0020B302
CoUninitialize.OLE32 ref: 0020B30C
GetRunningObjectTable.OLE32(00000000,?), ref: 0020B40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 0020B539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0020B56D
CoGetObject.OLE32(?,00000000,0023D91C,?), ref: 0020B590
SetErrorMode.KERNEL32(00000000), ref: 0020B5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0020B623
VariantClear.OLEAUT32(0023D91C), ref: 0020B633

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 397dbe00d46cdc6391c733cb8c7b0dd19b149a4da3a7613609efe6e9e8367ced
Instruction ID: c5b087804c5b3795ee9e8c69a0f759ada8f14d74fc5d7adf23423809e606fb10
Opcode Fuzzy Hash: 397dbe00d46cdc6391c733cb8c7b0dd19b149a4da3a7613609efe6e9e8367ced
Instruction Fuzzy Hash: C9C13371618301AFC711DF64D884A6BBBE9FF88304F00495DF58A9B292DB71ED15CB92

Function 001F4025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001F4047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,001F30A5,?,00000001), ref: 001F405B
GetWindowThreadProcessId.USER32(00000000), ref: 001F4062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001F30A5,?,00000001), ref: 001F4071
GetWindowThreadProcessId.USER32(?,00000000), ref: 001F4083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,001F30A5,?,00000001), ref: 001F409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001F30A5,?,00000001), ref: 001F40AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,001F30A5,?,00000001), ref: 001F40F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,001F30A5,?,00000001), ref: 001F4108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,001F30A5,?,00000001), ref: 001F4113

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 62ab42b61c4400ecd93acb6fcbd137177a1d1147cb4c4780d27881d1f2ac4e7f
Instruction ID: bc21648ca6200002c77adb390937b3565cec69c985a9d33907f0a048ab0b8f35
Opcode Fuzzy Hash: 62ab42b61c4400ecd93acb6fcbd137177a1d1147cb4c4780d27881d1f2ac4e7f
Instruction Fuzzy Hash: 1B319571600209AFEB11DF54FC4EB7A77BDAB94311F10811AFA08D6264DB74A9808F51

Function 001B3093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 001B30DC
CoUninitialize.OLE32(?,00000000), ref: 001B3181
UnregisterHotKey.USER32(?), ref: 001B32A9
DestroyWindow.USER32(?), ref: 00225079
FreeLibrary.KERNEL32(?), ref: 002250F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00225125

Strings

close all, xrefs: 001B30D7

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 97343954a2fde41f602393523fce6cd706490e6ffc1c28db993e5dcb92f6dfaf
Instruction ID: 992ce2de7acead11682a788d3ef5471756bb08a3c08149ebbac399230b8632b5
Opcode Fuzzy Hash: 97343954a2fde41f602393523fce6cd706490e6ffc1c28db993e5dcb92f6dfaf
Instruction Fuzzy Hash: 23915C302102129FC709EF54D899BA8F3B4FF24304F5482A9E51AA7262DF30AE66CF54

Function 001CCB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 001CCC15

Part of subcall function 001CCCCD: GetClientRect.USER32(?,?), ref: 001CCCF6
Part of subcall function 001CCCCD: GetWindowRect.USER32(?,?), ref: 001CCD37
Part of subcall function 001CCCCD: ScreenToClient.USER32(?,?), ref: 001CCD5F

GetDC.USER32 ref: 0022D137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0022D14A
SelectObject.GDI32(00000000,00000000), ref: 0022D158
SelectObject.GDI32(00000000,00000000), ref: 0022D16D
ReleaseDC.USER32(?,00000000), ref: 0022D175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0022D200

Strings

U, xrefs: 0022D0D5

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 29bc1d20cf2683d598a6a0c3483ed3373df3ebb0c067f8e2292a818f0aae85a6
Instruction ID: e1415eff3ae80a4ead0d91f59bba1eb3bc7c5644fb5c8d7aa997c3e991f7034c
Opcode Fuzzy Hash: 29bc1d20cf2683d598a6a0c3483ed3373df3ebb0c067f8e2292a818f0aae85a6
Instruction Fuzzy Hash: 7671D230410206EFCF259FA4E885EEA7BB5FF58350F144269ED595A2A6C731CCA1DF50

Function 0021ECD4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001CB34E: GetWindowLongW.USER32(?,000000EB), ref: 001CB35F

Part of subcall function 001CB63C: GetCursorPos.USER32(000000FF), ref: 001CB64F
Part of subcall function 001CB63C: ScreenToClient.USER32(00000000,000000FF), ref: 001CB66C
Part of subcall function 001CB63C: GetAsyncKeyState.USER32(00000001), ref: 001CB691
Part of subcall function 001CB63C: GetAsyncKeyState.USER32(00000002), ref: 001CB69F

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0021ED3C
ImageList_EndDrag.COMCTL32 ref: 0021ED42
ReleaseCapture.USER32 ref: 0021ED48
SetWindowTextW.USER32(?,00000000), ref: 0021EDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0021EE03
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0021EEDC

Strings

@GUI_DRAGFILE, xrefs: 0021EE77
@GUI_DROPID, xrefs: 0021EE33

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: ec82653b467b23d969e4304be3f5a8f7fb4d87ed5135976335eebffaa38b2c0d
Instruction ID: 47e46e5459c1f6ba55297072f9744522a2ae6922b685d258535453de8010a284
Opcode Fuzzy Hash: ec82653b467b23d969e4304be3f5a8f7fb4d87ed5135976335eebffaa38b2c0d
Instruction Fuzzy Hash: 4C519A70214304AFD714DF24EC8AFAA77E8BFA8714F00491DF995972E1DB7099A4CB52

Function 002045C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002045FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0020462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0020466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00204682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0020468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 002046BF
InternetCloseHandle.WININET(00000000), ref: 00204706

Part of subcall function 00205052: GetLastError.KERNEL32(?,?,002043CC,00000000,00000000,00000001), ref: 00205067

Strings

, xrefs: 002046B8

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: 64d073bfceb846de79a3e50f9410903bce3c77f0b94eff7ebe31c558956dfcc9
Instruction ID: a32c3e8ca27f73e16e8a9d33da1f377ad740afd322bb9481530e4001a0b7af1f
Opcode Fuzzy Hash: 64d073bfceb846de79a3e50f9410903bce3c77f0b94eff7ebe31c558956dfcc9
Instruction Fuzzy Hash: 03417DB1511315BFEB02AF50DC89FBB7BACFF09344F008116FA059A192E7B19D548BA4

Function 0020B644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0024DC00), ref: 0020B715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0024DC00), ref: 0020B749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0020B8C1
SysFreeString.OLEAUT32(?), ref: 0020B8EB

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 6d2baf69455966908466b4710497eea9ba45c333b16b4fe46bf1239671d340a5
Instruction ID: aa0689a4de81881c3ae9fdc18e10dca0090c637c9debe255bce18c9c57f9fb21
Opcode Fuzzy Hash: 6d2baf69455966908466b4710497eea9ba45c333b16b4fe46bf1239671d340a5
Instruction Fuzzy Hash: B6F15B75A10209EFCF15DF94C888EAEB7B9FF49311F108458F905AB291DB71AE52CB90

Function 002124D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002124F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00212688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002126AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002126EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0021270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0021286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 002128A1
CloseHandle.KERNEL32(?), ref: 002128D0
CloseHandle.KERNEL32(?), ref: 00212947

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 54b3ec12df420ed60ddbd681b765b0622357b6ce33de6545743aff95758db9c0
Instruction ID: 9ff8608f253bb2071d38d60345272c804142fab9c655ec628228bde3e38076ac
Opcode Fuzzy Hash: 54b3ec12df420ed60ddbd681b765b0622357b6ce33de6545743aff95758db9c0
Instruction Fuzzy Hash: 8DD1C131614241DFCB14EF24C491BAEBBE5BFA4310F14845DF9899B2A2DB31DC55CB92

Function 0021B33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0021B3F4

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 03f6f74f5d456aee21abf1b98f2650d6598b35bb2d7ef2f6165f413049b784b5
Instruction ID: 41487f7abf5b16b5adbafcb4e1d419a5bd359ec56dbf6b474912853ccc295ebf
Opcode Fuzzy Hash: 03f6f74f5d456aee21abf1b98f2650d6598b35bb2d7ef2f6165f413049b784b5
Instruction Fuzzy Hash: 3551B230620205BBEF229F28DC8ABED3BF9AB25314F644155F625D61E2C771E9F08B50

Function 001CA699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0022DB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0022DB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0022DB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0022DB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0022DB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,001CA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0022DBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0022DBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,001CA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0022DBC8

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 70c98bd08441a329049db5cbaac0b233bb63facb3aa159d38d6b8cd0391f9762
Instruction ID: 0b13daf89fab9e9a2413799b8412b074a585afe4abf5c6987afd820dbeb569b4
Opcode Fuzzy Hash: 70c98bd08441a329049db5cbaac0b233bb63facb3aa159d38d6b8cd0391f9762
Instruction Fuzzy Hash: 85518730610309EFDB24DF68EC96FAA77B8BF28758F110518F94696290D7B0ECA0DB50

Function 001F7555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001F6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001F5FA6,?), ref: 001F6ED8

Part of subcall function 001F6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001F5FA6,?), ref: 001F6EF1

Part of subcall function 001F72CB: GetFileAttributesW.KERNEL32(?,001F6019), ref: 001F72CC

lstrcmpiW.KERNEL32(?,?), ref: 001F75CA
_wcscmp.LIBCMT ref: 001F75E2
MoveFileW.KERNEL32(?,?), ref: 001F75FB

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: d716f437ef400ca361e22c44ce76985a98c040541ed933f03c8c0a9677c7afe6
Instruction ID: 1cbc4ec9860550923371fc5753f0e673c2d69d2dacd15faf21b0283ecc842ce4
Opcode Fuzzy Hash: d716f437ef400ca361e22c44ce76985a98c040541ed933f03c8c0a9677c7afe6
Instruction Fuzzy Hash: 7F5111B290922D9ADF55EB94E845DEE73BCAF1C320F0041EAF605E3181EB7496C5CB60

Function 001CEA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0022DAD1,00000004,00000000,00000000), ref: 001CEAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0022DAD1,00000004,00000000,00000000), ref: 001CEB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0022DAD1,00000004,00000000,00000000), ref: 0022DC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0022DAD1,00000004,00000000,00000000), ref: 0022DCF2

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 6e3e0ee50713664ac1f050d42e4c2f60518380e2ed4500ded3989bb5a27b964d
Instruction ID: 46b58bae7f7d8371ae6cbc9ae91458f1ae62477f994077a72bf057f0020e07a4
Opcode Fuzzy Hash: 6e3e0ee50713664ac1f050d42e4c2f60518380e2ed4500ded3989bb5a27b964d
Instruction Fuzzy Hash: D141D5B1219680AAD7394B38AE8EF7A7EDAAB65304F5A080EF04787561C770FC90D711

Function 001EB263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,001EAEF1,00000B00,?,?), ref: 001EB26C
HeapAlloc.KERNEL32(00000000,?,001EAEF1,00000B00,?,?), ref: 001EB273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001EAEF1,00000B00,?,?), ref: 001EB288
GetCurrentProcess.KERNEL32(?,00000000,?,001EAEF1,00000B00,?,?), ref: 001EB290
DuplicateHandle.KERNEL32(00000000,?,001EAEF1,00000B00,?,?), ref: 001EB293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,001EAEF1,00000B00,?,?), ref: 001EB2A3
GetCurrentProcess.KERNEL32(001EAEF1,00000000,?,001EAEF1,00000B00,?,?), ref: 001EB2AB
DuplicateHandle.KERNEL32(00000000,?,001EAEF1,00000B00,?,?), ref: 001EB2AE
CreateThread.KERNEL32(00000000,00000000,001EB2D4,00000000,00000000,00000000), ref: 001EB2C8

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 8dc0d95816889ab3db4e1cf46e2dcf851da9b2451aee80b0f78c9d324b7df273
Instruction ID: 79d5a875d07307cb3d80561a1049cdf77cb4d078aed915096db258233d180e53
Opcode Fuzzy Hash: 8dc0d95816889ab3db4e1cf46e2dcf851da9b2451aee80b0f78c9d324b7df273
Instruction Fuzzy Hash: 450158B5640344BFE710ABA5ED4DF6B7BACEB89711F018451FA05DB1A1CA759C008B61

Function 0020C43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 0020C49E
NULL Pointer assignment, xrefs: 0020C876, 0020C887

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 7848b40163e85cb009fe53cf708cea324faca039e3289d55d9fcede6a3b6b565
Instruction ID: 8492ae7d2a402dd50cf1f1a811b4a4945ad1cd572fc9961a6b2f597bf30cf1ac
Opcode Fuzzy Hash: 7848b40163e85cb009fe53cf708cea324faca039e3289d55d9fcede6a3b6b565
Instruction Fuzzy Hash: 0FE1D7B1A1031A9FDF14DFA4D884BAEB7B9EF48314F248129F905A72D2D770AD51CB90

Function 002016DA Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 001B936C: __swprintf.LIBCMT ref: 001B93AB
Part of subcall function 001B936C: __itow.LIBCMT ref: 001B93DF

Part of subcall function 001CC6F4: _wcscpy.LIBCMT ref: 001CC717

_wcstok.LIBCMT ref: 0020184E
_wcscpy.LIBCMT ref: 002018DD
_memset.LIBCMT ref: 00201910

Strings

X, xrefs: 00201948
p2&l2&, xrefs: 00201920

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X$p2&l2&
API String ID: 774024439-4080656280
Opcode ID: c372d763da61202f9c17e9cda3df09fb856d2f0f0aff954be4ea554c871d6d52
Instruction ID: e2ae65a30e561b97c6d4f8f641e266d0257f73403bdc8d2f19145a8d914a25f4
Opcode Fuzzy Hash: c372d763da61202f9c17e9cda3df09fb856d2f0f0aff954be4ea554c871d6d52
Instruction Fuzzy Hash: F6C1A0306143419FC724EF64C981A9EB7E4FFA5350F04496DF99A972A2DB30ED15CB82

Function 00219A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00219B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 00219B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00219B47
_wcscat.LIBCMT ref: 00219BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 00219BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00219BE7

Strings

SysListView32, xrefs: 00219AEB

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: b8c6826587821af92351547c48f1f5d9a75d032fba6c08af4f64a9b31bcb2824
Instruction ID: 0c4bdd24b4b16e60accc2b04a6add73b34f8ed3531d93d761c99b5915ddcddeb
Opcode Fuzzy Hash: b8c6826587821af92351547c48f1f5d9a75d032fba6c08af4f64a9b31bcb2824
Instruction Fuzzy Hash: C141AE71A20309ABDB21DFA4DC89BEA77E8EF18354F10442AF589A7291C7719DD4CB60

Function 0021172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 001F6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 001F6554
Part of subcall function 001F6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 001F6564
Part of subcall function 001F6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 001F65F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0021179A
GetLastError.KERNEL32 ref: 002117AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 002117D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 00211855
GetLastError.KERNEL32(00000000), ref: 00211860
CloseHandle.KERNEL32(00000000), ref: 00211895

Strings

SeDebugPrivilege, xrefs: 002117B8

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: e023b5fa9a323c1517c9c0a45511ad10f07e6fda1177e0092787a1b776aba56f
Instruction ID: 653e70364a48f2d6b5e3a938847d865cb06433f363301a0dbd6ea10805e01e23
Opcode Fuzzy Hash: e023b5fa9a323c1517c9c0a45511ad10f07e6fda1177e0092787a1b776aba56f
Instruction Fuzzy Hash: 9841BE71600205AFDB05EF54D896FBEB7E1AF64300F058059FA069F2D2DBB4A951CB91

Function 001F5819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 001F58B8

Strings

question, xrefs: 001F5871
warning, xrefs: 001F58A1
stop, xrefs: 001F5889
blank, xrefs: 001F583A
info, xrefs: 001F5859

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 79d8f2bbeaa633d676564b4a8533ad20f32d1068ac48cfc34744103c68cd6f9d
Instruction ID: b272d76ed8cd79e91675f351dd613275b7fda37e3edb97c7a147d1fdb5fc5513
Opcode Fuzzy Hash: 79d8f2bbeaa633d676564b4a8533ad20f32d1068ac48cfc34744103c68cd6f9d
Instruction Fuzzy Hash: 1E110D3260974ABBE7055B56EC82DBB679D9F26364F30003BF751E5281E7A0AA504268

Function 001FA729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 001FA806

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 90549772d66ae44f0656f6e9879f2f09a8bce8289c1e46304521209701883e3c
Instruction ID: a71bcc25a8d4e842e3fad38c5f255156028727548b0c468456d885a9b8c35ceb
Opcode Fuzzy Hash: 90549772d66ae44f0656f6e9879f2f09a8bce8289c1e46304521209701883e3c
Instruction Fuzzy Hash: 1EC1ACB1A0020ADFDB04DF98D481BBEB7F4FF08315F248469E60AE7241C779A945CB91

Function 001F6B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 001F6B63
LoadStringW.USER32(00000000), ref: 001F6B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 001F6B80
LoadStringW.USER32(00000000), ref: 001F6B87
_wprintf.LIBCMT ref: 001F6BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 001F6BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 001F6BA8

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 2565c7d0c75852fd1d6d6034eebefce4a74f355a81c073647eba6230145ab53b
Instruction ID: b4fa2d7e70d4265d4f58ec2dcf6e462535eb94bfadd714109232c4d2896b8ff6
Opcode Fuzzy Hash: 2565c7d0c75852fd1d6d6034eebefce4a74f355a81c073647eba6230145ab53b
Instruction Fuzzy Hash: 17011DF6900218BFEB11ABE4AD8DEF6766CD708704F4044A2B746E2141EA749E848F71

Function 00212B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00213C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00212BB5,?,?), ref: 00213C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00212BF6

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: 0780e6f928ff54b22133402c5ee25ced38dadfa1af038508b93b0ed77fa4c9e4
Instruction ID: f2f889b81cad8e78a3074edcd927fa91640e4d3b374cf14671799cb41724d994
Opcode Fuzzy Hash: 0780e6f928ff54b22133402c5ee25ced38dadfa1af038508b93b0ed77fa4c9e4
Instruction Fuzzy Hash: 4B917971214201DFCB04EF14D885BAEB7E5FFA8310F14885DF996972A1DB30E969CB82

Function 002095BF Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 00209691
WSAGetLastError.WSOCK32(00000000), ref: 0020969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 002096C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 002096E9
WSAGetLastError.WSOCK32(00000000), ref: 002096F8
htons.WSOCK32(?,?,?,00000000,?), ref: 002097AA
inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0024DC00), ref: 00209765

Part of subcall function 001ED2FF: _strlen.LIBCMT ref: 001ED309

_strlen.LIBCMT ref: 00209800

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ErrorLast_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3480843537-0
Opcode ID: 021948f1170111d668db04d28048c857e76e224afbc2bd142666598462544dd1
Instruction ID: 2211f373b19021283a8f04eff2201376ba15cb703a4113bec1e0ef1e7255b906
Opcode Fuzzy Hash: 021948f1170111d668db04d28048c857e76e224afbc2bd142666598462544dd1
Instruction Fuzzy Hash: 2381CA31504340ABC314EF64DC86FABB7B8EFA9710F104A1DF5569B2A2EB30D944CB92

Function 001DA979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 001DA991

Part of subcall function 001D7D7C: __FF_MSGBANNER.LIBCMT ref: 001D7D91
Part of subcall function 001D7D7C: __NMSG_WRITE.LIBCMT ref: 001D7D98
Part of subcall function 001D7D7C: __malloc_crt.LIBCMT ref: 001D7DB8

__lock.LIBCMT ref: 001DA9A4
__lock.LIBCMT ref: 001DA9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00266DE0,00000018,001E5E7B,?,00000000,00000109), ref: 001DAA0C
EnterCriticalSection.KERNEL32(8000000C,00266DE0,00000018,001E5E7B,?,00000000,00000109), ref: 001DAA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 001DAA39

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 7d781308686d62a1c9a2b2fbbbcb6634296a64a2b82cc41ecb8ce541b9a81a50
Instruction ID: 6a4575911e12d40dd6b274448d13e99266e4267d36c12aa122ac7128e91ea69d
Opcode Fuzzy Hash: 7d781308686d62a1c9a2b2fbbbcb6634296a64a2b82cc41ecb8ce541b9a81a50
Instruction Fuzzy Hash: 19414971A00201DBEB14DF68EA8475DB7B0AF11735F51831BE529AB3D1D7B49D40CB82

Function 00218ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00218EE4
GetDC.USER32(00000000), ref: 00218EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00218EF7
ReleaseDC.USER32(00000000,00000000), ref: 00218F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00218F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00218F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0021BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00218F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00218FAA

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 8a1086fb54ff169ce01382feb7e6079e5d970f474cde669ab5a0e371235ad261
Instruction ID: 478b158bb478733c8873666055c5f7d382866719d71bff26b7934e0a3d72fe9c
Opcode Fuzzy Hash: 8a1086fb54ff169ce01382feb7e6079e5d970f474cde669ab5a0e371235ad261
Instruction Fuzzy Hash: EA318072200614BFEB108F50EC8AFEB3BADEF59715F044065FE08DA191C6759852CB70

Function 00220133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001CB34E: GetWindowLongW.USER32(?,000000EB), ref: 001CB35F

GetSystemMetrics.USER32(0000000F), ref: 0022016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0022038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 002203AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 002203D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 002203FF
ShowWindow.USER32(00000003,00000000), ref: 00220421
DefDlgProcW.USER32(?,00000005,?,?), ref: 00220440

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: e784cc0daf59a14744e0a5a58babc7934229f79bf3c57bdc95a7eaf8aa1fe04b
Instruction ID: 56d4997a8d71e42ae19f9dbc449f79f56834c336c14b1ca1750849d1b7d1f5f8
Opcode Fuzzy Hash: e784cc0daf59a14744e0a5a58babc7934229f79bf3c57bdc95a7eaf8aa1fe04b
Instruction Fuzzy Hash: 2EA19E35610626EFDB18CFA8E9C97BDBBB1BF08700F148255EC58A7291D774AD60CB90

Function 001CAE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe3d13e23b3396ddf149f572729201b564f9f9e9cb085f4e219f4c98816a616
Instruction ID: 23de272d32da1dbf61982a2a6fdf5efd22d9b8389c25fd8bd28ae63453c02a73
Opcode Fuzzy Hash: 1fe3d13e23b3396ddf149f572729201b564f9f9e9cb085f4e219f4c98816a616
Instruction Fuzzy Hash: EC715AB1904119EFCB19CF98CC89EAEBB78FF95314F24814DF915AA251C730EA51CBA1

Function 00212230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0021225A
_memset.LIBCMT ref: 00212323
ShellExecuteExW.SHELL32(?), ref: 00212368

Part of subcall function 001B936C: __swprintf.LIBCMT ref: 001B93AB
Part of subcall function 001B936C: __itow.LIBCMT ref: 001B93DF

Part of subcall function 001CC6F4: _wcscpy.LIBCMT ref: 001CC717

CloseHandle.KERNEL32(00000000), ref: 0021242F
FreeLibrary.KERNEL32(00000000), ref: 0021243E

Strings

@, xrefs: 00212334

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: 4c0d28ab0d462371da917ad3b48833c5261b0c962c7dd1b21e95db4171954e35
Instruction ID: 651b061eed9d851d852a3134d108b3d07e267a739cd6ecf6ee963c84459c8190
Opcode Fuzzy Hash: 4c0d28ab0d462371da917ad3b48833c5261b0c962c7dd1b21e95db4171954e35
Instruction Fuzzy Hash: 40716970A10619DFCB04EFA4D885AAEB7F5FF68310F108059E859AB351CB34AD65CB94

Function 001F3BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 001F3C02
GetKeyboardState.USER32(?), ref: 001F3C17
SetKeyboardState.USER32(?), ref: 001F3C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 001F3CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 001F3CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001F3D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001F3D26

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9f4b182f2cee0a52a321a2a7bb90624227618ddebb97bb78160ed0d92e345ce0
Instruction ID: 64bd48662e44df22919358b711b9f0f270b32443a45e614f0d90515d2d826e03
Opcode Fuzzy Hash: 9f4b182f2cee0a52a321a2a7bb90624227618ddebb97bb78160ed0d92e345ce0
Instruction Fuzzy Hash: 825108A05087D93DFB368374CC55BBABF996B06300F088489E2E9564C2D395EE84E760

Function 00213D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00213DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00213DCB
FreeLibrary.KERNEL32(00000000), ref: 00213E80

Part of subcall function 00213D72: RegCloseKey.ADVAPI32(?), ref: 00213DE8
Part of subcall function 00213D72: FreeLibrary.KERNEL32(?), ref: 00213E3A
Part of subcall function 00213D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00213E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 00213E25

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: f07403623e5c79d0afe7d8179740fe68aeb9af9429dc2d0011cd238c5b956161
Instruction ID: 23b6918f0de12089c06e657d5e84f59d90ca8a62e2fffce1780c3ac6d1c41c91
Opcode Fuzzy Hash: f07403623e5c79d0afe7d8179740fe68aeb9af9429dc2d0011cd238c5b956161
Instruction Fuzzy Hash: 7631DCB1921209BFDB15DF94EC89AFFB7BDEF18310F00016AE512E2150D6749F999BA0

Function 00218FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00218FE7
GetWindowLongW.USER32(015FD3D8,000000F0), ref: 0021901A
GetWindowLongW.USER32(015FD3D8,000000F0), ref: 0021904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00219081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 002190AB
GetWindowLongW.USER32(00000000,000000F0), ref: 002190BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 002190D6

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: daa15249d94d42abeab98378ad19f4242d1782c2a44c3cfa8713f310950cff43
Instruction ID: bb84d31b3f0131d2c2e611f6087a6d5c64f410271b9741dd74a76a932d5dcf09
Opcode Fuzzy Hash: daa15249d94d42abeab98378ad19f4242d1782c2a44c3cfa8713f310950cff43
Instruction Fuzzy Hash: F6312835620216DFDB208F58EC99FA537E9FB59714F140168F5198B2B1CB72A8E0DF41

Function 001F08AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001F08F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001F0918
SysAllocString.OLEAUT32(00000000), ref: 001F091B
SysAllocString.OLEAUT32(?), ref: 001F0939
SysFreeString.OLEAUT32(?), ref: 001F0942
StringFromGUID2.OLE32(?,?,00000028), ref: 001F0967
SysAllocString.OLEAUT32(?), ref: 001F0975

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b50f43eb1d4854777aaf2331eb94aa5fca9c66f71269196bb9e2d444a1abd14b
Instruction ID: 53e138ccca9dd942f14ef3b56625e36351b71d55e0a8df680a0996b2dde434a4
Opcode Fuzzy Hash: b50f43eb1d4854777aaf2331eb94aa5fca9c66f71269196bb9e2d444a1abd14b
Instruction Fuzzy Hash: 85215676601219AFDB119F68DC88DBB73ACFB0D364B408125FA59DB152E7B0EC458760

Function 001F2472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 001F2485
__wcsnicmp.LIBCMT ref: 001F24A6
__wcsnicmp.LIBCMT ref: 001F24C0

Strings

#OnAutoItStartRegister, xrefs: 001F24BA
#requireadmin, xrefs: 001F24A0
#notrayicon, xrefs: 001F247D

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: fb70b8158d6d582bced288a4878c75dfa28aa22fa91a1bf8302e03ec51d4547c
Instruction ID: ecc96c8df852f3d805e4aea866ce4171138d04190865e28da438bb86de752817
Opcode Fuzzy Hash: fb70b8158d6d582bced288a4878c75dfa28aa22fa91a1bf8302e03ec51d4547c
Instruction Fuzzy Hash: 5121267230421977D325AA349C12FFB7398EF75310F60402AF64A97192E7B59942C3A5

Function 001F0986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001F09CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001F09F1
SysAllocString.OLEAUT32(00000000), ref: 001F09F4
SysAllocString.OLEAUT32 ref: 001F0A15
SysFreeString.OLEAUT32 ref: 001F0A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 001F0A38
SysAllocString.OLEAUT32(?), ref: 001F0A46

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2c99bec0b4a3e6837b90af820991f1704164d8b87f7be3b7c203db02b366384a
Instruction ID: 5f5ade13c509811503567ac34499a0cdf74c821991d2cdd58d7cd7a813d4fabe
Opcode Fuzzy Hash: 2c99bec0b4a3e6837b90af820991f1704164d8b87f7be3b7c203db02b366384a
Instruction Fuzzy Hash: 70214475604208AFDB15DFA8EC89DBAB7EDEF0D3607418125FA09CB261E770EC418764

Function 0021A2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001CD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 001CD1BA
Part of subcall function 001CD17C: GetStockObject.GDI32(00000011), ref: 001CD1CE
Part of subcall function 001CD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 001CD1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0021A32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0021A33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0021A345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0021A354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0021A360

Strings

Msctls_Progress32, xrefs: 0021A2FE

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 12aad3547764de80da59fb793cfb6b5eda7afe3430654c80ebd24738c913f486
Instruction ID: 09c555502a1164d897f30ec71a7834a148895c9360c3c6f8b67077aaeae1631d
Opcode Fuzzy Hash: 12aad3547764de80da59fb793cfb6b5eda7afe3430654c80ebd24738c913f486
Instruction Fuzzy Hash: 6A1190B1150219BEEF115FA4DC86EEB7F6DFF09798F014114BA18A60A0C7729C61DBA4

Function 001CCCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 001CCCF6
GetWindowRect.USER32(?,?), ref: 001CCD37
ScreenToClient.USER32(?,?), ref: 001CCD5F
GetClientRect.USER32(?,?), ref: 001CCE8C
GetWindowRect.USER32(?,?), ref: 001CCEA5

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 3a6d2c2d6f47bd7605abf2639b5b0fa8222728e826236b645290643d021af5e2
Instruction ID: e4c7062c379b8e6d394933a44135d94a05765e9a619a5f5522a636c5d64b1be5
Opcode Fuzzy Hash: 3a6d2c2d6f47bd7605abf2639b5b0fa8222728e826236b645290643d021af5e2
Instruction Fuzzy Hash: B6B13A7990024ADBDF14CFA8D480BEDBBB1FF18310F158129EC59AB250DB30AE51DB94

Function 00211BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00211C18
Process32FirstW.KERNEL32(00000000,?), ref: 00211C26
__wsplitpath.LIBCMT ref: 00211C54

Part of subcall function 001D1DFC: __wsplitpath_helper.LIBCMT ref: 001D1E3C

_wcscat.LIBCMT ref: 00211C69
Process32NextW.KERNEL32(00000000,?), ref: 00211CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00211CF1

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: bad320fd57277cd5df9c1b47d31468a56c00eb7369eb49fa39f6a7503e1d755f
Instruction ID: 089aadf0383a2551691c7969b69c6030eb33ba86509ae127c6503f6d8adb537d
Opcode Fuzzy Hash: bad320fd57277cd5df9c1b47d31468a56c00eb7369eb49fa39f6a7503e1d755f
Instruction Fuzzy Hash: C1517E71104340AFD720EF24D885FABB7E8EF98754F00491EF58997251EB70D954CB92

Function 00212FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00213C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00212BB5,?,?), ref: 00213C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002130AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002130EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00213112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0021313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0021317E
RegCloseKey.ADVAPI32(00000000), ref: 0021318B

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: 1bc0b96489bd4399721598acae35c0528f5ccd6bcb57ba85a5572d75539f5406
Instruction ID: 6885f83f1387d7e4774128e9b6ad8b0df9e07190ac2ab2b7695fb03227952bbd
Opcode Fuzzy Hash: 1bc0b96489bd4399721598acae35c0528f5ccd6bcb57ba85a5572d75539f5406
Instruction Fuzzy Hash: 44516631218204AFC704EF64C885EAEBBEAFFA8300F04495DF555872A1DB71EA15CB92

Function 002184DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00218540
GetMenuItemCount.USER32(00000000), ref: 00218577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0021859F
GetMenuItemID.USER32(?,?), ref: 0021860E
GetSubMenu.USER32(?,?), ref: 0021861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 0021866D

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: e3ec2d05524c6f48968a08755871cb4e42447901a6e58ff0d6c63588d3394ad2
Instruction ID: c5b2d686f8aafca9a069cdb7b9a2b00c3437eeb23aaf5a63ab00296e3c108860
Opcode Fuzzy Hash: e3ec2d05524c6f48968a08755871cb4e42447901a6e58ff0d6c63588d3394ad2
Instruction Fuzzy Hash: 0151B031A00219AFCF11EF64D885AEEB7F9FF68310F114499E915B7351DB70AE818B90

Function 001F4AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001F4B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001F4B5B
IsMenu.USER32(00000000), ref: 001F4B7B
CreatePopupMenu.USER32 ref: 001F4BAF
GetMenuItemCount.USER32(000000FF), ref: 001F4C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 001F4C3E

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 598931c16db404da57d205e808755e3f37eca57651daa89c35ec61d590225399
Instruction ID: 28e175b6c78c5ef12491fab400ed61759aadaae10c5b7046f981c9e0c77cc9de
Opcode Fuzzy Hash: 598931c16db404da57d205e808755e3f37eca57651daa89c35ec61d590225399
Instruction Fuzzy Hash: A151FC7060120DEFDF24CFA8D888BBFBBF4AF54318F144119E6699B291E3B19A40CB51

Function 00208DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0024DC00), ref: 00208E7C
WSAGetLastError.WSOCK32(00000000), ref: 00208E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00208EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 00208EC5
_strlen.LIBCMT ref: 00208EF7
WSAGetLastError.WSOCK32(00000000), ref: 00208F6A

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: bd2409ffa506e1d0bea100d764e4eb56f462258d6571aee01d8fb6859a28682a
Instruction ID: 4732fe969524a1b457175e050173d428f2540e839bbc9d4e5b9fb3819d52a5ef
Opcode Fuzzy Hash: bd2409ffa506e1d0bea100d764e4eb56f462258d6571aee01d8fb6859a28682a
Instruction Fuzzy Hash: 2D41A271510205ABCB14EFA4DD8AEEEB7B9AF68310F104559F556972D2DF70AE00CB60

Function 001CABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 001CB34E: GetWindowLongW.USER32(?,000000EB), ref: 001CB35F

BeginPaint.USER32(?,?,?), ref: 001CAC2A
GetWindowRect.USER32(?,?), ref: 001CAC8E
ScreenToClient.USER32(?,?), ref: 001CACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001CACBC
EndPaint.USER32(?,?,?,?,?), ref: 001CAD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0022E673

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: ca1ed37b4a41a49a6fef769fd668a70294bd167fe8174b6b19957709bf5112d7
Instruction ID: b22458526161acc45c5440780be1db5c5e3a05a131350f46e2549161af5052d4
Opcode Fuzzy Hash: ca1ed37b4a41a49a6fef769fd668a70294bd167fe8174b6b19957709bf5112d7
Instruction Fuzzy Hash: B241C170104205AFC711DF68EC89FBA7BACEF65724F04022DF9A9872A1C330D895DB62

Function 0021E397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00271628,00000000,00271628,00000000,00000000,00271628,?,0022DC5D,00000000,?,00000000,00000000,00000000,?,0022DAD1,00000004), ref: 0021E40B
EnableWindow.USER32(00000000,00000000), ref: 0021E42F
ShowWindow.USER32(00271628,00000000), ref: 0021E48F
ShowWindow.USER32(00000000,00000004), ref: 0021E4A1
EnableWindow.USER32(00000000,00000001), ref: 0021E4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0021E4E8

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: b146db4935cc4303b51d427b27b3f61a5f572fa3cf45d4ff24af52346f261b3b
Instruction ID: 75520e77d45072e9d49e2697c7ee5e675c36d566aa41fa122ba6a195cb9d46f5
Opcode Fuzzy Hash: b146db4935cc4303b51d427b27b3f61a5f572fa3cf45d4ff24af52346f261b3b
Instruction Fuzzy Hash: F3419230601156EFDF22CF24D889BD57BE0BF15304F5941A9EE598F1A2C731E891CB61

Function 001F98BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 001F98D1

Part of subcall function 001CF4EA: std::exception::exception.LIBCMT ref: 001CF51E
Part of subcall function 001CF4EA: __CxxThrowException@8.LIBCMT ref: 001CF533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 001F9908
EnterCriticalSection.KERNEL32(?), ref: 001F9924
LeaveCriticalSection.KERNEL32(?), ref: 001F999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 001F99B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 001F99D2

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: 7d5ef912455b0419765a2c7fa0cfcd6559e0df7a305dc710bb98cc8d6b697171
Instruction ID: 8dfb48d476b42323ad0cb9465d2aba832eee252a59ebbf08f8bf1812a28a64de
Opcode Fuzzy Hash: 7d5ef912455b0419765a2c7fa0cfcd6559e0df7a305dc710bb98cc8d6b697171
Instruction Fuzzy Hash: FB317031A00105EBDB10EFA4EC89EAFB7B9FF55710B1580A9F904AB246D770DE15DBA0

Function 00209B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,002077F4,?,?,00000000,00000001), ref: 00209B53

Part of subcall function 00206544: GetWindowRect.USER32(?,?), ref: 00206557

GetDesktopWindow.USER32 ref: 00209B7D
GetWindowRect.USER32(00000000), ref: 00209B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00209BB6

Part of subcall function 001F7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 001F7AD0

GetCursorPos.USER32(?), ref: 00209BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00209C44

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: fa8df250d6b071631854b185f4c662a38f09fdcf987ec04b2b12df5c24ffbc9b
Instruction ID: a2a487c112cd3dcc4e87300cfbc7b7fb223e9be23c5d45a43d55704346fb2b77
Opcode Fuzzy Hash: fa8df250d6b071631854b185f4c662a38f09fdcf987ec04b2b12df5c24ffbc9b
Instruction Fuzzy Hash: 0331C07250430AABC710DF18E849B9AB7E9FF89314F00091AF595D71C2D671E954CB92

Function 001EAF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001EAFAE
OpenProcessToken.ADVAPI32(00000000), ref: 001EAFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 001EAFC4
CloseHandle.KERNEL32(00000004), ref: 001EAFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001EAFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 001EB012

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 97a2393a7e5de784d419d57ac830f38e737629119e5526d60fa8d8ae64e9f8c3
Instruction ID: 60739dddd1465dd08c9fe9930a62eaa3fbdef7faf427ff5e1e217a963faefb5e
Opcode Fuzzy Hash: 97a2393a7e5de784d419d57ac830f38e737629119e5526d60fa8d8ae64e9f8c3
Instruction Fuzzy Hash: B6219D7210464DAFCF028FA5ED09FEE7BA9EF44304F144055FA01A2161C376ED20EB61

Function 0021EBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 001CAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 001CAFE3
Part of subcall function 001CAF83: SelectObject.GDI32(?,00000000), ref: 001CAFF2
Part of subcall function 001CAF83: BeginPath.GDI32(?), ref: 001CB009
Part of subcall function 001CAF83: SelectObject.GDI32(?,00000000), ref: 001CB033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0021EC20
LineTo.GDI32(00000000,00000003,?), ref: 0021EC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0021EC42
LineTo.GDI32(00000000,00000000,?), ref: 0021EC52
EndPath.GDI32(00000000), ref: 0021EC62
StrokePath.GDI32(00000000), ref: 0021EC72

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: c925f59bd0ffa98f7e7f494623a700a5434643e8ffbdb88e9231dd5ce031ad48
Instruction ID: c27e0db425e4e430e8e9a204587566e914d69ee0b8dea03d0d48cba89a7cba9b
Opcode Fuzzy Hash: c925f59bd0ffa98f7e7f494623a700a5434643e8ffbdb88e9231dd5ce031ad48
Instruction Fuzzy Hash: 6011097200014DBFEF029FA4EC88EEA7F6DEF08354F048112BE0889160D7719DA5DBA0

Function 001EE19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001EE1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 001EE1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001EE1D8
ReleaseDC.USER32(00000000,00000000), ref: 001EE1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 001EE1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 001EE209

Part of subcall function 001E9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,001E9A05,00000000,00000000,?,001E9DDB), ref: 001EA53A

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: 445e36824f0693020685794f3e182192a0d86bf6be4f3b7bfffee3bd3bf63767
Instruction ID: bb376e8aaa44f5ad7564dd701ce34ac4272490adbe883a1b83774beff29ec0ca
Opcode Fuzzy Hash: 445e36824f0693020685794f3e182192a0d86bf6be4f3b7bfffee3bd3bf63767
Instruction Fuzzy Hash: 760184B5A00754BFEB109BA6AC49B5EBFB8EB48751F004066FE08A7290D6719C01CF60

Function 001D7B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 001D7B47

Part of subcall function 001D123A: __initp_misc_winsig.LIBCMT ref: 001D125E
Part of subcall function 001D123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 001D7F51
Part of subcall function 001D123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 001D7F65
Part of subcall function 001D123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 001D7F78
Part of subcall function 001D123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 001D7F8B
Part of subcall function 001D123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 001D7F9E
Part of subcall function 001D123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 001D7FB1
Part of subcall function 001D123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 001D7FC4
Part of subcall function 001D123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 001D7FD7
Part of subcall function 001D123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 001D7FEA
Part of subcall function 001D123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 001D7FFD
Part of subcall function 001D123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 001D8010
Part of subcall function 001D123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 001D8023
Part of subcall function 001D123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 001D8036
Part of subcall function 001D123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 001D8049
Part of subcall function 001D123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 001D805C
Part of subcall function 001D123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 001D806F

__mtinitlocks.LIBCMT ref: 001D7B4C

Part of subcall function 001D7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0026AC68,00000FA0,?,?,001D7B51,001D5E77,00266C70,00000014), ref: 001D7E41

__mtterm.LIBCMT ref: 001D7B55

Part of subcall function 001D7BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,001D7B5A,001D5E77,00266C70,00000014), ref: 001D7D3F
Part of subcall function 001D7BBD: _free.LIBCMT ref: 001D7D46
Part of subcall function 001D7BBD: DeleteCriticalSection.KERNEL32(0026AC68,?,?,001D7B5A,001D5E77,00266C70,00000014), ref: 001D7D68

__calloc_crt.LIBCMT ref: 001D7B7A
GetCurrentThreadId.KERNEL32 ref: 001D7BA3

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: d524c91c8d45309abf69766e0a84b2c1314b0099b5dccb3e997ca5ae9150fc7e
Instruction ID: 52e558e8309398d635df498c0c05531e6af781f7bc12984eef9da26b5b3c2cbc
Opcode Fuzzy Hash: d524c91c8d45309abf69766e0a84b2c1314b0099b5dccb3e997ca5ae9150fc7e
Instruction Fuzzy Hash: 6AF0E93210D3121EE73877347C0BA5B27C49F11734B20469BF8A4D63D2FF3198418560

Function 001B27EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 001B281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 001B2825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 001B2830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 001B283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 001B2843
MapVirtualKeyW.USER32(00000012,00000000), ref: 001B284B

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 3655ec74cbe0db94166e72608601bb7f10b3eeb6d23c8e8abd39e7715f33397b
Instruction ID: d4f1a17dceaec19f60b3685ab10d5ce0c54a5699b22203ead68622461012637b
Opcode Fuzzy Hash: 3655ec74cbe0db94166e72608601bb7f10b3eeb6d23c8e8abd39e7715f33397b
Instruction Fuzzy Hash: 7D0167B0902B5ABDE3008F6A9C85B52FFA8FF19354F00411BA15C47A42C7F5A864CFE5

Function 001F9AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 8e52f4f03c7ca8c7c9b0b8c95143e78c356ac13f695a4696b849fcd3be555388
Instruction ID: a09c91f4834331246c84bfd76eabe63a9f5ef7d2c7af3eb94fb64575b3b673ca
Opcode Fuzzy Hash: 8e52f4f03c7ca8c7c9b0b8c95143e78c356ac13f695a4696b849fcd3be555388
Instruction Fuzzy Hash: 68018132202226ABD7252B64FC5CEFB776AFF88701B04046AFA03920A1DB64AC10DB50

Function 001F7BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001F7C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001F7C1D
GetWindowThreadProcessId.USER32(?,?), ref: 001F7C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001F7C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001F7C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001F7C4C

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: a4713ebdcf75e2bc2ba1c9071a5a39bfb2d173d2cdd6a9498ef15357477b8d4c
Instruction ID: 314701cd3c9a7b64c932ce3c013c53531101929534562470fb9d8d61e84909c9
Opcode Fuzzy Hash: a4713ebdcf75e2bc2ba1c9071a5a39bfb2d173d2cdd6a9498ef15357477b8d4c
Instruction Fuzzy Hash: 76F03A72241158BBE7215B62BC0EEEF7B7CEFC6B11F000059FA1591091D7A05A41DAB5

Function 001F9A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 001F9A33
EnterCriticalSection.KERNEL32(?,?,?,?,00225DEE,?,?,?,?,?,001BED63), ref: 001F9A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,00225DEE,?,?,?,?,?,001BED63), ref: 001F9A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00225DEE,?,?,?,?,?,001BED63), ref: 001F9A5E

Part of subcall function 001F93D1: CloseHandle.KERNEL32(?,?,001F9A6B,?,?,?,00225DEE,?,?,?,?,?,001BED63), ref: 001F93DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 001F9A71
LeaveCriticalSection.KERNEL32(?,?,?,?,00225DEE,?,?,?,?,?,001BED63), ref: 001F9A78

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ed4f02406edd7ebcb7ecadf06ae03dc96a3134cab459eebf3dfd75c37e746320
Instruction ID: 528d6d1c4c675844a25da2671c39ccf5e564306fd0951236af208db428e0357d
Opcode Fuzzy Hash: ed4f02406edd7ebcb7ecadf06ae03dc96a3134cab459eebf3dfd75c37e746320
Instruction Fuzzy Hash: 0AF0A732141211ABD7112BA4FC8DEFF773AFF84301B140425FA03910A1DBB59C11DB51

Function 001B1CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 001CF4EA: std::exception::exception.LIBCMT ref: 001CF51E
Part of subcall function 001CF4EA: __CxxThrowException@8.LIBCMT ref: 001CF533

__swprintf.LIBCMT ref: 001B1EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 001B1D49

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: bebe666c6f63d5a0772ccb81afec033b7326bf986e4551565824b42b1c2c643c
Instruction ID: b8a99c78ad98e848cac523bbf8fa2fce8513a874675d1029a7e488c19091c79e
Opcode Fuzzy Hash: bebe666c6f63d5a0772ccb81afec033b7326bf986e4551565824b42b1c2c643c
Instruction Fuzzy Hash: 09917B71118211AFC724EF64D896CAFB7B4BFA9700F50492DF885972A1DB70EE14CB92

Function 0020AFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0020B006
CharUpperBuffW.USER32(?,?), ref: 0020B115
VariantClear.OLEAUT32(?), ref: 0020B298

Part of subcall function 001F9DC5: VariantInit.OLEAUT32(00000000), ref: 001F9E05
Part of subcall function 001F9DC5: VariantCopy.OLEAUT32(?,?), ref: 001F9E0E
Part of subcall function 001F9DC5: VariantClear.OLEAUT32(?), ref: 001F9E1A

Strings

AUTOIT.ERROR, xrefs: 0020B11B
Incorrect Parameter format, xrefs: 0020B03E, 0020B20B

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 9e702b3e34d4ae4c37f398a16f8bbee3a237e1db89d7255e02074898f6d22874
Instruction ID: 61993ef43f54e398bd265bf0200a3c64e0ac215c6ffda8fec42cb4d99246a77c
Opcode Fuzzy Hash: 9e702b3e34d4ae4c37f398a16f8bbee3a237e1db89d7255e02074898f6d22874
Instruction Fuzzy Hash: 3A917C706183019FCB20DF24D48599AB7F5FF99704F04486DF89A9B3A2DB31E945CB92

Function 001F5347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001CC6F4: _wcscpy.LIBCMT ref: 001CC717

_memset.LIBCMT ref: 001F5438
GetMenuItemInfoW.USER32(?), ref: 001F5467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001F5513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 001F553D

Strings

0, xrefs: 001F5430

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 8101229febe9b508007408d5f139adda1f1860757f912405e7aa567c33d03a94
Instruction ID: b7ee061a5c0be163a68d02cfc65f26129c75024b53b3c0f5ebbe7134f8828949
Opcode Fuzzy Hash: 8101229febe9b508007408d5f139adda1f1860757f912405e7aa567c33d03a94
Instruction Fuzzy Hash: 2D5123712147099BD718DB2CC8456BBBBEAAF95314F04062EFB99D31A1EB70CD44CB52

Function 001F0213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 001F027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 001F02B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 001F02C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001F0344

Strings

DllGetClassObject, xrefs: 001F02B7

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 070adfbe31420b682a58ed6c988e7899d45b09828cd98e02764fa90cba79b738
Instruction ID: 48c666426b3e4b287d840901a049d96d9f0ac8c3db67b95495eb9afd5bc95506
Opcode Fuzzy Hash: 070adfbe31420b682a58ed6c988e7899d45b09828cd98e02764fa90cba79b738
Instruction Fuzzy Hash: D2415EB1600208EFDB06CF54D984BAA7BB9FF48310F1580A9EA09DF206D7B1D944CBA0

Function 001F5007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001F5075
GetMenuItemInfoW.USER32 ref: 001F5091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 001F50D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00271708,00000000), ref: 001F5120

Strings

0, xrefs: 001F506D

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 6c9fd884e838fee2b9e4e1194958f26923af28d646005d9cbaf9bffffaf9cc10
Instruction ID: 9cb85d1299ad37c463bcd5df59980a133930ab6dcd8e3730e27e4cdd87e5e813
Opcode Fuzzy Hash: 6c9fd884e838fee2b9e4e1194958f26923af28d646005d9cbaf9bffffaf9cc10
Instruction Fuzzy Hash: 2741D2702087059FD720DF28EC85B7ABBEAAF85314F04461EFB6997291D730E804CB62

Function 00210567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 00210587

Strings

cdecl, xrefs: 002105DE
winapi, xrefs: 002105F8
none, xrefs: 00210662
stdcall, xrefs: 00210609

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: ca14d5be74a8e65899f77d737f7a8a8fb0f646b1f0bd47ffe55195f9f4aa5d43
Instruction ID: 1bcab3ac40f573e13ddcfcab6c021201fd9d4a0128845992058b5a1ce8f78931
Opcode Fuzzy Hash: ca14d5be74a8e65899f77d737f7a8a8fb0f646b1f0bd47ffe55195f9f4aa5d43
Instruction Fuzzy Hash: 7831A330510256AFCF00EF54CD819EEB3F8FF65314B108629E866A76D1DBB1E9A5CB80

Function 001EB80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 001EB88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 001EB8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 001EB8D1

Strings

ComboBox, xrefs: 001EB815
ListBox, xrefs: 001EB84D

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 032e25f92c98fc1aee7a1c6088da9ae29b5bafb795209b30405582b6b21dcb1c
Instruction ID: 5160a4f04205d1975cfd926bc941408a1030759aa4875dd4fdbc9efdc58e6bcc
Opcode Fuzzy Hash: 032e25f92c98fc1aee7a1c6088da9ae29b5bafb795209b30405582b6b21dcb1c
Instruction Fuzzy Hash: 7521F371A00548BFDB08ABB5E886DFF777CDF66350B104129F521A32E1DB744D0A9B60

Function 002043E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00204401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00204427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00204457
InternetCloseHandle.WININET(00000000), ref: 0020449E

Part of subcall function 00205052: GetLastError.KERNEL32(?,?,002043CC,00000000,00000000,00000001), ref: 00205067

Strings

, xrefs: 00204450

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: a6f98aca59e0418c3759620e379c74d79bfe158b935447a137a0a9fa1445e929
Instruction ID: c877c036c6481c69d988e4fc176b3b3db6416933c06239d5d2ed5704a94f1b91
Opcode Fuzzy Hash: a6f98aca59e0418c3759620e379c74d79bfe158b935447a137a0a9fa1445e929
Instruction Fuzzy Hash: F42180F5510308BEE711AF54DC85EBFB6FCEB48744F10801AF205A2181EAA48D159B70

Function 002190E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 001CD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 001CD1BA
Part of subcall function 001CD17C: GetStockObject.GDI32(00000011), ref: 001CD1CE
Part of subcall function 001CD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 001CD1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0021915C
LoadLibraryW.KERNEL32(?), ref: 00219163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00219178
DestroyWindow.USER32(?), ref: 00219180

Strings

SysAnimate32, xrefs: 00219137

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: ff0bcf5afe7f3b3ab5b7bc62ee0ce10a07cf915238bf20d618dcb62af7494d37
Instruction ID: 2c03f576ff19d22cffa781c2d021f13a14a4caec850e8f452ad91b759f8bc56b
Opcode Fuzzy Hash: ff0bcf5afe7f3b3ab5b7bc62ee0ce10a07cf915238bf20d618dcb62af7494d37
Instruction Fuzzy Hash: E9214F71620207BBEF104F64AC99EFA37EDEB69364F140628F95892190C771DCE1AB60

Function 001F9568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001F9588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001F95B9
GetStdHandle.KERNEL32(0000000C), ref: 001F95CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 001F9605

Strings

nul, xrefs: 001F9600

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 7a606a2fefc1504e256413459dfc6b6971931483b4a6d8523b1e3d7655a75981
Instruction ID: 22b680759fa9cd991c8bac3bd7eb13c7d8f3dbb152a25cc65e6d2c5c94b4dd46
Opcode Fuzzy Hash: 7a606a2fefc1504e256413459dfc6b6971931483b4a6d8523b1e3d7655a75981
Instruction Fuzzy Hash: 8321627050020DABDB25AF65DC05BAAB7F4AF55720F204A1AFEA1D72E0D770D945CB10

Function 001F9634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001F9653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001F9683
GetStdHandle.KERNEL32(000000F6), ref: 001F9694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 001F96CE

Strings

nul, xrefs: 001F96C9

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: c946ac3c2fc7560f4af7db7c579d14013f7ec13c540cdd69417cb2e01a77b9e6
Instruction ID: a681094bac47eb4ca96dcfdbfd6d8b69668da7ccfd5d3e2ab8fb746e70158355
Opcode Fuzzy Hash: c946ac3c2fc7560f4af7db7c579d14013f7ec13c540cdd69417cb2e01a77b9e6
Instruction Fuzzy Hash: BE2192716002099BDB24AF69DC54FAAB7E8AF55734F200B19FEA1E72D0E770D841CB50

Function 001FDAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001FDB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 001FDB5E
__swprintf.LIBCMT ref: 001FDB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,0024DC00), ref: 001FDBB5

Strings

%lu, xrefs: 001FDB71

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: b17b8a2f2b5b82c98841928f9a94482cc42480c38a40b3f4ee150d0ff4517a5d
Instruction ID: 4558303e75bbe057050424ce3d300855ec56807ba5894b6b426e773ba374e713
Opcode Fuzzy Hash: b17b8a2f2b5b82c98841928f9a94482cc42480c38a40b3f4ee150d0ff4517a5d
Instruction Fuzzy Hash: 63216535600108AFCB10EFA4DD85EEEB7B8EF59704B144069FA09D7251DB71EA41DBA1

Function 001EC9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001EC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 001EC84A
Part of subcall function 001EC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001EC85D
Part of subcall function 001EC82D: GetCurrentThreadId.KERNEL32 ref: 001EC864
Part of subcall function 001EC82D: AttachThreadInput.USER32(00000000), ref: 001EC86B

GetFocus.USER32 ref: 001ECA05

Part of subcall function 001EC876: GetParent.USER32(?), ref: 001EC884

GetClassNameW.USER32(?,?,00000100), ref: 001ECA4E
EnumChildWindows.USER32(?,001ECAC4), ref: 001ECA76
__swprintf.LIBCMT ref: 001ECA90

Strings

%s%d, xrefs: 001ECA8A

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: 2c29e5b72a09e9c1b05e935b43318ec6760f4d65bc26d6c6b8b8e6ce1aaa0e96
Instruction ID: 4a28b315ffcff064f34d7a0ed350ded3104c9274a919a3c7eb7d8804be214f12
Opcode Fuzzy Hash: 2c29e5b72a09e9c1b05e935b43318ec6760f4d65bc26d6c6b8b8e6ce1aaa0e96
Instruction Fuzzy Hash: 121172716002057BCF15BFA1EC8AFED376DAB94714F004066FE19AB182DB749946DBB0

Function 001D7A94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 001D7AD8

Part of subcall function 001D7CF4: __mtinitlocknum.LIBCMT ref: 001D7D06
Part of subcall function 001D7CF4: EnterCriticalSection.KERNEL32(00000000,?,001D7ADD,0000000D), ref: 001D7D1F

InterlockedIncrement.KERNEL32(?), ref: 001D7AE5
__lock.LIBCMT ref: 001D7AF9
___addlocaleref.LIBCMT ref: 001D7B17

Strings

`#, xrefs: 001D7AA3

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID: `#
API String ID: 1687444384-3959605652
Opcode ID: 8a0e49fb7526373531bf77dab7336c41b70f40cb932873dc6296bc1ddf8dca28
Instruction ID: f2aaff0f302ddcc4c0489a332cb5fcd74b65a1c58de3ba555afe4fedd55d5e0e
Opcode Fuzzy Hash: 8a0e49fb7526373531bf77dab7336c41b70f40cb932873dc6296bc1ddf8dca28
Instruction Fuzzy Hash: 22015772505B01AFD720DF75D90A74ABBF0AF60325F20890FE49A973E0DBB0A684CB01

Function 0021E32E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0021E33D
_memset.LIBCMT ref: 0021E34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00273D00,00273D44), ref: 0021E37B
CloseHandle.KERNEL32 ref: 0021E38D

Strings

D=', xrefs: 0021E346

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: D='
API String ID: 3277943733-1194328539
Opcode ID: e844db3b43361247ab17a09a6a15b7c255bf7f2dfcca1cce4f8bb9e4e16692c2
Instruction ID: 2ee62df3f28cd8108213179ef772f6a59bb3159e23364ecfe1a4ac422490de2d
Opcode Fuzzy Hash: e844db3b43361247ab17a09a6a15b7c255bf7f2dfcca1cce4f8bb9e4e16692c2
Instruction Fuzzy Hash: 91F082F1550314BEE3209B60BC4DF7B7E5CDB19754F004422FE0CD61A2D3769E50A6A9

Function 00211945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 002119F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00211A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00211B49
CloseHandle.KERNEL32(?), ref: 00211BBF

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: dcb11c4311731d1d580108d4bd29cd80b782e31c00bc0ec8ddc9b8b37b24f9c4
Instruction ID: c48453feaef5083aced70654b962c09ee25a8180e32476e5be9fbaa67002d60a
Opcode Fuzzy Hash: dcb11c4311731d1d580108d4bd29cd80b782e31c00bc0ec8ddc9b8b37b24f9c4
Instruction Fuzzy Hash: 51818270650205ABDF109F64C886FADBBF5AF24720F148459FA09AF382DBB5ED518F90

Function 0021E062 Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0021E1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 0021E20D
IsDlgButtonChecked.USER32(?,00000001), ref: 0021E248
GetWindowLongW.USER32(?,000000EC), ref: 0021E269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0021E281

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: 0f3b041fdcb3f80197c9635f21fcd3f7de6f9a04965c945d2c547e1adc8c123a
Instruction ID: 996c4d67be6641e712004a71f6035f5a8dc89a36235d54d301b7d69f5610072d
Opcode Fuzzy Hash: 0f3b041fdcb3f80197c9635f21fcd3f7de6f9a04965c945d2c547e1adc8c123a
Instruction Fuzzy Hash: 26619E34A20205AFDF259F18DC95FEA77FAAFA9300F164059FC59972A1C771ADA0CB10

Function 001F1C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001F1CB4
VariantClear.OLEAUT32(00000013), ref: 001F1D26
VariantClear.OLEAUT32(00000000), ref: 001F1D81
VariantClear.OLEAUT32(?), ref: 001F1DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 001F1E26

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 50a6f905bb41785cd1307244887601fc8a2df03ca3913072c3bd432d928e86de
Instruction ID: 23d0001a9e9634e1e69199c34f249b4191dfd8b9937ffe7fd7e657b3810704d8
Opcode Fuzzy Hash: 50a6f905bb41785cd1307244887601fc8a2df03ca3913072c3bd432d928e86de
Instruction Fuzzy Hash: 005158B5A00209EFDB14CF58D884AAAB7B8FF4C314B158559EE59DB301E330EA51CFA0

Function 00210688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 001B936C: __swprintf.LIBCMT ref: 001B93AB
Part of subcall function 001B936C: __itow.LIBCMT ref: 001B93DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 002106EE
GetProcAddress.KERNEL32(00000000,?), ref: 0021077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0021079B
GetProcAddress.KERNEL32(00000000,?), ref: 002107E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 002107FB

Part of subcall function 001CE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,001FA574,?,?,00000000,00000008), ref: 001CE675
Part of subcall function 001CE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,001FA574,?,?,00000000,00000008), ref: 001CE699

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 123c7fbe496d430621adc81205e899751dcad0b11e163ca380699a59e67eaafc
Instruction ID: 82dbd00411686ce7e2fb1a9e8cf0279d9936a2ebcd9f27dde1c7c8a043238ece
Opcode Fuzzy Hash: 123c7fbe496d430621adc81205e899751dcad0b11e163ca380699a59e67eaafc
Instruction Fuzzy Hash: 4F514875A00206DFCB04EFA8D585DEDB7F5BF68310B048059EA15AB392DB70ED96CB90

Function 00212E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00213C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00212BB5,?,?), ref: 00213C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00212EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00212F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00212F75
RegCloseKey.ADVAPI32(?,?), ref: 00212FA1
RegCloseKey.ADVAPI32(00000000), ref: 00212FAE

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: aa1a88a3ec71f17885a12edd9fe8aa3156ad556f6ac5ea2bb53c52aa9fad24c6
Instruction ID: 67d99d472e609d38fdda47df5567163a6a6a1e4a23f606ae68c43255a95bea5a
Opcode Fuzzy Hash: aa1a88a3ec71f17885a12edd9fe8aa3156ad556f6ac5ea2bb53c52aa9fad24c6
Instruction Fuzzy Hash: 8A517931218204AFC704EF64C981EAEB7F9FF98304F00481DF595972A1DB70E969CB92

Function 0021CCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d253cf9e38480c3fa4c88ab090eb17f57394d4fca19b54a5ea9d6dc761cf31c9
Instruction ID: 90ee6adb8eabe7f9fdfc16ceb543d0e95c22e236084d3835548a96eb89e1f5e0
Opcode Fuzzy Hash: d253cf9e38480c3fa4c88ab090eb17f57394d4fca19b54a5ea9d6dc761cf31c9
Instruction Fuzzy Hash: 9041E43D960245ABC724DF78EC48FE9BBE8EB19310F240125F959A72E1C770ADA1CA50

Function 00201206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 002012B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 002012DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0020131C

Part of subcall function 001B936C: __swprintf.LIBCMT ref: 001B93AB
Part of subcall function 001B936C: __itow.LIBCMT ref: 001B93DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00201341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00201349

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: e314b19e5ee850f14995b9e20824f1faaf10133b5237874e299af3a2b3686cb7
Instruction ID: 7337c6a22676f6d87afc62530489897844a73860b9a308fbd3b195cddc159fc7
Opcode Fuzzy Hash: e314b19e5ee850f14995b9e20824f1faaf10133b5237874e299af3a2b3686cb7
Instruction Fuzzy Hash: 2B410E35A00205DFCB05EF64C995AAEBBF5FF19310B148099F909AB3A2DB31ED11DB51

Function 001CB63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 001CB64F
ScreenToClient.USER32(00000000,000000FF), ref: 001CB66C
GetAsyncKeyState.USER32(00000001), ref: 001CB691
GetAsyncKeyState.USER32(00000002), ref: 001CB69F

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 95222ee2f40742e240326c338eae77998c56fb8663f15c7e79c82a17b17c7bba
Instruction ID: 456f1c937e28f4178aa9a62e30aff2187c4459c29b281280895ff44d479025a6
Opcode Fuzzy Hash: 95222ee2f40742e240326c338eae77998c56fb8663f15c7e79c82a17b17c7bba
Instruction Fuzzy Hash: 40416E35918125BBCF159F64D885FE9BBB4BB15324F204319F82996290CB30A9A4DFA1

Function 001EB358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001EB369
PostMessageW.USER32(?,00000201,00000001), ref: 001EB413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 001EB41B
PostMessageW.USER32(?,00000202,00000000), ref: 001EB429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 001EB431

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: d768e58af38dc0a4633cf664897dc28e024f38f4a307d2939e9c5fd69903d182
Instruction ID: 765633936fd6878d4c70e1b626b6e34a6a68b3c10da1290ef17249b88f209e4c
Opcode Fuzzy Hash: d768e58af38dc0a4633cf664897dc28e024f38f4a307d2939e9c5fd69903d182
Instruction Fuzzy Hash: CF31ECB1904659EBDF04CFA9E98EADF3BB5FB00319F004229F821AA1D1C3B0D950CB90

Function 001EDBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 001EDBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 001EDBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 001EDC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 001EDC52
_wcsstr.LIBCMT ref: 001EDC5C

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 19ddb7ef1f7c23ce639c8c8303446b6787ffe1d572440648339e147c364a303a
Instruction ID: b7e035df23cec1d1b2dcd50992cda6555b4867a06df2183334f209e887d5a6ae
Opcode Fuzzy Hash: 19ddb7ef1f7c23ce639c8c8303446b6787ffe1d572440648339e147c364a303a
Instruction Fuzzy Hash: 3621F571204584BBEB195F3ABC4AE7F7BADDF55760F20402EF909CB191EBA1D801D660

Function 001EBC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001EBC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001EBCC2
__itow.LIBCMT ref: 001EBCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001EBD00
__itow.LIBCMT ref: 001EBD11

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: ab2b3b76b373b7770b64a0bea0445df206fae064a3b25b641a9040e9b3ce2084
Instruction ID: 66ad9999cb494d28bb35d8b942f09c35fe8e8982813d35ac537421f899b16715
Opcode Fuzzy Hash: ab2b3b76b373b7770b64a0bea0445df206fae064a3b25b641a9040e9b3ce2084
Instruction Fuzzy Hash: C6210831704A08BBDB10AFA69CC6FDF7A68AF6A310F100025F905EB181DB74CD4587A1

Function 001F6318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 001B50E6: _wcsncpy.LIBCMT ref: 001B50FA

GetFileAttributesW.KERNEL32(?,?,?,?,001F60C3), ref: 001F6369
GetLastError.KERNEL32(?,?,?,001F60C3), ref: 001F6374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,001F60C3), ref: 001F6388
_wcsrchr.LIBCMT ref: 001F63AA

Part of subcall function 001F6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,001F60C3), ref: 001F63E0

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: c5f17af3f81bcd61ddfb54803f2e0c3e623ece43cb143f33a14fc5d505db61f6
Instruction ID: 7f57a4d285f09ad5a92453aada97c9e78d81f42b39cd234d41097d9201a21728
Opcode Fuzzy Hash: c5f17af3f81bcd61ddfb54803f2e0c3e623ece43cb143f33a14fc5d505db61f6
Instruction Fuzzy Hash: C121273190421D8BDB15AB78AC46FFA33ACFF25360F10006AF24EC31C1EB60DD858A65

Function 00208B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0020A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0020A84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00208BD3
WSAGetLastError.WSOCK32(00000000), ref: 00208BE2
connect.WSOCK32(00000000,?,00000010), ref: 00208BFE

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 143dadf373cc9ad8dddd83ad0d05741a6235d53e7c1b20c6839ac2dc816d8641
Instruction ID: e0ead8781e6ec2889f0169a1e96cf1bbe6919d7f44d773f1fdbaef29c70fead4
Opcode Fuzzy Hash: 143dadf373cc9ad8dddd83ad0d05741a6235d53e7c1b20c6839ac2dc816d8641
Instruction Fuzzy Hash: FE21C0312002149FDB14AF28ED89F7EB7A9AF58710F044449F946AB2D2CF70EC018B51

Function 00208420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00208441
GetForegroundWindow.USER32 ref: 00208458
GetDC.USER32(00000000), ref: 00208494
GetPixel.GDI32(00000000,?,00000003), ref: 002084A0
ReleaseDC.USER32(00000000,00000003), ref: 002084DB

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 02da9338165835db72f18f0c65eb68e3e6dbc0d1e49eaa53b807fa6aedce257a
Instruction ID: 8d610af986438260d6012d6dce03e430b6ed1fc9d9c606e21f93be6291803b4c
Opcode Fuzzy Hash: 02da9338165835db72f18f0c65eb68e3e6dbc0d1e49eaa53b807fa6aedce257a
Instruction Fuzzy Hash: 4E216375A00204AFD704DFA4ED89AAEBBF9EF48301F148479F95997252DB74ED01CB60

Function 001CAF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 001CAFE3
SelectObject.GDI32(?,00000000), ref: 001CAFF2
BeginPath.GDI32(?), ref: 001CB009
SelectObject.GDI32(?,00000000), ref: 001CB033

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4f277ea1e422c512d1e63eb4e2c30f80e4571f0474c67fc196288a31b0b492c8
Instruction ID: 231c4db141a81b5491b574a889a07877375d4a7c73a1b95df011ec46410dc42c
Opcode Fuzzy Hash: 4f277ea1e422c512d1e63eb4e2c30f80e4571f0474c67fc196288a31b0b492c8
Instruction Fuzzy Hash: 92216DB0804209AFDB11DFA9FC8DBAA7B7CBF20755F14421EF429961A0C370C8A5DB91

Function 001D217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 001D21A9
CreateThread.KERNEL32(?,?,001D22DF,00000000,?,?), ref: 001D21ED
GetLastError.KERNEL32 ref: 001D21F7
_free.LIBCMT ref: 001D2200
__dosmaperr.LIBCMT ref: 001D220B

Part of subcall function 001D7C0E: __getptd_noexit.LIBCMT ref: 001D7C0E

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 084cd715118a256516e815fb951cbfd97b76571037605a21816a1557bb24f463
Instruction ID: 5a44b8180ad855d8c9e6db2581c19b79803de74a87cb06d7ebd84de45763ecea
Opcode Fuzzy Hash: 084cd715118a256516e815fb951cbfd97b76571037605a21816a1557bb24f463
Instruction Fuzzy Hash: CC11DB33104706AFDB11BF65EC41D9B3799EF65770710052BF92487391EB71D8118BA1

Function 001EABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 001EABD7
GetLastError.KERNEL32(?,001EA69F,?,?,?), ref: 001EABE1
GetProcessHeap.KERNEL32(00000008,?,?,001EA69F,?,?,?), ref: 001EABF0
HeapAlloc.KERNEL32(00000000,?,001EA69F,?,?,?), ref: 001EABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 001EAC0E

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: c80c643f482168364e8630de63f492c6cb163350c61dfc23a7445ef97754b116
Instruction ID: 4ff69e8fd84a45e055f7e2409e6e69510c102cfbab3ce92bbd22c53a3c855a42
Opcode Fuzzy Hash: c80c643f482168364e8630de63f492c6cb163350c61dfc23a7445ef97754b116
Instruction Fuzzy Hash: D8014670200244BFDB104FAAFC48DAB3ABCEF8A3547200429F949C3260DB71AC40CE60

Function 001F7A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 001F7A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001F7A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001F7A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001F7A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 001F7AD0

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 932f0ec86d5482d4558fe359b3cc4eedd3dcc9c877cde452d92569bf1b0f1b95
Instruction ID: 4435bdaef3d8d1e15ab8b8167e9b69d08a377bc6e20f86a0b50aefd83945b135
Opcode Fuzzy Hash: 932f0ec86d5482d4558fe359b3cc4eedd3dcc9c877cde452d92569bf1b0f1b95
Instruction Fuzzy Hash: 1C012971C0462DEBCF00AFE4EC5CAEDBB78FB08711F060455EA42B3190DB30966487A1

Function 001E9ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 001E9ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 001E9AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 001E9B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 001E9B15
CLSIDFromString.OLE32(?,?), ref: 001E9B21

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: d4ae28c7144a103de878f1dfa57415f8f940adc5492db604ad0e4335bfa758a2
Instruction ID: e7b754edd72085282af033b02f4bd928699680bbdae5a361b759e3d145da35f2
Opcode Fuzzy Hash: d4ae28c7144a103de878f1dfa57415f8f940adc5492db604ad0e4335bfa758a2
Instruction Fuzzy Hash: 0A018BB6600608BFDB104F6AFC48FAEBAEDEF84752F148464F905D2210D770ED029BA0

Function 001EAA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001EAA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001EAA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001EAA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001EAA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001EAAAF

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 98857f887e13dc429cde62a988380c1c162537907b5f3b0a7c8b6a0e883c77f1
Instruction ID: d7899b3076f60961b3fed5746cfcba149febba892d043e3566a6f2bbc825ac59
Opcode Fuzzy Hash: 98857f887e13dc429cde62a988380c1c162537907b5f3b0a7c8b6a0e883c77f1
Instruction Fuzzy Hash: 7BF04F752003046FEB115FA5BC8DEAB3BACFF89754F400429F946C7190DB60EC51DA61

Function 001EAAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001EAADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001EAAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001EAAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001EAAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001EAB10

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b5c9381817487b120f99065cd18825d4926333eaa291da48fda34a45c4fd842e
Instruction ID: f265889f5c2a1535face92b23a4deb0872efe468af7412a4f4d60e055ada0cb4
Opcode Fuzzy Hash: b5c9381817487b120f99065cd18825d4926333eaa291da48fda34a45c4fd842e
Instruction Fuzzy Hash: FFF04F752002086FEB111FA5FC88EAB3BADFF45754F400029F985C7190CB60EC129A61

Function 001EEC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 001EEC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 001EECAB
MessageBeep.USER32(00000000), ref: 001EECC3
KillTimer.USER32(?,0000040A), ref: 001EECDF
EndDialog.USER32(?,00000001), ref: 001EECF9

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 72800f9e9f8e64127a88913edda8660773a93980fa1804928d9a89b6c2162c71
Instruction ID: 496890c92cde03bd733f423bec448784be727e49df07c99ff37fe24d53d8d361
Opcode Fuzzy Hash: 72800f9e9f8e64127a88913edda8660773a93980fa1804928d9a89b6c2162c71
Instruction Fuzzy Hash: 05018130500B44ABEB245B21FE4EB9A77FCFB10705F100559B693A24E0DBF4AA94CB80

Function 001CB0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001CB0BA
StrokeAndFillPath.GDI32(?,?,0022E680,00000000,?,?,?), ref: 001CB0D6
SelectObject.GDI32(?,00000000), ref: 001CB0E9
DeleteObject.GDI32 ref: 001CB0FC
StrokePath.GDI32(?), ref: 001CB117

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 4f13487060ffed3cb880fb766c6daf2e0c20b686f6b38798b2213dcb1c99b2e4
Instruction ID: a57eedc835b60dda46a0bf74cce0bf564c331dfc422893ffee5c608cac603c8b
Opcode Fuzzy Hash: 4f13487060ffed3cb880fb766c6daf2e0c20b686f6b38798b2213dcb1c99b2e4
Instruction Fuzzy Hash: 54F0C930004244EFDB259F6AFC4DB593B69BB10762F088319F469850F0C731C9A9DF50

Function 001FF23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001FF2DA
CoCreateInstance.OLE32(0023DA7C,00000000,00000001,0023D8EC,?), ref: 001FF2F2
CoUninitialize.OLE32 ref: 001FF555

Strings

.lnk, xrefs: 001FF28B, 001FF290, 001FF29E

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: f16731c42aeda08b83fbe9f4fe8b618a249fb884f40066d005fb71f8ae32d30f
Instruction ID: aa459804c402ef304f4a75265573133f2d0d71ad4746629fc8ad1be6921c4fa1
Opcode Fuzzy Hash: f16731c42aeda08b83fbe9f4fe8b618a249fb884f40066d005fb71f8ae32d30f
Instruction Fuzzy Hash: 1BA11B71104205AFD300EF64C891EAFB7ECEFA9714F00491DF555971A2EB70EA4ACB92

Function 001FE7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 001B660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001B53B1,?,?,001B61FF,?,00000000,00000001,00000000), ref: 001B662F

CoInitialize.OLE32(00000000), ref: 001FE85D
CoCreateInstance.OLE32(0023DA7C,00000000,00000001,0023D8EC,?), ref: 001FE876
CoUninitialize.OLE32 ref: 001FE893

Part of subcall function 001B936C: __swprintf.LIBCMT ref: 001B93AB
Part of subcall function 001B936C: __itow.LIBCMT ref: 001B93DF

Strings

.lnk, xrefs: 001FE83B, 001FE84D

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 17cbec858b6cdf823a3e3616eb1b526b32fa47dce6eeed98de182acdac6c59c9
Instruction ID: ddfa937dd20a780b74b6862a19790e635cb2d3c91e29da6c78f54b7efdd1cd6c
Opcode Fuzzy Hash: 17cbec858b6cdf823a3e3616eb1b526b32fa47dce6eeed98de182acdac6c59c9
Instruction Fuzzy Hash: 0BA155356043059FCB14DF24C884E6EBBE5BF89314F048988FA9A9B3A1CB31EC45CB91

Function 001D325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 001D32ED

Part of subcall function 001DE0D0: __87except.LIBCMT ref: 001DE10B

Strings

pow, xrefs: 001D32C5, 001D32E2

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 2fcd0af18a72ef00201c2a17519b788e4edcf830d9a3f6b8184d8e170600cd28
Instruction ID: 2acfa6d91088aa1436fc4751fdbc7b188e0fe430fc40b5f48e19caff395ea998
Opcode Fuzzy Hash: 2fcd0af18a72ef00201c2a17519b788e4edcf830d9a3f6b8184d8e170600cd28
Instruction Fuzzy Hash: 0C517831A08201E2CB157718DA4537E7BE4AB51711F308D2BF0E68A3A9DF748ED8DA43

Function 001F4606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0024DC50,?,0000000F,0000000C,00000016,0024DC50,?), ref: 001F4645

Part of subcall function 001B936C: __swprintf.LIBCMT ref: 001B93AB
Part of subcall function 001B936C: __itow.LIBCMT ref: 001B93DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 001F46C5

Strings

THIS, xrefs: 001F4703
REMOVE, xrefs: 001F4676

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: 94ebaf741d999dc3c6ff281002f4f6b8e12912bc9410ea617de99d03b50c857f
Instruction ID: 6955d69a10c7174f6073058d53be1ac61abd42f56a0f6c64e94fd8d68429ad9f
Opcode Fuzzy Hash: 94ebaf741d999dc3c6ff281002f4f6b8e12912bc9410ea617de99d03b50c857f
Instruction Fuzzy Hash: 3D417F34A0021D9FCF05EFA4C881ABEB7B5FF59314F148069EA16AB2A2DB34DD45CB50

Function 001EC189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001F430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001EBC08,?,?,00000034,00000800,?,00000034), ref: 001F4335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 001EC1D3

Part of subcall function 001F42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001EBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 001F4300

Part of subcall function 001F422F: GetWindowThreadProcessId.USER32(?,?), ref: 001F425A
Part of subcall function 001F422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,001EBBCC,00000034,?,?,00001004,00000000,00000000), ref: 001F426A
Part of subcall function 001F422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,001EBBCC,00000034,?,?,00001004,00000000,00000000), ref: 001F4280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001EC240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001EC28D

Strings

@, xrefs: 001EC2A5

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 81c78e9f1c10014f871cd68e1dc00917b3d07715b13d137a9181356f26cd8124
Instruction ID: 3298c656527d2e390f752466d963aa479516e0725adef56a87e4f5850fdb7a44
Opcode Fuzzy Hash: 81c78e9f1c10014f871cd68e1dc00917b3d07715b13d137a9181356f26cd8124
Instruction Fuzzy Hash: C7413A7290021DAFDB10DFA4DC82AEEB7B8BF19300F004095FA55B7181DB71AE45CBA1

Function 0021A63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0024DC00,00000000,?,?,?,?), ref: 0021A6D8
GetWindowLongW.USER32 ref: 0021A6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0021A705

Strings

SysTreeView32, xrefs: 0021A6AA

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: ee2ae93fe061524da164f91d1fb61b8a2da626366ee185f76128e5dbedcbbc24
Instruction ID: 4ac47d606c334937dee3d4fb65da0b0cbfb2b6d6a359265763293ec89bae803f
Opcode Fuzzy Hash: ee2ae93fe061524da164f91d1fb61b8a2da626366ee185f76128e5dbedcbbc24
Instruction Fuzzy Hash: 9E31CE31211206ABDF118E38DC45BEA77A9FB69324F244325F875932E0C730E8A18B90

Function 00205180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00205190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 002051C6

Strings

|, xrefs: 002051B5
D , xrefs: 0020522E

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |$D
API String ID: 1413715105-2817649481
Opcode ID: 1f88794927b8e773ee828ef857585e0824347214d98e0e346ad7fc98c82de5d0
Instruction ID: cc97f9e16d4a5412aba38174fda0c250c310fb655ab08982eb716b046dd3e852
Opcode Fuzzy Hash: 1f88794927b8e773ee828ef857585e0824347214d98e0e346ad7fc98c82de5d0
Instruction Fuzzy Hash: 33312A71C11119AFCF01EFA4CC85AEEBFB9FF28710F100055F915A6166DB31A916DBA0

Function 0021A0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0021A15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0021A172
SendMessageW.USER32(?,00001002,00000000,?), ref: 0021A196

Strings

SysMonthCal32, xrefs: 0021A129

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 11f925eb43664c72763e608ecc5df21fb228b20b08b10a62d82861bd32899bc4
Instruction ID: b9ae628ab76207e0650e0b54d7cbe189d008ea81904f7797274bb8e900d2abb7
Opcode Fuzzy Hash: 11f925eb43664c72763e608ecc5df21fb228b20b08b10a62d82861bd32899bc4
Instruction Fuzzy Hash: 1A21A032510219BBDF119F94DC46FEA3BB9EF58714F110114FE596B1D0D6B5A8A08BA0

Function 0021A88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0021A941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0021A94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0021A956

Strings

msctls_updown32, xrefs: 0021A8BB

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 65a613acbb50a6020de6bf177550da6cc71ff0f72d782ed76247227b95edd3ba
Instruction ID: c3a145602709deb5ee001aa63841f1cbb4e0a939c6d8702e937c6efa05ddb9e0
Opcode Fuzzy Hash: 65a613acbb50a6020de6bf177550da6cc71ff0f72d782ed76247227b95edd3ba
Instruction Fuzzy Hash: E12195B5610209AFDB10DF28DC96DB737EDEF6A354B050059F91497251CB30ECA18B61

Function 002199A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00219A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00219A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00219A65

Strings

Listbox, xrefs: 002199FD

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 8558e22ce6705a66b892cb94bc6151f1a69d1068d043699867a39ef60b8b9984
Instruction ID: 9a1ecd7eed29095b21e09f4be6a0d60f4e7f3069f69913af00c5a37adb2f0fec
Opcode Fuzzy Hash: 8558e22ce6705a66b892cb94bc6151f1a69d1068d043699867a39ef60b8b9984
Instruction Fuzzy Hash: FC21B032620119BFDB218F54DC95EFB3BEEEF99750F118128F9549B190C671ACA18BA0

Function 0021A409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0021A46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0021A482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0021A48F

Strings

msctls_trackbar32, xrefs: 0021A444

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c25c474b1aa967074509622da248e0fc11c0606666dc94a99e0da1256e5cbbe7
Instruction ID: 10202709ca222f7bf89120a7e25df2dcb9dfedeb1502630bfa1dcabf93f234ac
Opcode Fuzzy Hash: c25c474b1aa967074509622da248e0fc11c0606666dc94a99e0da1256e5cbbe7
Instruction Fuzzy Hash: 4E110A71210209BEEF205F64DC49FEB37ADFF99754F024118FA55A6091D2B1E861DB20

Function 001D2287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,001D2350,?), ref: 001D22A1
GetProcAddress.KERNEL32(00000000), ref: 001D22A8

Strings

RoInitialize, xrefs: 001D2290
combase.dll, xrefs: 001D229C

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 9998dc301e3311af105e5b51efb7a3a4932e6c2e233c2dc2536783b3c54c5529
Instruction ID: 4cc3c5d3a488fbf7919585d005121133d05af9cd971314445a463334672b8d2d
Opcode Fuzzy Hash: 9998dc301e3311af105e5b51efb7a3a4932e6c2e233c2dc2536783b3c54c5529
Instruction Fuzzy Hash: E2E046B0AA4300EBDF205F70FD8EB153A68BB11B02F808020F14AE61E0CBF444A8DF04

Function 001D235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,001D2276), ref: 001D2376
GetProcAddress.KERNEL32(00000000), ref: 001D237D

Strings

combase.dll, xrefs: 001D2371
RoUninitialize, xrefs: 001D2365

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: 62b1de96924b40316e0cda4aab8ac10f8801f7ee17ac37ce8f994d40435a75c3
Instruction ID: afb7f05db2858417001e9da75d11e73678e0a80231ac6a69193401fb80fb7a41
Opcode Fuzzy Hash: 62b1de96924b40316e0cda4aab8ac10f8801f7ee17ac37ce8f994d40435a75c3
Instruction Fuzzy Hash: 46E0BDB0698300EBDB206F60FD4EB053A69B724702F504424F10DE21B0CBF994A89A14

Function 0022AC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0022AC60
__swprintf.LIBCMT ref: 0022AC94

Strings

WIN_XPe, xrefs: 0022ACD3
%.3d, xrefs: 0022AC6E

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 66596538faa5ecaf96a4ed51b42e10a4e7041b6ff4b9cd020e6ecdcfd55a377b
Instruction ID: 68a5f6413939af0a356dd05ddd49c9b24fb818ad013b1d9d6b9eb5ad2d3bbf29
Opcode Fuzzy Hash: 66596538faa5ecaf96a4ed51b42e10a4e7041b6ff4b9cd020e6ecdcfd55a377b
Instruction Fuzzy Hash: AFE01271824628FBCB11ABD0FD45DFA737CAB04741F5004D3F906A1510D7759BA4AA13

Function 00212205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,002121FB,?,002123EF), ref: 00212213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00212225

Strings

GetProcessId, xrefs: 0021221F
kernel32.dll, xrefs: 0021220E

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: e3fb8ccc9addd63b617b06e57837348616a26b3719de60d1ce8f6340a4f51c6d
Instruction ID: dd7889ea8874332826ecd44af02d0b64f44b372f74f910b63d3f65466052a894
Opcode Fuzzy Hash: e3fb8ccc9addd63b617b06e57837348616a26b3719de60d1ce8f6340a4f51c6d
Instruction Fuzzy Hash: 0ED0A734420713DFC7215F30F80C64576E4EB15304B00442AFCC6E2150D770D8E48650

Function 001B42F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,001B42EC,?,001B42AA,?), ref: 001B4304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001B4316

Strings

kernel32.dll, xrefs: 001B42FF
Wow64RevertWow64FsRedirection, xrefs: 001B4310

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 41a51cb0eeb455b2ee51eaf5b47d90854229f1b831fc33df9627b81bf091440f
Instruction ID: 27d466827cd612f2421234a6a35cda440dc6a35c77095af04d367a5b2b1c7187
Opcode Fuzzy Hash: 41a51cb0eeb455b2ee51eaf5b47d90854229f1b831fc33df9627b81bf091440f
Instruction Fuzzy Hash: D3D0A930860B22AFC7208F22F84C68276F8BB05301B04842AE88AD2271EBB0CCC08A50

Function 001B434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,001B41BB,001B4341,?,001B422F,?,001B41BB,?,?,?,?,001B39FE,?,00000001), ref: 001B4359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001B436B

Strings

Wow64DisableWow64FsRedirection, xrefs: 001B4365
kernel32.dll, xrefs: 001B4354

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: eab1a34efe59218eb533871f65ac5e5a7c4159b2529e6e3c8814087124eea3b2
Instruction ID: 727f2957e51052e8acd4122fc1ec913f6b016f9589cdbfa5c16e9ca0eaad48f8
Opcode Fuzzy Hash: eab1a34efe59218eb533871f65ac5e5a7c4159b2529e6e3c8814087124eea3b2
Instruction Fuzzy Hash: 18D0A7304507329FC7208F30F80CA4176E4BB11715B04842AE4C5D2160D7B0D8C08A50

Function 001F0539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,001F051D,?,001F05FE), ref: 001F0547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 001F0559

Strings

oleaut32.dll, xrefs: 001F0542
RegisterTypeLibForUser, xrefs: 001F0553

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: b4c807b27812727c82d51b2ddc7a2cb7a5f9439c73b678722e52dc114e6b092d
Instruction ID: af06560b67909f67bf9b8907ea368c6cee3c846b21f08e8067ea6d9fbfcbd37b
Opcode Fuzzy Hash: b4c807b27812727c82d51b2ddc7a2cb7a5f9439c73b678722e52dc114e6b092d
Instruction Fuzzy Hash: A3D0A770450B12DFC7208F20FC0C61176F4AB05301B10C41DE48AD2561D7F0C8C48A50

Function 001F0564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,001F052F,?,001F06D7), ref: 001F0572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 001F0584

Strings

oleaut32.dll, xrefs: 001F056D
UnRegisterTypeLibForUser, xrefs: 001F057E

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 3cdc9b36bcc788cc651a4ac8effdcb59e6ead13a7dd2bc775c55f80bb4bac4c4
Instruction ID: e9c23e6e03d1b9dcf26176bd0e62edeeb7b548a59318e3df9bfb2795aab8c440
Opcode Fuzzy Hash: 3cdc9b36bcc788cc651a4ac8effdcb59e6ead13a7dd2bc775c55f80bb4bac4c4
Instruction Fuzzy Hash: 52D0A730410712DFC7209F30F80CB1277F4AB09301B10841DE985D2560D7F0C5C88A60

Function 0020ECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0020ECBE,?,0020EBBB), ref: 0020ECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0020ECE8

Strings

GetSystemWow64DirectoryW, xrefs: 0020ECE2
kernel32.dll, xrefs: 0020ECD1

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: b5874311b595962dd37341bc61d9a2149ecfc3ef1e8a04fd1ae75a754494f2c2
Instruction ID: faa0f72063b468c7dc838f87e8f574c224a63870be1def4412b4f08a772e3217
Opcode Fuzzy Hash: b5874311b595962dd37341bc61d9a2149ecfc3ef1e8a04fd1ae75a754494f2c2
Instruction Fuzzy Hash: 8AD0A730421723DFDF205F60F84C60277E4AB01300B05882BF8C9D2191DF70D8D08650

Function 0020BADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,0020BAD3,00000001,0020B6EE,?,0024DC00), ref: 0020BAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0020BAFD

Strings

kernel32.dll, xrefs: 0020BAE6
GetModuleHandleExW, xrefs: 0020BAF7

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: de7c0ead4099e84309cc569ef1ee064a7593a1a54947f7fbba4be701a184f452
Instruction ID: 9b4fc3468a69b3afc6b1db3166387973fdf11e6b0310af18268490406695e947
Opcode Fuzzy Hash: de7c0ead4099e84309cc569ef1ee064a7593a1a54947f7fbba4be701a184f452
Instruction Fuzzy Hash: 93D05E308207139FC7315F20B848A1177E4AB01304B00442AA887D2190E770D8A0C650

Function 00213BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00213BD1,?,00213E06), ref: 00213BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00213BFB

Strings

advapi32.dll, xrefs: 00213BE4
RegDeleteKeyExW, xrefs: 00213BF5

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 5766c2221b93af0ac5c6fbeaebf4a91136f2279e8c784be51bbd88d4f8308aca
Instruction ID: 0089dd2fb107334ff48d216a3941b80dcddd7ad9c64b564ae1a0c56067e0ec08
Opcode Fuzzy Hash: 5766c2221b93af0ac5c6fbeaebf4a91136f2279e8c784be51bbd88d4f8308aca
Instruction Fuzzy Hash: 54D0C7745607539FD720AF65F80C643FAF9AB16715B10441BE4DAF2150D6B0D4D08E90

Function 001E9B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3346f027aba8486088bf9a730592a4b1148f10a65e2a8057af20265d4cfe153f
Instruction ID: aefcae14b45e9c3fa31a31c1d237fbcad27573785f6b33d566de846836ccac16
Opcode Fuzzy Hash: 3346f027aba8486088bf9a730592a4b1148f10a65e2a8057af20265d4cfe153f
Instruction Fuzzy Hash: 71C16E75A0065AEFCB14DF95C884EAEB7B5FF48704F208598E906EB251D730EE41DB90

Function 0020AA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0020AAB4
CoUninitialize.OLE32 ref: 0020AABF

Part of subcall function 001F0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 001F027B

VariantInit.OLEAUT32(?), ref: 0020AACA
VariantClear.OLEAUT32(?), ref: 0020AD9D

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: c634d9bf14927cdd0124864543baec9f9d7208ac263330db23a1bbb7f51ccc62
Instruction ID: 11821c4d4324d7e6f3d8013c90bec660d5d5ed3f2a4af13d9e0612ba5629d501
Opcode Fuzzy Hash: c634d9bf14927cdd0124864543baec9f9d7208ac263330db23a1bbb7f51ccc62
Instruction Fuzzy Hash: 9CA169352147019FDB10EF24C481B5AB7E5BFA9710F148449FA9A9B3A2CB70ED15CB86

Function 001E91CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001E91DD
SysAllocString.OLEAUT32(?), ref: 001E9286
VariantCopy.OLEAUT32 ref: 001E92B5
VariantClear.OLEAUT32(?), ref: 001E92DC

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 380fd8eb62a4d8c9fb4447677866c8911e483cc74a3067750cb54701e7fd2edd
Instruction ID: 6aa2115d3671037d783373ca00ce5962e8ae5510f6f734b7a887d72960d07c8b
Opcode Fuzzy Hash: 380fd8eb62a4d8c9fb4447677866c8911e483cc74a3067750cb54701e7fd2edd
Instruction Fuzzy Hash: 1151A270A04B86ABDB289F77D495A6EB3E5FF55310F20881FE696CB2D1DB7498808701

Function 0021C4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(016066E0,?), ref: 0021C544
ScreenToClient.USER32(?,00000002), ref: 0021C574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0021C5DA

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 4f888c2c9506cd1065ca4d1408d8e6371ade1e6ce3f2b2d72e131e1fb4c526e9
Instruction ID: c4781395ee416396a2c5c42d8c648d168777b2609fc0323e29a9efa6b3b391db
Opcode Fuzzy Hash: 4f888c2c9506cd1065ca4d1408d8e6371ade1e6ce3f2b2d72e131e1fb4c526e9
Instruction Fuzzy Hash: B0515D79910105AFCF10DF68D8859EE77FAAF65320F208259F96997290D730ED91CB90

Function 001EC410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 001EC462
__itow.LIBCMT ref: 001EC49C

Part of subcall function 001EC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 001EC753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 001EC505
__itow.LIBCMT ref: 001EC55A

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 65ea6318e52d9174c6b217d49ef8312b28d4ae48e8a6beffc3f286685499fb24
Instruction ID: 80a13984f7f55949f111f8bd929406e579b7795b0b59a80c3b13027e54a2da7d
Opcode Fuzzy Hash: 65ea6318e52d9174c6b217d49ef8312b28d4ae48e8a6beffc3f286685499fb24
Instruction Fuzzy Hash: C841E771700A48AFDF15EF59DC52BEE7BB9AF59700F000019F905A3281DB749A46CBD1

Function 001F390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 001F3966
SetKeyboardState.USER32(00000080,?,00000001), ref: 001F3982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 001F39EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 001F3A4D

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a138a3e782eaae9a4e915ea0a08532dae36d57a1dcecb9f717539369aa335478
Instruction ID: 53eb127e61dbf387bdd0fac3ec57faeb54c6ffb86e594dfe2122ca5d8f68c234
Opcode Fuzzy Hash: a138a3e782eaae9a4e915ea0a08532dae36d57a1dcecb9f717539369aa335478
Instruction Fuzzy Hash: 7C414630A0420CAEEF248B65D80ABFDBBB9AB55314F04010AF6E1972C1C7F48E85DB61

Function 001FE698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 001FE742
GetLastError.KERNEL32(?,00000000), ref: 001FE768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001FE78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001FE7B9

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 32859017902c69982d7ba4d0efb1bca67d8b439adff0aff0c92d78aa637d3ee7
Instruction ID: 1991da073d3debfb17dadc2f4c166ab95b6a57442e87e946f0246b1d303412da
Opcode Fuzzy Hash: 32859017902c69982d7ba4d0efb1bca67d8b439adff0aff0c92d78aa637d3ee7
Instruction Fuzzy Hash: 2C4105396006149FCB11AF25C545A5DBBE5BF69720B098498FA46AB3B2CB34FD018B91

Function 0021B544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0021B5D1

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 469f848e6acfec53b2bb0b3451cb053aec0e451bcfc736dd0ecd6887a0bc0281
Instruction ID: 292484b1ca32fac2a6c9cc1729fa1a6de0ba007aef8284876fd0d801897af4b3
Opcode Fuzzy Hash: 469f848e6acfec53b2bb0b3451cb053aec0e451bcfc736dd0ecd6887a0bc0281
Instruction Fuzzy Hash: F331EF34620249BBEB229F28DC89FE837FAEB35350F904105FA11D61E1C770A9F08A91

Function 0021D7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0021D807
GetWindowRect.USER32(?,?), ref: 0021D87D
PtInRect.USER32(?,?,0021ED5A), ref: 0021D88D
MessageBeep.USER32(00000000), ref: 0021D8FE

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f2788cc755d17804933db95278b0bf4bcaf1903c52edfa2abdee7edc9599f7c8
Instruction ID: e2447913af49b8dff4b183c86beef674cd7a6e7dcfd236d3056a81cdc6381aa0
Opcode Fuzzy Hash: f2788cc755d17804933db95278b0bf4bcaf1903c52edfa2abdee7edc9599f7c8
Instruction Fuzzy Hash: 9F418E70A20219DFCB11DF58E885BE97BF9FF54315F1A81A9E4149B250D330E9A2CF50

Function 001F3A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 001F3AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 001F3AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 001F3B34
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 001F3B92

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 384665c81d2956c7b35622a421bd9e652eb615be570b6af1c17ecbf76241f22c
Instruction ID: a637548bc5a292da886f96153b9d8af9077d747c6c0d6e52eaa75c5cf887db54
Opcode Fuzzy Hash: 384665c81d2956c7b35622a421bd9e652eb615be570b6af1c17ecbf76241f22c
Instruction Fuzzy Hash: A8318730A0024CAEEF358B64D82DBFEBBB99B55310F04015AEA96932D1C7748F45C761

Function 001E4004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 001E4038
__isleadbyte_l.LIBCMT ref: 001E4066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 001E4094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 001E40CA

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: f0b2dbf7106dc1f76d190ad163de4505a76499ae952eee8466f10130fea4a9c3
Instruction ID: fde47f59fbb587152d7843349fb87311de0230b59c2571d66904b731c1b7445b
Opcode Fuzzy Hash: f0b2dbf7106dc1f76d190ad163de4505a76499ae952eee8466f10130fea4a9c3
Instruction Fuzzy Hash: 5831AF31600A86AFDB219F66C844BAE7BA5BF41320F154539F6658B1A1E731E890DB90

Function 00217CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00217CB9

Part of subcall function 001F5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 001F5F6F
Part of subcall function 001F5F55: GetCurrentThreadId.KERNEL32 ref: 001F5F76
Part of subcall function 001F5F55: AttachThreadInput.USER32(00000000,?,001F781F), ref: 001F5F7D

GetCaretPos.USER32(?), ref: 00217CCA
ClientToScreen.USER32(00000000,?), ref: 00217D03
GetForegroundWindow.USER32 ref: 00217D09

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 46144410c4b7601bbf00e44a9dcafaeac256015937932f8047047ecb6683e8cc
Instruction ID: 458a40849740415a5069cb3efbbb45b1040ccd8d22cb63ed1252a5701d37f6a6
Opcode Fuzzy Hash: 46144410c4b7601bbf00e44a9dcafaeac256015937932f8047047ecb6683e8cc
Instruction Fuzzy Hash: 44311E75900108AFDB00EFA5D845DEFFBF9EFA8314B10846AE915E3211DB319E158BA0

Function 0021F1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001CB34E: GetWindowLongW.USER32(?,000000EB), ref: 001CB35F

GetCursorPos.USER32(?), ref: 0021F211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0022E4C0,?,?,?,?,?), ref: 0021F226
GetCursorPos.USER32(?), ref: 0021F270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0022E4C0,?,?,?), ref: 0021F2A6

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: ef7894107d34ddea63e9d5aa3a31dbda388974cadd463fefa3da473e6c3ce5d3
Instruction ID: 3b6cc3a1e834c288b5b9ac98e0dd59113262fde4226722ad6a5c9a1e67331332
Opcode Fuzzy Hash: ef7894107d34ddea63e9d5aa3a31dbda388974cadd463fefa3da473e6c3ce5d3
Instruction Fuzzy Hash: B2219139510028AFCB258F98E959EEE7BB9FF1A710F448069FD19872A1D3309DA1DB50

Function 0020431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00204358

Part of subcall function 002043E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00204401
Part of subcall function 002043E2: InternetCloseHandle.WININET(00000000), ref: 0020449E

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 5724eeb7ba782905470d8999c3e32169a0c0d8a6d1ceec5552ba2ed60016c4ef
Instruction ID: 732027957edffdc6e0351d49b4eaba872db70b5436e624f9e1a3d933729e9462
Opcode Fuzzy Hash: 5724eeb7ba782905470d8999c3e32169a0c0d8a6d1ceec5552ba2ed60016c4ef
Instruction Fuzzy Hash: 6921A4B5210705BBDB11AF60EC01F7BB7A9FF48710F20901AFB1596592D77198319B90

Function 00218A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00218AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00218AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00218ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00218ADC

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: c9ebb9c0db9e3fdca08f749aa93f929adcced0461f07664636fc1ee24973bc63
Instruction ID: e82785afe5cf39abbf11041a6fc3b60936b81d362a222d695d64d88de6a6d995
Opcode Fuzzy Hash: c9ebb9c0db9e3fdca08f749aa93f929adcced0461f07664636fc1ee24973bc63
Instruction Fuzzy Hash: 79119031315115AFD704AB28EC4AFFA77DDAFA5320F14411AF916C72E1DBB0AC508B94

Function 00208A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00208AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00208AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 00208AFF
WSAGetLastError.WSOCK32(00000000), ref: 00208B16

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 07b703841b3c5d5b04c3b24bdade62452fbb347861d685f043248951d49d3fb7
Instruction ID: 0ce1ee6aa65f06a4779ef6b308af9bf3f5ead97f5deeb8c6e415236df4e43d38
Opcode Fuzzy Hash: 07b703841b3c5d5b04c3b24bdade62452fbb347861d685f043248951d49d3fb7
Instruction Fuzzy Hash: F5217572A001249FC7219F69DC89AAEBBFCEF5A354F00416AF849D7291DB74DA418F90

Function 001F0AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 001F1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,001F0ABB,?,?,?,001F187A,00000000,000000EF,00000119,?,?), ref: 001F1E77
Part of subcall function 001F1E68: lstrcpyW.KERNEL32(00000000,?,?,001F0ABB,?,?,?,001F187A,00000000,000000EF,00000119,?,?,00000000), ref: 001F1E9D
Part of subcall function 001F1E68: lstrcmpiW.KERNEL32(00000000,?,001F0ABB,?,?,?,001F187A,00000000,000000EF,00000119,?,?), ref: 001F1ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,001F187A,00000000,000000EF,00000119,?,?,00000000), ref: 001F0AD4
lstrcpyW.KERNEL32(00000000,?,?,001F187A,00000000,000000EF,00000119,?,?,00000000), ref: 001F0AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,001F187A,00000000,000000EF,00000119,?,?,00000000), ref: 001F0B2E

Strings

cdecl, xrefs: 001F0B25

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: c10689d8d5a814e671c48aef23128c17e1a2d4efe9f713bc6b53073b4cefab5c
Instruction ID: 98c219d002e1e4ad82c859c77958555b53eb8bcf875da661feb3a985db068af7
Opcode Fuzzy Hash: c10689d8d5a814e671c48aef23128c17e1a2d4efe9f713bc6b53073b4cefab5c
Instruction Fuzzy Hash: 4411E63A210309EFDB26AF34DC05E7A77A9FF59310B80406AF906CB291EB71D851C7A0

Function 001E2F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001E2FB5

Part of subcall function 001D395C: __FF_MSGBANNER.LIBCMT ref: 001D3973
Part of subcall function 001D395C: __NMSG_WRITE.LIBCMT ref: 001D397A
Part of subcall function 001D395C: RtlAllocateHeap.NTDLL(015E0000,00000000,00000001,00000001,00000000,?,?,001CF507,?,0000000E), ref: 001D399F

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: e665f0d8fc0a92d09ea696e9ed6b68fa487dcb48be0b368d74772ac27880413e
Instruction ID: 6dcdd2df472bcc26655f5da2a75cf60ea192b00d66b3b7e56039ec0204469313
Opcode Fuzzy Hash: e665f0d8fc0a92d09ea696e9ed6b68fa487dcb48be0b368d74772ac27880413e
Instruction Fuzzy Hash: 42112C31409A52FFDB363F71BC5966E7B98AF20360F204826F819D7291DB30CD408A90

Function 001F058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 001F05AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 001F05C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001F05DD
FreeLibrary.KERNEL32(?), ref: 001F0632

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: aa11791b05c4eeeca8a711b047ceedd0c9ce79d24c95bfb00dfc62eb6071d51c
Instruction ID: c44dbb67e0b942a365776b38d43e2f8d5b99b5a8cb6a4bd6aebaaf055de96c48
Opcode Fuzzy Hash: aa11791b05c4eeeca8a711b047ceedd0c9ce79d24c95bfb00dfc62eb6071d51c
Instruction Fuzzy Hash: 32218E7190020DEFDB22CF91EC88AEABBB8EF48710F1084ADE616D2151D7B0EA55DF50

Function 001F6713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 001F6733
_memset.LIBCMT ref: 001F6754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 001F67A6
CloseHandle.KERNEL32(00000000), ref: 001F67AF

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: a523b2f4ed785dfcd504f5110cdd98b48f490cc799bb16beee2ea462c5065d06
Instruction ID: 38e72fe8f120a82747ee4d05dcbeb15aec521939ead668d49d9228da03002db8
Opcode Fuzzy Hash: a523b2f4ed785dfcd504f5110cdd98b48f490cc799bb16beee2ea462c5065d06
Instruction Fuzzy Hash: A411CA75901228BAE72067A5BC4DFABBABCEF44764F10429AF505E71D0D3745E808B64

Function 001EB1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001EAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001EAA79
Part of subcall function 001EAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001EAA83
Part of subcall function 001EAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001EAA92
Part of subcall function 001EAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001EAA99
Part of subcall function 001EAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001EAAAF

GetLengthSid.ADVAPI32(?,00000000,001EADE4,?,?), ref: 001EB21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 001EB227
HeapAlloc.KERNEL32(00000000), ref: 001EB22E
CopySid.ADVAPI32(?,00000000,?), ref: 001EB247

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: 1d4a3f3b8cafc3baf4699460e887dbdaf4171dca4c70bec2fc21ca5ae95703b7
Instruction ID: a6b68723b7df39dfaffdfa85645aa2cd4b4944b8fcffb8e00155f565ec5b1ecf
Opcode Fuzzy Hash: 1d4a3f3b8cafc3baf4699460e887dbdaf4171dca4c70bec2fc21ca5ae95703b7
Instruction Fuzzy Hash: 8B119175A05606EFDB049FA5ED85AAFB7A9EF85304F14802DEA4397210D731AE44DB10

Function 001EB478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 001EB498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001EB4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001EB4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001EB4DB

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d577b416dbe317c26ef4a84c90c7c3115d3cc24251169d33ba66b675c053d2e5
Instruction ID: 26e6d227df3a083eb3fdd39c00d7e5172791d41cfc0204b750675afb12a8e507
Opcode Fuzzy Hash: d577b416dbe317c26ef4a84c90c7c3115d3cc24251169d33ba66b675c053d2e5
Instruction Fuzzy Hash: 01115A7A900218FFEB11DFA9C885E9EBBB8FB08700F204091E605B7290D771AE10DB94

Function 001CB55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 001CB34E: GetWindowLongW.USER32(?,000000EB), ref: 001CB35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 001CB5A5
GetClientRect.USER32(?,?), ref: 0022E69A
GetCursorPos.USER32(?), ref: 0022E6A4
ScreenToClient.USER32(?,?), ref: 0022E6AF

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 2a198e2d0d01d80c54bac7fdb8973e5776eaffc550094967eb8224d0551255f5
Instruction ID: 97c73e86e2b99a197e3bbb460e1c396ba4d783b688d77859a17bcace6ee6ee33
Opcode Fuzzy Hash: 2a198e2d0d01d80c54bac7fdb8973e5776eaffc550094967eb8224d0551255f5
Instruction Fuzzy Hash: 1211283190002ABBCB14DF98E88ADAE77B9EB19305F410455E911E6140D334AA96CBA1

Function 001F732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001F7352
MessageBoxW.USER32(?,?,?,?), ref: 001F7385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 001F739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001F73A2

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 6733505243ca4ec553bf73eb969d3cf0d4b497e69107df4a092a39d584da9d1a
Instruction ID: 2b388c4846eb6e0a8cd98d63eee6c4be9589a575c03cc04824f2aeea944f6213
Opcode Fuzzy Hash: 6733505243ca4ec553bf73eb969d3cf0d4b497e69107df4a092a39d584da9d1a
Instruction Fuzzy Hash: 3B11C472A04219BFD701DBACFC0DAAE7BADAB45310F144355FD25D32A2D7708D109BA1

Function 001CD17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 001CD1BA
GetStockObject.GDI32(00000011), ref: 001CD1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 001CD1D8

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: eb58ab603bc4e0b079358d0acf509e6f4c54f7eccf3385a019862586c5c30467
Instruction ID: bac628c9d74a41bffdc33191e81239094718430041fd4791a444f8c94a7bdc8d
Opcode Fuzzy Hash: eb58ab603bc4e0b079358d0acf509e6f4c54f7eccf3385a019862586c5c30467
Instruction Fuzzy Hash: 0411AD72101549BFEF024FA0BC59EEABB6DFF29364F090129FA1452150C731DC60EBA0

Function 001E4DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 001E4E16

Part of subcall function 001E54F5: __fltout2.LIBCMT ref: 001E551E

__cftog_l.LIBCMT ref: 001E4E3C
__cftoe_l.LIBCMT ref: 001E4E6E

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 6fb1728886fab964654927ca6d5532828c285abb8998924e52bb855978021064
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 4C015E3600098EBBCF165E85DC06CEE3F23BF18354B598455FE2859131D33ACAB1AB81

Function 001D7452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001D7A0D: __getptd_noexit.LIBCMT ref: 001D7A0E

__lock.LIBCMT ref: 001D748F
InterlockedDecrement.KERNEL32(?), ref: 001D74AC
_free.LIBCMT ref: 001D74BF
InterlockedIncrement.KERNEL32(015F2C80), ref: 001D74D7

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 655fb2768e049cd319b0929e3cde570f7685770887a39099790e3466471181f4
Instruction ID: da3e85e386d46b71648bd89c84289fc75e28a15ca251132729435c7c40946e20
Opcode Fuzzy Hash: 655fb2768e049cd319b0929e3cde570f7685770887a39099790e3466471181f4
Instruction Fuzzy Hash: 3601923290A621ABDB13AF64A50A75DBB60BF04710F15814BF814777D0EB746D51CFD2

Function 0021EA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 001CAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 001CAFE3
Part of subcall function 001CAF83: SelectObject.GDI32(?,00000000), ref: 001CAFF2
Part of subcall function 001CAF83: BeginPath.GDI32(?), ref: 001CB009
Part of subcall function 001CAF83: SelectObject.GDI32(?,00000000), ref: 001CB033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0021EA8E
LineTo.GDI32(00000000,?,?), ref: 0021EA9B
EndPath.GDI32(00000000), ref: 0021EAAB
StrokePath.GDI32(00000000), ref: 0021EAB9

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 9baefe7772f0c51db82ee1429649ef6004493acafe686cdcdbf608467bbd97a3
Instruction ID: f5c09f60a712f9a938c20350e79e4fdbb63de7cb6a7db655d475dc1daba8863f
Opcode Fuzzy Hash: 9baefe7772f0c51db82ee1429649ef6004493acafe686cdcdbf608467bbd97a3
Instruction Fuzzy Hash: 11F08231045259BBDB129FA4BC0DFCE3F69AF16711F044101FE15610E187B595A5CB95

Function 001EC82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 001EC84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 001EC85D
GetCurrentThreadId.KERNEL32 ref: 001EC864
AttachThreadInput.USER32(00000000), ref: 001EC86B

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 79a544bbc61cbdb3bc33edcb6967842d8d4a142b953a5f2fc76a9600f9c64adf
Instruction ID: c2942c26a38391dfeb54457c7f1bc8fc820d63a8373ea8f75722102777f6f539
Opcode Fuzzy Hash: 79a544bbc61cbdb3bc33edcb6967842d8d4a142b953a5f2fc76a9600f9c64adf
Instruction Fuzzy Hash: 15E06D71141268BBDB201BA2FC0EEDB7F2CEF167A1F008021B60D84460C7B1C581DBE0

Function 001EB0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 001EB0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,001EAC9D), ref: 001EB0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001EAC9D), ref: 001EB0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,001EAC9D), ref: 001EB0F1

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: f045a27be3edb837d6379a2e0aa99fecb0c0a09b1c3697b4ea2c6adfd8fec7b1
Instruction ID: 1c37cc231949b66a94f746ac0323847e408343f9aa4b1887a2cfd89011489d4b
Opcode Fuzzy Hash: f045a27be3edb837d6379a2e0aa99fecb0c0a09b1c3697b4ea2c6adfd8fec7b1
Instruction Fuzzy Hash: 8FE086327012119BD7201FB27D0CB4B3BBCEF55B91F018818F281D6040DB349441CB60

Function 001CB47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001CB496
SetTextColor.GDI32(?,000000FF), ref: 001CB4A0
SetBkMode.GDI32(?,00000001), ref: 001CB4B5
GetStockObject.GDI32(00000005), ref: 001CB4BD
GetWindowDC.USER32(?,00000000), ref: 0022DE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0022DE38
GetPixel.GDI32(00000000,?,00000000), ref: 0022DE51
GetPixel.GDI32(00000000,00000000,?), ref: 0022DE6A
GetPixel.GDI32(00000000,?,?), ref: 0022DE8A
ReleaseDC.USER32(?,00000000), ref: 0022DE95

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 5ab3899922d4442a1a015f789796d3c1d603f3ceae904654d64ad9fdc9f599ef
Instruction ID: 1e835208b2e521c2a52b547048e8186e1804f55e55d7d8944f5d71cb26e31882
Opcode Fuzzy Hash: 5ab3899922d4442a1a015f789796d3c1d603f3ceae904654d64ad9fdc9f599ef
Instruction Fuzzy Hash: 69E06D31114240BBDB211FB4BC0DBD83B21AB11335F00C266F6AA980E1C7718591CB11

Function 0022B29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0022B29A
GetDC.USER32(00000000), ref: 0022B2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0022B2C3
ReleaseDC.USER32 ref: 0022B2E2

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 0f169c73679df29453a3a06b7b6119280c65e282b14f1b363b551e7500e192b0
Instruction ID: fde09ca3a18e657627e0bdd969129580587a0c426ee12d9cb9f941ea17bbc380
Opcode Fuzzy Hash: 0f169c73679df29453a3a06b7b6119280c65e282b14f1b363b551e7500e192b0
Instruction Fuzzy Hash: 79E012B1500204EFDB015FB0B84DA2E7BA8EB5C351F12881AFC6A8B210CBB598418F40

Function 001EB2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001EB2DF
UnloadUserProfile.USERENV(?,?), ref: 001EB2EB
CloseHandle.KERNEL32(?), ref: 001EB2F4
CloseHandle.KERNEL32(?), ref: 001EB2FC

Part of subcall function 001EAB24: GetProcessHeap.KERNEL32(00000000,?,001EA848), ref: 001EAB2B
Part of subcall function 001EAB24: HeapFree.KERNEL32(00000000), ref: 001EAB32

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: c2789eb472b1e6c47772b24fa216ec77b89616654d4f7803e8b1e7c78d57a4f9
Instruction ID: 0fded8d0e370fde88d1d4d3a5cd1239ce27629a5918fe637c6914f38ac05662f
Opcode Fuzzy Hash: c2789eb472b1e6c47772b24fa216ec77b89616654d4f7803e8b1e7c78d57a4f9
Instruction Fuzzy Hash: E2E0263A104405BBDB016BA6FC0C859FBB6FF997213508621F62682575CB32A871EF91

Function 0022B2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0022B2AE
GetDC.USER32(00000000), ref: 0022B2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0022B2C3
ReleaseDC.USER32 ref: 0022B2E2

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a341674242eaa406c6247dd57fff101b199f0d460ee5ea1432ac115c88ed7f4e
Instruction ID: b015bb7b3245f49361ab7ed0c1dcbb9d64af11ad766da2c1ab235adb8b00022c
Opcode Fuzzy Hash: a341674242eaa406c6247dd57fff101b199f0d460ee5ea1432ac115c88ed7f4e
Instruction Fuzzy Hash: 4BE046B1500200EFDB005F70F84DA2D7BA8EB5C350F12881AF96E8B210CB7A98018F00

Function 001EDCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 001EDEAA

Strings

Container, xrefs: 001EDE29
AutoIt3GUI, xrefs: 001EDE22

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 79f77d60cfbf3ef2ca4afd122be331f7d5ed525fd28cba66e97d674e6de992bb
Instruction ID: 488e076b5b1a2fdbfadd538f61f193fed3797794c2cbd79931161b5f44fe2e62
Opcode Fuzzy Hash: 79f77d60cfbf3ef2ca4afd122be331f7d5ed525fd28cba66e97d674e6de992bb
Instruction Fuzzy Hash: A2912674600A01AFDB14DF65D888F6AB7F9BF49710F20856DF94ACB291DB71E841CB60

Function 001F290D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 001F2A72

Strings

I/", xrefs: 001F29FC, 001F2A64, 001F2A12
I/", xrefs: 001F297F

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: _wcscpy
String ID: I/"$I/"
API String ID: 3048848545-2523124732
Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction ID: 025c4ebde1ffbac33604f46fef5b17a09cba011908e72cc3231f6d4543a4cd36
Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction Fuzzy Hash: BB41E83190022EAACF25EF98D451AFDB7B0FF68714F54505BEA81B7191DB709E82C7A0

Function 001CBCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 001CBCDA
GlobalMemoryStatusEx.KERNEL32 ref: 001CBCF3

Strings

@, xrefs: 001CBCE8

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 425ae75a2d6e051ade80d882e682810e61433640c730aab5aa2118408e33efe0
Instruction ID: a5d3c303f7cc66f1aa60b103bc43a9322647f474b9cf48ce97d38505914fcb00
Opcode Fuzzy Hash: 425ae75a2d6e051ade80d882e682810e61433640c730aab5aa2118408e33efe0
Instruction Fuzzy Hash: 555125714087449BE320AF54E88AFAFBBECFBA5354F41484EF1C8410A6DF7085A88796

Function 001FC56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 001B44ED: __fread_nolock.LIBCMT ref: 001B450B

_wcscmp.LIBCMT ref: 001FC65D
_wcscmp.LIBCMT ref: 001FC670

Strings

FILE, xrefs: 001FC5A5

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 1fa0a05603793419cb974fe52f0f25c1495034a6984c45cf98993c03ad2bfc12
Instruction ID: bcd403cbb4fe40fded5c06e0fc734d545cb7e096881820ae869a50472da53332
Opcode Fuzzy Hash: 1fa0a05603793419cb974fe52f0f25c1495034a6984c45cf98993c03ad2bfc12
Instruction Fuzzy Hash: 3741D372A0420EBBDF209AA4DC81FEF77B9AF99714F004069F605EB181D7709A04DBA1

Function 0021A76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0021A85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0021A86F

Strings

', xrefs: 0021A7C3

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 938b8508060dbbc7a185172a3d62794d0f01eb00854300a9dcbd03c8c19bee6c
Instruction ID: fe51e111b7790592fc197ece47d1112cf31848289593595ee13bd7a8cb146724
Opcode Fuzzy Hash: 938b8508060dbbc7a185172a3d62794d0f01eb00854300a9dcbd03c8c19bee6c
Instruction Fuzzy Hash: 71410974A1120A9FDB14CF68D881BDABBF9FF18300F11006AE905AB381D770A992CF91

Function 0021975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 0021980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0021984A

Strings

static, xrefs: 002197AA

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 6a1d6542738b9b2bff0762c5376efe14a0406ccc2b9a8fc39bff20bb54c6be7f
Instruction ID: 526db5e2f525e8f95d7438352535cb50972379c747cf101cc81617baa03cf239
Opcode Fuzzy Hash: 6a1d6542738b9b2bff0762c5376efe14a0406ccc2b9a8fc39bff20bb54c6be7f
Instruction Fuzzy Hash: 02318C71120205AEEB109F38DC91BFB73A9FF69764F018619F8A987190CB30ACD1CB60

Function 001F5157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001F51C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 001F5201

Strings

0, xrefs: 001F51BF

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 7cd6b8b30272ae1145ce2d9f067ed58a96b6e2b13adef1e3e6f67d88c747ad38
Instruction ID: 69a25d6300ccd45a13874b9b0feeb3a323acf17ae031a0c5e05933f498d90212
Opcode Fuzzy Hash: 7cd6b8b30272ae1145ce2d9f067ed58a96b6e2b13adef1e3e6f67d88c747ad38
Instruction Fuzzy Hash: 5731C331600608DBEB28CF99D845BBEBBB6AF85354F144119EB86A61A1D7709A44CB10

Function 0020658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00206608

Strings

AUTOITCALLVARIABLE%d, xrefs: 002065FA
, $, xrefs: 00206648

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 54707cce3d01b3cee5fbd991356e99d4ecd77985c628d578cb05dbfc6cad9064
Instruction ID: af3fd144909cf6515324d25aea373d3365afec42a66ea730736a1b112fda7ab3
Opcode Fuzzy Hash: 54707cce3d01b3cee5fbd991356e99d4ecd77985c628d578cb05dbfc6cad9064
Instruction Fuzzy Hash: A1219E71610218AFCF10EFA4C892FEE77B9AF59740F000459F405AB182DB75EE65CBA1

Function 002193CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0021945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00219467

Strings

Combobox, xrefs: 00219429

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 92ba6b0a28c10fa162040e88698308f5672ea0da529b26ea8ca045b71445a322
Instruction ID: c5222e1295ee6a8f10bafbcb59ed6458affa3130ed61b73038866811fe9d7144
Opcode Fuzzy Hash: 92ba6b0a28c10fa162040e88698308f5672ea0da529b26ea8ca045b71445a322
Instruction Fuzzy Hash: 9611B271320209AFEF15DE54DC90EFB37AEEB683A4F110125F95997290D6719CE28BA0

Function 0021DA42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 001CB34E: GetWindowLongW.USER32(?,000000EB), ref: 001CB35F

GetActiveWindow.USER32 ref: 0021DA7B
EnumChildWindows.USER32(?,0021D75F,00000000), ref: 0021DAF5

Strings

T1 , xrefs: 0021DAFB

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: T1
API String ID: 3814560230-1774680068
Opcode ID: 8c191d46e9d0f3c74069668773a8ac38e82f03029b8191ca904866c2a02963b4
Instruction ID: bcd39f1d157ba4f22485b13673cc32820ba781da66bcf4e8f58608e617d34060
Opcode Fuzzy Hash: 8c191d46e9d0f3c74069668773a8ac38e82f03029b8191ca904866c2a02963b4
Instruction Fuzzy Hash: 1E21F879215201DBC714DF28E895AA677E9EF69720F250619E96A873E0D730B8A0CF60

Function 002198FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 001CD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 001CD1BA
Part of subcall function 001CD17C: GetStockObject.GDI32(00000011), ref: 001CD1CE
Part of subcall function 001CD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 001CD1D8

GetWindowRect.USER32(00000000,?), ref: 00219968
GetSysColor.USER32(00000012), ref: 00219982

Strings

static, xrefs: 00219945

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 1ea84115880054b132ff1c35b3a62488fe85c2615c1c591f8768f833e8979c4b
Instruction ID: 4add4b7ede1a339669949431320e8a9835ee4c3a56fe6ce123ccd717461bdfde
Opcode Fuzzy Hash: 1ea84115880054b132ff1c35b3a62488fe85c2615c1c591f8768f833e8979c4b
Instruction Fuzzy Hash: BE11297252020AAFDB04DFB8DC45AEA7BA8FF18344F054629F955D3150D734E8A0DB60

Function 00219617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00219699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002196A8

Strings

edit, xrefs: 0021967D

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 70874f47390724620ac45aeb533a7851ad60a1fb7f03f093953362c674c11739
Instruction ID: 2a6ae74038f1367ca4a4fd2c1e9342e6e126fd73d6c6fa9dd9f375a0c88a0ba1
Opcode Fuzzy Hash: 70874f47390724620ac45aeb533a7851ad60a1fb7f03f093953362c674c11739
Instruction Fuzzy Hash: 9D119A71520149AAEB105F64EC64EEB3BAEEB253A8F100314F925931E0C771DCE09B60

Function 001F5262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001F52D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 001F52F4

Strings

0, xrefs: 001F52CE

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 489f84eea1d7eacd2a7ce21d95648337b80a56a06b902cc98468e75107cf1496
Instruction ID: 00075609c064cac54dd9b118c8129d07444f2594e1e2d81b6616971005603523
Opcode Fuzzy Hash: 489f84eea1d7eacd2a7ce21d95648337b80a56a06b902cc98468e75107cf1496
Instruction Fuzzy Hash: 2211E272901628EBDB24DB9CE944BBD77BAAB05754F090125EB09E7290D3B0ED04C791

Function 00204D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00204DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00204E1E

Strings

<local>, xrefs: 00204DE6

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 7b53979ce79b6907da22904b5fc2207ac7c702314dbe14cd4ceefa073eecae28
Instruction ID: 1feaf7e61410b270175261d88d4a08faa2a0b06f1df9d9e6d944600959551f2c
Opcode Fuzzy Hash: 7b53979ce79b6907da22904b5fc2207ac7c702314dbe14cd4ceefa073eecae28
Instruction Fuzzy Hash: 941170B0521322FBDB259F51C889EFBFBA8FF16755F10C22AF61556181D3B059A0C6E0

Function 001DA70C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 001E37A7
___raise_securityfailure.LIBCMT ref: 001E388E

Strings

(', xrefs: 001E3889

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: ('
API String ID: 3761405300-3652912492
Opcode ID: 65e77ba556d7bb0e00b1e3be0576a46bc4f315b11b45c5498d4aeec5fce1fb29
Instruction ID: 9d1836d64908b8806a900a61a8affd4b411bdab2874cb80c1955ab2e33a04f61
Opcode Fuzzy Hash: 65e77ba556d7bb0e00b1e3be0576a46bc4f315b11b45c5498d4aeec5fce1fb29
Instruction Fuzzy Hash: 3121DBB5510704DBD714DF19F9CEA057BB4FB48310F20982AE9098B2A0E3F1A9C8CF45

Function 0020A82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0020A84E
htons.WSOCK32(00000000,?,00000000), ref: 0020A88B

Strings

255.255.255.255, xrefs: 0020A866

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: f51c15bcf53b48088f7fe9fff89e96d4e614ec7e3631d287d04d3ccd1397dd29
Instruction ID: 552539adea34fa5b332d9157013e5e16c814442306123cc24120588d6e61c114
Opcode Fuzzy Hash: f51c15bcf53b48088f7fe9fff89e96d4e614ec7e3631d287d04d3ccd1397dd29
Instruction Fuzzy Hash: DF01F575210305ABCB10DF68D88AFADF364FF55750F10852AF5169B2D2D771E822C792

Function 001EB781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 001EB7EF

Strings

ComboBox, xrefs: 001EB78B
ListBox, xrefs: 001EB7B9

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 66e5d0116ebc14bd22414e845527892ecdb1809c3ab7291f8257ddcab1f21640
Instruction ID: 5c7262e0e4f907c7477e7e94089dfc240d0b11ea4ca2c4db650fbfb4d9ad3e18
Opcode Fuzzy Hash: 66e5d0116ebc14bd22414e845527892ecdb1809c3ab7291f8257ddcab1f21640
Instruction Fuzzy Hash: AC012471600554EBCB08EBA4DC92DFE3379BF56350B00061CF472632D2EB705C188B90

Function 001EB67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 001EB6EB

Strings

ComboBox, xrefs: 001EB687
ListBox, xrefs: 001EB6B5

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 2fac4b72e4485c0b4513d3496044bf05eb2448275674a35c9d03b48bd51dacbe
Instruction ID: 69ea4d0332549e3f125984e92fa24feea6803bbe92e94f88deb943baf96b75fb
Opcode Fuzzy Hash: 2fac4b72e4485c0b4513d3496044bf05eb2448275674a35c9d03b48bd51dacbe
Instruction Fuzzy Hash: 0F01A271641444ABCB04EBA5D993BFF73B89F5A344F100029F402B32C1DB909E188BF5

Function 001EB700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 001EB76C

Strings

ComboBox, xrefs: 001EB70A
ListBox, xrefs: 001EB738

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 9d968f16a524c2ac8a7c49f8f3827617ad4d5999a3ee7966eeca2e9c36b3f18d
Instruction ID: 1bc97a1eb9c29c4972ee351846e85724ffb12f595f6ed26b2eaf0ad4d93008de
Opcode Fuzzy Hash: 9d968f16a524c2ac8a7c49f8f3827617ad4d5999a3ee7966eeca2e9c36b3f18d
Instruction Fuzzy Hash: 9F01AD75A41544ABCB04EBA5DA93BFF73AC9F66340B100019B802B32D2DB609E198BB5

Function 001D4D7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 001D4D9E
__calloc_crt.LIBCMT ref: 001D4DB7

Strings

"', xrefs: 001D4DCE

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: __calloc_crt
String ID: "'
API String ID: 3494438863-3867764695
Opcode ID: fb4935248940e3f48d4ce7f50c33b26062ea0ff902b9252f5f4f04e9dbb41e42
Instruction ID: 5f1956f4312cad70027692f42dd3288a3f11057bf4e5ce2f4d1c50d7ba7d8f5e
Opcode Fuzzy Hash: fb4935248940e3f48d4ce7f50c33b26062ea0ff902b9252f5f4f04e9dbb41e42
Instruction Fuzzy Hash: 79F0F671249B01DFE7289FA9BC557A667D6F724724F10012BFA08CA396F730C8C18B94

Function 001F7744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 001F7762
_wcscmp.LIBCMT ref: 001F7774

Strings

#32770, xrefs: 001F776E

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 1bce78e6e0992a670fb67514b8af0cbb2bd47840d0a4d98c106e6735184b25f8
Instruction ID: 8390d5a706b42cc28ee4e6408abd6c2ac79edec867e3457f5a1e703ce829fdc4
Opcode Fuzzy Hash: 1bce78e6e0992a670fb67514b8af0cbb2bd47840d0a4d98c106e6735184b25f8
Instruction Fuzzy Hash: 61E09277A0422827D720EAA5FC0AE97FBACAB55760F000156B915D3181D670A6418BE4

Function 001EA631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001EA63F

Part of subcall function 001D13F1: _doexit.LIBCMT ref: 001D13FB

Strings

Error allocating memory., xrefs: 001EA638
AutoIt, xrefs: 001EA633

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: ee6c5e2675348c21a49622e3644c8975a83b11adc4f7cfc691b81b5c15b5243d
Instruction ID: 0b1cd95cfdc67b1b0a4a18bffdf05308e08f2c23b6118c677b7b384a38b3c8b8
Opcode Fuzzy Hash: ee6c5e2675348c21a49622e3644c8975a83b11adc4f7cfc691b81b5c15b5243d
Instruction Fuzzy Hash: B6D05B323C5B1833D31437A97D1BFC9754C9F66BA5F14001AFB48D55D24BE2D59041D9

Function 0022AE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 0022ACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0022AEBD

Strings

WIN_XPe, xrefs: 0022ACD3

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: eba75dc8251ca9b4813cf19e5fbdd2155a3050e9c3da874b2507aad8b2f9bacc
Instruction ID: 992b1d3a00bd24e9c868231d21b746406f23d0e4b66fc5cfec458bd3166966fe
Opcode Fuzzy Hash: eba75dc8251ca9b4813cf19e5fbdd2155a3050e9c3da874b2507aad8b2f9bacc
Instruction Fuzzy Hash: 62E06D70C20619EFCF11DFE4F948AECB7B8AB48300F108086E006B2571CBB04A94DF22

Function 00218698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002186A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 002186B5

Part of subcall function 001F7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 001F7AD0

Strings

Shell_TrayWnd, xrefs: 0021869B

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 342dd1b27d886a80d2b879e05c36d87d3d7e11eb7c39cdf08593f8d3d7c5c527
Instruction ID: ea564ee8e54f7a5e7c2c054fa4b121b3c1af3dbf1f7c046743ad5612d1c48359
Opcode Fuzzy Hash: 342dd1b27d886a80d2b879e05c36d87d3d7e11eb7c39cdf08593f8d3d7c5c527
Instruction Fuzzy Hash: D6D01231794318B7E264A770BC4FFD67E589B54B11F510815B74AAB1D0CAE0E950CB54

Function 002186CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002186E2
PostMessageW.USER32(00000000), ref: 002186E9

Part of subcall function 001F7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 001F7AD0

Strings

Shell_TrayWnd, xrefs: 002186DB

Memory Dump Source

Source File: 00000000.00000002.1359949655.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1359891695.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360033608.000000000025E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360082044.000000000026A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360108156.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_pmm.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 6c79c37f761e960feefa8e29e6ba1d1dbefa089a4a54fb8b14ce85bfac468f9e
Instruction ID: 906bf73d32baf035b3873070191bd7f54b30f9638d1a5180f308d1439e0d57ea
Opcode Fuzzy Hash: 6c79c37f761e960feefa8e29e6ba1d1dbefa089a4a54fb8b14ce85bfac468f9e
Instruction Fuzzy Hash: 8FD012317853187BF264A770BC4FFC67A589B59B11F510815B746EB1D0CAE0E950CB54

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report pmm.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autC741.tmp

C:\Users\user\AppData\Local\Temp\vehiculation

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

Windows Analysis Report
pmm.exe

Function 001DB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 001B3D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Function 001CDDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 001B406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 001FFA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Function 001B3F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 001FBFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Function 001B3742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 001B3E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 001DACB3 Relevance: 15.2, APIs: 10, Instructions: 219
COMMON

Function 0180FBC8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 001B49FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Function 001B36B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 0180F938 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 164
fileCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre