Edit tour

Windows Analysis Report
A2028041200SD..exe

Overview

General Information

Sample name:	A2028041200SD..exe
Analysis ID:	1562199
MD5:	c986b78a1a48072903516a2d652d0159
SHA1:	182d579839cb6bfdc9201785df3c04bde927a720
SHA256:	1f34277db210da7c0c6523afe19d14c436d995fe37165665f11cb2c23204b2e6
Tags:	exeFormbookuser-cocaman
Infos:

Detection

FormBook

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

A2028041200SD..exe (PID: 4944 cmdline: "C:\Users\user\Desktop\A2028041200SD..exe" MD5: C986B78A1A48072903516A2D652D0159)

svchost.exe (PID: 6912 cmdline: "C:\Users\user\Desktop\A2028041200SD..exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.1372712193.0000000002F80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1372556382.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\A2028041200SD..exe", CommandLine: "C:\Users\user\Desktop\A2028041200SD..exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\A2028041200SD..exe", ParentImage: C:\Users\user\Desktop\A2028041200SD..exe, ParentProcessId: 4944, ParentProcessName: A2028041200SD..exe, ProcessCommandLine: "C:\Users\user\Desktop\A2028041200SD..exe", ProcessId: 6912, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\A2028041200SD..exe", CommandLine: "C:\Users\user\Desktop\A2028041200SD..exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\A2028041200SD..exe", ParentImage: C:\Users\user\Desktop\A2028041200SD..exe, ParentProcessId: 4944, ParentProcessName: A2028041200SD..exe, ProcessCommandLine: "C:\Users\user\Desktop\A2028041200SD..exe", ProcessId: 6912, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: A2028041200SD..exe

ReversingLabs: Detection: 42%

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1372712193.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1372556382.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: A2028041200SD..exe

Joe Sandbox ML: detected

Source: A2028041200SD..exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: A2028041200SD..exe, 00000001.00000003.1329494085.0000000004130000.00000004.00001000.00020000.00000000.sdmp, A2028041200SD..exe, 00000001.00000003.1327635525.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1372865632.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1336419356.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1338851593.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1372865632.0000000003A00000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: A2028041200SD..exe, 00000001.00000003.1329494085.0000000004130000.00000004.00001000.00020000.00000000.sdmp, A2028041200SD..exe, 00000001.00000003.1327635525.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.1372865632.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1336419356.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1338851593.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1372865632.0000000003A00000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DF6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00DF6CA9
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DF60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	1_2_00DF60DD
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DF63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	1_2_00DF63F9
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DFEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00DFEB60
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DFF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_00DFF5FA
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DFF56F FindFirstFileW,FindClose,	1_2_00DFF56F
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00E01B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00E01B2F
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00E01C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00E01C8A
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00E01F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00E01F94

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00E04EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

1_2_00E04EB5

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00E06B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_00E06B0C

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00E06D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_00E06D07

Source: C:\Users\user\Desktop\A2028041200SD..exe

1_2_00E06B0C

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DF2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

1_2_00DF2B37

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1372712193.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1372556382.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: This is a third-party compiled AutoIt script.	1_2_00DB3D19
Source: A2028041200SD..exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: A2028041200SD..exe, 00000001.00000000.1312103050.0000000000E5E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ce47d28f-6
Source: A2028041200SD..exe, 00000001.00000000.1312103050.0000000000E5E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a6eb26cd-1
Source: A2028041200SD..exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2b79e95a-1
Source: A2028041200SD..exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_eb1c7b0f-1

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0042C403 NtClose,	3_2_0042C403
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72B60 NtClose,LdrInitializeThunk,	3_2_03A72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_03A72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A735C0 NtCreateMutant,LdrInitializeThunk,	3_2_03A735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A74340 NtSetContextThread,	3_2_03A74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A74650 NtSuspendThread,	3_2_03A74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72BA0 NtEnumerateValueKey,	3_2_03A72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72B80 NtQueryInformationFile,	3_2_03A72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72BE0 NtQueryValueKey,	3_2_03A72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72BF0 NtAllocateVirtualMemory,	3_2_03A72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72AB0 NtWaitForSingleObject,	3_2_03A72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72AF0 NtWriteFile,	3_2_03A72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72AD0 NtReadFile,	3_2_03A72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72FA0 NtQuerySection,	3_2_03A72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72FB0 NtResumeThread,	3_2_03A72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72F90 NtProtectVirtualMemory,	3_2_03A72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72FE0 NtCreateFile,	3_2_03A72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72F30 NtCreateSection,	3_2_03A72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72F60 NtCreateProcessEx,	3_2_03A72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72EA0 NtAdjustPrivilegesToken,	3_2_03A72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72E80 NtReadVirtualMemory,	3_2_03A72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72EE0 NtQueueApcThread,	3_2_03A72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72E30 NtWriteVirtualMemory,	3_2_03A72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72DB0 NtEnumerateKey,	3_2_03A72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72DD0 NtDelayExecution,	3_2_03A72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72D30 NtUnmapViewOfSection,	3_2_03A72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72D00 NtSetInformationFile,	3_2_03A72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72D10 NtMapViewOfSection,	3_2_03A72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72CA0 NtQueryInformationToken,	3_2_03A72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72CF0 NtOpenProcess,	3_2_03A72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72CC0 NtQueryVirtualMemory,	3_2_03A72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72C00 NtQueryInformationProcess,	3_2_03A72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72C60 NtCreateKey,	3_2_03A72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72C70 NtFreeVirtualMemory,	3_2_03A72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A73090 NtSetValueKey,	3_2_03A73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A73010 NtOpenDirectoryObject,	3_2_03A73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A739B0 NtGetContextThread,	3_2_03A739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A73D10 NtOpenProcessToken,	3_2_03A73D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A73D70 NtOpenThread,	3_2_03A73D70

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DF6685: CreateFileW,DeviceIoControl,CloseHandle,

1_2_00DF6685

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DEACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

1_2_00DEACC5

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DF79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

1_2_00DF79D3

Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DDB043	1_2_00DDB043
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DC3200	1_2_00DC3200
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DE410F	1_2_00DE410F
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DD02A4	1_2_00DD02A4
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DE038E	1_2_00DE038E
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DBE3B0	1_2_00DBE3B0
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DD06D9	1_2_00DD06D9
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DE467F	1_2_00DE467F
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00E1AACE	1_2_00E1AACE
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DE4BEF	1_2_00DE4BEF
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DDCCC1	1_2_00DDCCC1
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DBAF50	1_2_00DBAF50
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DB6F07	1_2_00DB6F07
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00E131BC	1_2_00E131BC
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DDD1B9	1_2_00DDD1B9
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DCB11F	1_2_00DCB11F
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DE724D	1_2_00DE724D
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DD123A	1_2_00DD123A
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DF13CA	1_2_00DF13CA
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DB93F0	1_2_00DB93F0
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DCF563	1_2_00DCF563
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DFB6CC	1_2_00DFB6CC
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DB96C0	1_2_00DB96C0
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DB77B0	1_2_00DB77B0
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DE79C9	1_2_00DE79C9
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DCFA57	1_2_00DCFA57
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DC3B70	1_2_00DC3B70
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DB9B60	1_2_00DB9B60
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DB7D19	1_2_00DB7D19
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DD9ED0	1_2_00DD9ED0
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DCFE6F	1_2_00DCFE6F
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DB7FA3	1_2_00DB7FA3
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_01678308	1_2_01678308
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00401250	3_2_00401250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0042EA03	3_2_0042EA03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004042CC	3_2_004042CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004023F9	3_2_004023F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00402400	3_2_00402400
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040FC2A	3_2_0040FC2A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040FC33	3_2_0040FC33
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004165B0	3_2_004165B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004165B3	3_2_004165B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040FE53	3_2_0040FE53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040DE33	3_2_0040DE33
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040DF79	3_2_0040DF79
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040DF83	3_2_0040DF83
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A4E3F0	3_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03B003E6	3_2_03B003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AFA352	3_2_03AFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC02C0	3_2_03AC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE0274	3_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AF41A2	3_2_03AF41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03B001AA	3_2_03B001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AF81CC	3_2_03AF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A30100	3_2_03A30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADA118	3_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC8158	3_2_03AC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AD2000	3_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3C7C0	3_2_03A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40770	3_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A64750	3_2_03A64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5C6E0	3_2_03A5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03B00591	3_2_03B00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40535	3_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AEE4F6	3_2_03AEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE4420	3_2_03AE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AF2446	3_2_03AF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AF6BD7	3_2_03AF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AFAB40	3_2_03AFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3EA80	3_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A429A0	3_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03B0A9A6	3_2_03B0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A56962	3_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A268B8	3_2_03A268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6E8F0	3_2_03A6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A4A840	3_2_03A4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A42840	3_2_03A42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ABEFA0	3_2_03ABEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A4CFE0	3_2_03A4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A32FC8	3_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A82F28	3_2_03A82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A60F30	3_2_03A60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE2F30	3_2_03AE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB4F40	3_2_03AB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A52E90	3_2_03A52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AFCE93	3_2_03AFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AFEEDB	3_2_03AFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AFEE26	3_2_03AFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40E59	3_2_03A40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A58DBF	3_2_03A58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3ADE0	3_2_03A3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A4AD00	3_2_03A4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADCD1F	3_2_03ADCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE0CB5	3_2_03AE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A30CF2	3_2_03A30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40C00	3_2_03A40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A8739A	3_2_03A8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AF132D	3_2_03AF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2D34C	3_2_03A2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A452A0	3_2_03A452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE12ED	3_2_03AE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5B2C0	3_2_03A5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A4B1B0	3_2_03A4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A7516C	3_2_03A7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2F172	3_2_03A2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03B0B16B	3_2_03B0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AF70E9	3_2_03AF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AFF0E0	3_2_03AFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AEF0CC	3_2_03AEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A470C0	3_2_03A470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AFF7B0	3_2_03AFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AF16CC	3_2_03AF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADD5B0	3_2_03ADD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AF7571	3_2_03AF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AFF43F	3_2_03AFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A31460	3_2_03A31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5FB80	3_2_03A5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB5BF0	3_2_03AB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A7DBF9	3_2_03A7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AFFB76	3_2_03AFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADDAAC	3_2_03ADDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A85AA0	3_2_03A85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE1AA3	3_2_03AE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AEDAC6	3_2_03AEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB3A6C	3_2_03AB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AFFA49	3_2_03AFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AF7A46	3_2_03AF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AD5910	3_2_03AD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A49950	3_2_03A49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5B950	3_2_03A5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A438E0	3_2_03A438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAD800	3_2_03AAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AFFFB1	3_2_03AFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A41F92	3_2_03A41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A03FD2	3_2_03A03FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A03FD5	3_2_03A03FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AFFF09	3_2_03AFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A49EB0	3_2_03A49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5FDC0	3_2_03A5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AF7D73	3_2_03AF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A43D40	3_2_03A43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AF1D5A	3_2_03AF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AFFCF2	3_2_03AFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB9C32	3_2_03AB9C32

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03AAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A2B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A87E54 appears 102 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03ABF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A75130 appears 58 times
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: String function: 00DCEC2F appears 68 times
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: String function: 00DDF8A0 appears 35 times
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: String function: 00DD6AC0 appears 42 times

Source: A2028041200SD..exe, 00000001.00000003.1328201605.000000000425D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs A2028041200SD..exe
Source: A2028041200SD..exe, 00000001.00000003.1333015133.00000000040B3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs A2028041200SD..exe

Source: A2028041200SD..exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@3/2@0/0

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DFCE7A GetLastError,FormatMessageW,

1_2_00DFCE7A

Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DEAB84 AdjustTokenPrivileges,CloseHandle,		1_2_00DEAB84
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DEB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_00DEB134

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DFE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

1_2_00DFE1FD

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DF6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

1_2_00DF6532

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00E0C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

1_2_00E0C18C

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DB406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

1_2_00DB406B

Source: C:\Users\user\Desktop\A2028041200SD..exe

File created: C:\Users\user~1\AppData\Local\Temp\aut164B.tmp

Jump to behavior

Source: A2028041200SD..exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\A2028041200SD..exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: A2028041200SD..exe

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\A2028041200SD..exe "C:\Users\user\Desktop\A2028041200SD..exe"
Source: C:\Users\user\Desktop\A2028041200SD..exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\A2028041200SD..exe"
Source: C:\Users\user\Desktop\A2028041200SD..exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\A2028041200SD..exe"	Jump to behavior

Source: C:\Users\user\Desktop\A2028041200SD..exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD..exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD..exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD..exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD..exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD..exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD..exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD..exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD..exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD..exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD..exe	Section loaded: ntmarta.dll	Jump to behavior

Source: A2028041200SD..exe

Static file information: File size 1207808 > 1048576

Source: A2028041200SD..exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: A2028041200SD..exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: A2028041200SD..exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: A2028041200SD..exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: A2028041200SD..exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: A2028041200SD..exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: A2028041200SD..exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: A2028041200SD..exe, 00000001.00000003.1329494085.0000000004130000.00000004.00001000.00020000.00000000.sdmp, A2028041200SD..exe, 00000001.00000003.1327635525.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1372865632.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1336419356.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1338851593.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1372865632.0000000003A00000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: A2028041200SD..exe, 00000001.00000003.1329494085.0000000004130000.00000004.00001000.00020000.00000000.sdmp, A2028041200SD..exe, 00000001.00000003.1327635525.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.1372865632.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1336419356.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1338851593.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1372865632.0000000003A00000.00000040.00001000.00020000.00000000.sdmp

Source: A2028041200SD..exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: A2028041200SD..exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: A2028041200SD..exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: A2028041200SD..exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: A2028041200SD..exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DCE01E LoadLibraryA,GetProcAddress,

1_2_00DCE01E

Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DD6B05 push ecx; ret	1_2_00DD6B18
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041A972 push edx; retf	3_2_0041A973
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004051D0 push es; iretd	3_2_004051D2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040A9DB push edx; retf	3_2_0040A9DC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00403220 push eax; ret	3_2_00403222
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00404A20 push esi; retf	3_2_00404A2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00404A23 push esi; retf	3_2_00404A2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040D376 push ds; ret	3_2_0040D388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00415BF3 push esi; retf	3_2_00415BFE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00423413 pushfd ; ret	3_2_00423437
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00406415 push edx; retf	3_2_0040641C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00414675 push ebp; retf	3_2_00414688
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040161B push E588A11Fh; iretd	3_2_00401623
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004087CB push es; ret	3_2_004087CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A0225F pushad ; ret	3_2_03A027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A027FA pushad ; ret	3_2_03A027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A309AD push ecx; mov dword ptr [esp], ecx	3_2_03A309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A0283D push eax; iretd	3_2_03A02858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A01366 push eax; iretd	3_2_03A01369

Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00E18111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		1_2_00E18111
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DCEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		1_2_00DCEB42

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DD123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00DD123A

Source: C:\Users\user\Desktop\A2028041200SD..exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\A2028041200SD..exe

API/Special instruction interceptor: Address: 1677F2C

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_03A7096E rdtsc

3_2_03A7096E

Source: C:\Users\user\Desktop\A2028041200SD..exe	Evaded block: after key decision			graph_1-93963
Source: C:\Users\user\Desktop\A2028041200SD..exe	Evaded block: after key decision			graph_1-95006

Source: C:\Users\user\Desktop\A2028041200SD..exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-94504

Source: C:\Users\user\Desktop\A2028041200SD..exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 6444

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DF6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00DF6CA9
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DF60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	1_2_00DF60DD
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DF63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	1_2_00DF63F9
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DFEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00DFEB60
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DFF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_00DFF5FA
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DFF56F FindFirstFileW,FindClose,	1_2_00DFF56F
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00E01B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00E01B2F
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00E01C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00E01C8A
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00E01F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00E01F94

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DCDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_00DCDDC0

Source: C:\Users\user\Desktop\A2028041200SD..exe

API call chain: ExitProcess graph end node

graph_1-93727

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_03A7096E rdtsc

3_2_03A7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_00417543 LdrLoadDll,

3_2_00417543

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00E06AAF BlockInput,

1_2_00E06AAF

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DB3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00DB3D19

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DE3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

1_2_00DE3920

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DCE01E LoadLibraryA,GetProcAddress,

1_2_00DCE01E

Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_016781F8 mov eax, dword ptr fs:[00000030h]	1_2_016781F8
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_01678198 mov eax, dword ptr fs:[00000030h]	1_2_01678198
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_01676B58 mov eax, dword ptr fs:[00000030h]	1_2_01676B58
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2E388 mov eax, dword ptr fs:[00000030h]	3_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2E388 mov eax, dword ptr fs:[00000030h]	3_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2E388 mov eax, dword ptr fs:[00000030h]	3_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5438F mov eax, dword ptr fs:[00000030h]	3_2_03A5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5438F mov eax, dword ptr fs:[00000030h]	3_2_03A5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A28397 mov eax, dword ptr fs:[00000030h]	3_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A28397 mov eax, dword ptr fs:[00000030h]	3_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A28397 mov eax, dword ptr fs:[00000030h]	3_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A403E9 mov eax, dword ptr fs:[00000030h]	3_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A403E9 mov eax, dword ptr fs:[00000030h]	3_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A403E9 mov eax, dword ptr fs:[00000030h]	3_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A403E9 mov eax, dword ptr fs:[00000030h]	3_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A403E9 mov eax, dword ptr fs:[00000030h]	3_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A403E9 mov eax, dword ptr fs:[00000030h]	3_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A403E9 mov eax, dword ptr fs:[00000030h]	3_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A403E9 mov eax, dword ptr fs:[00000030h]	3_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	3_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	3_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	3_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A663FF mov eax, dword ptr fs:[00000030h]	3_2_03A663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AEC3CD mov eax, dword ptr fs:[00000030h]	3_2_03AEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A383C0 mov eax, dword ptr fs:[00000030h]	3_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A383C0 mov eax, dword ptr fs:[00000030h]	3_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A383C0 mov eax, dword ptr fs:[00000030h]	3_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A383C0 mov eax, dword ptr fs:[00000030h]	3_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB63C0 mov eax, dword ptr fs:[00000030h]	3_2_03AB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADE3DB mov eax, dword ptr fs:[00000030h]	3_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADE3DB mov eax, dword ptr fs:[00000030h]	3_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADE3DB mov ecx, dword ptr fs:[00000030h]	3_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADE3DB mov eax, dword ptr fs:[00000030h]	3_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AD43D4 mov eax, dword ptr fs:[00000030h]	3_2_03AD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AD43D4 mov eax, dword ptr fs:[00000030h]	3_2_03AD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6A30B mov eax, dword ptr fs:[00000030h]	3_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6A30B mov eax, dword ptr fs:[00000030h]	3_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6A30B mov eax, dword ptr fs:[00000030h]	3_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2C310 mov ecx, dword ptr fs:[00000030h]	3_2_03A2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A50310 mov ecx, dword ptr fs:[00000030h]	3_2_03A50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AD437C mov eax, dword ptr fs:[00000030h]	3_2_03AD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB2349 mov eax, dword ptr fs:[00000030h]	3_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB2349 mov eax, dword ptr fs:[00000030h]	3_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB2349 mov eax, dword ptr fs:[00000030h]	3_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB2349 mov eax, dword ptr fs:[00000030h]	3_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB2349 mov eax, dword ptr fs:[00000030h]	3_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB2349 mov eax, dword ptr fs:[00000030h]	3_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB2349 mov eax, dword ptr fs:[00000030h]	3_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB2349 mov eax, dword ptr fs:[00000030h]	3_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB2349 mov eax, dword ptr fs:[00000030h]	3_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB2349 mov eax, dword ptr fs:[00000030h]	3_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB2349 mov eax, dword ptr fs:[00000030h]	3_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB2349 mov eax, dword ptr fs:[00000030h]	3_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB2349 mov eax, dword ptr fs:[00000030h]	3_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB2349 mov eax, dword ptr fs:[00000030h]	3_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB2349 mov eax, dword ptr fs:[00000030h]	3_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB035C mov eax, dword ptr fs:[00000030h]	3_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB035C mov eax, dword ptr fs:[00000030h]	3_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB035C mov eax, dword ptr fs:[00000030h]	3_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB035C mov ecx, dword ptr fs:[00000030h]	3_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB035C mov eax, dword ptr fs:[00000030h]	3_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB035C mov eax, dword ptr fs:[00000030h]	3_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AFA352 mov eax, dword ptr fs:[00000030h]	3_2_03AFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AD8350 mov ecx, dword ptr fs:[00000030h]	3_2_03AD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A402A0 mov eax, dword ptr fs:[00000030h]	3_2_03A402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A402A0 mov eax, dword ptr fs:[00000030h]	3_2_03A402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	3_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC62A0 mov ecx, dword ptr fs:[00000030h]	3_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	3_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	3_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	3_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	3_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6E284 mov eax, dword ptr fs:[00000030h]	3_2_03A6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6E284 mov eax, dword ptr fs:[00000030h]	3_2_03A6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB0283 mov eax, dword ptr fs:[00000030h]	3_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB0283 mov eax, dword ptr fs:[00000030h]	3_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB0283 mov eax, dword ptr fs:[00000030h]	3_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A402E1 mov eax, dword ptr fs:[00000030h]	3_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A402E1 mov eax, dword ptr fs:[00000030h]	3_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A402E1 mov eax, dword ptr fs:[00000030h]	3_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2823B mov eax, dword ptr fs:[00000030h]	3_2_03A2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A34260 mov eax, dword ptr fs:[00000030h]	3_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A34260 mov eax, dword ptr fs:[00000030h]	3_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A34260 mov eax, dword ptr fs:[00000030h]	3_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2826B mov eax, dword ptr fs:[00000030h]	3_2_03A2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]	3_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]	3_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]	3_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]	3_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]	3_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]	3_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]	3_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]	3_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]	3_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]	3_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]	3_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]	3_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB8243 mov eax, dword ptr fs:[00000030h]	3_2_03AB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB8243 mov ecx, dword ptr fs:[00000030h]	3_2_03AB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2A250 mov eax, dword ptr fs:[00000030h]	3_2_03A2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A36259 mov eax, dword ptr fs:[00000030h]	3_2_03A36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AEA250 mov eax, dword ptr fs:[00000030h]	3_2_03AEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AEA250 mov eax, dword ptr fs:[00000030h]	3_2_03AEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A70185 mov eax, dword ptr fs:[00000030h]	3_2_03A70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AEC188 mov eax, dword ptr fs:[00000030h]	3_2_03AEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AEC188 mov eax, dword ptr fs:[00000030h]	3_2_03AEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AD4180 mov eax, dword ptr fs:[00000030h]	3_2_03AD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AD4180 mov eax, dword ptr fs:[00000030h]	3_2_03AD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB019F mov eax, dword ptr fs:[00000030h]	3_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB019F mov eax, dword ptr fs:[00000030h]	3_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB019F mov eax, dword ptr fs:[00000030h]	3_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB019F mov eax, dword ptr fs:[00000030h]	3_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2A197 mov eax, dword ptr fs:[00000030h]	3_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2A197 mov eax, dword ptr fs:[00000030h]	3_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2A197 mov eax, dword ptr fs:[00000030h]	3_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03B061E5 mov eax, dword ptr fs:[00000030h]	3_2_03B061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A601F8 mov eax, dword ptr fs:[00000030h]	3_2_03A601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AF61C3 mov eax, dword ptr fs:[00000030h]	3_2_03AF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AF61C3 mov eax, dword ptr fs:[00000030h]	3_2_03AF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	3_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	3_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAE1D0 mov ecx, dword ptr fs:[00000030h]	3_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	3_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	3_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A60124 mov eax, dword ptr fs:[00000030h]	3_2_03A60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADE10E mov eax, dword ptr fs:[00000030h]	3_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	3_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADE10E mov eax, dword ptr fs:[00000030h]	3_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADE10E mov eax, dword ptr fs:[00000030h]	3_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	3_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADE10E mov eax, dword ptr fs:[00000030h]	3_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADE10E mov eax, dword ptr fs:[00000030h]	3_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	3_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADE10E mov eax, dword ptr fs:[00000030h]	3_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	3_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADA118 mov ecx, dword ptr fs:[00000030h]	3_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADA118 mov eax, dword ptr fs:[00000030h]	3_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADA118 mov eax, dword ptr fs:[00000030h]	3_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADA118 mov eax, dword ptr fs:[00000030h]	3_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AF0115 mov eax, dword ptr fs:[00000030h]	3_2_03AF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC4144 mov eax, dword ptr fs:[00000030h]	3_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC4144 mov eax, dword ptr fs:[00000030h]	3_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC4144 mov ecx, dword ptr fs:[00000030h]	3_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC4144 mov eax, dword ptr fs:[00000030h]	3_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC4144 mov eax, dword ptr fs:[00000030h]	3_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2C156 mov eax, dword ptr fs:[00000030h]	3_2_03A2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC8158 mov eax, dword ptr fs:[00000030h]	3_2_03AC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A36154 mov eax, dword ptr fs:[00000030h]	3_2_03A36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A36154 mov eax, dword ptr fs:[00000030h]	3_2_03A36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC80A8 mov eax, dword ptr fs:[00000030h]	3_2_03AC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AF60B8 mov eax, dword ptr fs:[00000030h]	3_2_03AF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AF60B8 mov ecx, dword ptr fs:[00000030h]	3_2_03AF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3208A mov eax, dword ptr fs:[00000030h]	3_2_03A3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2A0E3 mov ecx, dword ptr fs:[00000030h]	3_2_03A2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A380E9 mov eax, dword ptr fs:[00000030h]	3_2_03A380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB60E0 mov eax, dword ptr fs:[00000030h]	3_2_03AB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2C0F0 mov eax, dword ptr fs:[00000030h]	3_2_03A2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A720F0 mov ecx, dword ptr fs:[00000030h]	3_2_03A720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB20DE mov eax, dword ptr fs:[00000030h]	3_2_03AB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2A020 mov eax, dword ptr fs:[00000030h]	3_2_03A2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2C020 mov eax, dword ptr fs:[00000030h]	3_2_03A2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC6030 mov eax, dword ptr fs:[00000030h]	3_2_03AC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB4000 mov ecx, dword ptr fs:[00000030h]	3_2_03AB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AD2000 mov eax, dword ptr fs:[00000030h]	3_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AD2000 mov eax, dword ptr fs:[00000030h]	3_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AD2000 mov eax, dword ptr fs:[00000030h]	3_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AD2000 mov eax, dword ptr fs:[00000030h]	3_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AD2000 mov eax, dword ptr fs:[00000030h]	3_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AD2000 mov eax, dword ptr fs:[00000030h]	3_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AD2000 mov eax, dword ptr fs:[00000030h]	3_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AD2000 mov eax, dword ptr fs:[00000030h]	3_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A4E016 mov eax, dword ptr fs:[00000030h]	3_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A4E016 mov eax, dword ptr fs:[00000030h]	3_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A4E016 mov eax, dword ptr fs:[00000030h]	3_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A4E016 mov eax, dword ptr fs:[00000030h]	3_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5C073 mov eax, dword ptr fs:[00000030h]	3_2_03A5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A32050 mov eax, dword ptr fs:[00000030h]	3_2_03A32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB6050 mov eax, dword ptr fs:[00000030h]	3_2_03AB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A307AF mov eax, dword ptr fs:[00000030h]	3_2_03A307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE47A0 mov eax, dword ptr fs:[00000030h]	3_2_03AE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AD678E mov eax, dword ptr fs:[00000030h]	3_2_03AD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A527ED mov eax, dword ptr fs:[00000030h]	3_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A527ED mov eax, dword ptr fs:[00000030h]	3_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A527ED mov eax, dword ptr fs:[00000030h]	3_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ABE7E1 mov eax, dword ptr fs:[00000030h]	3_2_03ABE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A347FB mov eax, dword ptr fs:[00000030h]	3_2_03A347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A347FB mov eax, dword ptr fs:[00000030h]	3_2_03A347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3C7C0 mov eax, dword ptr fs:[00000030h]	3_2_03A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB07C3 mov eax, dword ptr fs:[00000030h]	3_2_03AB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6C720 mov eax, dword ptr fs:[00000030h]	3_2_03A6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6C720 mov eax, dword ptr fs:[00000030h]	3_2_03A6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6273C mov eax, dword ptr fs:[00000030h]	3_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6273C mov ecx, dword ptr fs:[00000030h]	3_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6273C mov eax, dword ptr fs:[00000030h]	3_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAC730 mov eax, dword ptr fs:[00000030h]	3_2_03AAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6C700 mov eax, dword ptr fs:[00000030h]	3_2_03A6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A30710 mov eax, dword ptr fs:[00000030h]	3_2_03A30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A60710 mov eax, dword ptr fs:[00000030h]	3_2_03A60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A38770 mov eax, dword ptr fs:[00000030h]	3_2_03A38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]	3_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]	3_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]	3_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]	3_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]	3_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]	3_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]	3_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]	3_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]	3_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]	3_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]	3_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]	3_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6674D mov esi, dword ptr fs:[00000030h]	3_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6674D mov eax, dword ptr fs:[00000030h]	3_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6674D mov eax, dword ptr fs:[00000030h]	3_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A30750 mov eax, dword ptr fs:[00000030h]	3_2_03A30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ABE75D mov eax, dword ptr fs:[00000030h]	3_2_03ABE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72750 mov eax, dword ptr fs:[00000030h]	3_2_03A72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72750 mov eax, dword ptr fs:[00000030h]	3_2_03A72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB4755 mov eax, dword ptr fs:[00000030h]	3_2_03AB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6C6A6 mov eax, dword ptr fs:[00000030h]	3_2_03A6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A666B0 mov eax, dword ptr fs:[00000030h]	3_2_03A666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A34690 mov eax, dword ptr fs:[00000030h]	3_2_03A34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A34690 mov eax, dword ptr fs:[00000030h]	3_2_03A34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	3_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	3_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	3_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	3_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB06F1 mov eax, dword ptr fs:[00000030h]	3_2_03AB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB06F1 mov eax, dword ptr fs:[00000030h]	3_2_03AB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6A6C7 mov ebx, dword ptr fs:[00000030h]	3_2_03A6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6A6C7 mov eax, dword ptr fs:[00000030h]	3_2_03A6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A4E627 mov eax, dword ptr fs:[00000030h]	3_2_03A4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A66620 mov eax, dword ptr fs:[00000030h]	3_2_03A66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A68620 mov eax, dword ptr fs:[00000030h]	3_2_03A68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3262C mov eax, dword ptr fs:[00000030h]	3_2_03A3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAE609 mov eax, dword ptr fs:[00000030h]	3_2_03AAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A4260B mov eax, dword ptr fs:[00000030h]	3_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A4260B mov eax, dword ptr fs:[00000030h]	3_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A4260B mov eax, dword ptr fs:[00000030h]	3_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A4260B mov eax, dword ptr fs:[00000030h]	3_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A4260B mov eax, dword ptr fs:[00000030h]	3_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A4260B mov eax, dword ptr fs:[00000030h]	3_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A4260B mov eax, dword ptr fs:[00000030h]	3_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A72619 mov eax, dword ptr fs:[00000030h]	3_2_03A72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AF866E mov eax, dword ptr fs:[00000030h]	3_2_03AF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AF866E mov eax, dword ptr fs:[00000030h]	3_2_03AF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6A660 mov eax, dword ptr fs:[00000030h]	3_2_03A6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6A660 mov eax, dword ptr fs:[00000030h]	3_2_03A6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A62674 mov eax, dword ptr fs:[00000030h]	3_2_03A62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A4C640 mov eax, dword ptr fs:[00000030h]	3_2_03A4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	3_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	3_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	3_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A545B1 mov eax, dword ptr fs:[00000030h]	3_2_03A545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A545B1 mov eax, dword ptr fs:[00000030h]	3_2_03A545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A32582 mov eax, dword ptr fs:[00000030h]	3_2_03A32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A32582 mov ecx, dword ptr fs:[00000030h]	3_2_03A32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A64588 mov eax, dword ptr fs:[00000030h]	3_2_03A64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6E59C mov eax, dword ptr fs:[00000030h]	3_2_03A6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A325E0 mov eax, dword ptr fs:[00000030h]	3_2_03A325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6C5ED mov eax, dword ptr fs:[00000030h]	3_2_03A6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6C5ED mov eax, dword ptr fs:[00000030h]	3_2_03A6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6E5CF mov eax, dword ptr fs:[00000030h]	3_2_03A6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6E5CF mov eax, dword ptr fs:[00000030h]	3_2_03A6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A365D0 mov eax, dword ptr fs:[00000030h]	3_2_03A365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]	3_2_03A6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]	3_2_03A6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40535 mov eax, dword ptr fs:[00000030h]	3_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40535 mov eax, dword ptr fs:[00000030h]	3_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40535 mov eax, dword ptr fs:[00000030h]	3_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40535 mov eax, dword ptr fs:[00000030h]	3_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40535 mov eax, dword ptr fs:[00000030h]	3_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40535 mov eax, dword ptr fs:[00000030h]	3_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5E53E mov eax, dword ptr fs:[00000030h]	3_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5E53E mov eax, dword ptr fs:[00000030h]	3_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5E53E mov eax, dword ptr fs:[00000030h]	3_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5E53E mov eax, dword ptr fs:[00000030h]	3_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5E53E mov eax, dword ptr fs:[00000030h]	3_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC6500 mov eax, dword ptr fs:[00000030h]	3_2_03AC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03B04500 mov eax, dword ptr fs:[00000030h]	3_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03B04500 mov eax, dword ptr fs:[00000030h]	3_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03B04500 mov eax, dword ptr fs:[00000030h]	3_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03B04500 mov eax, dword ptr fs:[00000030h]	3_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03B04500 mov eax, dword ptr fs:[00000030h]	3_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03B04500 mov eax, dword ptr fs:[00000030h]	3_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03B04500 mov eax, dword ptr fs:[00000030h]	3_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6656A mov eax, dword ptr fs:[00000030h]	3_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6656A mov eax, dword ptr fs:[00000030h]	3_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6656A mov eax, dword ptr fs:[00000030h]	3_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A38550 mov eax, dword ptr fs:[00000030h]	3_2_03A38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A38550 mov eax, dword ptr fs:[00000030h]	3_2_03A38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A364AB mov eax, dword ptr fs:[00000030h]	3_2_03A364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A644B0 mov ecx, dword ptr fs:[00000030h]	3_2_03A644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ABA4B0 mov eax, dword ptr fs:[00000030h]	3_2_03ABA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AEA49A mov eax, dword ptr fs:[00000030h]	3_2_03AEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A304E5 mov ecx, dword ptr fs:[00000030h]	3_2_03A304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2E420 mov eax, dword ptr fs:[00000030h]	3_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2E420 mov eax, dword ptr fs:[00000030h]	3_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2E420 mov eax, dword ptr fs:[00000030h]	3_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2C427 mov eax, dword ptr fs:[00000030h]	3_2_03A2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB6420 mov eax, dword ptr fs:[00000030h]	3_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB6420 mov eax, dword ptr fs:[00000030h]	3_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB6420 mov eax, dword ptr fs:[00000030h]	3_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB6420 mov eax, dword ptr fs:[00000030h]	3_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB6420 mov eax, dword ptr fs:[00000030h]	3_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB6420 mov eax, dword ptr fs:[00000030h]	3_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB6420 mov eax, dword ptr fs:[00000030h]	3_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6A430 mov eax, dword ptr fs:[00000030h]	3_2_03A6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A68402 mov eax, dword ptr fs:[00000030h]	3_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A68402 mov eax, dword ptr fs:[00000030h]	3_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A68402 mov eax, dword ptr fs:[00000030h]	3_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ABC460 mov ecx, dword ptr fs:[00000030h]	3_2_03ABC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5A470 mov eax, dword ptr fs:[00000030h]	3_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5A470 mov eax, dword ptr fs:[00000030h]	3_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5A470 mov eax, dword ptr fs:[00000030h]	3_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6E443 mov eax, dword ptr fs:[00000030h]	3_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6E443 mov eax, dword ptr fs:[00000030h]	3_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6E443 mov eax, dword ptr fs:[00000030h]	3_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6E443 mov eax, dword ptr fs:[00000030h]	3_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6E443 mov eax, dword ptr fs:[00000030h]	3_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6E443 mov eax, dword ptr fs:[00000030h]	3_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6E443 mov eax, dword ptr fs:[00000030h]	3_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6E443 mov eax, dword ptr fs:[00000030h]	3_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AEA456 mov eax, dword ptr fs:[00000030h]	3_2_03AEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2645D mov eax, dword ptr fs:[00000030h]	3_2_03A2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5245A mov eax, dword ptr fs:[00000030h]	3_2_03A5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40BBE mov eax, dword ptr fs:[00000030h]	3_2_03A40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40BBE mov eax, dword ptr fs:[00000030h]	3_2_03A40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE4BB0 mov eax, dword ptr fs:[00000030h]	3_2_03AE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE4BB0 mov eax, dword ptr fs:[00000030h]	3_2_03AE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	3_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	3_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	3_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5EBFC mov eax, dword ptr fs:[00000030h]	3_2_03A5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ABCBF0 mov eax, dword ptr fs:[00000030h]	3_2_03ABCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A50BCB mov eax, dword ptr fs:[00000030h]	3_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A50BCB mov eax, dword ptr fs:[00000030h]	3_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A50BCB mov eax, dword ptr fs:[00000030h]	3_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A30BCD mov eax, dword ptr fs:[00000030h]	3_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A30BCD mov eax, dword ptr fs:[00000030h]	3_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A30BCD mov eax, dword ptr fs:[00000030h]	3_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADEBD0 mov eax, dword ptr fs:[00000030h]	3_2_03ADEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5EB20 mov eax, dword ptr fs:[00000030h]	3_2_03A5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5EB20 mov eax, dword ptr fs:[00000030h]	3_2_03A5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AF8B28 mov eax, dword ptr fs:[00000030h]	3_2_03AF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AF8B28 mov eax, dword ptr fs:[00000030h]	3_2_03AF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A2CB7E mov eax, dword ptr fs:[00000030h]	3_2_03A2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE4B4B mov eax, dword ptr fs:[00000030h]	3_2_03AE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AE4B4B mov eax, dword ptr fs:[00000030h]	3_2_03AE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC6B40 mov eax, dword ptr fs:[00000030h]	3_2_03AC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC6B40 mov eax, dword ptr fs:[00000030h]	3_2_03AC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AFAB40 mov eax, dword ptr fs:[00000030h]	3_2_03AFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AD8B42 mov eax, dword ptr fs:[00000030h]	3_2_03AD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADEB50 mov eax, dword ptr fs:[00000030h]	3_2_03ADEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A38AA0 mov eax, dword ptr fs:[00000030h]	3_2_03A38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A38AA0 mov eax, dword ptr fs:[00000030h]	3_2_03A38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A86AA4 mov eax, dword ptr fs:[00000030h]	3_2_03A86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03B04A80 mov eax, dword ptr fs:[00000030h]	3_2_03B04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A68A90 mov edx, dword ptr fs:[00000030h]	3_2_03A68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6AAEE mov eax, dword ptr fs:[00000030h]	3_2_03A6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6AAEE mov eax, dword ptr fs:[00000030h]	3_2_03A6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A86ACC mov eax, dword ptr fs:[00000030h]	3_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A86ACC mov eax, dword ptr fs:[00000030h]	3_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A86ACC mov eax, dword ptr fs:[00000030h]	3_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A30AD0 mov eax, dword ptr fs:[00000030h]	3_2_03A30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A64AD0 mov eax, dword ptr fs:[00000030h]	3_2_03A64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A64AD0 mov eax, dword ptr fs:[00000030h]	3_2_03A64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6CA24 mov eax, dword ptr fs:[00000030h]	3_2_03A6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5EA2E mov eax, dword ptr fs:[00000030h]	3_2_03A5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A54A35 mov eax, dword ptr fs:[00000030h]	3_2_03A54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A54A35 mov eax, dword ptr fs:[00000030h]	3_2_03A54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6CA38 mov eax, dword ptr fs:[00000030h]	3_2_03A6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ABCA11 mov eax, dword ptr fs:[00000030h]	3_2_03ABCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	3_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	3_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	3_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ADEA60 mov eax, dword ptr fs:[00000030h]	3_2_03ADEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AACA72 mov eax, dword ptr fs:[00000030h]	3_2_03AACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AACA72 mov eax, dword ptr fs:[00000030h]	3_2_03AACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A36A50 mov eax, dword ptr fs:[00000030h]	3_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A36A50 mov eax, dword ptr fs:[00000030h]	3_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A36A50 mov eax, dword ptr fs:[00000030h]	3_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A36A50 mov eax, dword ptr fs:[00000030h]	3_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A36A50 mov eax, dword ptr fs:[00000030h]	3_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A36A50 mov eax, dword ptr fs:[00000030h]	3_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A36A50 mov eax, dword ptr fs:[00000030h]	3_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40A5B mov eax, dword ptr fs:[00000030h]	3_2_03A40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A40A5B mov eax, dword ptr fs:[00000030h]	3_2_03A40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A429A0 mov eax, dword ptr fs:[00000030h]	3_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A429A0 mov eax, dword ptr fs:[00000030h]	3_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A429A0 mov eax, dword ptr fs:[00000030h]	3_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A429A0 mov eax, dword ptr fs:[00000030h]	3_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A429A0 mov eax, dword ptr fs:[00000030h]	3_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A429A0 mov eax, dword ptr fs:[00000030h]	3_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A429A0 mov eax, dword ptr fs:[00000030h]	3_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A429A0 mov eax, dword ptr fs:[00000030h]	3_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A429A0 mov eax, dword ptr fs:[00000030h]	3_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A429A0 mov eax, dword ptr fs:[00000030h]	3_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A429A0 mov eax, dword ptr fs:[00000030h]	3_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A429A0 mov eax, dword ptr fs:[00000030h]	3_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A429A0 mov eax, dword ptr fs:[00000030h]	3_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A309AD mov eax, dword ptr fs:[00000030h]	3_2_03A309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A309AD mov eax, dword ptr fs:[00000030h]	3_2_03A309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB89B3 mov esi, dword ptr fs:[00000030h]	3_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB89B3 mov eax, dword ptr fs:[00000030h]	3_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB89B3 mov eax, dword ptr fs:[00000030h]	3_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ABE9E0 mov eax, dword ptr fs:[00000030h]	3_2_03ABE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A629F9 mov eax, dword ptr fs:[00000030h]	3_2_03A629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A629F9 mov eax, dword ptr fs:[00000030h]	3_2_03A629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC69C0 mov eax, dword ptr fs:[00000030h]	3_2_03AC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A649D0 mov eax, dword ptr fs:[00000030h]	3_2_03A649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AFA9D3 mov eax, dword ptr fs:[00000030h]	3_2_03AFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB892A mov eax, dword ptr fs:[00000030h]	3_2_03AB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC892B mov eax, dword ptr fs:[00000030h]	3_2_03AC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAE908 mov eax, dword ptr fs:[00000030h]	3_2_03AAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AAE908 mov eax, dword ptr fs:[00000030h]	3_2_03AAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ABC912 mov eax, dword ptr fs:[00000030h]	3_2_03ABC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A28918 mov eax, dword ptr fs:[00000030h]	3_2_03A28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A28918 mov eax, dword ptr fs:[00000030h]	3_2_03A28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A56962 mov eax, dword ptr fs:[00000030h]	3_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A56962 mov eax, dword ptr fs:[00000030h]	3_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A56962 mov eax, dword ptr fs:[00000030h]	3_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A7096E mov eax, dword ptr fs:[00000030h]	3_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A7096E mov edx, dword ptr fs:[00000030h]	3_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A7096E mov eax, dword ptr fs:[00000030h]	3_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AD4978 mov eax, dword ptr fs:[00000030h]	3_2_03AD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AD4978 mov eax, dword ptr fs:[00000030h]	3_2_03AD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ABC97C mov eax, dword ptr fs:[00000030h]	3_2_03ABC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AB0946 mov eax, dword ptr fs:[00000030h]	3_2_03AB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A30887 mov eax, dword ptr fs:[00000030h]	3_2_03A30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ABC89D mov eax, dword ptr fs:[00000030h]	3_2_03ABC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AFA8E4 mov eax, dword ptr fs:[00000030h]	3_2_03AFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]	3_2_03A6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]	3_2_03A6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A5E8C0 mov eax, dword ptr fs:[00000030h]	3_2_03A5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A52835 mov eax, dword ptr fs:[00000030h]	3_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A52835 mov eax, dword ptr fs:[00000030h]	3_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A52835 mov eax, dword ptr fs:[00000030h]	3_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A52835 mov ecx, dword ptr fs:[00000030h]	3_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A52835 mov eax, dword ptr fs:[00000030h]	3_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A52835 mov eax, dword ptr fs:[00000030h]	3_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6A830 mov eax, dword ptr fs:[00000030h]	3_2_03A6A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AD483A mov eax, dword ptr fs:[00000030h]	3_2_03AD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AD483A mov eax, dword ptr fs:[00000030h]	3_2_03AD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ABC810 mov eax, dword ptr fs:[00000030h]	3_2_03ABC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ABE872 mov eax, dword ptr fs:[00000030h]	3_2_03ABE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03ABE872 mov eax, dword ptr fs:[00000030h]	3_2_03ABE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC6870 mov eax, dword ptr fs:[00000030h]	3_2_03AC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03AC6870 mov eax, dword ptr fs:[00000030h]	3_2_03AC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A42840 mov ecx, dword ptr fs:[00000030h]	3_2_03A42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A60854 mov eax, dword ptr fs:[00000030h]	3_2_03A60854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A34859 mov eax, dword ptr fs:[00000030h]	3_2_03A34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A34859 mov eax, dword ptr fs:[00000030h]	3_2_03A34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A6CF80 mov eax, dword ptr fs:[00000030h]	3_2_03A6CF80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A62F98 mov eax, dword ptr fs:[00000030h]	3_2_03A62F98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A62F98 mov eax, dword ptr fs:[00000030h]	3_2_03A62F98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03A4CFE0 mov eax, dword ptr fs:[00000030h]	3_2_03A4CFE0

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DEA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

1_2_00DEA66C

Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DD8189 SetUnhandledExceptionFilter,		1_2_00DD8189
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00DD81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_00DD81AC

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\A2028041200SD..exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\A2028041200SD..exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 30D8008

Jump to behavior

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DEB106 LogonUserW,

1_2_00DEB106

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DB3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00DB3D19

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DF411C SendInput,keybd_event,

1_2_00DF411C

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DF74E7 mouse_event,

1_2_00DF74E7

Source: C:\Users\user\Desktop\A2028041200SD..exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\A2028041200SD..exe"

Jump to behavior

Source: C:\Users\user\Desktop\A2028041200SD..exe

1_2_00DEA66C

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DF71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_00DF71FA

Source: A2028041200SD..exe	Binary or memory string: Shell_TrayWnd
Source: A2028041200SD..exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DD65C4 cpuid

1_2_00DD65C4

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00E0091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

1_2_00E0091D

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00E2B340 GetUserNameW,

1_2_00E2B340

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DE1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_00DE1E8E

Source: C:\Users\user\Desktop\A2028041200SD..exe

Code function: 1_2_00DCDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_00DCDDC0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1372712193.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1372556382.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: A2028041200SD..exe	Binary or memory string: WIN_81
Source: A2028041200SD..exe	Binary or memory string: WIN_XP
Source: A2028041200SD..exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: A2028041200SD..exe	Binary or memory string: WIN_XPe
Source: A2028041200SD..exe	Binary or memory string: WIN_VISTA
Source: A2028041200SD..exe	Binary or memory string: WIN_7
Source: A2028041200SD..exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1372712193.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1372556382.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00E08C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		1_2_00E08C4F
Source: C:\Users\user\Desktop\A2028041200SD..exe	Code function: 1_2_00E0923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		1_2_00E0923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	3 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	11 Input Capture	2 System Time Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	LSASS Memory	15 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	2 Virtualization/Sandbox Evasion	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	212 Process Injection	21 Access Token Manipulation	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	212 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	115 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
A2028041200SD..exe	42%	ReversingLabs	Win32.Trojan.AutoitInject
A2028041200SD..exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562199
Start date and time:	2024-11-25 10:37:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	A2028041200SD..exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@3/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 47 Number of non-executed functions: 303
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: A2028041200SD..exe

Simulations

Behavior and APIs

Time	Type	Description
04:38:10	API Interceptor	3x Sleep call for process: svchost.exe modified

Process:	C:\Users\user\Desktop\A2028041200SD..exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.994141690690766
Encrypted:	true
SSDEEP:	6144:6QVnFLSRUNTXBZToHQtm0dLg/9nnnPpvzNJLVF1ZjXnX7gRRcC:6QVnFvZLLO9nxzNPB3XmRx
MD5:	0EDD7A31D53248B9971D0D87928DE897
SHA1:	7493C530666889DEB49E5357F693E5FABB4B3CD5
SHA-256:	3AD0AD17737A3226DD3B6A4108D59E9385A9405BC0FA186FA031EC023A432B50
SHA-512:	27E44D51A12B96DAEDBD6940F9BC5671F57DB2FEB7F8C7C62CF209A810C0A17383F977C71528F0B822B7CCB71357AB63A03E7A5F15B4C95F5F4DE27A6E186C9E
Malicious:	false
Reputation:	low
Preview:	...7H0G43F2T..FF.1ZO0HKQ.COSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGR.7K0I+.H2.F.g.K}.nd ""g3=<453&.(Q)ZX2.6*.43$.3!....g. 76i_F=o0G47F2T65O.wQ=..(,.z#(.I....+W.....h/S.\.sP/... 'n3 .K7K0G47Fb.O4.GK1.}r.KQGCOSSG.K5J;F?7F`PO4FFJ1ZO0._QGC_SSG"O7K0.47V2TO6FFL1ZO0HKQACOSSGRK7;4G45F2TO4FDJq.O0XKQWCOSSWRK'K0G47F"TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCa'6?&K7K..07F"TO4.BJ1JO0HKQGCOSSGRK7k0GT7F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4

C:\Users\user\AppData\Local\Temp\pensum

Download File

Process:	C:\Users\user\Desktop\A2028041200SD..exe
File Type:	data
Category:	modified
Size (bytes):	287744
Entropy (8bit):	7.994141690690766
Encrypted:	true
SSDEEP:	6144:6QVnFLSRUNTXBZToHQtm0dLg/9nnnPpvzNJLVF1ZjXnX7gRRcC:6QVnFvZLLO9nxzNPB3XmRx
MD5:	0EDD7A31D53248B9971D0D87928DE897
SHA1:	7493C530666889DEB49E5357F693E5FABB4B3CD5
SHA-256:	3AD0AD17737A3226DD3B6A4108D59E9385A9405BC0FA186FA031EC023A432B50
SHA-512:	27E44D51A12B96DAEDBD6940F9BC5671F57DB2FEB7F8C7C62CF209A810C0A17383F977C71528F0B822B7CCB71357AB63A03E7A5F15B4C95F5F4DE27A6E186C9E
Malicious:	false
Reputation:	low
Preview:	...7H0G43F2T..FF.1ZO0HKQ.COSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGR.7K0I+.H2.F.g.K}.nd ""g3=<453&.(Q)ZX2.6*.43$.3!....g. 76i_F=o0G47F2T65O.wQ=..(,.z#(.I....+W.....h/S.\.sP/... 'n3 .K7K0G47Fb.O4.GK1.}r.KQGCOSSG.K5J;F?7F`PO4FFJ1ZO0._QGC_SSG"O7K0.47V2TO6FFL1ZO0HKQACOSSGRK7;4G45F2TO4FDJq.O0XKQWCOSSWRK'K0G47F"TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCa'6?&K7K..07F"TO4.BJ1JO0HKQGCOSSGRK7k0GT7F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4FFJ1ZO0HKQGCOSSGRK7K0G47F2TO4

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.14323484680738
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	A2028041200SD..exe
File size:	1'207'808 bytes
MD5:	c986b78a1a48072903516a2d652d0159
SHA1:	182d579839cb6bfdc9201785df3c04bde927a720
SHA256:	1f34277db210da7c0c6523afe19d14c436d995fe37165665f11cb2c23204b2e6
SHA512:	361b4724f79274434842a03198bac72999b379eafb0609b684dcbab472e43e027f7c1550ca7eb8aa5f2e33f2c25fd792971ac0aa6bd5fe95b34143115d6f12ac
SSDEEP:	24576:itb20pkaCqT5TBWgNQ7aXCvoZm1pVBKDooBiytI6B6A:vVg5tQ7aXCvoZm9cooBiytIC5
TLSH:	9745CF1373DEC360C3B25273BA25B741AEBB782506A5F96B2FD40D3DE820162525E673
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x674400E7 [Mon Nov 25 04:45:27 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F08ECC4D04Fh
jmp 00007F08ECC40064h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F08ECC401EAh
cmp edi, eax
jc 00007F08ECC4054Eh
bt dword ptr [004C0158h], 01h
jnc 00007F08ECC401E9h
rep movsb
jmp 00007F08ECC404FCh
cmp ecx, 00000080h
jc 00007F08ECC403B4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F08ECC401F0h
bt dword ptr [004BA370h], 01h
jc 00007F08ECC406C0h
bt dword ptr [004C0158h], 00000000h
jnc 00007F08ECC4038Dh
test edi, 00000003h
jne 00007F08ECC4039Eh
test esi, 00000003h
jne 00007F08ECC4037Dh
bt edi, 02h
jnc 00007F08ECC401EFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F08ECC401F3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F08ECC40245h
bt esi, 03h
jnc 00007F08ECC40298h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x5dc84	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x122000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x5dc84	0x5de00	11c8b27ea674e70609f4cb7066b67b72	False	0.9316640312916112	data	7.904364418118836	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x122000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc44a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc45c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc48b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc49d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc6690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8c38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xc9ce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_STRING	0xca148	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xca6dc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcad68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb1f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcb7f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcbe50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc2b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc410	0x5535b	data			1.0003323601293912
RT_GROUP_ICON	0x12176c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1217e4	0x14	data	English	Great Britain	1.15
RT_VERSION	0x1217f8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1218d4	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Target ID:	1
Start time:	04:38:06
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\A2028041200SD..exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\A2028041200SD..exe"
Imagebase:	0xdb0000
File size:	1'207'808 bytes
MD5 hash:	C986B78A1A48072903516A2D652D0159
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:38:08
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\A2028041200SD..exe"
Imagebase:	0xe20000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1372712193.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1372556382.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	6.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	162

Executed Functions

Function 00DDB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a14d074085bc4c462fa3b3e1fd0d365fc10ff3b8f1c069e0d8c16ab04273356
Instruction ID: 0f5729ae43fa537415a2e2d54d088c932287668401a5ae6fc51ad69c6558ecaa
Opcode Fuzzy Hash: 3a14d074085bc4c462fa3b3e1fd0d365fc10ff3b8f1c069e0d8c16ab04273356
Instruction Fuzzy Hash: EC324C75A02269CFCB24CF55DC816E9B7B5FB46324F5940DAE40AA7B81D7309E80CF62

Function 00DB3D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00DB3AA3,?), ref: 00DB3D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00DB3AA3,?), ref: 00DB3D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,00E71148,00E71130,?,?,?,?,00DB3AA3,?), ref: 00DB3DC8

Part of subcall function 00DB6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00DB3DEE,00E71148,?,?,?,?,?,00DB3AA3,?), ref: 00DB6471

SetCurrentDirectoryW.KERNEL32(?,?,?,00DB3AA3,?), ref: 00DB3E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00E628F4,00000010), ref: 00E21CCE
SetCurrentDirectoryW.KERNEL32(?,00E71148,?,?,?,?,?,00DB3AA3,?), ref: 00E21D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00E4DAB4,00E71148,?,?,?,?,?,00DB3AA3,?), ref: 00E21D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00DB3AA3), ref: 00E21D90

Part of subcall function 00DB3E6E: GetSysColorBrush.USER32(0000000F), ref: 00DB3E79
Part of subcall function 00DB3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00DB3E88
Part of subcall function 00DB3E6E: LoadIconW.USER32(00000063), ref: 00DB3E9E
Part of subcall function 00DB3E6E: LoadIconW.USER32(000000A4), ref: 00DB3EB0
Part of subcall function 00DB3E6E: LoadIconW.USER32(000000A2), ref: 00DB3EC2
Part of subcall function 00DB3E6E: RegisterClassExW.USER32(?), ref: 00DB3F30

Part of subcall function 00DB36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00DB36E6
Part of subcall function 00DB36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00DB3707
Part of subcall function 00DB36B8: ShowWindow.USER32(00000000,?,?,?,?,00DB3AA3,?), ref: 00DB371B
Part of subcall function 00DB36B8: ShowWindow.USER32(00000000,?,?,?,?,00DB3AA3,?), ref: 00DB3724

Part of subcall function 00DB4FFC: _memset.LIBCMT ref: 00DB5022
Part of subcall function 00DB4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00DB50CB

Strings

(), xrefs: 00E21D49
runas, xrefs: 00E21D84
This is a third-party compiled AutoIt script., xrefs: 00E21CC8

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: ()$This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-3074634049
Opcode ID: a699fe6e1249895c0352ddc50399421993ff83b10412319854d27da7ceebd3b3
Instruction ID: 16e076784c160b330fff8eb2cceb9683cde1ca46d19fd81999b17dc94670115f
Opcode Fuzzy Hash: a699fe6e1249895c0352ddc50399421993ff83b10412319854d27da7ceebd3b3
Instruction Fuzzy Hash: 0C512530A05348EECF11EBB9EC06EED7B75EB55740F0051A9F60776192DA708A49DB31

Function 00DCDDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00DCDDEC
GetCurrentProcess.KERNEL32(00000000,00E4DC38,?,?), ref: 00DCDEAC
GetNativeSystemInfo.KERNELBASE(?,00E4DC38,?,?), ref: 00DCDF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 00DCDF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 00DCDF1F
GetSystemInfo.KERNEL32(?,00E4DC38,?,?), ref: 00DCDF29
GetSystemInfo.KERNEL32(?,00E4DC38,?,?), ref: 00DCDF35

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: 5f650f6dfcfe9e4ba2234b399e3c1e941cc365542b1842636c3a95b12d42c689
Instruction ID: e0edc0f740eceb37b8c900eabf6a5af438f1611c5da3787c1b0a5bcc4a76a108
Opcode Fuzzy Hash: 5f650f6dfcfe9e4ba2234b399e3c1e941cc365542b1842636c3a95b12d42c689
Instruction Fuzzy Hash: C861D0B180A2D5DFCF11DF6898C06EA7FB5AF29300B1949ECD885AF207C624C909CB75

Function 00DB406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00DB449E,?,?,00000000,00000001), ref: 00DB407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00DB449E,?,?,00000000,00000001), ref: 00DB4092
LoadResource.KERNEL32(?,00000000,?,?,00DB449E,?,?,00000000,00000001,?,?,?,?,?,?,00DB41FB), ref: 00E24F1A
SizeofResource.KERNEL32(?,00000000,?,?,00DB449E,?,?,00000000,00000001,?,?,?,?,?,?,00DB41FB), ref: 00E24F2F
LockResource.KERNEL32(00DB449E,?,?,00DB449E,?,?,00000000,00000001,?,?,?,?,?,?,00DB41FB,00000000), ref: 00E24F42

Strings

SCRIPT, xrefs: 00DB4088

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 11b196628376be69355d3e6fe95969db67dcd46537cdac11c6e26b9bf14e6da7
Instruction ID: 0dd4661320b8cde54bee2d3d5c7168d287c24e7b39513da859733d0739d59410
Opcode Fuzzy Hash: 11b196628376be69355d3e6fe95969db67dcd46537cdac11c6e26b9bf14e6da7
Instruction Fuzzy Hash: 7C117970204705BFE7259B26EC48F677BB9EBC5B51F24852CF602A62A0DB71DC048A31

Function 00DF6CA9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,I/), ref: 00DF6CB9
FindFirstFileW.KERNELBASE(?,?), ref: 00DF6CCA
FindClose.KERNEL32(00000000), ref: 00DF6CDA

Strings

I/, xrefs: 00DF6CB5

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID: I/
API String ID: 48322524-530815126
Opcode ID: ce8f70be8149979538f59ad4b33973f62467884c4202a9d30170ef0103bb5269
Instruction ID: 28592a5354548be61ceeaed7c75c16459be5a288e0ce4c28964777213933b3a4
Opcode Fuzzy Hash: ce8f70be8149979538f59ad4b33973f62467884c4202a9d30170ef0103bb5269
Instruction Fuzzy Hash: D4E0D8318194195B82106738FC0D4F93F6CDF05339F104705F5B1D11D0E770D94446E5

Function 00DC3200 Relevance: 2.2, Strings: 1, Instructions: 986COMMON

Download Yara Rule

Strings

, xrefs: 00E2933E

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-3209568608
Opcode ID: fd36882584297e7cbec94b97474be35622870002bc0ff1e36bf045c2d40cdf4e
Instruction ID: 9900fb29a954f5874014edf916c30cd9f49cde3d192447d84659850da0843bf4
Opcode Fuzzy Hash: fd36882584297e7cbec94b97474be35622870002bc0ff1e36bf045c2d40cdf4e
Instruction Fuzzy Hash: 989236706083429FD724DF18C484F6ABBE1FF88308F14985DE99A9B262D771ED45CB62

Function 00DBE8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DBE959
timeGetTime.WINMM ref: 00DBEBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DBED2E
TranslateMessage.USER32(?), ref: 00DBED3F
DispatchMessageW.USER32(?), ref: 00DBED4A
LockWindowUpdate.USER32(00000000), ref: 00DBED79
DestroyWindow.USER32 ref: 00DBED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DBED9F
Sleep.KERNEL32(0000000A), ref: 00E25270
TranslateMessage.USER32(?), ref: 00E259F7
DispatchMessageW.USER32(?), ref: 00E25A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E25A19

Strings

@GUI_WINHANDLE, xrefs: 00E25360
@GUI_CTRLHANDLE, xrefs: 00E253AC
@TRAY_ID, xrefs: 00E254C9
@GUI_CTRLID, xrefs: 00E25314

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: a69bee04af9822f23a13523220d0622d4d39dd6c0fc8516fa2637abb0d9df4b6
Instruction ID: b8064908ba3edbc9e8c479ab1da90253200c9620ad715261de8c3238e762d2e9
Opcode Fuzzy Hash: a69bee04af9822f23a13523220d0622d4d39dd6c0fc8516fa2637abb0d9df4b6
Instruction Fuzzy Hash: 38629D71508340DFDB24DF24D985BEA77E4FB44304F08596DE98AAB292DB71D888CB72

Function 00DE5C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00DE5EC3
___createFile.LIBCMT ref: 00DE5F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00DE5F2D
__dosmaperr.LIBCMT ref: 00DE5F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00DE5F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00DE5F6A
__dosmaperr.LIBCMT ref: 00DE5F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00DE5F7C
__set_osfhnd.LIBCMT ref: 00DE5FAC
__lseeki64_nolock.LIBCMT ref: 00DE6016
__close_nolock.LIBCMT ref: 00DE603C
__chsize_nolock.LIBCMT ref: 00DE606C
__lseeki64_nolock.LIBCMT ref: 00DE607E
__lseeki64_nolock.LIBCMT ref: 00DE6176
__lseeki64_nolock.LIBCMT ref: 00DE618B
__close_nolock.LIBCMT ref: 00DE61EB

Part of subcall function 00DDEA9C: CloseHandle.KERNELBASE(00000000,00E5EEF4,00000000,?,00DE6041,00E5EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00DDEAEC
Part of subcall function 00DDEA9C: GetLastError.KERNEL32(?,00DE6041,00E5EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00DDEAF6
Part of subcall function 00DDEA9C: __free_osfhnd.LIBCMT ref: 00DDEB03
Part of subcall function 00DDEA9C: __dosmaperr.LIBCMT ref: 00DDEB25

Part of subcall function 00DD7C0E: __getptd_noexit.LIBCMT ref: 00DD7C0E

__lseeki64_nolock.LIBCMT ref: 00DE620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00DE6342
___createFile.LIBCMT ref: 00DE6361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00DE636E
__dosmaperr.LIBCMT ref: 00DE6375
__free_osfhnd.LIBCMT ref: 00DE6395
__invoke_watson.LIBCMT ref: 00DE63C3
__wsopen_helper.LIBCMT ref: 00DE63DD

Strings

@, xrefs: 00DE5F98

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: e48af3835e2851c4838cb6d0d757b62c021d77358ad056962815fce1def644f8
Instruction ID: 807b6da9c623f8a3f67b1d5a9a738d6e87ef33ddee07f034327b2a3a6322ff19
Opcode Fuzzy Hash: e48af3835e2851c4838cb6d0d757b62c021d77358ad056962815fce1def644f8
Instruction Fuzzy Hash: 562246719006899FEF25AF6AEC45BAD7B31EF203A8F284229E5219B2D5D235CD40C771

Function 00DFFA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 00DFFA96
_wcschr.LIBCMT ref: 00DFFAA4
_wcscpy.LIBCMT ref: 00DFFABB
_wcscat.LIBCMT ref: 00DFFACA
_wcscat.LIBCMT ref: 00DFFAE8
_wcscpy.LIBCMT ref: 00DFFB09
__wsplitpath.LIBCMT ref: 00DFFBE6
_wcscpy.LIBCMT ref: 00DFFC0B
_wcscpy.LIBCMT ref: 00DFFC1D
_wcscpy.LIBCMT ref: 00DFFC32
_wcscat.LIBCMT ref: 00DFFC47
_wcscat.LIBCMT ref: 00DFFC59
_wcscat.LIBCMT ref: 00DFFC6E

Part of subcall function 00DFBFA4: _wcscmp.LIBCMT ref: 00DFC03E
Part of subcall function 00DFBFA4: __wsplitpath.LIBCMT ref: 00DFC083
Part of subcall function 00DFBFA4: _wcscpy.LIBCMT ref: 00DFC096
Part of subcall function 00DFBFA4: _wcscat.LIBCMT ref: 00DFC0A9
Part of subcall function 00DFBFA4: __wsplitpath.LIBCMT ref: 00DFC0CE
Part of subcall function 00DFBFA4: _wcscat.LIBCMT ref: 00DFC0E4
Part of subcall function 00DFBFA4: _wcscat.LIBCMT ref: 00DFC0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00DFFA61
t2, xrefs: 00DFFC97

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<$t2
API String ID: 2955681530-945735720
Opcode ID: 7da29b7f6b5b9e3aed5fc0bb22daba23ce369ce5df78c098d9da6d01e4ebbc36
Instruction ID: c8ea21b2a9893ffdb9b21ef3f9c824046838297da6694dd9ad5cab5be4578740
Opcode Fuzzy Hash: 7da29b7f6b5b9e3aed5fc0bb22daba23ce369ce5df78c098d9da6d01e4ebbc36
Instruction Fuzzy Hash: B8918371504345AFDB10EB54C851FAEB3E9FF94310F048869FA5997291DB31E944CBB1

Function 00DB3F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00DB3F86
RegisterClassExW.USER32(00000030), ref: 00DB3FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DB3FC1
InitCommonControlsEx.COMCTL32(?), ref: 00DB3FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00DB3FEE
LoadIconW.USER32(000000A9), ref: 00DB4004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00DB4013

Strings

AutoIt v3 GUI, xrefs: 00DB3FA2
0, xrefs: 00DB3F68
TaskbarCreated, xrefs: 00DB3FB6
+, xrefs: 00DB3F6F

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 17df0f1e361cce0a0aea3a0e42b6c6bbd68de1d21eb188ced36dc18178e90b66
Instruction ID: 555293aad96ff62b91e023fe7655c396e257be5ecad4a7dcfa85234681da7b6f
Opcode Fuzzy Hash: 17df0f1e361cce0a0aea3a0e42b6c6bbd68de1d21eb188ced36dc18178e90b66
Instruction Fuzzy Hash: 992193B5914319AFDB00DFAAEC89BCDBFB5FB08710F00425AF615B62A0D7B545888F91

Function 00DFBFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DFBDB4: __time64.LIBCMT ref: 00DFBDBE

Part of subcall function 00DB4517: _fseek.LIBCMT ref: 00DB452F

__wsplitpath.LIBCMT ref: 00DFC083

Part of subcall function 00DD1DFC: __wsplitpath_helper.LIBCMT ref: 00DD1E3C

_wcscpy.LIBCMT ref: 00DFC096
_wcscat.LIBCMT ref: 00DFC0A9
__wsplitpath.LIBCMT ref: 00DFC0CE
_wcscat.LIBCMT ref: 00DFC0E4
_wcscat.LIBCMT ref: 00DFC0F7
_wcscmp.LIBCMT ref: 00DFC03E

Part of subcall function 00DFC56D: _wcscmp.LIBCMT ref: 00DFC65D
Part of subcall function 00DFC56D: _wcscmp.LIBCMT ref: 00DFC670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00DFC2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00DFC338
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00DFC34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DFC35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DFC371

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: 61f41cab156980bf97754e10a56364bbe86c0953a355acad4bfe185f8f658e10
Instruction ID: 04ebd476fc5d472a3093582cb8f9b15076547fc772ee4b84181c19d774e3b4bd
Opcode Fuzzy Hash: 61f41cab156980bf97754e10a56364bbe86c0953a355acad4bfe185f8f658e10
Instruction Fuzzy Hash: E0C129B191021DAADF25DF95CD81EEEBBBDEF48310F0080AAF609E6151DB709A548F71

Function 00DB3742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00DB37B3
KillTimer.USER32(?,00000001), ref: 00DB37DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DB3800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DB380B
CreatePopupMenu.USER32 ref: 00DB381F
PostQuitMessage.USER32(00000000), ref: 00DB382E

Strings

TaskbarCreated, xrefs: 00DB3806

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 02e8c1e04ef3d157652a081fb85fbf1314b9067e5344f341426a08764ea05b40
Instruction ID: d01abc576db29af6bbd291b5ee7e190ebb230c3d87dbda4d62e4e3636f7e9ee6
Opcode Fuzzy Hash: 02e8c1e04ef3d157652a081fb85fbf1314b9067e5344f341426a08764ea05b40
Instruction Fuzzy Hash: 9F4124F550428AEBDB149F2DAC4BBFA3A59FB44300F040159F507B2191CE60DE94A771

Function 00DB3E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00DB3E79
LoadCursorW.USER32(00000000,00007F00), ref: 00DB3E88
LoadIconW.USER32(00000063), ref: 00DB3E9E
LoadIconW.USER32(000000A4), ref: 00DB3EB0
LoadIconW.USER32(000000A2), ref: 00DB3EC2

Part of subcall function 00DB4024: LoadImageW.USER32(00DB0000,00000063,00000001,00000010,00000010,00000000), ref: 00DB4048

RegisterClassExW.USER32(?), ref: 00DB3F30

Part of subcall function 00DB3F53: GetSysColorBrush.USER32(0000000F), ref: 00DB3F86
Part of subcall function 00DB3F53: RegisterClassExW.USER32(00000030), ref: 00DB3FB0
Part of subcall function 00DB3F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DB3FC1
Part of subcall function 00DB3F53: InitCommonControlsEx.COMCTL32(?), ref: 00DB3FDE
Part of subcall function 00DB3F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00DB3FEE
Part of subcall function 00DB3F53: LoadIconW.USER32(000000A9), ref: 00DB4004
Part of subcall function 00DB3F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00DB4013

Strings

0, xrefs: 00DB3F02
AutoIt v3, xrefs: 00DB3F1F
#, xrefs: 00DB3F09

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: b70ff02848cfd60967fd9770ebb76aedb0287c82e8da13fbd7c688f025073d50
Instruction ID: c525c5d0cfa71161d252ced1ef8c39d115718e074392b60101de2609b0cd5531
Opcode Fuzzy Hash: b70ff02848cfd60967fd9770ebb76aedb0287c82e8da13fbd7c688f025073d50
Instruction Fuzzy Hash: D02136B0D05304AFCB10DFAEEC46A99BFF5FB48310F50415AE219B62A0D7754688DF91

Function 016772E8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 016773B9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 016775DF

Memory Dump Source

Source File: 00000001.00000002.1337125232.0000000001674000.00000040.00000020.00020000.00000000.sdmp, Offset: 01674000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1674000_A2028041200SD.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction ID: 830b6cde89874fd6da5917ba6a96939ed3f8338b494cf34b252e21ac19353409
Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction Fuzzy Hash: 4FA1FB74E00209EBEB14CFA8C898BEEBBB5BF48305F108559E515BB381DB759A41CF54

Function 00DB49FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00DB4A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E241DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00E2421A
RegCloseKey.ADVAPI32(?), ref: 00E24249

Strings

Include, xrefs: 00E241D3, 00E24212
Software\AutoIt v3\AutoIt, xrefs: 00DB4A13

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: d576f70a35605449864dbc1fbfb258c97838935d3b40715db86a2797a56325e7
Instruction ID: 7b7feed470156e741ee06e04f99a2f73d7a5cd1a88e9d14a77096d1881d2c04b
Opcode Fuzzy Hash: d576f70a35605449864dbc1fbfb258c97838935d3b40715db86a2797a56325e7
Instruction Fuzzy Hash: 9E113D71605219FEEB04EBA4DD86DFF7BACEF04754F001059B506E61A1EA709E05DB60

Function 00DB36B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00DB36E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00DB3707
ShowWindow.USER32(00000000,?,?,?,?,00DB3AA3,?), ref: 00DB371B
ShowWindow.USER32(00000000,?,?,?,?,00DB3AA3,?), ref: 00DB3724

Strings

AutoIt v3, xrefs: 00DB36DE, 00DB36E3, 00DB36E4
edit, xrefs: 00DB3701

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: f1eadb15f063d67e9ac7c30070afb95752c0982835e5dbe2f73b8f26f104f342
Instruction ID: ac5f613b62d12d5280c00f815630ec52a2afa8772aa4ec75adc7eed9b938b2ba
Opcode Fuzzy Hash: f1eadb15f063d67e9ac7c30070afb95752c0982835e5dbe2f73b8f26f104f342
Instruction Fuzzy Hash: 5BF0B7715483D57EE731A76BAC0AE672E7DD7C6F60F00009FBA08B21A0C56108D9DAB1

Function 01677098 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01676F88: Sleep.KERNELBASE(000001F4), ref: 01676F99

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 016771D2

Strings

GRK7K0G47F2TO4FFJ1ZO0HKQGCOSS, xrefs: 01677235, 01677238

Memory Dump Source

Source File: 00000001.00000002.1337125232.0000000001674000.00000040.00000020.00020000.00000000.sdmp, Offset: 01674000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1674000_A2028041200SD.jbxd

Similarity

API ID: CreateFileSleep
String ID: GRK7K0G47F2TO4FFJ1ZO0HKQGCOSS
API String ID: 2694422964-531618622
Opcode ID: a42a86591bd7a4c8a49664e1e0217de8d12a21b401e33ff133928d4479083a5d
Instruction ID: 7ce60a26f9a4e268d4c90d6a5544501c62cbb2532ccf9557cc87731fb8ab5a3c
Opcode Fuzzy Hash: a42a86591bd7a4c8a49664e1e0217de8d12a21b401e33ff133928d4479083a5d
Instruction Fuzzy Hash: 4261A270D08288DAEF11D7B8C858BDEBBB5AF15304F044199E2597B2C1D7B90B49CBA6

Function 00DB4A30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DB5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00E71148,?,00DB61FF,?,00000000,00000001,00000000), ref: 00DB5392

Part of subcall function 00DB49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00DB4A1D

_wcscat.LIBCMT ref: 00E22D80
_wcscat.LIBCMT ref: 00E22DB5

Strings

\Include\, xrefs: 00DB4B0A
8!, xrefs: 00DB4B1C
\, xrefs: 00E22DA2

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: 8!$\$\Include\
API String ID: 3592542968-2226600046
Opcode ID: ede1eba95ffabcf694704bcd844f3f5b00b642f9247e29c77bf64f591c62a3e8
Instruction ID: 5e9fe4891dd36e0c3e2f71ab2fe2c21244d3758ca318c67f41a6e6c9ed3e1c07
Opcode Fuzzy Hash: ede1eba95ffabcf694704bcd844f3f5b00b642f9247e29c77bf64f591c62a3e8
Instruction Fuzzy Hash: 69516171415340DFC714EF6AE88189AB7F4FF99300B80552EF74AA3261EB309988CB76

Function 00DB4139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 00DB41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00DB39FE,?,00000001), ref: 00DB41DB

_free.LIBCMT ref: 00E236B7
_free.LIBCMT ref: 00E236FE

Part of subcall function 00DBC833: __wsplitpath.LIBCMT ref: 00DBC93E
Part of subcall function 00DBC833: _wcscpy.LIBCMT ref: 00DBC953
Part of subcall function 00DBC833: _wcscat.LIBCMT ref: 00DBC968
Part of subcall function 00DBC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00DBC978

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00E23491
Bad directive syntax error, xrefs: 00E236E4

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: a61d538edc3ee4327c7ec8cd497e420ed1d1490a4477c31c20fa96932a20555e
Instruction ID: cc091f546f9167a9fd41828cfbca9f67c0191b1ec4932cef22a8ce4481195e4c
Opcode Fuzzy Hash: a61d538edc3ee4327c7ec8cd497e420ed1d1490a4477c31c20fa96932a20555e
Instruction Fuzzy Hash: 1D910871910229EBCF04EFA4DC919EEB7B4FF18314B10542AF516AB291DB749A45CF70

Function 00DB40E5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E23725
GetOpenFileNameW.COMDLG32 ref: 00E2376F

Part of subcall function 00DB660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DB53B1,?,?,00DB61FF,?,00000000,00000001,00000000), ref: 00DB662F

Part of subcall function 00DB40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DB40C6

Strings

t3, xrefs: 00E23745
X, xrefs: 00E2373E

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X$t3
API String ID: 3777226403-2341782549
Opcode ID: 95113fb2a88085dd91f9546da1b31aa0ebe9c5667293a39ff926f5405f91cd4b
Instruction ID: 8699a2e9a35a51b065e6ea12d2a82171afbb341914d3083632167cceee031e1d
Opcode Fuzzy Hash: 95113fb2a88085dd91f9546da1b31aa0ebe9c5667293a39ff926f5405f91cd4b
Instruction Fuzzy Hash: 40219671A10298AFCF01DFA8D845BDE7BF9DF89304F00405AE505B7241DBB49A898F75

Function 00DD34AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 00DD34FE

Part of subcall function 00DD7C0E: __getptd_noexit.LIBCMT ref: 00DD7C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00DD3539
__wopenfile.LIBCMT ref: 00DD3549

Strings

<G, xrefs: 00DD34CD, 00DD34F0, 00DD34FC

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 847d76a15e7d533489d16bcd085c5f2c70aa74e527410cc701f9812f370a9429
Instruction ID: bdb4b78c3e1e5021591b2a60bcec24f7e8d1219908742aebf39c75d0b3e37e87
Opcode Fuzzy Hash: 847d76a15e7d533489d16bcd085c5f2c70aa74e527410cc701f9812f370a9429
Instruction Fuzzy Hash: 19110670A403069FDB12BFB4AC4266E37B4EF45390B198527F815DB381EB34CA0197B2

Function 00DCD298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00DCD28B,SwapMouseButtons,00000004,?), ref: 00DCD2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00DCD28B,SwapMouseButtons,00000004,?,?,?,?,00DCC865), ref: 00DCD2DD
RegCloseKey.KERNELBASE(00000000,?,?,00DCD28B,SwapMouseButtons,00000004,?,?,?,?,00DCC865), ref: 00DCD2FF

Strings

Control Panel\Mouse, xrefs: 00DCD2BA

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6103ec06496ecc3b7277cd0ed0e8a9f6a34d084eefecac4a17cd51f0d591831f
Instruction ID: d8be21b7be6465d175adffcb32e828ec324bf13fcc7ccccc7147111fbcd3b851
Opcode Fuzzy Hash: 6103ec06496ecc3b7277cd0ed0e8a9f6a34d084eefecac4a17cd51f0d591831f
Instruction Fuzzy Hash: F611577561121ABFDB208FA8DC84EAEBBB9EF45740F004429B801E7110E631EE449B60

Function 01675F88 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01676743
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 016767D9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016767FB

Memory Dump Source

Source File: 00000001.00000002.1337125232.0000000001674000.00000040.00000020.00020000.00000000.sdmp, Offset: 01674000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1674000_A2028041200SD.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
Instruction ID: d6d4c034a5d5d94928b58e7f935b1b23f9503e4454ccd1a43e6561496cd6d31c
Opcode Fuzzy Hash: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
Instruction Fuzzy Hash: 4B621B30A146189BEB24DFA4CC40BEEB776EF58700F1091A9D10DEB390E7769E85CB59

Function 00DFC396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00DB4517: _fseek.LIBCMT ref: 00DB452F

Part of subcall function 00DFC56D: _wcscmp.LIBCMT ref: 00DFC65D
Part of subcall function 00DFC56D: _wcscmp.LIBCMT ref: 00DFC670

_free.LIBCMT ref: 00DFC4DD
_free.LIBCMT ref: 00DFC4E4
_free.LIBCMT ref: 00DFC54F

Part of subcall function 00DD1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00DD7A85), ref: 00DD1CB1
Part of subcall function 00DD1C9D: GetLastError.KERNEL32(00000000,?,00DD7A85), ref: 00DD1CC3

_free.LIBCMT ref: 00DFC557

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
Instruction ID: f4c9aa07fbe0882a5e4f268fdb323ecb7c9800a8cbc5b56e523b1b03f02201a8
Opcode Fuzzy Hash: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
Instruction Fuzzy Hash: 97515FB1904218AFDB14DF64DC81BEEBBB9EF48314F10449EF259A3241DB715A908F69

Function 00DCEB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DCEBB2

Part of subcall function 00DB51AF: _memset.LIBCMT ref: 00DB522F
Part of subcall function 00DB51AF: _wcscpy.LIBCMT ref: 00DB5283
Part of subcall function 00DB51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00DB5293

KillTimer.USER32(?,00000001,?,?), ref: 00DCEC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DCEC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E23C88

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 16c4ffe67383b7888feec663a7d98ba708a317d6e9ffd23108018bb2ecad593e
Instruction ID: ef1556d644ffaae759b266311f595a0c15767db0fa57d7e113fa07dc4fa1b0f2
Opcode Fuzzy Hash: 16c4ffe67383b7888feec663a7d98ba708a317d6e9ffd23108018bb2ecad593e
Instruction Fuzzy Hash: FE21B3709087949FE7329B38DC5ABE6FFEC9B01308F04048DE69A67241C3742A848B61

Function 00DFC71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00DFC72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00DFC746

Strings

aut, xrefs: 00DFC740

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: ff531504cc1e7f88665b6c488f13f5d58d9489e089f4790fdde4682b698055e9
Instruction ID: f992b8e90ca2f46f0fe0312cd43fc19fe358c67c40641cbcf541223abeacbfbe
Opcode Fuzzy Hash: ff531504cc1e7f88665b6c488f13f5d58d9489e089f4790fdde4682b698055e9
Instruction Fuzzy Hash: 1ED05E7154030EAFDB10ABA0EC0EF8B7B6C9700704F0001A07650B50B2DAB0E6998B54

Function 00E0F8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd890680048bf56c3309d53a951ea55d94de79edaa2ed6975485e8d481ca0f99
Instruction ID: ec8479ce351674788787bec2fa585b323559429a126a76155728e2970810bb0a
Opcode Fuzzy Hash: fd890680048bf56c3309d53a951ea55d94de79edaa2ed6975485e8d481ca0f99
Instruction Fuzzy Hash: 12F158716083059FC720DF24C885B6AB7E5FF88314F14892EF995AB292DB70E945CF92

Function 00DD395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00DD3973

Part of subcall function 00DD81C2: __NMSG_WRITE.LIBCMT ref: 00DD81E9
Part of subcall function 00DD81C2: __NMSG_WRITE.LIBCMT ref: 00DD81F3

__NMSG_WRITE.LIBCMT ref: 00DD397A

Part of subcall function 00DD821F: GetModuleFileNameW.KERNEL32(00000000,00E70312,00000104,00000000,00000001,00000000), ref: 00DD82B1
Part of subcall function 00DD821F: ___crtMessageBoxW.LIBCMT ref: 00DD835F

Part of subcall function 00DD1145: ___crtCorExitProcess.LIBCMT ref: 00DD114B
Part of subcall function 00DD1145: ExitProcess.KERNEL32 ref: 00DD1154

Part of subcall function 00DD7C0E: __getptd_noexit.LIBCMT ref: 00DD7C0E

RtlAllocateHeap.NTDLL(01630000,00000000,00000001,00000001,00000000,?,?,00DCF507,?,0000000E), ref: 00DD399F

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: e948a800fc104ed758cbdbff636078647cead9a47f2051a01ef14fe3da2eb6de
Instruction ID: 5ae076457e24cbb58aaec2ff0d9780f88e079a7df9b58d5665265efd37c5cb98
Opcode Fuzzy Hash: e948a800fc104ed758cbdbff636078647cead9a47f2051a01ef14fe3da2eb6de
Instruction Fuzzy Hash: 8C01B935385311AEE6117B29EC66A2A7358DBC1760F25002BF505E7382DFF0DD408A71

Function 00DFC6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00DFC385,?,?,?,?,?,00000004), ref: 00DFC6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00DFC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00DFC708
CloseHandle.KERNEL32(00000000,?,00DFC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00DFC70F

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: d48e5757018d3f734001b3f8a2e6a07cf01f8de340bd5f19d0f959f3e37e3e16
Instruction ID: 0c01f09ad12b52a0e81d9cc37a7c235e6fbb2e04954fe929a2bc7ab6884a6e7e
Opcode Fuzzy Hash: d48e5757018d3f734001b3f8a2e6a07cf01f8de340bd5f19d0f959f3e37e3e16
Instruction Fuzzy Hash: 32E0863214522CBBD7212B55BC0DFCA7F18AB05760F104110FB15790E097B129259798

Function 00DFBB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00DFBB72

Part of subcall function 00DD1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00DD7A85), ref: 00DD1CB1
Part of subcall function 00DD1C9D: GetLastError.KERNEL32(00000000,?,00DD7A85), ref: 00DD1CC3

_free.LIBCMT ref: 00DFBB83
_free.LIBCMT ref: 00DFBB95

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
Instruction ID: a2c24018b7d47a619557133185080b1253928b5b35e3286841e62ba31c10e28a
Opcode Fuzzy Hash: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
Instruction Fuzzy Hash: 5EE0C2A520070152CA20653CEE44FB353CCCF04322718080FB519E324ADF20E84084B4

Function 00DB2322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 00DB22A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00DB24F1), ref: 00DB2303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00DB25A1
CoInitialize.OLE32(00000000), ref: 00DB2618
CloseHandle.KERNEL32(00000000), ref: 00E2503A

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: 52370b148f1f0de01ccfddcd3e4d79ef0f56672d1ce57e11e081c3c714c2bbd0
Instruction ID: bc6323764dcf07eb9a3a608722dd24125613b1be66de2d7ee7bcfb331c90d525
Opcode Fuzzy Hash: 52370b148f1f0de01ccfddcd3e4d79ef0f56672d1ce57e11e081c3c714c2bbd0
Instruction Fuzzy Hash: 7A71BEB4911381CF8304DF6FA996598BBA5FB9838078051EED11EFB672DB304488EF65

Function 00DB3A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00DB3A73

Part of subcall function 00DD1405: __lock.LIBCMT ref: 00DD140B

Part of subcall function 00DB3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00DB3AF3
Part of subcall function 00DB3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00DB3B08

Part of subcall function 00DB3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00DB3AA3,?), ref: 00DB3D45
Part of subcall function 00DB3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00DB3AA3,?), ref: 00DB3D57
Part of subcall function 00DB3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00E71148,00E71130,?,?,?,?,00DB3AA3,?), ref: 00DB3DC8
Part of subcall function 00DB3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00DB3AA3,?), ref: 00DB3E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00DB3AB3

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: 5f0482beadaaa27937cdec62d2c6cad447cf03c8860188d2c0f9afa38c56430b
Instruction ID: bbc2af2540e8d68a8cf4b19243e1904f0c3e316c7f9f54cd353852aa1ef45dec
Opcode Fuzzy Hash: 5f0482beadaaa27937cdec62d2c6cad447cf03c8860188d2c0f9afa38c56430b
Instruction Fuzzy Hash: 0A1190715083419FC311EF2AEC4595ABBF8FB94710F00495FF589972A1DB709588CBA2

Function 00DDE9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00DDEA29
__close_nolock.LIBCMT ref: 00DDEA42

Part of subcall function 00DD7BDA: __getptd_noexit.LIBCMT ref: 00DD7BDA

Part of subcall function 00DD7C0E: __getptd_noexit.LIBCMT ref: 00DD7C0E

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: ddc16b996f698915c83cd31d7c62d63de1b5456287068e5d0a0d5dab1983c60f
Instruction ID: e1b03e9619951c25be944e68dc2eb9cd633177d37ffb0ec7959fd23512aa7128
Opcode Fuzzy Hash: ddc16b996f698915c83cd31d7c62d63de1b5456287068e5d0a0d5dab1983c60f
Instruction Fuzzy Hash: F411E5728456518ED312BF68C8413187B60AF81335F2A5387E4645F3E3DBB4CD4086B1

Function 00DCF4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00DD395C: __FF_MSGBANNER.LIBCMT ref: 00DD3973
Part of subcall function 00DD395C: __NMSG_WRITE.LIBCMT ref: 00DD397A
Part of subcall function 00DD395C: RtlAllocateHeap.NTDLL(01630000,00000000,00000001,00000001,00000000,?,?,00DCF507,?,0000000E), ref: 00DD399F

std::exception::exception.LIBCMT ref: 00DCF51E
__CxxThrowException@8.LIBCMT ref: 00DCF533

Part of subcall function 00DD6805: RaiseException.KERNEL32(?,?,0000000E,00E66A30,?,?,?,00DCF538,0000000E,00E66A30,?,00000001), ref: 00DD6856

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 998ab3e77acb12eaa1162038ec27032c1cf1e512756382e9ff3c3031a0e0faf3
Instruction ID: 0698034c09e0a6030d22f2603a4ac090c4c08ea7e25a9d1ba8e6f6a754b54dc1
Opcode Fuzzy Hash: 998ab3e77acb12eaa1162038ec27032c1cf1e512756382e9ff3c3031a0e0faf3
Instruction Fuzzy Hash: C5F0A43110821E67D704BF98ED06EDE7BA9DF00354F64402AFA04E2281DBB0D64496F5

Function 00DD35E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DD7C0E: __getptd_noexit.LIBCMT ref: 00DD7C0E

__lock_file.LIBCMT ref: 00DD3629

Part of subcall function 00DD4E1C: __lock.LIBCMT ref: 00DD4E3F

__fclose_nolock.LIBCMT ref: 00DD3634

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 4a4e98d338f1a525fe1db3ffd0befe840db0cc77e133caba326440e2b5af3d59
Instruction ID: c3f8e1751e3d4b8bc03a537377b8c4c3e850085c34c728fda567a290bc7b309b
Opcode Fuzzy Hash: 4a4e98d338f1a525fe1db3ffd0befe840db0cc77e133caba326440e2b5af3d59
Instruction Fuzzy Hash: 72F0B471841304AAD7117B65880276E7BA0EF41730F25815BE460AB3C1CB7CCA019FB6

Function 01675F85 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01676743
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 016767D9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016767FB

Memory Dump Source

Source File: 00000001.00000002.1337125232.0000000001674000.00000040.00000020.00020000.00000000.sdmp, Offset: 01674000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1674000_A2028041200SD.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction ID: 434a2b5b53ac4ff38e9e57fc8a744f2512df9947528a15541396adfe9c8d9ac7
Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction Fuzzy Hash: AD12CF24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F85CF5A

Function 00DD2957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00DD2A0B

Part of subcall function 00DD7C0E: __getptd_noexit.LIBCMT ref: 00DD7C0E

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: 4615574318ecd305a5efed293d9d6163e40c42504b8a615f4f3173c9196576d4
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: 9141C4707407069FDB288EA9C8915BEB7A6EF64360B28952FE855C7340EB70DE408B70

Function 00DCED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00DCEDC7

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: db5700e57de67f0417595eeed0520ebd3e9e9427e6f8aa70ae697bec6f86e1ed
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 3231CBB5A00106DBD718DF58C480A69FBB5FF49340B6886A9E44ACB255DB31EDC1DBE0

Function 00E29A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00E29A80

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 9c7aee992061832e2b9284b6a441f0e9088295274068afc7a57f72e8df98c865
Instruction ID: 48d9f63ddd902a80182ab1572c6885631f23f28ded93b31021b064a091c7ce0a
Opcode Fuzzy Hash: 9c7aee992061832e2b9284b6a441f0e9088295274068afc7a57f72e8df98c865
Instruction Fuzzy Hash: 20415774508612CFDB24CF18C484F1ABBF1AF45308F1989ACE99A5B362C372E845CF62

Function 00DB41A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DB4214: FreeLibrary.KERNEL32(00000000,?), ref: 00DB4247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00DB39FE,?,00000001), ref: 00DB41DB

Part of subcall function 00DB4291: FreeLibrary.KERNEL32(00000000), ref: 00DB42C4

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: e5e062bb10cf47d0196d72fded14df66ef3cc941ebcf4f77992c51670a5b6f32
Instruction ID: 04077497b2b96c2eb1746446bfcd9a20fee8c6a529cf07eebc3e313fb86e2779
Opcode Fuzzy Hash: e5e062bb10cf47d0196d72fded14df66ef3cc941ebcf4f77992c51670a5b6f32
Instruction Fuzzy Hash: EB11C13160031AEADB14EB70DC06BEE77A9DF40704F10842DB597A61C2DAB0DA04AB74

Function 00E29B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00E29B51

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1c90cdd5ba207bca89ba71a2a4403aa7cb12d631455a0abafb92136f0698e3c4
Instruction ID: ea0f55c6dd07bd63029daf9f13148628790b6600ec1c578c5df0eee75888ae55
Opcode Fuzzy Hash: 1c90cdd5ba207bca89ba71a2a4403aa7cb12d631455a0abafb92136f0698e3c4
Instruction Fuzzy Hash: CA210570508612CFDB24DF68C444F5ABBF1BF85304F19496CEA9A5B662C731E845CF62

Function 00DDAF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00DDAFC0

Part of subcall function 00DD7BDA: __getptd_noexit.LIBCMT ref: 00DD7BDA

Part of subcall function 00DD7C0E: __getptd_noexit.LIBCMT ref: 00DD7C0E

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: f40107ebe2bf2a6cddcc502a2ce78cd419d5e50417b8f7dcb4fa4ebda23e0368
Instruction ID: 2dc87680a3fae956375fff33e7959a5e933a801b9332de649656ae6886df4f7c
Opcode Fuzzy Hash: f40107ebe2bf2a6cddcc502a2ce78cd419d5e50417b8f7dcb4fa4ebda23e0368
Instruction Fuzzy Hash: 83119D728446409FD7126FA8880276A3A60EF82336F1B4287E4745B3E2D7B58D408BB1

Function 00DB39DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
Instruction ID: 8e1929ce0cc76da0d6dc0c52f5147935dcb715dc8d20293455d772911c882329
Opcode Fuzzy Hash: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
Instruction Fuzzy Hash: 1101363150010DFEDF05EF64C9918FEBB74EF10344F108029B566A7196EA30DA49DB74

Function 00DD2AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00DD2AED

Part of subcall function 00DD7C0E: __getptd_noexit.LIBCMT ref: 00DD7C0E

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: aa9fdadefb330107cc94311a9566a35736938856837fe6361c84bf1855dfd9db
Instruction ID: 64078c948ca5469e8fcdde300d95eb7a25e868a2ac4ed865908b7cf78d18e28e
Opcode Fuzzy Hash: aa9fdadefb330107cc94311a9566a35736938856837fe6361c84bf1855dfd9db
Instruction Fuzzy Hash: D0F06231640205ABDF21AFA48C067AF36A5FF10320F199417F4149B391D778CA52DBB1

Function 00DB4252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,00DB39FE,?,00000001), ref: 00DB4286

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 22c3279ef7798a894bdcbd3051d23c55c57d1d3ec200b573ca3a97a9a3f1b5e9
Instruction ID: a51b600dffa9cc41412baae9a162760bcfc717fea76b851778462a6dc25050ba
Opcode Fuzzy Hash: 22c3279ef7798a894bdcbd3051d23c55c57d1d3ec200b573ca3a97a9a3f1b5e9
Instruction Fuzzy Hash: B1F03971509702CFCB34DF64E8948AABBE4BF043253288A7EF1D782612C7729844EF64

Function 00DB40A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DB40C6

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: d70bed277edb064cc4a47140bd710a32c48e6e1d56811f0ddf419ded729f3ac2
Instruction ID: 396f167947c342c09aa27d620794232025f71d90318e9e16ebf3483af9a23400
Opcode Fuzzy Hash: d70bed277edb064cc4a47140bd710a32c48e6e1d56811f0ddf419ded729f3ac2
Instruction Fuzzy Hash: 8AE0CD775001245BC711A754DC46FEE779DDF88690F090175F905E7244D964D98196B0

Function 01676F88 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01676F99

Memory Dump Source

Source File: 00000001.00000002.1337125232.0000000001674000.00000040.00000020.00020000.00000000.sdmp, Offset: 01674000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1674000_A2028041200SD.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 4486d18ef53f69841733c7e4741d0aef72e0bee4a3ab82dc8c464a0304286b24
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 57E0E67494410DDFDB00EFB8DA4969D7BB4EF04301F100161FD05D2280D6309D508A62

Non-executed Functions

Function 00E1AACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00E1B1CD

Strings

%d/%02d/%02d, xrefs: 00E1AEFC

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: c365e61e7f121732db0db5aa0b5ce620cfd854bb97a969c18769d9c1cbf3eb42
Instruction ID: c98c70ace6dca72ff11e951b00d256638d6983949992ebd40407c6690220acdc
Opcode Fuzzy Hash: c365e61e7f121732db0db5aa0b5ce620cfd854bb97a969c18769d9c1cbf3eb42
Instruction Fuzzy Hash: 9712BC71605208AFEB248F65DC49FEA7BB8FF45324F144129F91AEB2D1DB708981CB61

Function 00DCEB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 00DCEB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E23AEA
IsIconic.USER32(000000FF), ref: 00E23AF3
ShowWindow.USER32(000000FF,00000009), ref: 00E23B00
SetForegroundWindow.USER32(000000FF), ref: 00E23B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E23B20
GetCurrentThreadId.KERNEL32 ref: 00E23B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00E23B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00E23B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00E23B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 00E23B54
SetForegroundWindow.USER32(000000FF), ref: 00E23B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E23B6C
keybd_event.USER32(00000012,00000000), ref: 00E23B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E23B81
keybd_event.USER32(00000012,00000000), ref: 00E23B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E23B8F
keybd_event.USER32(00000012,00000000), ref: 00E23B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E23B9E
keybd_event.USER32(00000012,00000000), ref: 00E23BA3
SetForegroundWindow.USER32(000000FF), ref: 00E23BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 00E23BCD

Strings

Shell_TrayWnd, xrefs: 00E23AE5

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 966c1dd2158604cb0fc7c0811b0925d5abc85a223880b31fa588569715c57799
Instruction ID: e28504e9e20ae58e8f71bee9d5254229429d481ba97f60fc13f428212c0be111
Opcode Fuzzy Hash: 966c1dd2158604cb0fc7c0811b0925d5abc85a223880b31fa588569715c57799
Instruction Fuzzy Hash: D13180B1A4422CBFEB211F76AC4EF7E3E6CEB44B54F104016FA05BA1D0D6B55D00AEA0

Function 00DEACC5 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 00DEB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DEB180
Part of subcall function 00DEB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DEB1AD
Part of subcall function 00DEB134: GetLastError.KERNEL32 ref: 00DEB1BA

_memset.LIBCMT ref: 00DEAD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00DEAD5A
CloseHandle.KERNEL32(?), ref: 00DEAD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00DEAD82
GetProcessWindowStation.USER32 ref: 00DEAD9B
SetProcessWindowStation.USER32(00000000), ref: 00DEADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00DEADBF

Part of subcall function 00DEAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00DEACC0), ref: 00DEAB99
Part of subcall function 00DEAB84: CloseHandle.KERNEL32(?,?,00DEACC0), ref: 00DEABAB

Strings

, xrefs: 00DEAD17
default, xrefs: 00DEADBA
H*, xrefs: 00DEAE40
winsta0, xrefs: 00DEAD7D

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $H*$default$winsta0
API String ID: 2063423040-3938961404
Opcode ID: 7fe2626850d51e9e05af3e1a0dd5f0e6817baa8fb595e8397962e767c8e6b266
Instruction ID: 043c80729c558d507e6ba087f764949de305b386a1a663c23debf8ee5b2e5b0a
Opcode Fuzzy Hash: 7fe2626850d51e9e05af3e1a0dd5f0e6817baa8fb595e8397962e767c8e6b266
Instruction Fuzzy Hash: 41818A7190028EAFDF11AFAADC49AEE7B79FF04304F084119F924B6161D731AE549B72

Function 00DF60DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DF5FA6,?), ref: 00DF6ED8

Part of subcall function 00DF6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DF5FA6,?), ref: 00DF6EF1

Part of subcall function 00DF725E: __wsplitpath.LIBCMT ref: 00DF727B
Part of subcall function 00DF725E: __wsplitpath.LIBCMT ref: 00DF728E

Part of subcall function 00DF72CB: GetFileAttributesW.KERNEL32(?,00DF6019), ref: 00DF72CC

_wcscat.LIBCMT ref: 00DF6149
_wcscat.LIBCMT ref: 00DF6167
__wsplitpath.LIBCMT ref: 00DF618E
FindFirstFileW.KERNEL32(?,?), ref: 00DF61A4
_wcscpy.LIBCMT ref: 00DF6209
_wcscat.LIBCMT ref: 00DF621C
_wcscat.LIBCMT ref: 00DF622F
lstrcmpiW.KERNEL32(?,?), ref: 00DF625D
DeleteFileW.KERNEL32(?), ref: 00DF626E
MoveFileW.KERNEL32(?,?), ref: 00DF6289
MoveFileW.KERNEL32(?,?), ref: 00DF6298
CopyFileW.KERNEL32(?,?,00000000), ref: 00DF62AD
DeleteFileW.KERNEL32(?), ref: 00DF62BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00DF62E1
FindClose.KERNEL32(00000000), ref: 00DF62FD
FindClose.KERNEL32(00000000), ref: 00DF630B

Strings

\*.*, xrefs: 00DF6138, 00DF6147, 00DF6165

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: c34c507986861b64396499c2319b4f6071814f73c0cfaf9c860c77933ad444dc
Instruction ID: ce5d571a1877574057f9b513c858aa15f484a26af96658daa2ba8c507cdb9620
Opcode Fuzzy Hash: c34c507986861b64396499c2319b4f6071814f73c0cfaf9c860c77933ad444dc
Instruction Fuzzy Hash: 5F511E7290911C6ACB21EBA5DC44DEF77BCAF05300F0A41E6E685E2541EA36D7498FB8

Function 00E06B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00E4DC00), ref: 00E06B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 00E06B44
GetClipboardData.USER32(0000000D), ref: 00E06B4C
CloseClipboard.USER32 ref: 00E06B58
GlobalLock.KERNEL32(00000000), ref: 00E06B74
CloseClipboard.USER32 ref: 00E06B7E
GlobalUnlock.KERNEL32(00000000), ref: 00E06B93
IsClipboardFormatAvailable.USER32(00000001), ref: 00E06BA0
GetClipboardData.USER32(00000001), ref: 00E06BA8
GlobalLock.KERNEL32(00000000), ref: 00E06BB5
GlobalUnlock.KERNEL32(00000000), ref: 00E06BE9
CloseClipboard.USER32 ref: 00E06CF6

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 8b653cc6a3e778f4473253d8578ba05008497f7eac134dce61f02cae350b1ac3
Instruction ID: b07ae49daf15175853aa87652da7906f4cf6b302bd4060d6ba8f5a06176bf970
Opcode Fuzzy Hash: 8b653cc6a3e778f4473253d8578ba05008497f7eac134dce61f02cae350b1ac3
Instruction Fuzzy Hash: B0518271204205AFD300EF65ED8AFAE77A8EF84B14F005029F556F61E1DF70D9598A72

Function 00DFF5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00DFF62B
FindClose.KERNEL32(00000000), ref: 00DFF67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DFF6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DFF6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 00DFF6E2
__swprintf.LIBCMT ref: 00DFF72E
__swprintf.LIBCMT ref: 00DFF767
__swprintf.LIBCMT ref: 00DFF7BB

Part of subcall function 00DD172B: __woutput_l.LIBCMT ref: 00DD1784

__swprintf.LIBCMT ref: 00DFF809
__swprintf.LIBCMT ref: 00DFF858
__swprintf.LIBCMT ref: 00DFF8A7
__swprintf.LIBCMT ref: 00DFF8F6

Strings

%4d, xrefs: 00DFF761
%02d, xrefs: 00DFF7B0, 00DFF7B9, 00DFF807, 00DFF856, 00DFF8A5, 00DFF8F4
%4d%02d%02d%02d%02d%02d, xrefs: 00DFF728

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: fb59030de4d471423a39b4cd9d978551ede3a6f90ecc521d7ba192b72a53b101
Instruction ID: 108a6c0b8f38643c8829ad4632940920ea4c8fa5ea0224dc3adfba215876069b
Opcode Fuzzy Hash: fb59030de4d471423a39b4cd9d978551ede3a6f90ecc521d7ba192b72a53b101
Instruction Fuzzy Hash: 06A1ECB2418344ABC310EBA5C885DBFB7ECEF98704F44492EB69683151EB34D949CB72

Function 00E01B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00E01B50
_wcscmp.LIBCMT ref: 00E01B65
_wcscmp.LIBCMT ref: 00E01B7C
GetFileAttributesW.KERNEL32(?), ref: 00E01B8E
SetFileAttributesW.KERNEL32(?,?), ref: 00E01BA8
FindNextFileW.KERNEL32(00000000,?), ref: 00E01BC0
FindClose.KERNEL32(00000000), ref: 00E01BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 00E01BE7
_wcscmp.LIBCMT ref: 00E01C0E
_wcscmp.LIBCMT ref: 00E01C25
SetCurrentDirectoryW.KERNEL32(?), ref: 00E01C37
SetCurrentDirectoryW.KERNEL32(00E639FC), ref: 00E01C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E01C5F
FindClose.KERNEL32(00000000), ref: 00E01C6C
FindClose.KERNEL32(00000000), ref: 00E01C7C

Strings

*.*, xrefs: 00E01BE2

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 7dd647f55412dd49edbf3874b30bc2a9020fc8dd77f2bc09efbc0fe8218a5116
Instruction ID: 2fefe3b073e41be079afea3bbf4dc28d6868e1818dfff581a1cf25032ed24cdb
Opcode Fuzzy Hash: 7dd647f55412dd49edbf3874b30bc2a9020fc8dd77f2bc09efbc0fe8218a5116
Instruction Fuzzy Hash: FC31E23264521DAFDB14EBB0EC88ADE77ACAF45364F001196E801F60D0EB70DA848E60

Function 00E01C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00E01CAB
_wcscmp.LIBCMT ref: 00E01CC0
_wcscmp.LIBCMT ref: 00E01CD7

Part of subcall function 00DF6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00DF6BEF

FindNextFileW.KERNEL32(00000000,?), ref: 00E01D06
FindClose.KERNEL32(00000000), ref: 00E01D11
FindFirstFileW.KERNEL32(*.*,?), ref: 00E01D2D
_wcscmp.LIBCMT ref: 00E01D54
_wcscmp.LIBCMT ref: 00E01D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 00E01D7D
SetCurrentDirectoryW.KERNEL32(00E639FC), ref: 00E01D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E01DA5
FindClose.KERNEL32(00000000), ref: 00E01DB2
FindClose.KERNEL32(00000000), ref: 00E01DC2

Strings

*.*, xrefs: 00E01D28

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 6a2f18d53a24b104b07b11dac1b12e3e4f60b9f990704e5bce0c55d70f4ff4d2
Instruction ID: 1683dceb54498b32db93849f98923d361e83e6d39a5d9548fd7ce10697314f90
Opcode Fuzzy Hash: 6a2f18d53a24b104b07b11dac1b12e3e4f60b9f990704e5bce0c55d70f4ff4d2
Instruction Fuzzy Hash: 2A31F03290421EAFDB10EBA0EC48ADE77ACAF45328F101596E800B61D0DB30CA858B60

Function 00DB7D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DB7DBD

Strings

\, xrefs: 00E2F95B
^, xrefs: 00DB7D96
\b(?=\w), xrefs: 00E2F85E
[, xrefs: 00DB7E14
Q\E, xrefs: 00DB86D6
\, xrefs: 00DB7D89
[:<:]], xrefs: 00DB7D1D
\, xrefs: 00DB7E1D
[:>:]], xrefs: 00DB7D37
\b(?<=\w), xrefs: 00E2F877
], xrefs: 00DB7D9F

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: 5c94e5fe822be52b63ed0ffbe12ea107f6a77771ab0f88945acbdf411fea777c
Instruction ID: 7f602b7b26591033836cb84e9aa81698911dad926e67bcfc6731cf8510ace09e
Opcode Fuzzy Hash: 5c94e5fe822be52b63ed0ffbe12ea107f6a77771ab0f88945acbdf411fea777c
Instruction Fuzzy Hash: F382A071D04229CBCB24CF94D8806EDBBB1FF84314F299169D85ABB251E770DD85DBA0

Function 00E0091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00E009DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E009EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00E009FB
__wsplitpath.LIBCMT ref: 00E00A59
_wcscat.LIBCMT ref: 00E00A71
_wcscat.LIBCMT ref: 00E00A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E00A98
SetCurrentDirectoryW.KERNEL32(?), ref: 00E00AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 00E00ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 00E00AFF
_wcscpy.LIBCMT ref: 00E00B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00E00B4A

Strings

*.*, xrefs: 00E00B05

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: fac097052c0a7e0797375b3f41e09f9a89ff9ac426ed8b117c6779d625368352
Instruction ID: d0855fd38b6a39f29b795f260404adad24da863fda4c8e86a80aef951eecb3af
Opcode Fuzzy Hash: fac097052c0a7e0797375b3f41e09f9a89ff9ac426ed8b117c6779d625368352
Instruction Fuzzy Hash: 40615A725083459FD710EF60C844AAEB3E8FF89314F04891EF989D7251EB31E949CBA2

Function 00DB6F07 Relevance: 22.1, Strings: 17, Instructions: 883COMMON

Download Yara Rule

Strings

UTF), xrefs: 00E32C7C
UCP), xrefs: 00E32C8F
CR), xrefs: 00E32E09
ANY), xrefs: 00E32E60
LIMIT_MATCH=, xrefs: 00E32CF2
BSR_ANYCRLF), xrefs: 00E32EA0
CRLF), xrefs: 00E32E43
NO_AUTO_POSSESS), xrefs: 00E32CB0
LF), xrefs: 00E32E26
BSR_UNICODE), xrefs: 00E32EBA
dv836ddv876ddv8d6ddv8f6ddv886ddv806ddv806ddv876ddv856ddv806ddv876ddv836ddv836ddv8c6ddv806ddv8e6ddv896ddv816ddv896ddv806ddv816ddv80, xrefs: 00DB6FD1
LIMIT_RECURSION=, xrefs: 00E32D7E
NO_START_OPT), xrefs: 00E32CD1
, xrefs: 00DB7096, 00DB709C
UTF16), xrefs: 00E32C56
ANYCRLF), xrefs: 00E32E7D
, xrefs: 00DB6F77

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID:
String ID: $ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$dv836ddv876ddv8d6ddv8f6ddv886ddv806ddv806ddv876ddv856ddv806ddv876ddv836ddv836ddv8c6ddv806ddv8e6ddv896ddv816ddv896ddv806ddv816ddv80$
API String ID: 0-453874636
Opcode ID: 811369b45b411ec260730667eff998edc10a56ae8195663328e8add5e0740c7a
Instruction ID: a117a4893c914550245aa278da0f51bf6e58c39e0f51de2decfd340cde523a96
Opcode Fuzzy Hash: 811369b45b411ec260730667eff998edc10a56ae8195663328e8add5e0740c7a
Instruction Fuzzy Hash: 97728C71E04219DBDB24CF58D841BEEBBB5FF48310F14916AE956BB280DB309E41DBA0

Function 00DEA66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DEABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00DEABD7
Part of subcall function 00DEABBB: GetLastError.KERNEL32(?,00DEA69F,?,?,?), ref: 00DEABE1
Part of subcall function 00DEABBB: GetProcessHeap.KERNEL32(00000008,?,?,00DEA69F,?,?,?), ref: 00DEABF0
Part of subcall function 00DEABBB: HeapAlloc.KERNEL32(00000000,?,00DEA69F,?,?,?), ref: 00DEABF7
Part of subcall function 00DEABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00DEAC0E

Part of subcall function 00DEAC56: GetProcessHeap.KERNEL32(00000008,00DEA6B5,00000000,00000000,?,00DEA6B5,?), ref: 00DEAC62
Part of subcall function 00DEAC56: HeapAlloc.KERNEL32(00000000,?,00DEA6B5,?), ref: 00DEAC69
Part of subcall function 00DEAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00DEA6B5,?), ref: 00DEAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DEA6D0
_memset.LIBCMT ref: 00DEA6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00DEA704
GetLengthSid.ADVAPI32(?), ref: 00DEA715
GetAce.ADVAPI32(?,00000000,?), ref: 00DEA752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DEA76E
GetLengthSid.ADVAPI32(?), ref: 00DEA78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00DEA79A
HeapAlloc.KERNEL32(00000000), ref: 00DEA7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00DEA7C2
CopySid.ADVAPI32(00000000), ref: 00DEA7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00DEA7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DEA820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DEA834

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 8d93ebb6e01b7dd4871da1815b90d81ae44632aa199ae92d2067e43fb8c0b592
Instruction ID: 8ceb987e4bdcc450a1d5459de58b71e141f0a79573884b2b6d3472e43d70e928
Opcode Fuzzy Hash: 8d93ebb6e01b7dd4871da1815b90d81ae44632aa199ae92d2067e43fb8c0b592
Instruction Fuzzy Hash: 01513F7190014AAFDF14EFA6DC85AEEBBB9FF04700F048119F911A6251D735AD05CB71

Function 00DF63F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DF5FA6,?), ref: 00DF6ED8

Part of subcall function 00DF72CB: GetFileAttributesW.KERNEL32(?,00DF6019), ref: 00DF72CC

_wcscat.LIBCMT ref: 00DF6441
__wsplitpath.LIBCMT ref: 00DF645F
FindFirstFileW.KERNEL32(?,?), ref: 00DF6474
_wcscpy.LIBCMT ref: 00DF64A3
_wcscat.LIBCMT ref: 00DF64B8
_wcscat.LIBCMT ref: 00DF64CA
DeleteFileW.KERNEL32(?), ref: 00DF64DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 00DF64EB
FindClose.KERNEL32(00000000), ref: 00DF6506

Strings

\*.*, xrefs: 00DF643B

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: 739dbb124616137f79998054bd2240d5af636c1037acdd46d76d8f2312a3b496
Instruction ID: 1d7f158d186202b752851add72c9ed4b8a714a9ae2e09068ebf296f832e8a67f
Opcode Fuzzy Hash: 739dbb124616137f79998054bd2240d5af636c1037acdd46d76d8f2312a3b496
Instruction Fuzzy Hash: 1E3152B240D388AEC721EBA48C85AEB7BDCAF95310F44491AF6D9C3241EA35D50D8777

Function 00E131BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E13C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E12BB5,?,?), ref: 00E13C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E1328E

Part of subcall function 00DB936C: __swprintf.LIBCMT ref: 00DB93AB
Part of subcall function 00DB936C: __itow.LIBCMT ref: 00DB93DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00E1332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00E133C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00E13604
RegCloseKey.ADVAPI32(00000000), ref: 00E13611

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 62fc084a12a7bb40a492202c2b103f6084302a799e918360b71608683b3695f7
Instruction ID: 126177e9a97b048c50563c6f375f3c60fa84ab3796be0faaac6375b784bcfcb5
Opcode Fuzzy Hash: 62fc084a12a7bb40a492202c2b103f6084302a799e918360b71608683b3695f7
Instruction Fuzzy Hash: 19E15B35604200AFCB14DF29C995EAEBBE9FF88714F04846DF54AE7261DB30E945CB61

Function 00DF2B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00DF2B5F
GetAsyncKeyState.USER32(000000A0), ref: 00DF2BE0
GetKeyState.USER32(000000A0), ref: 00DF2BFB
GetAsyncKeyState.USER32(000000A1), ref: 00DF2C15
GetKeyState.USER32(000000A1), ref: 00DF2C2A
GetAsyncKeyState.USER32(00000011), ref: 00DF2C42
GetKeyState.USER32(00000011), ref: 00DF2C54
GetAsyncKeyState.USER32(00000012), ref: 00DF2C6C
GetKeyState.USER32(00000012), ref: 00DF2C7E
GetAsyncKeyState.USER32(0000005B), ref: 00DF2C96
GetKeyState.USER32(0000005B), ref: 00DF2CA8

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b28fb6a749e44c8887150f2ba57d596c8138332fbe338a32d06d9a9435b18226
Instruction ID: ba671c24c5f12dca7c16476cd0621406d1caf3d7dfa6a121a7bdf80a778b4546
Opcode Fuzzy Hash: b28fb6a749e44c8887150f2ba57d596c8138332fbe338a32d06d9a9435b18226
Instruction Fuzzy Hash: 6041A4345087CD6DFF359B649C043BABEA0AB11344F0DC059DBCA562C2DBA499D8C7B2

Function 00E06D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00E06D2E
EmptyClipboard.USER32 ref: 00E06D34
GlobalAlloc.KERNEL32(00000002,?), ref: 00E06D49
CloseClipboard.USER32 ref: 00E06DE8

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: ae0661d517fa1e122b4db4902cf512d7ea6a8324fea5d2c925fd0c15899180a4
Instruction ID: 0a5f3e8252f0a22f4a3ddf5f7c08d386cd2859561e40d6322b2adb132d0a5fc7
Opcode Fuzzy Hash: ae0661d517fa1e122b4db4902cf512d7ea6a8324fea5d2c925fd0c15899180a4
Instruction Fuzzy Hash: 0521A1313042159FDB01BF65ED4AF6DBBA8EF44710F04801AF91AEB2A1DB30ED548B60

Function 00E0C18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00DE9ABF: CLSIDFromProgID.OLE32 ref: 00DE9ADC
Part of subcall function 00DE9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00DE9AF7
Part of subcall function 00DE9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00DE9B05
Part of subcall function 00DE9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00DE9B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00E0C235
_memset.LIBCMT ref: 00E0C242
_memset.LIBCMT ref: 00E0C360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 00E0C38C
CoTaskMemFree.OLE32(?), ref: 00E0C397

Strings

NULL Pointer assignment, xrefs: 00E0C3E5

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 07c0807709c1b9dd908ee60d1f698ea18407545dba75c47e2d7e0f7ad1766831
Instruction ID: 02b6f96eab518c6a285504eee2d5e57a8febd406d5643defe296ff033cb313b6
Opcode Fuzzy Hash: 07c0807709c1b9dd908ee60d1f698ea18407545dba75c47e2d7e0f7ad1766831
Instruction Fuzzy Hash: 20911871D00218ABDB10DF95DC95EDEBBB9EF44710F20815AF519B7281EB70AA45CFA0

Function 00DF79D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00DEB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DEB180
Part of subcall function 00DEB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DEB1AD
Part of subcall function 00DEB134: GetLastError.KERNEL32 ref: 00DEB1BA

ExitWindowsEx.USER32(?,00000000), ref: 00DF7A0F

Strings

, xrefs: 00DF79FD
SeShutdownPrivilege, xrefs: 00DF79DD
@, xrefs: 00DF7A02

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 32f1e6589e5e9ef0c4cf85df8aec531e3615710cdf14ebaa84aff74315f9e891
Instruction ID: ab7b50325790ad930ede163de2e95db663548d1cc48041062d502939e2957ea2
Opcode Fuzzy Hash: 32f1e6589e5e9ef0c4cf85df8aec531e3615710cdf14ebaa84aff74315f9e891
Instruction Fuzzy Hash: 5101D47175825A6AE7282678AC4EBFF36589B00740F2B8424BB47A20D2E5A19F0081B0

Function 00E08C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00E08CA8
WSAGetLastError.WSOCK32(00000000), ref: 00E08CB7
bind.WSOCK32(00000000,?,00000010), ref: 00E08CD3
listen.WSOCK32(00000000,00000005), ref: 00E08CE2
WSAGetLastError.WSOCK32(00000000), ref: 00E08CFC
closesocket.WSOCK32(00000000,00000000), ref: 00E08D10

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 468513b70c9857425223cb8712e2fc8221bfcd4fa8fc33453324440d1c249bec
Instruction ID: 1dfca01923b7e3834ca1c60bc23e2c225e332b9b20cf24b020dcd49557f45555
Opcode Fuzzy Hash: 468513b70c9857425223cb8712e2fc8221bfcd4fa8fc33453324440d1c249bec
Instruction Fuzzy Hash: 4321D031600208AFCB10AF28DE89B6EB7F9EF48314F148159F956B73D2CB30AD458B61

Function 00DF6532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00DF6554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00DF6564
Process32NextW.KERNEL32(00000000,0000022C), ref: 00DF6583
__wsplitpath.LIBCMT ref: 00DF65A7
_wcscat.LIBCMT ref: 00DF65BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00DF65F9

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: e45d5a31c986ae1dfd2312d95d26bfe153ed5a7a0e15e226c712660b94361a52
Instruction ID: 4d5a4dfc785a087859744d0bc6f71ebe5c084f9a009953bfd84efff0d870f0c9
Opcode Fuzzy Hash: e45d5a31c986ae1dfd2312d95d26bfe153ed5a7a0e15e226c712660b94361a52
Instruction Fuzzy Hash: 0621537190425CABDB10ABA4DC88BEDBBBCAB49300F5044A5F645E7241EB71DF85CB70

Function 00DB9B60 Relevance: 8.6, Strings: 6, Instructions: 1055COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00DB9E95
dv836ddv876ddv8d6ddv8f6ddv886ddv806ddv806ddv876ddv856ddv806ddv876ddv836ddv836ddv8c6ddv806ddv8e6ddv896ddv816ddv896ddv806ddv816ddv80, xrefs: 00DB9E48, 00DB9E53
VUUU, xrefs: 00E3BE14
VUUU, xrefs: 00DB9EA7
ERCP, xrefs: 00DB9C32
VUUU, xrefs: 00DB9ED4

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$dv836ddv876ddv8d6ddv8f6ddv886ddv806ddv806ddv876ddv856ddv806ddv876ddv836ddv836ddv8c6ddv806ddv8e6ddv896ddv816ddv896ddv806ddv816ddv80
API String ID: 0-2913670471
Opcode ID: c69f976fb2f0bfcf01a5c2e8cd9c3386bd18991ea522be72ea470b5e2ee6b32b
Instruction ID: ab4e1a8bed93b4b1baf7985d821d7a087b7b8b6f34436829ab34c1a3ce1fe141
Opcode Fuzzy Hash: c69f976fb2f0bfcf01a5c2e8cd9c3386bd18991ea522be72ea470b5e2ee6b32b
Instruction Fuzzy Hash: 84927A71E0025ACBDF24CF58C8947FDBBB1AB54314F24919AE95ABB280D770DD81CBA1

Function 00DF13CA Relevance: 8.1, APIs: 1, Strings: 4, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00DF13DC

Strings

<2, xrefs: 00DF16FA
|, xrefs: 00DF140C
(, xrefs: 00DF1422
,2, xrefs: 00DF16B1

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: lstrlen
String ID: ($,2$<2$|
API String ID: 1659193697-916407979
Opcode ID: 92cd1d5994d52bc6434c6bd0a9cb4b1bbcc18708104132b511886fefaab96090
Instruction ID: ffa5a084a7e130e481ab36b7f74c353fa34c1584bdf887779d96686d50bd05c0
Opcode Fuzzy Hash: 92cd1d5994d52bc6434c6bd0a9cb4b1bbcc18708104132b511886fefaab96090
Instruction Fuzzy Hash: F9321579A00605DFC728CF69C480A6AB7F0FF88320B16C56EE59ADB3A1D770E941CB54

Function 00E0923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E0A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00E0A84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00E09296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 00E092B9

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 6d29f432c9035ab877a1fe60640fafb5b6e5b1b826e998cd241f01695d1dc00e
Instruction ID: 0560cd5cefd740849fed13273c10e73a453a27f968b9b7123f409d948bd55640
Opcode Fuzzy Hash: 6d29f432c9035ab877a1fe60640fafb5b6e5b1b826e998cd241f01695d1dc00e
Instruction Fuzzy Hash: 8E41AD70600204AFDB14AB68C846F7EB7EDEF44724F14844DFA56AB2D2CA749D418BB1

Function 00DFEB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00DFEB8A
_wcscmp.LIBCMT ref: 00DFEBBA
_wcscmp.LIBCMT ref: 00DFEBCF
FindNextFileW.KERNEL32(00000000,?), ref: 00DFEBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00DFEC0E

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 7e84c2ce6cf2c61d4b95eb83fde5d1ff87c3ce946e7130c4a301685298a35891
Instruction ID: bd4efc2e52fb4c34cc9452ea8b3d1e7b7a50cbaa52d216e7a8019fec03189dd0
Opcode Fuzzy Hash: 7e84c2ce6cf2c61d4b95eb83fde5d1ff87c3ce946e7130c4a301685298a35891
Instruction Fuzzy Hash: B941AF356043069FC708DF28D491EAAB7E4FF49324F14855EFA5A8B3A1DB31E944CB61

Function 00E18111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00E18160
IsWindowEnabled.USER32 ref: 00E1816E
GetForegroundWindow.USER32(?,?,00000001), ref: 00E1817B
IsIconic.USER32 ref: 00E18189
IsZoomed.USER32 ref: 00E18197

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: cd767fcb26a3ecb1df78e165440c6571834a334a0afcf38c2ed9b7cfd537ae8a
Instruction ID: b5e432ded39005a97a2de6a840bc5daa1ee72b0386eacc16ee997f092ffa381b
Opcode Fuzzy Hash: cd767fcb26a3ecb1df78e165440c6571834a334a0afcf38c2ed9b7cfd537ae8a
Instruction Fuzzy Hash: 3C11B232301115BFE7211F26ED49EAFBB9CEF54764B041429F84AE7241CF30D98286B0

Function 00DCE01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00DCE014,771B0AE0,00DCDEF1,00E4DC38,?,?), ref: 00DCE02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00DCE03E

Strings

kernel32.dll, xrefs: 00DCE027
GetNativeSystemInfo, xrefs: 00DCE038

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 72f6f9c81e07f53991412629d9919a99ae1e809c471413418108f8c6861f365a
Instruction ID: dd093dc3efed57f334b27ca3a89379e4aaf31a92d446dad4e27b5e9a5853af68
Opcode Fuzzy Hash: 72f6f9c81e07f53991412629d9919a99ae1e809c471413418108f8c6861f365a
Instruction Fuzzy Hash: 52D0A770445B139FC7324F61FC0CB127BD4AB00301F1C442EE481F3150D7B4C8848AA0

Function 00DC3B70 Relevance: 5.9, Strings: 4, Instructions: 903COMMON

Download Yara Rule

Strings

, xrefs: 00E2701F
, xrefs: 00DC40EC
@, xrefs: 00DC4176
, xrefs: 00DC40A4

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @$ $ $
API String ID: 3728558374-1762808387
Opcode ID: 5672972e8508aa722dca3d59888e88a47292f76cf914916ebb1fab766d7e534f
Instruction ID: c8819fb31139ecc04db65e2f8f978747985b011be3094af9746a98d056e62463
Opcode Fuzzy Hash: 5672972e8508aa722dca3d59888e88a47292f76cf914916ebb1fab766d7e534f
Instruction Fuzzy Hash: 00728A71A0421ADFCB14DF94C891FAEB7B5EF48304F18C05EE94AAB251D731AE45CBA1

Function 00DCB11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 00DCB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DCB35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 00DCB22F

Part of subcall function 00DCB55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00DCB5A5

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 203126c7a317bb68158551d3b07851524593cf7554e14034f2c815b359351ea4
Instruction ID: 2313dec2b5878356f0c032bcfb78c10fc07e412c9d5248cb7aee1baaa416d754
Opcode Fuzzy Hash: 203126c7a317bb68158551d3b07851524593cf7554e14034f2c815b359351ea4
Instruction Fuzzy Hash: 47A13870114127BADB28AB2A6C8BFBF795CEB42368F18511FF445F7291CB24DC4096B6

Function 00E04EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00E043BF,00000000), ref: 00E04FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00E04FD2

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 76d646d0088c54e80935b084eb72c16f2bc5af50cd09ba084b62be69add68d18
Instruction ID: bfa6052f1b48457d5d7b6e2421c64a7c929b2aa6229b182a2a55fca8cba2ddbc
Opcode Fuzzy Hash: 76d646d0088c54e80935b084eb72c16f2bc5af50cd09ba084b62be69add68d18
Instruction Fuzzy Hash: 8041CBF260460ABFEB109E94DD85EBF77BCEB40758F10602EF705761C1D6719E819A60

Function 00DB77B0 Relevance: 4.6, APIs: 1, Strings: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DB7921

Strings

\Q, xrefs: 00E31028

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: _memmove
String ID: \Q
API String ID: 4104443479-1011046347
Opcode ID: 1fd8c96fe28af85ffbad50a803c05a90f01070d1826670d999620b2c350c4d78
Instruction ID: 27f0417fea41fd4e6622125c7bb2507b7ce9c20833790fd1ab8a401a80a5740d
Opcode Fuzzy Hash: 1fd8c96fe28af85ffbad50a803c05a90f01070d1826670d999620b2c350c4d78
Instruction Fuzzy Hash: 16A22975A04219CFDB24CF58C8846EDBBB1FF88314F2581A9D85AAB391D7349E81DF90

Function 00DFE1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00DFE20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00DFE267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00DFE2B4

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 4505f7c0c59a6fe7bd47c6cc2f8b2695f4cffcc8cc0d94c7300e94079643f4d2
Instruction ID: cd8b665b31ef0e25224536b9099c1ea2a8ec5b52b97c8e46f7f5bea79346df60
Opcode Fuzzy Hash: 4505f7c0c59a6fe7bd47c6cc2f8b2695f4cffcc8cc0d94c7300e94079643f4d2
Instruction Fuzzy Hash: 0A215C35A00118EFCB00EFA5D884EEEFBB8FF48310F0584A9E905AB251DB319915CB64

Function 00DEB134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00DCF4EA: std::exception::exception.LIBCMT ref: 00DCF51E
Part of subcall function 00DCF4EA: __CxxThrowException@8.LIBCMT ref: 00DCF533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DEB180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DEB1AD
GetLastError.KERNEL32 ref: 00DEB1BA

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 0d85712924c1a3c8f847dadc7934f64a5fe7e0c282d370a0f26dc16fdb9c7759
Instruction ID: b27deac469dc5d9f3a0375ce5e24f9069335597c93ac6aec97c454b92ed0355a
Opcode Fuzzy Hash: 0d85712924c1a3c8f847dadc7934f64a5fe7e0c282d370a0f26dc16fdb9c7759
Instruction Fuzzy Hash: A5119EB2518305AFE718AF65ECC5D6BBBBDFB44720B20852EE456A7240DB70FC458A70

Function 00DF6685 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00DF66AF
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00DF66EC
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00DF66F5

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 83531503cfbecd94d8a08e4f26bfbf542c2034f417ac30b6ac6bbe2fec2efdda
Instruction ID: d87ce8a2da2a3eddf6eb7641be9cc74628d6e308a88fe1df3890767fb509437c
Opcode Fuzzy Hash: 83531503cfbecd94d8a08e4f26bfbf542c2034f417ac30b6ac6bbe2fec2efdda
Instruction Fuzzy Hash: CF1182B1901228BEE7109BA8DC49FBF7BACEB04714F054555FA01F7190C3749E0487A1

Function 00DF71FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00DF7223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00DF723A
FreeSid.ADVAPI32(?), ref: 00DF724A

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 0279a0beee866410def522b369bf34bd4a0b6bc63d727825b545e3e9cbfff3b1
Instruction ID: e0637f36885136f90ace7f128660b7f9adefdc0e403ebc3c64e55f6300a831a0
Opcode Fuzzy Hash: 0279a0beee866410def522b369bf34bd4a0b6bc63d727825b545e3e9cbfff3b1
Instruction Fuzzy Hash: CFF01D76A1420DBFDF04DFF5DD89AEEBBB9EF08605F104469A602E2191E2709A449B14

Function 00DFF56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00DFF599
FindClose.KERNEL32(00000000), ref: 00DFF5C9

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 38b3c06b3a4b77fb60a5283247a7e6c87d11fa9e17629eb152eebedff94cf685
Instruction ID: 321c397b688993ae0f21973451b2e2e04349ec46d00609a88c736f5c2dcf20df
Opcode Fuzzy Hash: 38b3c06b3a4b77fb60a5283247a7e6c87d11fa9e17629eb152eebedff94cf685
Instruction Fuzzy Hash: A1118E316042049FD700EF29D849A2EB7E9FF84324F05891EF9A597391CB30A9048BA1

Function 00DFCE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00E0BE6A,?,?,00000000,?), ref: 00DFCEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00E0BE6A,?,?,00000000,?), ref: 00DFCEB9

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: f00feb4157ebf95266dd8bd1beba240563cb6f23c2524186e0eef81f69903d0e
Instruction ID: 3c39a68c08f64785d9aef540a41000557c0357a1b88f8d66838e2b3b7c1eecae
Opcode Fuzzy Hash: f00feb4157ebf95266dd8bd1beba240563cb6f23c2524186e0eef81f69903d0e
Instruction Fuzzy Hash: A2F0EC3101022DEBDB20ABA0DC48FFA376CFF083A0F008126F91AE2181C630DA14CBB0

Function 00DF411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00DF4153
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 00DF4166

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 3a4a9f994570f84916c5e7b86a3b0323dc6d7ffe22ac3be1feedf46e1f939a04
Instruction ID: d3ab3afc73989c2dc6b4979f533d396aeeadaa05d8595fa0cbc7f2fe7a6287df
Opcode Fuzzy Hash: 3a4a9f994570f84916c5e7b86a3b0323dc6d7ffe22ac3be1feedf46e1f939a04
Instruction Fuzzy Hash: 8CF0677080434DAFDB058FA1CC09BBEBFB0EF00305F04800AF966A6192D779C6169FA0

Function 00DEAB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00DEACC0), ref: 00DEAB99
CloseHandle.KERNEL32(?,?,00DEACC0), ref: 00DEABAB

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 79d74f9bf7c81e74bccbc33a3e46dbe41bdaf35d26049f4eb8544dce3db78e11
Instruction ID: 22562db31f81a77a947387707355f7cd8e2379c7bec12481a239aff0ec0ee973
Opcode Fuzzy Hash: 79d74f9bf7c81e74bccbc33a3e46dbe41bdaf35d26049f4eb8544dce3db78e11
Instruction Fuzzy Hash: 12E0E671014511AFE7252F55FC09DB77BEAEF04320710846DF55A81470D762AC94DB60

Function 00DD81AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00DD6DB3,-0000031A,?,?,00000001), ref: 00DD81B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00DD81BA

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0edd9e893ce250822326f2b6c2134971e5bb17189770be5e0138db5cf8788064
Instruction ID: 4f145dec2a02e3e7bab6e20ab5e72c0c940ab54604d2a19fcaf888a4017395b7
Opcode Fuzzy Hash: 0edd9e893ce250822326f2b6c2134971e5bb17189770be5e0138db5cf8788064
Instruction Fuzzy Hash: 9AB0923104860CAFDB002BA2FC0DBA87F68EB08662F004010F60D550618B7358288A92

Function 00DDD1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be333a869b1bd6f71bdd43a254de56de1122951e021785c64f4119497f9f6af
Instruction ID: 545fb1ff64520f26ad70d259a228881b3123f28bbfacdccf3303424d66e6f36c
Opcode Fuzzy Hash: 8be333a869b1bd6f71bdd43a254de56de1122951e021785c64f4119497f9f6af
Instruction Fuzzy Hash: DF322522D68F014DDB239639DC22335A299AFB73C4F55D737F81AB5AA6EB29C4834110

Function 00DB96C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 761acf11f8882ce7d6fc00e7a28f2af8886c94f1b17b54cb24951842eead5039
Instruction ID: cc8688b552e1672a9f37f43db7a6b71d37d66645c8c8ec076fb06a6357565048
Opcode Fuzzy Hash: 761acf11f8882ce7d6fc00e7a28f2af8886c94f1b17b54cb24951842eead5039
Instruction Fuzzy Hash: CB229771608341DFC724DF24C8A0BAEB7E4EF84314F24491DFA9A97291DB71E904CBA2

Function 00DE038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba794f98a1865b46581ab18944e3d05dee9aba146e88f667b8f384dacf7eca4
Instruction ID: 9e4ad439f635cf559ef3bd18584b095a0d8d560bdd034f5d21b3a56571db6310
Opcode Fuzzy Hash: 0ba794f98a1865b46581ab18944e3d05dee9aba146e88f667b8f384dacf7eca4
Instruction Fuzzy Hash: EDB10525D2AF414ED323A63A8831336B75C6FBB2D5F91D71BFC1A74D62EB2185874180

Function 00DFB6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00DFB6DF

Part of subcall function 00DD344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00DFBDC3,00000000,?,?,?,?,00DFBF70,00000000,?), ref: 00DD3453
Part of subcall function 00DD344A: __aulldiv.LIBCMT ref: 00DD3473

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 7547dd4455e35c730392c19a4ec72b49b0b77878fca0d0356a107eb9dcf1318f
Instruction ID: dd09ecbb9aaae4c111b65993f36b124e36da14a3e33756754688513f8040abe5
Opcode Fuzzy Hash: 7547dd4455e35c730392c19a4ec72b49b0b77878fca0d0356a107eb9dcf1318f
Instruction Fuzzy Hash: 0E219372634510CBC729CF39D481A52B7E1EB95320B248E6DE0E5CF281CB74B945DB64

Function 00E06AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00E06ACA

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 769dc09863e20a68a94e47f6c4849faa18a41e9c36f4f6823b39d267fc1259e6
Instruction ID: c8462a420c6a62a5bfc2a2bc4dcc1479546cecfa84daf4fd8634f1bb9aa85b0d
Opcode Fuzzy Hash: 769dc09863e20a68a94e47f6c4849faa18a41e9c36f4f6823b39d267fc1259e6
Instruction Fuzzy Hash: A9E01235300204AFC700EB69D905E9AB7EDEF64761B048416E946E7291DAB0E8448BA0

Function 00DF74E7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00DF750A

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 4e5e40fe5095568e8e15589d114dc27ae624c0b4d79825034a83714b88c43b32
Instruction ID: 488747e4231b2de38fed532957e13fc420a519372e7436cb79f351d43b2fe00c
Opcode Fuzzy Hash: 4e5e40fe5095568e8e15589d114dc27ae624c0b4d79825034a83714b88c43b32
Instruction Fuzzy Hash: BAD092A526C64E79EC294724AC1FFF71E08F300781FDEC589B743EA2C4A8E4AD15A031

Function 00DEB106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00DEAD3E), ref: 00DEB124

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 134bc07d8555d5f903c73ef8a779c4159f542308062a1a78a03d5d7dea58b438
Instruction ID: aeb626e6decdb44c9403849912201ce54b1b1590ba9cdbc2049ea1f35811ae0e
Opcode Fuzzy Hash: 134bc07d8555d5f903c73ef8a779c4159f542308062a1a78a03d5d7dea58b438
Instruction Fuzzy Hash: AAD05E320A460EAEDF024FA4EC06EAE3F6AEB04B00F408110FA11D50A0C771D531AF50

Function 00E2B340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 00E2B352

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: c96cdd21fcd63b65b101ec807162417513b47d481731f083c51d79c1b67155d2
Instruction ID: 122ac5d888ee69311ce61781d6787ce91b57f21adc2d57053c5054fee20fd7a7
Opcode Fuzzy Hash: c96cdd21fcd63b65b101ec807162417513b47d481731f083c51d79c1b67155d2
Instruction Fuzzy Hash: EEC04CB140411DDFC755DBC0DD499EEB7BDAB04701F145091A105F1110D7709B459F72

Function 00DD8189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00DD818F

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 37e96633821f8021c9764d2856e6fb98c13cb98b711fb4e83f7471f2beb620d2
Instruction ID: 95320ec9284f0ce3892e3fcd2db5fadb1e4af203c2ed77fff36a7bf1b8f06d4d
Opcode Fuzzy Hash: 37e96633821f8021c9764d2856e6fb98c13cb98b711fb4e83f7471f2beb620d2
Instruction Fuzzy Hash: E2A0113000820CAB8F002B82FC088A83F2CEB002A0B000020F80C000208B22A8388A82

Function 00DBE3B0 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 191cb97b84304ba76c72b83888146ba1c06f1a3a53a2c8b0b80f33a4d1eaed81
Instruction ID: fcd36f52fd5c1586649ebf80058b2207b751e3b4886ebc67a13139c7609974c6
Opcode Fuzzy Hash: 191cb97b84304ba76c72b83888146ba1c06f1a3a53a2c8b0b80f33a4d1eaed81
Instruction Fuzzy Hash: DE22AC74904216CFDB24DF58C480BEAB7F1FF18304F188569E996AB351E735E981CBA1

Function 00DB93F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be16d4c38f825b7827e7112172c8ab9061493e069d312f3a6a7a1336947641e
Instruction ID: cac61c8a7d1446c1e65e4774c34ec9e0f4cb8986b71235582bcfec25fec31948
Opcode Fuzzy Hash: 7be16d4c38f825b7827e7112172c8ab9061493e069d312f3a6a7a1336947641e
Instruction Fuzzy Hash: 70127970A00219EFDF14DFA9D991AEEB7F5FF48300F108529E946E7250EB35A914CB64

Function 00DBAF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 3c70c88d2a0f6a898a04a56fc53e9a646d0eb5373fe0530e8f0901c2d7e61ffd
Instruction ID: d86e48db8dde374cc743f28b97dfa587be61feee75aa065be538fd569a7d0eee
Opcode Fuzzy Hash: 3c70c88d2a0f6a898a04a56fc53e9a646d0eb5373fe0530e8f0901c2d7e61ffd
Instruction Fuzzy Hash: DC02B3B0A00205EFCF14DF68D981AAEB7B5FF48340F14806DE906EB255EB75DA15CBA1

Function 00DD02A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 7e8c11cf09d0107b34edda5603d63506b6e1bde2676672b25537f01f59f35d36
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: A4C1C6322051970ADF2D473A8434A7EBEA55AD27B171E076EE8B3CB5D5EF20C524D630

Function 00DD06D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: f178e6d503d3913a807f1d1f371e98fc546fb63f953a4247da89f37f42a8d42d
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: B5C1C23220519709DF2D463A8434A7EBEA15AE2BB171E176EE4B3CF6D5EF20C524D630

Function 00DCFA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 7ce9fa8fc411f62f65de0e640893adb5e7963f33993def2899f6c0465e0102c7
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 6BC1913220509709DF2D473AC474ABEBAA65AA2BB131E077DE4B3CB5D5EF20C564D630

Function 01678308 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1337125232.0000000001674000.00000040.00000020.00020000.00000000.sdmp, Offset: 01674000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1674000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 9544b30f7b846510291e9f494a523e35069d2dfac98e48b33bc7a66521c8669e
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 9D41D271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80

Function 016781F8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1337125232.0000000001674000.00000040.00000020.00020000.00000000.sdmp, Offset: 01674000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1674000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 0ef8afa4fa1fd8de95f03861238da280747043576431bf2550a4f8cf551609a4
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: E501A478A00609EFCB44DF98C9949AEF7F9FF48310F208599D819A7705D730AE41DB84

Function 01678198 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1337125232.0000000001674000.00000040.00000020.00020000.00000000.sdmp, Offset: 01674000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1674000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: fb730e5b29fb26bfd5be8442daae00d5aaee6610d8c18001663c6386bfd130ba
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 22019278A01109EFCB48DF98D9949AEF7BAFB48310F208599D809A7301D730AE41DB84

Function 01676B58 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1337125232.0000000001674000.00000040.00000020.00020000.00000000.sdmp, Offset: 01674000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1674000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00E0A2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00E0A2FE
DeleteObject.GDI32(00000000), ref: 00E0A310
DestroyWindow.USER32 ref: 00E0A31E
GetDesktopWindow.USER32 ref: 00E0A338
GetWindowRect.USER32(00000000), ref: 00E0A33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00E0A480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00E0A490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E0A4D8
GetClientRect.USER32(00000000,?), ref: 00E0A4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00E0A51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E0A540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E0A553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E0A55E
GlobalLock.KERNEL32(00000000), ref: 00E0A567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E0A576
GlobalUnlock.KERNEL32(00000000), ref: 00E0A57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E0A586
GlobalFree.KERNEL32(00000000), ref: 00E0A591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E0A5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00E3D9BC,00000000), ref: 00E0A5B9
GlobalFree.KERNEL32(00000000), ref: 00E0A5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00E0A5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00E0A60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E0A630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E0A81D

Strings

DISPLAY, xrefs: 00E0A680
AutoIt v3, xrefs: 00E0A4D0
static, xrefs: 00E0A518, 00E0A66F
, xrefs: 00E0A7A3

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 3c762d052e93f8d78a702cf13fabf700e31a2686db813a4f7e5106af57a4cf4f
Instruction ID: 9b6c1e28b61111946c005241d30125b714e07f71f2cf10796423476d61a3f87d
Opcode Fuzzy Hash: 3c762d052e93f8d78a702cf13fabf700e31a2686db813a4f7e5106af57a4cf4f
Instruction Fuzzy Hash: 05028D75900208EFDB14DFA9DD89EAE7BB9FF48310F148158F915AB2A0D770AD85CB60

Function 00E1D285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00E1D2DB
GetSysColorBrush.USER32(0000000F), ref: 00E1D30C
GetSysColor.USER32(0000000F), ref: 00E1D318
SetBkColor.GDI32(?,000000FF), ref: 00E1D332
SelectObject.GDI32(?,00000000), ref: 00E1D341
InflateRect.USER32(?,000000FF,000000FF), ref: 00E1D36C
GetSysColor.USER32(00000010), ref: 00E1D374
CreateSolidBrush.GDI32(00000000), ref: 00E1D37B
FrameRect.USER32(?,?,00000000), ref: 00E1D38A
DeleteObject.GDI32(00000000), ref: 00E1D391
InflateRect.USER32(?,000000FE,000000FE), ref: 00E1D3DC
FillRect.USER32(?,?,00000000), ref: 00E1D40E
GetWindowLongW.USER32(?,000000F0), ref: 00E1D439

Part of subcall function 00E1D575: GetSysColor.USER32(00000012), ref: 00E1D5AE
Part of subcall function 00E1D575: SetTextColor.GDI32(?,?), ref: 00E1D5B2
Part of subcall function 00E1D575: GetSysColorBrush.USER32(0000000F), ref: 00E1D5C8
Part of subcall function 00E1D575: GetSysColor.USER32(0000000F), ref: 00E1D5D3
Part of subcall function 00E1D575: GetSysColor.USER32(00000011), ref: 00E1D5F0
Part of subcall function 00E1D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E1D5FE
Part of subcall function 00E1D575: SelectObject.GDI32(?,00000000), ref: 00E1D60F
Part of subcall function 00E1D575: SetBkColor.GDI32(?,00000000), ref: 00E1D618
Part of subcall function 00E1D575: SelectObject.GDI32(?,?), ref: 00E1D625
Part of subcall function 00E1D575: InflateRect.USER32(?,000000FF,000000FF), ref: 00E1D644
Part of subcall function 00E1D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E1D65B
Part of subcall function 00E1D575: GetWindowLongW.USER32(00000000,000000F0), ref: 00E1D670
Part of subcall function 00E1D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E1D698

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: c2e413ee9d17b43583dbe100113614b362d3f51ddf76dd088dcb85bd509a8654
Instruction ID: aafa2bd2fcdfddb20d37683e948f92ff67fe8f7f03c6feac39259d3df28906f7
Opcode Fuzzy Hash: c2e413ee9d17b43583dbe100113614b362d3f51ddf76dd088dcb85bd509a8654
Instruction Fuzzy Hash: CC918E7240D309FFCB109F65EC48AABBBA9FB85325F101A19F562A61E0C731D948CB52

Function 00DCB8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00DCB98B
DeleteObject.GDI32(00000000), ref: 00DCB9CD
DeleteObject.GDI32(00000000), ref: 00DCB9D8
DestroyIcon.USER32(00000000), ref: 00DCB9E3
DestroyWindow.USER32(00000000), ref: 00DCB9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 00E2D2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00E2D2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00E2D711

Part of subcall function 00DCB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00DCB759,?,00000000,?,?,?,?,00DCB72B,00000000,?), ref: 00DCBA58

SendMessageW.USER32 ref: 00E2D758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00E2D76F
ImageList_Destroy.COMCTL32(00000000), ref: 00E2D785
ImageList_Destroy.COMCTL32(00000000), ref: 00E2D790

Strings

0, xrefs: 00E2D5A5

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 07bf39d0cf9adbdba87eef9017b871e0cf8b4afb8d57c7c7cca7f194be1753c1
Instruction ID: c08dd0b432b7b3a983bbb711ec0534a41d53f93918be217fe67161be0ccc5116
Opcode Fuzzy Hash: 07bf39d0cf9adbdba87eef9017b871e0cf8b4afb8d57c7c7cca7f194be1753c1
Instruction Fuzzy Hash: 49129F30508212DFDB15CF14D889BA9BBE5FF04318F18556EE699EB252CB31E845CFA1

Function 00DFDBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00DFDBD6
GetDriveTypeW.KERNEL32(?,00E4DC54,?,\\.\,00E4DC00), ref: 00DFDCC3
SetErrorMode.KERNEL32(00000000,00E4DC54,?,\\.\,00E4DC00), ref: 00DFDE29

Strings

SSD, xrefs: 00DFDD50
\\.\, xrefs: 00DFDC2B
SAS, xrefs: 00DFDDD2
iSCSI, xrefs: 00DFDDCB
Removable, xrefs: 00DFDD15
MMC, xrefs: 00DFDDE7
ATA, xrefs: 00DFDDA1
RAID, xrefs: 00DFDDC4
Unknown, xrefs: 00DFDCE3, 00DFDD8C
1394, xrefs: 00DFDDA8
Fixed, xrefs: 00DFDD0B
CDROM, xrefs: 00DFDCF7
Fibre, xrefs: 00DFDDB6
Network, xrefs: 00DFDD01
SSA, xrefs: 00DFDDAF
ATAPI, xrefs: 00DFDD9A
FileBackedVirtual, xrefs: 00DFDDF5
SATA, xrefs: 00DFDDD9
USB, xrefs: 00DFDDBD
PhysicalDrive, xrefs: 00DFDC67
RAMDisk, xrefs: 00DFDCED
SCSI, xrefs: 00DFDD93
Virtual, xrefs: 00DFDDEE

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ad3ab5006ad06458c98357e0f83b20a3279ea09d45dfc9025a361970a119b0da
Instruction ID: ac348a23763dbaa182c5d3aaf759bcc4c7a8b9b31e71aad8bf5a8883bc9ed685
Opcode Fuzzy Hash: ad3ab5006ad06458c98357e0f83b20a3279ea09d45dfc9025a361970a119b0da
Instruction Fuzzy Hash: 6C51B63028834AEBC214DF24DC81979B7A3FB94780B25E919F287A7291DB70DD45D772

Function 00DBCC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00DBCC68
__wcsnicmp.LIBCMT ref: 00DBCC80
__wcsnicmp.LIBCMT ref: 00DBCC98
__wcsnicmp.LIBCMT ref: 00DBCCB0
__wcsnicmp.LIBCMT ref: 00DBCCC8
__wcsnicmp.LIBCMT ref: 00DBCCE0
__wcsnicmp.LIBCMT ref: 00DBCCF8
__wcsnicmp.LIBCMT ref: 00DBCD0C
__wcsnicmp.LIBCMT ref: 00DBCD4D
__wcsnicmp.LIBCMT ref: 00DBCD61
__wcsnicmp.LIBCMT ref: 00DBCD75
__wcsnicmp.LIBCMT ref: 00DBCD89

Strings

#OnAutoItStartRegister, xrefs: 00DBCCAA
#pragma compile, xrefs: 00DBCC62
#comments-end, xrefs: 00DBCD6F
#include, xrefs: 00DBCCDA
#requireadmin, xrefs: 00DBCC92
Cannot parse #include, xrefs: 00E22FA1
#ce, xrefs: 00DBCD83
#notrayicon, xrefs: 00DBCC7A
Unterminated group of comments, xrefs: 00E22FB4
#comments-start, xrefs: 00DBCCF2, 00DBCD47
#include-once, xrefs: 00DBCCC2
Bad directive syntax error, xrefs: 00E22ECB
#cs, xrefs: 00DBCD06, 00DBCD5B

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: b972ccc86217d99eb5cbeb5f349f21d51f6f3f67d55e18b3111984a1d1b7c974
Instruction ID: 7ff8eee4761331c4513f6a97e12fdf3bba9c16c72f756795e99290c041113ecd
Opcode Fuzzy Hash: b972ccc86217d99eb5cbeb5f349f21d51f6f3f67d55e18b3111984a1d1b7c974
Instruction Fuzzy Hash: 4B81D634644315FADB25AF64EC82FFE7768EF24704F046029FA06BB182EB60D941D6B5

Function 00E1C6E9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 00E1C788
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00E1C83E
SendMessageW.USER32(?,00001102,00000002,?), ref: 00E1C859
SendMessageW.USER32(?,000000F1,?,00000000), ref: 00E1CB15

Strings

0, xrefs: 00E1C89C

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 68ffb10a07e5cd2d8a5abe9b987088407bb1ba59a426a6eae517b6ced35728c4
Instruction ID: aa08dcbd32c2fb45ed82f1d54baf3c68e85c29bc0a6a9d12ccf3e4ccf8136a6b
Opcode Fuzzy Hash: 68ffb10a07e5cd2d8a5abe9b987088407bb1ba59a426a6eae517b6ced35728c4
Instruction Fuzzy Hash: B2F1D370288305AFD7118F24CC8ABEABBE4FF49758F241919F599F62A1C774D884CB91

Function 00E1638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00E4DC00), ref: 00E16449

Strings

GETCURRENTLINE, xrefs: 00E16704
GETCURRENTSELECTION, xrefs: 00E16603
ISENABLED, xrefs: 00E1648C
FINDSTRING, xrefs: 00E16596
TABRIGHT, xrefs: 00E164BD
SELECTSTRING, xrefs: 00E16626
EDITPASTE, xrefs: 00E1675B
ISVISIBLE, xrefs: 00E16455
DELSTRING, xrefs: 00E16569
ISCHECKED, xrefs: 00E16659
GETSELECTED, xrefs: 00E166C1
UNCHECK, xrefs: 00E166A1
CURRENTTAB, xrefs: 00E164DD
SENDCOMMANDID, xrefs: 00E167CA
ADDSTRING, xrefs: 00E16536
GETLINE, xrefs: 00E1678B
GETLINECOUNT, xrefs: 00E166E4
HIDEDROPDOWN, xrefs: 00E16520
SHOWDROPDOWN, xrefs: 00E16500
TABLEFT, xrefs: 00E164A7
GETCURRENTCOL, xrefs: 00E16724
CHECK, xrefs: 00E1668B
SETCURRENTSELECTION, xrefs: 00E165D6

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: b56067fb0780aea11c2b771feb507020d35e2c37542148cb4a949c29e5a65bc2
Instruction ID: 78c44deea3063f4cef274bcd5835a42b75c740b543713eec8b55de7f542b63b3
Opcode Fuzzy Hash: b56067fb0780aea11c2b771feb507020d35e2c37542148cb4a949c29e5a65bc2
Instruction Fuzzy Hash: A1C183702042468BCB04EF10C552EEE77A6EF95358F14585DF8966B2E2DB20ED8ACB71

Function 00E1D575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00E1D5AE
SetTextColor.GDI32(?,?), ref: 00E1D5B2
GetSysColorBrush.USER32(0000000F), ref: 00E1D5C8
GetSysColor.USER32(0000000F), ref: 00E1D5D3
CreateSolidBrush.GDI32(?), ref: 00E1D5D8
GetSysColor.USER32(00000011), ref: 00E1D5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E1D5FE
SelectObject.GDI32(?,00000000), ref: 00E1D60F
SetBkColor.GDI32(?,00000000), ref: 00E1D618
SelectObject.GDI32(?,?), ref: 00E1D625
InflateRect.USER32(?,000000FF,000000FF), ref: 00E1D644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E1D65B
GetWindowLongW.USER32(00000000,000000F0), ref: 00E1D670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E1D698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00E1D6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 00E1D6DD
DrawFocusRect.USER32(?,?), ref: 00E1D6E8
GetSysColor.USER32(00000011), ref: 00E1D6F6
SetTextColor.GDI32(?,00000000), ref: 00E1D6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00E1D712
SelectObject.GDI32(?,00E1D2A5), ref: 00E1D729
DeleteObject.GDI32(?), ref: 00E1D734
SelectObject.GDI32(?,?), ref: 00E1D73A
DeleteObject.GDI32(?), ref: 00E1D73F
SetTextColor.GDI32(?,?), ref: 00E1D745
SetBkColor.GDI32(?,?), ref: 00E1D74F

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 9f05f66a75a5b3c7cfb4b606f718ee8277661c3a575cf1bc6bb66dd634a2ef9b
Instruction ID: 9e51c43147d2fe892985318183dd57a6e386c9cc9cd96ee2cb15cf747fd3988d
Opcode Fuzzy Hash: 9f05f66a75a5b3c7cfb4b606f718ee8277661c3a575cf1bc6bb66dd634a2ef9b
Instruction Fuzzy Hash: 0E514A71905208FFDF119FA9EC48EEEBF7AEB08324F104115F915BB2A1D7719A449B50

Function 00E1B6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00E1B7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E1B7C1
CharNextW.USER32(0000014E), ref: 00E1B7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00E1B831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00E1B847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E1B858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00E1B875
SetWindowTextW.USER32(?,0000014E), ref: 00E1B8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00E1B8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 00E1B90E
_memset.LIBCMT ref: 00E1B933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00E1B97C
_memset.LIBCMT ref: 00E1B9DB
SendMessageW.USER32 ref: 00E1BA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 00E1BA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 00E1BB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 00E1BB2C
GetMenuItemInfoW.USER32(?), ref: 00E1BB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E1BBA3
DrawMenuBar.USER32(?), ref: 00E1BBB2
SetWindowTextW.USER32(?,0000014E), ref: 00E1BBDA

Strings

0, xrefs: 00E1BB4F

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: a32e0ec4a4ce415251c15d3f28a68cdf04a88f844e22a28b03b7adeeed4010be
Instruction ID: 24cc20937b2c70c415df800c9d7800ecd7b12e43aa70cec56be6a18b933a9e0b
Opcode Fuzzy Hash: a32e0ec4a4ce415251c15d3f28a68cdf04a88f844e22a28b03b7adeeed4010be
Instruction Fuzzy Hash: A1E19E71904218AFDB20DF66DC85EEE7BB8FF05714F10815AF929BA290D7748A85CF60

Function 00DB2EC0 Relevance: 37.1, APIs: 8, Strings: 13, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00DB2F7A
IsWindow.USER32(?), ref: 00E222FD

Strings

L+, xrefs: 00E221B2
CLASS, xrefs: 00E22128
T+, xrefs: 00E2220E
LAST, xrefs: 00E220B6
ALL, xrefs: 00E22264
H+, xrefs: 00E22184
INSTANCE, xrefs: 00E2223C
TITLE, xrefs: 00E22292
ACTIVE, xrefs: 00E220CC
REGEXPCLASS, xrefs: 00E22149
HANDLE, xrefs: 00E220E2
P+, xrefs: 00E221E0
REGEXPTITLE, xrefs: 00E220F8

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$H+$HANDLE$INSTANCE$L+$LAST$P+$REGEXPCLASS$REGEXPTITLE$T+$TITLE
API String ID: 62970417-993842312
Opcode ID: 3e17fd33fa590bef33ba568424e24ecb077e9b76521158b39606756850f709ce
Instruction ID: 527f7ea42fb8c9cc1a4bc62630dde114d4c80338c3218b109252b3335602fd95
Opcode Fuzzy Hash: 3e17fd33fa590bef33ba568424e24ecb077e9b76521158b39606756850f709ce
Instruction Fuzzy Hash: C5D1C431508646EBCB04EF20D982AEABBB0FF54344F005A1DF556771A1DB30E99ACBB1

Function 00E1764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E1778A
GetDesktopWindow.USER32 ref: 00E1779F
GetWindowRect.USER32(00000000), ref: 00E177A6
GetWindowLongW.USER32(?,000000F0), ref: 00E17808
DestroyWindow.USER32(?), ref: 00E17834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00E1785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E1787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00E178A1
SendMessageW.USER32(?,00000421,?,?), ref: 00E178B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00E178C9
IsWindowVisible.USER32(?), ref: 00E178E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00E17904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00E17918
GetWindowRect.USER32(?,?), ref: 00E17930
MonitorFromPoint.USER32(?,?,00000002), ref: 00E17956
GetMonitorInfoW.USER32 ref: 00E17970
CopyRect.USER32(?,?), ref: 00E17987
SendMessageW.USER32(?,00000412,00000000), ref: 00E179F2

Strings

(, xrefs: 00E17965
tooltips_class32, xrefs: 00E17856
0, xrefs: 00E17735

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 32f112720646ece66cf1297155d92242ee47df7a7a8e9002c65086a4d292ffed
Instruction ID: 405a6655aba12705e541746fbb5fa74382f9e1860660c4c569a257bd7b37cf26
Opcode Fuzzy Hash: 32f112720646ece66cf1297155d92242ee47df7a7a8e9002c65086a4d292ffed
Instruction Fuzzy Hash: 84B1AE71608340AFD704DF64C949BAABBF5FF88714F00891DF59AAB291D770E844CBA6

Function 00DF6CE9 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00DF6CFB
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00DF6D21
_wcscpy.LIBCMT ref: 00DF6D4F
_wcscmp.LIBCMT ref: 00DF6D5A
_wcscat.LIBCMT ref: 00DF6D70
_wcsstr.LIBCMT ref: 00DF6D7B
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00DF6D97
_wcscat.LIBCMT ref: 00DF6DE0
_wcscat.LIBCMT ref: 00DF6DE7
_wcsncpy.LIBCMT ref: 00DF6E12

Strings

%u.%u.%u.%u, xrefs: 00DF6E75
DefaultLangCodepage, xrefs: 00DF6DFA
\VarFileInfo\Translation, xrefs: 00DF6D8F
04090000, xrefs: 00DF6DCD
StringFileInfo\, xrefs: 00DF6D6A

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: a2ae075c049cd9c650f919a56acf619b9a026ec16b52c5017b1cd7350f86e21b
Instruction ID: 5c6e03b67df47ad5ed6142fd5fd8a188c00bdecbf226db2d86a9487f934331ad
Opcode Fuzzy Hash: a2ae075c049cd9c650f919a56acf619b9a026ec16b52c5017b1cd7350f86e21b
Instruction Fuzzy Hash: F941E772A04215BBE714AB74DC47EBF7B7CDF45710F04402AFA01B6282EB74DA0596B1

Function 00DCA856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DCA939
GetSystemMetrics.USER32(00000007), ref: 00DCA941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DCA96C
GetSystemMetrics.USER32(00000008), ref: 00DCA974
GetSystemMetrics.USER32(00000004), ref: 00DCA999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00DCA9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00DCA9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00DCA9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00DCAA0D
GetClientRect.USER32(00000000,000000FF), ref: 00DCAA2B
GetStockObject.GDI32(00000011), ref: 00DCAA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 00DCAA52

Part of subcall function 00DCB63C: GetCursorPos.USER32(000000FF), ref: 00DCB64F
Part of subcall function 00DCB63C: ScreenToClient.USER32(00000000,000000FF), ref: 00DCB66C
Part of subcall function 00DCB63C: GetAsyncKeyState.USER32(00000001), ref: 00DCB691
Part of subcall function 00DCB63C: GetAsyncKeyState.USER32(00000002), ref: 00DCB69F

SetTimer.USER32(00000000,00000000,00000028,00DCAB87), ref: 00DCAA79

Strings

AutoIt v3 GUI, xrefs: 00DCA9F1

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 7e2f11d37862c6eeedc5bf985b0855d72a7532d91793d991e72619dc9e661868
Instruction ID: adde4b4a7416e89ed8d69f2174aee1a86c40500e4e96a803beda15415457339e
Opcode Fuzzy Hash: 7e2f11d37862c6eeedc5bf985b0855d72a7532d91793d991e72619dc9e661868
Instruction Fuzzy Hash: F1B17C71A0420AAFDB14DFA9DC4AFAE7BB4FB08318F154219FA15E7290DB70D841CB61

Function 00E13639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E13735
RegCreateKeyExW.ADVAPI32(?,?,00000000,00E4DC00,00000000,?,00000000,?,?), ref: 00E137A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00E137EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00E13874
RegCloseKey.ADVAPI32(?), ref: 00E13B94
RegCloseKey.ADVAPI32(00000000), ref: 00E13BA1

Strings

REG_QWORD, xrefs: 00E13AE2
REG_MULTI_SZ, xrefs: 00E1395C
REG_DWORD, xrefs: 00E13A65
REG_SZ, xrefs: 00E138B2
REG_BINARY, xrefs: 00E13B2F
REG_EXPAND_SZ, xrefs: 00E13811

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: fef906dc30add86bc310dd30576bb9816cb8489aa0eb10e350f6ff00e210b908
Instruction ID: c1b417f6227a3bfd0309bb34af437fc54ab16d49b767441618e900991240dfdf
Opcode Fuzzy Hash: fef906dc30add86bc310dd30576bb9816cb8489aa0eb10e350f6ff00e210b908
Instruction Fuzzy Hash: AC0226756046019FCB14EF24C855AAEB7E5FF88724F04845DF98AAB3A1DB30ED41CBA1

Function 00E16BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E16C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00E16D16

Strings

GETITEMCOUNT, xrefs: 00E16C84
SELECTINVERT, xrefs: 00E16DDE
ISSELECTED, xrefs: 00E16D21
DESELECT, xrefs: 00E16DFC
FINDITEM, xrefs: 00E16E81
GETSELECTEDCOUNT, xrefs: 00E16CF9
VIEWCHANGE, xrefs: 00E16ECD
SELECTALL, xrefs: 00E16D75
GETSELECTED, xrefs: 00E16E3C
GETSUBITEMCOUNT, xrefs: 00E16CA1
SELECT, xrefs: 00E16DA8
SELECTCLEAR, xrefs: 00E16D8D
GETTEXT, xrefs: 00E16CBF

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 6403c7ecae678e88c99bb913b597e1aac92cb3311ebd6261a226170b8a104642
Instruction ID: c7b8e7f16cf4fe42c259b5e1075ad236cae4616f96fa84bdb67cd3d6560147cd
Opcode Fuzzy Hash: 6403c7ecae678e88c99bb913b597e1aac92cb3311ebd6261a226170b8a104642
Instruction Fuzzy Hash: C3A18F702042829BCB14EF20D952EAAB3A5FF84354F14596DB8666B3D2DB30ED46CB71

Function 00DECF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00DECF91
__swprintf.LIBCMT ref: 00DED032
_wcscmp.LIBCMT ref: 00DED045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00DED09A
_wcscmp.LIBCMT ref: 00DED0D6
GetClassNameW.USER32(?,?,00000400), ref: 00DED10D
GetDlgCtrlID.USER32(?), ref: 00DED15F
GetWindowRect.USER32(?,?), ref: 00DED195
GetParent.USER32(?), ref: 00DED1B3
ScreenToClient.USER32(00000000), ref: 00DED1BA
GetClassNameW.USER32(?,?,00000100), ref: 00DED234
_wcscmp.LIBCMT ref: 00DED248
GetWindowTextW.USER32(?,?,00000400), ref: 00DED26E
_wcscmp.LIBCMT ref: 00DED282

Strings

%s%u, xrefs: 00DED02C

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: b0b0852f7f1a54d2293a7c6513aa7a9f1031f721268b5ac6947c1fc3a5a6fad5
Instruction ID: 156634675c8e5372f23f70ec628de1152a970bd2f21577c77d830f32a8e09a8d
Opcode Fuzzy Hash: b0b0852f7f1a54d2293a7c6513aa7a9f1031f721268b5ac6947c1fc3a5a6fad5
Instruction Fuzzy Hash: 98A10471604346AFD714EF65C884FAAB7A9FF44354F04852AFAA9D3180DB30EA05CBB1

Function 00DED8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00DED8EB
_wcscmp.LIBCMT ref: 00DED8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00DED924
CharUpperBuffW.USER32(?,00000000), ref: 00DED941
_wcscmp.LIBCMT ref: 00DED95F
_wcsstr.LIBCMT ref: 00DED970
GetClassNameW.USER32(00000018,?,00000400), ref: 00DED9A8
_wcscmp.LIBCMT ref: 00DED9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00DED9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 00DEDA28
_wcscmp.LIBCMT ref: 00DEDA38
GetClassNameW.USER32(00000010,?,00000400), ref: 00DEDA60
GetWindowRect.USER32(00000004,?), ref: 00DEDAC9

Strings

ThumbnailClass, xrefs: 00DED9B3, 00DEDA33
@, xrefs: 00DED8C6

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: cae9246bdde897ced5ad513d1e2becd92817a67aaf488e086739d2a75a6e9213
Instruction ID: 628ed06596e906744da7c34dc156ab8c563951fc76012a47a35b0efddcdd876a
Opcode Fuzzy Hash: cae9246bdde897ced5ad513d1e2becd92817a67aaf488e086739d2a75a6e9213
Instruction Fuzzy Hash: 318192710083859FDB01EF11D885FAA7BA9FF54314F08846AFD899A096EB34DE45CBB1

Function 00DED6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00DED753

Strings

[LAST, xrefs: 00DED800
[ALL, xrefs: 00DED7F9
[CLASS:, xrefs: 00DED7A3
[HANDLE:, xrefs: 00DED75F
ACTIVE, xrefs: 00DED72E
LAST, xrefs: 00DED718
HANDLE=, xrefs: 00DED74C
[ACTIVE, xrefs: 00DED740
CLASSNAME=, xrefs: 00DED790
REGEXP=, xrefs: 00DED768
ALL, xrefs: 00DED7E7
[REGEXPTITLE:, xrefs: 00DED77B

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: b36ca8b82cd8123b61b9f1e66841f754fb1255af70c74063cbfcd18ddc21d7d9
Instruction ID: 29422f07834037cfbb00b1312dedab72abeea7b1e3803a43c2f04268d9188b5b
Opcode Fuzzy Hash: b36ca8b82cd8123b61b9f1e66841f754fb1255af70c74063cbfcd18ddc21d7d9
Instruction Fuzzy Hash: B3317A31A84745EAEB14FB61ED83EEDB366DF20780F20112AF582B10D5EF51AE04C671

Function 00DEEA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00DEEAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00DEEAC2
SetWindowTextW.USER32(?,?), ref: 00DEEAD9
GetDlgItem.USER32(?,000003EA), ref: 00DEEAEE
SetWindowTextW.USER32(00000000,?), ref: 00DEEAF4
GetDlgItem.USER32(?,000003E9), ref: 00DEEB04
SetWindowTextW.USER32(00000000,?), ref: 00DEEB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00DEEB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00DEEB45
GetWindowRect.USER32(?,?), ref: 00DEEB4E
SetWindowTextW.USER32(?,?), ref: 00DEEBB9
GetDesktopWindow.USER32 ref: 00DEEBBF
GetWindowRect.USER32(00000000), ref: 00DEEBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00DEEC12
GetClientRect.USER32(?,?), ref: 00DEEC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00DEEC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00DEEC6F

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 3b7545285f1c8bacfd70d184cec280d6f21dcbddc9143f2d329d820cbc923fe2
Instruction ID: 42dfac3cb15affe4f3b3dd0c3b0d2b6061705097e12c017e12efbf06a655dcf3
Opcode Fuzzy Hash: 3b7545285f1c8bacfd70d184cec280d6f21dcbddc9143f2d329d820cbc923fe2
Instruction Fuzzy Hash: B5513F71900749EFDB20EFAADD8AF6EBBF5FF04704F004928E596A25A0D775A944CB10

Function 00E079B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00E079C6
LoadCursorW.USER32(00000000,00007F00), ref: 00E079D1
LoadCursorW.USER32(00000000,00007F03), ref: 00E079DC
LoadCursorW.USER32(00000000,00007F8B), ref: 00E079E7
LoadCursorW.USER32(00000000,00007F01), ref: 00E079F2
LoadCursorW.USER32(00000000,00007F81), ref: 00E079FD
LoadCursorW.USER32(00000000,00007F88), ref: 00E07A08
LoadCursorW.USER32(00000000,00007F80), ref: 00E07A13
LoadCursorW.USER32(00000000,00007F86), ref: 00E07A1E
LoadCursorW.USER32(00000000,00007F83), ref: 00E07A29
LoadCursorW.USER32(00000000,00007F85), ref: 00E07A34
LoadCursorW.USER32(00000000,00007F82), ref: 00E07A3F
LoadCursorW.USER32(00000000,00007F84), ref: 00E07A4A
LoadCursorW.USER32(00000000,00007F04), ref: 00E07A55
LoadCursorW.USER32(00000000,00007F02), ref: 00E07A60
LoadCursorW.USER32(00000000,00007F89), ref: 00E07A6B
GetCursorInfo.USER32(?), ref: 00E07A7B

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: ef177b712d4ad9995f6671632a2a99bf7d1a064932ea90c2f2398dff583ebafe
Instruction ID: 864f39df54eb05656a2e810a8fa0b1c4ee5bd5ba323a3f59e8ae086e577252e1
Opcode Fuzzy Hash: ef177b712d4ad9995f6671632a2a99bf7d1a064932ea90c2f2398dff583ebafe
Instruction Fuzzy Hash: B23129B0E0831A6ADB109FB68C8995FBFF8FF04754F50452AE54DF7180DA78A5408FA1

Function 00DBC833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 00DCE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00DBC8B7,?,00002000,?,?,00000000,?,00DB419E,?,?,?,00E4DC00), ref: 00DCE984

Part of subcall function 00DB660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DB53B1,?,?,00DB61FF,?,00000000,00000001,00000000), ref: 00DB662F

__wsplitpath.LIBCMT ref: 00DBC93E

Part of subcall function 00DD1DFC: __wsplitpath_helper.LIBCMT ref: 00DD1E3C

_wcscpy.LIBCMT ref: 00DBC953
_wcscat.LIBCMT ref: 00DBC968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00DBC978
SetCurrentDirectoryW.KERNEL32(?), ref: 00DBCABE

Part of subcall function 00DBB337: _wcscpy.LIBCMT ref: 00DBB36F

Strings

EA06, xrefs: 00E230C9
Error opening the file, xrefs: 00E230B4, 00E2313D
>>>AUTOIT SCRIPT<<<, xrefs: 00E2311B
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00E23098
Unterminated string, xrefs: 00E23470
AU3!, xrefs: 00DBC90C
Bad directive syntax error, xrefs: 00E23429

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: b1036b674a46b67a531c0e68a8651d1c16e26aa35a93afd45738d95a12fa8287
Instruction ID: 306322fd614237f01d5cdaf6c94819bda43166eae346d99ceb9b97293a382a5a
Opcode Fuzzy Hash: b1036b674a46b67a531c0e68a8651d1c16e26aa35a93afd45738d95a12fa8287
Instruction Fuzzy Hash: 15125A71508341DBC724EF24D881AAEBBE5FF99304F04591EF59AA3261DB30DA49CB72

Function 00E1CE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E1CEFB
DestroyWindow.USER32(?,?), ref: 00E1CF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00E1CFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00E1D016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E1D025
DestroyWindow.USER32(?), ref: 00E1D042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00DB0000,00000000), ref: 00E1D075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E1D094
GetDesktopWindow.USER32 ref: 00E1D0A9
GetWindowRect.USER32(00000000), ref: 00E1D0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E1D0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00E1D0DA

Part of subcall function 00DCB526: GetWindowLongW.USER32(?,000000EB), ref: 00DCB537

Strings

0, xrefs: 00E1CF1B
tooltips_class32, xrefs: 00E1CFED, 00E1D06E

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: 982c1ab2e84e89fd2ba0f98bca459592b11608a4424a538641935991b9f0f6ad
Instruction ID: 2ffc8dde22f6b65d9ff561003a00d84a2cb0292dccfd7694cf88b74cb8ee7022
Opcode Fuzzy Hash: 982c1ab2e84e89fd2ba0f98bca459592b11608a4424a538641935991b9f0f6ad
Instruction Fuzzy Hash: 2171D270158305AFD720CF68CC85FA67BEAEB8C708F04551DF985A72A1D770E986CB22

Function 00E1F351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DCB35F

DragQueryPoint.SHELL32(?,?), ref: 00E1F37A

Part of subcall function 00E1D7DE: ClientToScreen.USER32(?,?), ref: 00E1D807
Part of subcall function 00E1D7DE: GetWindowRect.USER32(?,?), ref: 00E1D87D
Part of subcall function 00E1D7DE: PtInRect.USER32(?,?,00E1ED5A), ref: 00E1D88D

SendMessageW.USER32(?,000000B0,?,?), ref: 00E1F3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E1F3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E1F411
_wcscat.LIBCMT ref: 00E1F441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00E1F458
SendMessageW.USER32(?,000000B0,?,?), ref: 00E1F471
SendMessageW.USER32(?,000000B1,?,?), ref: 00E1F488
SendMessageW.USER32(?,000000B1,?,?), ref: 00E1F4AA
DragFinish.SHELL32(?), ref: 00E1F4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00E1F59C

Strings

@GUI_DRAGID, xrefs: 00E1F510
@GUI_DROPID, xrefs: 00E1F4D1
@GUI_DRAGFILE, xrefs: 00E1F54B

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 2191583d4ebfd66219b2d793d721b35a64d1e5f923b0dc997596b9de55cc3d4a
Instruction ID: 278e60b68a16ca228bdb93079c16d3b5a397dabd8ce03e5a0ba92283f8956798
Opcode Fuzzy Hash: 2191583d4ebfd66219b2d793d721b35a64d1e5f923b0dc997596b9de55cc3d4a
Instruction Fuzzy Hash: 84614A71108305AFC301DF64DC46E9FBBF8FB88710F004A1EF5A6A21A1DB719A49CB62

Function 00DF26BC Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00E23973,00000016,0000138C,00000016,?,00000016,00E4DDB4,00000000,?), ref: 00DF26F1
LoadStringW.USER32(00000000,?,00E23973,00000016), ref: 00DF26FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00E23973,00000016,0000138C,00000016,?,00000016,00E4DDB4,00000000,?,00000016), ref: 00DF271C
LoadStringW.USER32(00000000,?,00E23973,00000016), ref: 00DF271F
__swprintf.LIBCMT ref: 00DF276F
__swprintf.LIBCMT ref: 00DF2780
_wprintf.LIBCMT ref: 00DF2829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00DF2840

Strings

Error: , xrefs: 00DF27F7
Line %d (File "%s"):, xrefs: 00DF2769
%s (%d) : ==> %s: %s %s, xrefs: 00DF2824
Line %d:, xrefs: 00DF277A
s9, xrefs: 00DF2728
^ ERROR, xrefs: 00DF27D5

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR$s9
API String ID: 618562835-2846937808
Opcode ID: 782219bc2a7ae03f99c188d64490bac8725f7b1f9558f141599d724f8bfb8c8f
Instruction ID: 2d6b55523a39424a6f876c37144b94a295d3251ba1d99b3a37f9e49013d0e3c3
Opcode Fuzzy Hash: 782219bc2a7ae03f99c188d64490bac8725f7b1f9558f141599d724f8bfb8c8f
Instruction Fuzzy Hash: AC410E72800219FACB14FBE4ED86EEEB778EF54380F504065F60676092EA646F59CB71

Function 00DFAAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00DFAB3D
VariantCopy.OLEAUT32(?,?), ref: 00DFAB46
VariantClear.OLEAUT32(?), ref: 00DFAB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00DFAC40
__swprintf.LIBCMT ref: 00DFAC70
VarR8FromDec.OLEAUT32(?,?), ref: 00DFAC9C
VariantInit.OLEAUT32(?), ref: 00DFAD4D
SysFreeString.OLEAUT32(00000016), ref: 00DFADDF
VariantClear.OLEAUT32(?), ref: 00DFAE35
VariantClear.OLEAUT32(?), ref: 00DFAE44
VariantInit.OLEAUT32(00000000), ref: 00DFAE80

Strings

Default, xrefs: 00DFACFD
%4d%02d%02d%02d%02d%02d, xrefs: 00DFAC6A

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: cb516953f2140e624bd8ad5d33d1f58e1cf9944c7b9a9e94c0599dc2af23f501
Instruction ID: 7aad51285d4ec4b4a0a14b82354406078b0d6ab0f002e5a0f95076a572f73fed
Opcode Fuzzy Hash: cb516953f2140e624bd8ad5d33d1f58e1cf9944c7b9a9e94c0599dc2af23f501
Instruction Fuzzy Hash: 83D1C2B1A04219DBCB149F69D885BB9B7B5FF04700F1AC095F6599B280DB70DC40DBB2

Function 00E1716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E171FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E17247

Strings

GETITEMCOUNT, xrefs: 00E17311
ISCHECKED, xrefs: 00E173B2
COLLAPSE, xrefs: 00E1728D
EXISTS, xrefs: 00E172B0
GETSELECTED, xrefs: 00E1733F
UNCHECK, xrefs: 00E1740B
SELECT, xrefs: 00E173E0
EXPAND, xrefs: 00E172E1
GETTEXT, xrefs: 00E17382
GETTOTALCOUNT, xrefs: 00E1722A
CHECK, xrefs: 00E17267

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 20be4990b75c0db37d9d8b4b8e58ff145cb9088fe7b6f55ac0342ef413b2e8cd
Instruction ID: 44e51c43d74c8706b50f1d796d37f87ea9a34f5a34b851f97ca0a6367b4605e3
Opcode Fuzzy Hash: 20be4990b75c0db37d9d8b4b8e58ff145cb9088fe7b6f55ac0342ef413b2e8cd
Instruction Fuzzy Hash: 7F917E702087419BCB05EF10C952AAEB7A1FF94754F04585CF8966B3A2DB30ED4ACBA1

Function 00DECB82 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00DECF50), ref: 00DECE90

Strings

L+, xrefs: 00DECD14
CLASS, xrefs: 00DECC10
INSTANCE, xrefs: 00DECD9E
P+, xrefs: 00DECD43
T+, xrefs: 00DECD72
H+, xrefs: 00DECCE8
REGEXPCLASS, xrefs: 00DECC56
4+, xrefs: 00DECC96
TEXT, xrefs: 00DECDC7
CLASSNN, xrefs: 00DECC33
NAME, xrefs: 00DECCC2

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ChildEnumWindows
String ID: 4+$CLASS$CLASSNN$H+$INSTANCE$L+$NAME$P+$REGEXPCLASS$T+$TEXT
API String ID: 3555792229-2655548891
Opcode ID: 8682ecc5ac1ba3848af7666f0f3ca74ab508b818d4ecfe2ee2f253755a438ac6
Instruction ID: d72b6dce89fdf375698d8313f1d0a7248ddcdca712b72542e997e7f5b7a86a22
Opcode Fuzzy Hash: 8682ecc5ac1ba3848af7666f0f3ca74ab508b818d4ecfe2ee2f253755a438ac6
Instruction Fuzzy Hash: EF91B470610686AACB18EF61C482BEEFB75FF04340F549519E95AB7141DF30A95ACBF0

Function 00E1E4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00E1E5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00E1BEAF), ref: 00E1E607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E1E647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E1E68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E1E6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,00E1BEAF), ref: 00E1E6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E1E6DF
DestroyIcon.USER32(?,?,?,?,?,00E1BEAF), ref: 00E1E6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00E1E70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00E1E717

Part of subcall function 00DD0FA7: __wcsicmp_l.LIBCMT ref: 00DD1030

Strings

.exe, xrefs: 00E1E541
.dll, xrefs: 00E1E564
.icl, xrefs: 00E1E521

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: d343169eff14dd8ad1449fdc7f11eba09b7702c9225b43c3e1dcfeed2a0c8087
Instruction ID: 1a256169382dee1a673ea88b2a3e10b9f2a76783cc17a4a7432409fe7372d5fc
Opcode Fuzzy Hash: d343169eff14dd8ad1449fdc7f11eba09b7702c9225b43c3e1dcfeed2a0c8087
Instruction Fuzzy Hash: CA619D71540219FEEB24DF64DC46BFE7BA8FB18724F104106F915E62D1EBB0A994CBA0

Function 00DFD219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00DB936C: __swprintf.LIBCMT ref: 00DB93AB
Part of subcall function 00DB936C: __itow.LIBCMT ref: 00DB93DF

CharLowerBuffW.USER32(?,?), ref: 00DFD292
GetDriveTypeW.KERNEL32 ref: 00DFD2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DFD327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DFD35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DFD38C

Strings

wait, xrefs: 00DFD349
type cdaudio alias cd wait, xrefs: 00DFD30A
closed, xrefs: 00DFD2A6, 00DFD2AF
close, xrefs: 00DFD298
open , xrefs: 00DFD2EE
open, xrefs: 00DFD2B9
set cd door , xrefs: 00DFD32D
close cd wait, xrefs: 00DFD377

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 82da842ca045e5d8b55d59a29d2d8fe48d1b6ed09a5a00264cb4bbddee336a37
Instruction ID: 9843ecd53540d35a6c32b9dcf07c7e89f5ad9e7b13a1ee950ea919fbb4f79ffa
Opcode Fuzzy Hash: 82da842ca045e5d8b55d59a29d2d8fe48d1b6ed09a5a00264cb4bbddee336a37
Instruction Fuzzy Hash: 655128711043059FC700EF20D9819AEB7E5EF98758F04885DF99667291DB31EE09CBA2

Function 00DFD0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00DFD0D8
__swprintf.LIBCMT ref: 00DFD0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 00DFD137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00DFD15C
_memset.LIBCMT ref: 00DFD17B
_wcsncpy.LIBCMT ref: 00DFD1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00DFD1EC
CloseHandle.KERNEL32(00000000), ref: 00DFD1F7
RemoveDirectoryW.KERNEL32(?), ref: 00DFD200
CloseHandle.KERNEL32(00000000), ref: 00DFD20A

Strings

\, xrefs: 00DFD110
\??\%s, xrefs: 00DFD0F4
:, xrefs: 00DFD11B

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 631df2873211686d8bc1cf74fddcd373b8bcce22bcd3421ef70118c02fbb1a98
Instruction ID: bf78c87a2a4c2c846b4734a3c5cefc0e76d2bc6e1490c95ccbad8e6b387aaf81
Opcode Fuzzy Hash: 631df2873211686d8bc1cf74fddcd373b8bcce22bcd3421ef70118c02fbb1a98
Instruction Fuzzy Hash: 973190B250020DABDB21DFA5DC49FEB77BEEF89740F1480A6F609E2160E77096448B34

Function 00E1E731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00E1BEF4,?,?), ref: 00E1E754
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00E1BEF4,?,?,00000000,?), ref: 00E1E76B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00E1BEF4,?,?,00000000,?), ref: 00E1E776
CloseHandle.KERNEL32(00000000,?,?,?,?,00E1BEF4,?,?,00000000,?), ref: 00E1E783
GlobalLock.KERNEL32(00000000), ref: 00E1E78C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00E1BEF4,?,?,00000000,?), ref: 00E1E79B
GlobalUnlock.KERNEL32(00000000), ref: 00E1E7A4
CloseHandle.KERNEL32(00000000,?,?,?,?,00E1BEF4,?,?,00000000,?), ref: 00E1E7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00E1BEF4,?,?,00000000,?), ref: 00E1E7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,00E3D9BC,?), ref: 00E1E7D5
GlobalFree.KERNEL32(00000000), ref: 00E1E7E5
GetObjectW.GDI32(00000000,00000018,?), ref: 00E1E809
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00E1E834
DeleteObject.GDI32(00000000), ref: 00E1E85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00E1E872

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 904984729eb537e76c516599e142181269a5397fa5ddb0f497b3bc36872537cf
Instruction ID: e9b038e71a93b95dcb3c047c9cc1cc35bab0a9ccb7c9ac9173a5b43df2958e0a
Opcode Fuzzy Hash: 904984729eb537e76c516599e142181269a5397fa5ddb0f497b3bc36872537cf
Instruction Fuzzy Hash: C8414975600208EFDB119F66EC8CEAB7BB9EF89715F104058F916A72A0C7309D45DB20

Function 00E005F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00E0076F
_wcscat.LIBCMT ref: 00E00787
_wcscat.LIBCMT ref: 00E00799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E007AE
SetCurrentDirectoryW.KERNEL32(?), ref: 00E007C2
GetFileAttributesW.KERNEL32(?), ref: 00E007DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 00E007F4
SetCurrentDirectoryW.KERNEL32(?), ref: 00E00806

Strings

*.*, xrefs: 00E00845

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 72ad17363a8d43fdc1ad7778665a3adf2f9947b6819ff319667e2928fda85112
Instruction ID: c574429bf015e935f82d81ff0956553dd4cef46d13070223b96f9141240229ce
Opcode Fuzzy Hash: 72ad17363a8d43fdc1ad7778665a3adf2f9947b6819ff319667e2928fda85112
Instruction Fuzzy Hash: 6081B3715043419FCB24DF24D844AAEB7E9FBC8304F18982EF885E7291EB35D9948B62

Function 00E1EEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DCB35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E1EF3B
GetFocus.USER32 ref: 00E1EF4B
GetDlgCtrlID.USER32(00000000), ref: 00E1EF56
_memset.LIBCMT ref: 00E1F081
GetMenuItemInfoW.USER32 ref: 00E1F0AC
GetMenuItemCount.USER32(00000000), ref: 00E1F0CC
GetMenuItemID.USER32(?,00000000), ref: 00E1F0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 00E1F113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 00E1F15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E1F193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00E1F1C8

Strings

0, xrefs: 00E1F079

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: d59f2c49697dbb32535ff68762cee2b96c5a1a33f4202fc9e1253488d418e1ba
Instruction ID: 4c97f208977ef7c2edfdb3a2096e3b0d833244d5f3e4e6e45fa8a4a544a7cb49
Opcode Fuzzy Hash: d59f2c49697dbb32535ff68762cee2b96c5a1a33f4202fc9e1253488d418e1ba
Instruction Fuzzy Hash: B381AE71209305EFD710CF15D885AABBBE5FB88318F00552EF999A7292D770D885CBA2

Function 00DEA867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DEABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00DEABD7
Part of subcall function 00DEABBB: GetLastError.KERNEL32(?,00DEA69F,?,?,?), ref: 00DEABE1
Part of subcall function 00DEABBB: GetProcessHeap.KERNEL32(00000008,?,?,00DEA69F,?,?,?), ref: 00DEABF0
Part of subcall function 00DEABBB: HeapAlloc.KERNEL32(00000000,?,00DEA69F,?,?,?), ref: 00DEABF7
Part of subcall function 00DEABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00DEAC0E

Part of subcall function 00DEAC56: GetProcessHeap.KERNEL32(00000008,00DEA6B5,00000000,00000000,?,00DEA6B5,?), ref: 00DEAC62
Part of subcall function 00DEAC56: HeapAlloc.KERNEL32(00000000,?,00DEA6B5,?), ref: 00DEAC69
Part of subcall function 00DEAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00DEA6B5,?), ref: 00DEAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DEA8CB
_memset.LIBCMT ref: 00DEA8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00DEA8FF
GetLengthSid.ADVAPI32(?), ref: 00DEA910
GetAce.ADVAPI32(?,00000000,?), ref: 00DEA94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DEA969
GetLengthSid.ADVAPI32(?), ref: 00DEA986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00DEA995
HeapAlloc.KERNEL32(00000000), ref: 00DEA99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00DEA9BD
CopySid.ADVAPI32(00000000), ref: 00DEA9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00DEA9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DEAA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DEAA2F

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 50c51a5cb13cd0e03c3a4721d6479e797807d81e9047030bcb24779550811789
Instruction ID: aed362c1bcd6a2fa6b35d6f0fafa6462faa5c3bc158cca10f265cfb53e4caf88
Opcode Fuzzy Hash: 50c51a5cb13cd0e03c3a4721d6479e797807d81e9047030bcb24779550811789
Instruction Fuzzy Hash: 7A515D7190024AAFDF05DFA6DD89AEEBB7AFF04300F048129F811AA250D731A909CB61

Function 00E09DC1 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00E09E36
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00E09E42
CreateCompatibleDC.GDI32(?), ref: 00E09E4E
SelectObject.GDI32(00000000,?), ref: 00E09E5B
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00E09EAF
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00E09EEB
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00E09F0F
SelectObject.GDI32(00000006,?), ref: 00E09F17
DeleteObject.GDI32(?), ref: 00E09F20
DeleteDC.GDI32(00000006), ref: 00E09F27
ReleaseDC.USER32(00000000,?), ref: 00E09F32

Strings

(, xrefs: 00E09ED7

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: c243923a6f61bf5a6fe5d28ad4f3a1ad6ac606f615e746ccbe605ad0d03d4d1d
Instruction ID: 92247a57ce6f599f3f6133e4862bc4211175019d60745f5dd8c03bef3f9be099
Opcode Fuzzy Hash: c243923a6f61bf5a6fe5d28ad4f3a1ad6ac606f615e746ccbe605ad0d03d4d1d
Instruction Fuzzy Hash: E2514871A04309EFCB14CFA9DC89EAEBBB9EF48710F14841DF959A7251C731A845CBA0

Function 00DFCC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 00DFCCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 00DFCCC5
__swprintf.LIBCMT ref: 00DFCD1E
__swprintf.LIBCMT ref: 00DFCD37
_wprintf.LIBCMT ref: 00DFCDED
_wprintf.LIBCMT ref: 00DFCE0B

Strings

"%s" (%d) : ==> %s:, xrefs: 00DFCE06
Error: , xrefs: 00DFCDB5
Line %d (File "%s"):, xrefs: 00DFCD18, 00DFCD31
"%s" (%d) : ==> %s:%s%s, xrefs: 00DFCDE8
^ ERROR, xrefs: 00DFCD8F

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: ec6d26f5dd7c2b77e937aae75b8c469cd4dcc12d8a62c5649b0d7e356f7afc47
Instruction ID: b664128159165cc6f16fe67d752281b51b6cd473d11b937d0db2508592e8ed3d
Opcode Fuzzy Hash: ec6d26f5dd7c2b77e937aae75b8c469cd4dcc12d8a62c5649b0d7e356f7afc47
Instruction Fuzzy Hash: 6C515A3190020DFACB15EBA4DE46EEEB778EF04340F104166F506721A2EB316E69DB71

Function 00DFCA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00DFCA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00DFCAB0
__swprintf.LIBCMT ref: 00DFCB09
__swprintf.LIBCMT ref: 00DFCB22
_wprintf.LIBCMT ref: 00DFCBCD
_wprintf.LIBCMT ref: 00DFCBEB

Strings

"%s" (%d) : ==> %s:, xrefs: 00DFCBE6
Error: , xrefs: 00DFCB95
Line %d (File "%s"):, xrefs: 00DFCB03, 00DFCB1C
"%s" (%d) : ==> %s:%s%s, xrefs: 00DFCBC8
^ ERROR , xrefs: 00DFCB64

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: bbac4ed41650cbaade76d389ce0d88fa7f73472cf5cca5fae65ec62b9117e118
Instruction ID: 7ce8e7dfcc8718a6cbf20ed1c6d4b246fa953e2e7510b06abffb4acda46b2291
Opcode Fuzzy Hash: bbac4ed41650cbaade76d389ce0d88fa7f73472cf5cca5fae65ec62b9117e118
Instruction Fuzzy Hash: 49515931900209FADB15EBE4DE46EEEB778EF04340F104165F606721A2EB716EA9DB71

Function 00E13C06 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E12BB5,?,?), ref: 00E13C1D

Strings

$E, xrefs: 00E13C36
HKCR, xrefs: 00E13CAB
HKEY_CLASSES_ROOT, xrefs: 00E13C96
HKLM, xrefs: 00E13C81
HKCU, xrefs: 00E13CF3
HKCC, xrefs: 00E13CD1
HKEY_LOCAL_MACHINE, xrefs: 00E13C6C
HKEY_CURRENT_USER, xrefs: 00E13CE2
HKEY_USERS, xrefs: 00E13D04
HKEY_CURRENT_CONFIG, xrefs: 00E13CC0
HKU, xrefs: 00E13D15

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: BuffCharUpper
String ID: $E$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-1752687603
Opcode ID: 5ec38b74693f6137f3ffa570fa37ec4b4455255a9ba826c5d9d8fce4010d8b6d
Instruction ID: 12e4fb82f190a11ed7b0523349cefa54d74ecfb6c2861a114e83021268b3b0bc
Opcode Fuzzy Hash: 5ec38b74693f6137f3ffa570fa37ec4b4455255a9ba826c5d9d8fce4010d8b6d
Instruction Fuzzy Hash: 1E4160B015024A8BDF01EF20F952AEB3765FF52344F546458EC663B292EB709E5ACB70

Function 00DF55BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DF55D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00DF5664
GetMenuItemCount.USER32(00E71708), ref: 00DF56ED
DeleteMenu.USER32(00E71708,00000005,00000000,000000F5,?,?), ref: 00DF577D
DeleteMenu.USER32(00E71708,00000004,00000000), ref: 00DF5785
DeleteMenu.USER32(00E71708,00000006,00000000), ref: 00DF578D
DeleteMenu.USER32(00E71708,00000003,00000000), ref: 00DF5795
GetMenuItemCount.USER32(00E71708), ref: 00DF579D
SetMenuItemInfoW.USER32(00E71708,00000004,00000000,00000030), ref: 00DF57D3
GetCursorPos.USER32(?), ref: 00DF57DD
SetForegroundWindow.USER32(00000000), ref: 00DF57E6
TrackPopupMenuEx.USER32(00E71708,00000000,?,00000000,00000000,00000000), ref: 00DF57F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00DF5805

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: a82dad13b52324d627a1b33490af95fe83b16d089fd51f2d6313cdb0786a7c5d
Instruction ID: 97033825d50c34b5c83352badea852c68193a90a8b7a25ad4b5114b775d27975
Opcode Fuzzy Hash: a82dad13b52324d627a1b33490af95fe83b16d089fd51f2d6313cdb0786a7c5d
Instruction Fuzzy Hash: BE710630640A0DBEEB209B15EC49FBABF65FF01368F198205F728AA1D5C7719810D770

Function 00DEA14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DEA1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00DEA211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00DEA22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00DEA249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00DEA273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00DEA29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00DEA2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00DEA2AB

Strings

\CLSID, xrefs: 00DEA193
\IPC$, xrefs: 00DEA1F3
SOFTWARE\Classes\, xrefs: 00DEA17D

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: 09582d6613acda2473e0e5e611cca00b0a10eccf1e28f9804abe9c28c4c4d583
Instruction ID: 65ca5aa2fc421f70cb1049a5dcb96b8dcdef6848ae0f0e02a58f809de29018d0
Opcode Fuzzy Hash: 09582d6613acda2473e0e5e611cca00b0a10eccf1e28f9804abe9c28c4c4d583
Instruction Fuzzy Hash: B141D676C10629ABDB15EBA5EC85DEDB778FF04740F044469E902B31A1EB70AE05CBA0

Function 00DF67E9 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00DF67FD
__swprintf.LIBCMT ref: 00DF680A

Part of subcall function 00DD172B: __woutput_l.LIBCMT ref: 00DD1784

FindResourceW.KERNEL32(?,?,0000000E), ref: 00DF6834
LoadResource.KERNEL32(?,00000000), ref: 00DF6840
LockResource.KERNEL32(00000000), ref: 00DF684D
FindResourceW.KERNEL32(?,?,00000003), ref: 00DF686D
LoadResource.KERNEL32(?,00000000), ref: 00DF687F
SizeofResource.KERNEL32(?,00000000), ref: 00DF688E
LockResource.KERNEL32(?), ref: 00DF689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00DF68F9

Strings

5, xrefs: 00DF67F6

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID: 5
API String ID: 1433390588-3632891597
Opcode ID: 838d61c161ace91f5339ffa3f4fd68d708cde7aa4f7b7a0e30886c5572750cb0
Instruction ID: fcaa4f8d1ef29e9785496cf654dde41024d2325d30d8aa2001a53084f60e2236
Opcode Fuzzy Hash: 838d61c161ace91f5339ffa3f4fd68d708cde7aa4f7b7a0e30886c5572750cb0
Instruction Fuzzy Hash: A3318E7190021EAFDB109FA1ED49EBB7BA8EF08380F058429FA16E2190E730D955DB70

Function 00DF25B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00E236F4,00000010,?,Bad directive syntax error,00E4DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00DF25D6
LoadStringW.USER32(00000000,?,00E236F4,00000010), ref: 00DF25DD
_wprintf.LIBCMT ref: 00DF2610
__swprintf.LIBCMT ref: 00DF2632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00DF26A1

Strings

Error: , xrefs: 00DF266F
%s (%d) : ==> %s.: %s %s, xrefs: 00DF260B
Line %d (File "%s"):, xrefs: 00DF2647
., xrefs: 00DF2687
Line %d:, xrefs: 00DF262C

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: 69b40ce47279ba873ec31625fe82a7f28e703c31b4014cbb8d0ec57f3208f39f
Instruction ID: 22f27efd62387399b2eb1f0863f2f196bfa4c81501df367d0808e0fd300d839d
Opcode Fuzzy Hash: 69b40ce47279ba873ec31625fe82a7f28e703c31b4014cbb8d0ec57f3208f39f
Instruction Fuzzy Hash: CC21273184021EFECF11ABA0DC4AEEE7B39FB18344F044455F516661A2EA71A628DB70

Function 00DF7AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00DF7B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00DF7B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DF7B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00DF7B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00DF7B8C

Strings

play PlayMe wait, xrefs: 00DF7B76
close PlayMe, xrefs: 00DF7B53, 00DF7B80
status PlayMe mode, xrefs: 00DF7B3D
alias PlayMe, xrefs: 00DF7B1B
open , xrefs: 00DF7AF1
play PlayMe, xrefs: 00DF7B87

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: 639313f09d6a3596c88b717c524200603704f17ac8c0061c8a225c63c640ec1a
Instruction ID: f3ef8c6e83406cdc647b72f1cac9a19510476701c8469edcac82e295014f54a7
Opcode Fuzzy Hash: 639313f09d6a3596c88b717c524200603704f17ac8c0061c8a225c63c640ec1a
Instruction Fuzzy Hash: BD11C4A0A9035DB9D720B775DC4ADFF7B7CEBD2B40F00541AB412B20C1EEA05A45C5B0

Function 00DF778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00DF7794

Part of subcall function 00DCDC38: timeGetTime.WINMM(?,75A4B400,00E258AB), ref: 00DCDC3C

Sleep.KERNEL32(0000000A), ref: 00DF77C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 00DF77E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00DF7806
SetActiveWindow.USER32 ref: 00DF7825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00DF7833
SendMessageW.USER32(00000010,00000000,00000000), ref: 00DF7852
Sleep.KERNEL32(000000FA), ref: 00DF785D
IsWindow.USER32 ref: 00DF7869
EndDialog.USER32(00000000), ref: 00DF787A

Strings

BUTTON, xrefs: 00DF77F8

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 291a9b6b909cf951f2cbcbbdbc350e711a7ee8d5b01a21c856b493b715441e59
Instruction ID: aa5de1280ba3e25c5a5b91e1dffb6fcf56c8304fc833816e01ae0ed810e1d7d8
Opcode Fuzzy Hash: 291a9b6b909cf951f2cbcbbdbc350e711a7ee8d5b01a21c856b493b715441e59
Instruction Fuzzy Hash: CF21337420820DBFE7519B32FC8DAB53F6AFB44354F058014F61AA61B2CB719D58D631

Function 00E002EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 00DB936C: __swprintf.LIBCMT ref: 00DB93AB
Part of subcall function 00DB936C: __itow.LIBCMT ref: 00DB93DF

CoInitialize.OLE32(00000000), ref: 00E0034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00E003DE
SHGetDesktopFolder.SHELL32(?), ref: 00E003F2
CoCreateInstance.OLE32(00E3DA8C,00000000,00000001,00E63CF8,?), ref: 00E0043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00E004AD
CoTaskMemFree.OLE32(?,?), ref: 00E00505
_memset.LIBCMT ref: 00E00542
SHBrowseForFolderW.SHELL32(?), ref: 00E0057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00E005A1
CoTaskMemFree.OLE32(00000000), ref: 00E005A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00E005DF
CoUninitialize.OLE32(00000001,00000000), ref: 00E005E1

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 1efb1be7033218071b40eb4213165d3a0d3a9f424094620060d4dbe40a774949
Instruction ID: ff350c2f042f68cc03fc6a3366cc3fa2aa4b25f4ba37ba2c63ee27c30ee49d4a
Opcode Fuzzy Hash: 1efb1be7033218071b40eb4213165d3a0d3a9f424094620060d4dbe40a774949
Instruction Fuzzy Hash: DEB1E875A00209AFDB14DFA4D888EAEBBB9FF48304F149459F916EB251DB30ED45CB60

Function 00DF2E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00DF2ED6
SetKeyboardState.USER32(?), ref: 00DF2F41
GetAsyncKeyState.USER32(000000A0), ref: 00DF2F61
GetKeyState.USER32(000000A0), ref: 00DF2F78
GetAsyncKeyState.USER32(000000A1), ref: 00DF2FA7
GetKeyState.USER32(000000A1), ref: 00DF2FB8
GetAsyncKeyState.USER32(00000011), ref: 00DF2FE4
GetKeyState.USER32(00000011), ref: 00DF2FF2
GetAsyncKeyState.USER32(00000012), ref: 00DF301B
GetKeyState.USER32(00000012), ref: 00DF3029
GetAsyncKeyState.USER32(0000005B), ref: 00DF3052
GetKeyState.USER32(0000005B), ref: 00DF3060

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 10b9c953f5cd9fb7a305ba723058e04a1b543c4b2d16227c54ceb735ebcc225d
Instruction ID: c7f7068eb601a7280c6d5b5eefba5052a8a8d963347b14ee8a5ef8d087393bd5
Opcode Fuzzy Hash: 10b9c953f5cd9fb7a305ba723058e04a1b543c4b2d16227c54ceb735ebcc225d
Instruction Fuzzy Hash: 6951B660A0878C29FB35DBA488117FABFB49F11344F0EC59AD7C25A1C2DA549B8CC772

Function 00DEED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00DEED1E
GetWindowRect.USER32(00000000,?), ref: 00DEED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00DEED8E
GetDlgItem.USER32(?,00000002), ref: 00DEED99
GetWindowRect.USER32(00000000,?), ref: 00DEEDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00DEEE01
GetDlgItem.USER32(?,000003E9), ref: 00DEEE0F
GetWindowRect.USER32(00000000,?), ref: 00DEEE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00DEEE63
GetDlgItem.USER32(?,000003EA), ref: 00DEEE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00DEEE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 00DEEE9B

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: e26e079c8960159a3322054ae8d62a19ce9a182b8725de88436d840d0719cdaa
Instruction ID: a3c3741c27599130136094fb022fb7c96ff79104d902bcb50035fb230b8e1d29
Opcode Fuzzy Hash: e26e079c8960159a3322054ae8d62a19ce9a182b8725de88436d840d0719cdaa
Instruction Fuzzy Hash: FB512771B04609AFDF18DF69DD8AAAEBBB9FB88710F14812DF519E7290D7709D048B10

Function 00DCB73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00DCB759,?,00000000,?,?,?,?,00DCB72B,00000000,?), ref: 00DCBA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00DCB72B), ref: 00DCB7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,00DCB72B,00000000,?,?,00DCB2EF,?,?), ref: 00DCB88D
DestroyAcceleratorTable.USER32(00000000), ref: 00E2D8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00DCB72B,00000000,?,?,00DCB2EF,?,?), ref: 00E2D8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00DCB72B,00000000,?,?,00DCB2EF,?,?), ref: 00E2D8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00DCB72B,00000000,?,?,00DCB2EF,?,?), ref: 00E2D90A
DeleteObject.GDI32(00000000), ref: 00E2D91C

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 82b320b595e7e40aa4696965b2db441156e8ef4a6f8cf62139ecd06ee49eb475
Instruction ID: 2374db653893c3b1552f2d465429091037ebe98115992a9fc498466cd610374d
Opcode Fuzzy Hash: 82b320b595e7e40aa4696965b2db441156e8ef4a6f8cf62139ecd06ee49eb475
Instruction Fuzzy Hash: BE618B30504712DFDB298F5AEC8AB257BA5FF90725F14111EE586A7AA0C770E884CFA0

Function 00DCB40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 00DCB526: GetWindowLongW.USER32(?,000000EB), ref: 00DCB537

GetSysColor.USER32(0000000F), ref: 00DCB438

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: f111dd1f3b9ee10718c5158c438500823090ebf8b3d7df593685b15418d9045f
Instruction ID: f82babd77341ee613b19b3fc5dcde399df3509691d42b7c623acca8d3e807cac
Opcode Fuzzy Hash: f111dd1f3b9ee10718c5158c438500823090ebf8b3d7df593685b15418d9045f
Instruction Fuzzy Hash: 0741BF3000D515AFCB245F28AC8AFB93B65AB05734F18425AF9659F1E2C731CC41D731

Function 00DF690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00DF6923
_wcscpy.LIBCMT ref: 00DF6934
__wsplitpath.LIBCMT ref: 00DF6958
__wsplitpath.LIBCMT ref: 00DF6979
_wcscpy.LIBCMT ref: 00DF699B
_wcscpy.LIBCMT ref: 00DF69B9
_wcscpy.LIBCMT ref: 00DF69C7
_wcscat.LIBCMT ref: 00DF69D6
_wcscat.LIBCMT ref: 00DF6A2B
_wcscat.LIBCMT ref: 00DF6A61
_wcscat.LIBCMT ref: 00DF6A73

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: e1227600ee634b8d423f04a14847deba96461f6b8931e4d0a6d94aff8ceeb26d
Instruction ID: 692984ba1394c8268efb7995717ee031388fc30e50ce40d3d1ec3c106cfdaed5
Opcode Fuzzy Hash: e1227600ee634b8d423f04a14847deba96461f6b8931e4d0a6d94aff8ceeb26d
Instruction Fuzzy Hash: 56414E7684511CAECF61DB94DC42DDA77BDEB84300F0041E7B649A2141EB70ABE88F70

Function 00DFD76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00E4DC00,00E4DC00,00E4DC00), ref: 00DFD7CE
GetDriveTypeW.KERNEL32(?,00E63A70,00000061), ref: 00DFD898
_wcscpy.LIBCMT ref: 00DFD8C2

Strings

network, xrefs: 00DFD82C
removable, xrefs: 00DFD800
cdrom, xrefs: 00DFD7EA
unknown, xrefs: 00DFD859
ramdisk, xrefs: 00DFD842
fixed, xrefs: 00DFD816
all, xrefs: 00DFD7D4

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 1a61fd7261f0508c346b76f59247eb80dfdf7bc953762619d3c2b598af6d6c58
Instruction ID: a89288414e09b56ba24a36835c69ca41633392948f37a98028978701bb62e44f
Opcode Fuzzy Hash: 1a61fd7261f0508c346b76f59247eb80dfdf7bc953762619d3c2b598af6d6c58
Instruction Fuzzy Hash: 8451A031108309AFC700EF14D892BBEB7A6EF84354F14C92DF69A572A2DB71D905DA72

Function 00DB936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00DB93AB
__itow.LIBCMT ref: 00DB93DF

Part of subcall function 00DD1557: _xtow@16.LIBCMT ref: 00DD1578

Strings

0x%p, xrefs: 00E24CAD
%.15g, xrefs: 00DB93A5
True, xrefs: 00E24C8C
False, xrefs: 00E24C93

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: 817dd73413d92f9d1d5a70e9864bcef2294bd230e778223b1904a7f2b97bc15a
Instruction ID: 1d56d1f5b4b74736869fc5b6378d4624c14a2c3b79a9a83d8acd22d7bdfb0c39
Opcode Fuzzy Hash: 817dd73413d92f9d1d5a70e9864bcef2294bd230e778223b1904a7f2b97bc15a
Instruction Fuzzy Hash: 1B41B4B1504215EBEB28DB78E952FAAB7E5EF44304F24446EE54AE72C1EA31D941CB30

Function 00E1A1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00E1A259
CreateCompatibleDC.GDI32(00000000), ref: 00E1A260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00E1A273
SelectObject.GDI32(00000000,00000000), ref: 00E1A27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 00E1A286
DeleteDC.GDI32(00000000), ref: 00E1A28F
GetWindowLongW.USER32(?,000000EC), ref: 00E1A299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00E1A2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00E1A2B9

Strings

static, xrefs: 00E1A1F1

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: de44eff1f1e1febd033f128bc609d28e64e6497dbd5056d296539f0bfe43814e
Instruction ID: 3c37eeaeb06d0837d13350367ea0a1877b0f1fe3a470a343d13eb02a235eb71b
Opcode Fuzzy Hash: de44eff1f1e1febd033f128bc609d28e64e6497dbd5056d296539f0bfe43814e
Instruction Fuzzy Hash: 7631AE31101218AFDF115FA5EC09FEA3F69FF09364F140224FA19B20A0C731D860DBA0

Function 00DF6F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00DF6F1D
gethostname.WSOCK32(?,00000100), ref: 00DF6F37
gethostbyname.WSOCK32(?), ref: 00DF6F44
_wcscpy.LIBCMT ref: 00DF6F6C
inet_ntoa.WSOCK32(?), ref: 00DF6F8A
_strcat.LIBCMT ref: 00DF6F98
_wcscpy.LIBCMT ref: 00DF6FAF
WSACleanup.WSOCK32 ref: 00DF6FBD
_wcscpy.LIBCMT ref: 00DF6FCB

Strings

0.0.0.0, xrefs: 00DF6F66

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: 33508a59fb397228e6e6ee4d7f4c3f5c01e8bbbcea7e61ea5b7bf7a6be9bf470
Instruction ID: b2e85c25b254a0ca7bd4c854c3db7d4d7e9db5ec4aaf142caa38586d16da0786
Opcode Fuzzy Hash: 33508a59fb397228e6e6ee4d7f4c3f5c01e8bbbcea7e61ea5b7bf7a6be9bf470
Instruction Fuzzy Hash: 2111B47250821DAFCB24AB71BC4AEEA7BACEF40710F054166F245A6191EF70DA858A70

Function 00DD500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DD5047

Part of subcall function 00DD7C0E: __getptd_noexit.LIBCMT ref: 00DD7C0E

__gmtime64_s.LIBCMT ref: 00DD50E0
__gmtime64_s.LIBCMT ref: 00DD5116
__gmtime64_s.LIBCMT ref: 00DD5133
__allrem.LIBCMT ref: 00DD5189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DD51A5
__allrem.LIBCMT ref: 00DD51BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DD51DA
__allrem.LIBCMT ref: 00DD51F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DD520F
__invoke_watson.LIBCMT ref: 00DD5280

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: 374b8e551560e551409121b96f4a1552fb4f9c0858ad51f837a6b94f62d7c255
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: AD71D871A00B16ABE714AE79DC42B6A77A8EF14764F18422BF410DA385E770DD408BF0

Function 00DF4DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DF4DF8
GetMenuItemInfoW.USER32(00E71708,000000FF,00000000,00000030), ref: 00DF4E59
SetMenuItemInfoW.USER32(00E71708,00000004,00000000,00000030), ref: 00DF4E8F
Sleep.KERNEL32(000001F4), ref: 00DF4EA1
GetMenuItemCount.USER32(?), ref: 00DF4EE5
GetMenuItemID.USER32(?,00000000), ref: 00DF4F01
GetMenuItemID.USER32(?,-00000001), ref: 00DF4F2B
GetMenuItemID.USER32(?,?), ref: 00DF4F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00DF4FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DF4FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DF4FEB

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 6376b3d219c2afa743c72164750dc4793c381e9ee1cb1d148de71509ad043096
Instruction ID: 5b9dbc81c96a1e849cfe8e09ff213b86e7235d4f2f154bbc6020c85c67232002
Opcode Fuzzy Hash: 6376b3d219c2afa743c72164750dc4793c381e9ee1cb1d148de71509ad043096
Instruction Fuzzy Hash: 2A61587190428DAFDB21CFA8D888ABF7BB8EF41318F198159F646A7251D731AD45CB30

Function 00E19C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00E19C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00E19C9B
GetWindowLongW.USER32(?,000000F0), ref: 00E19CBF
_memset.LIBCMT ref: 00E19CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E19CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00E19D5A

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 5b7016080aafac2d3139f7300c8edb0a63c3f91d155b464c7d7c686aab8a2222
Instruction ID: 0a65392913a05dfcfa90ecc63173e83082a9a438fa2f5e07f43a1190766e62fc
Opcode Fuzzy Hash: 5b7016080aafac2d3139f7300c8edb0a63c3f91d155b464c7d7c686aab8a2222
Instruction Fuzzy Hash: 71618E75900208AFDB10DFA8DC81EEEB7B8EF09714F144199FA15E7292D770AD85DB60

Function 00DE94E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00DE94FE
SafeArrayAllocData.OLEAUT32(?), ref: 00DE9549
VariantInit.OLEAUT32(?), ref: 00DE955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 00DE957B
VariantCopy.OLEAUT32(?,?), ref: 00DE95BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 00DE95D2
VariantClear.OLEAUT32(?), ref: 00DE95E7
SafeArrayDestroyData.OLEAUT32(?), ref: 00DE95F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DE95FD
VariantClear.OLEAUT32(?), ref: 00DE960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DE961A

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: e987f01657ffe6708fbcd30eced12511088ce054aba491e7d54adece8abe30e6
Instruction ID: 446d3a60572e39e136fc71486a220e9bbe3d4c30f46a010fd3f6033767c133f1
Opcode Fuzzy Hash: e987f01657ffe6708fbcd30eced12511088ce054aba491e7d54adece8abe30e6
Instruction Fuzzy Hash: 81412B71900219AFCB01EFA6EC589DEBF79EF08354F008069E512A7251DB70AA45CBB0

Function 00E0BB08 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E0BB5C
VariantInit.OLEAUT32(?), ref: 00E0BC2D
VariantInit.OLEAUT32(?), ref: 00E0BD2E
VariantClear.OLEAUT32(?), ref: 00E0BD38
VariantClear.OLEAUT32(?), ref: 00E0BD99

Strings

|?, xrefs: 00E0BBFE, 00E0BC01
h?, xrefs: 00E0BBD7, 00E0BBDA
Null Object assignment in FOR..IN loop, xrefs: 00E0BBBD, 00E0BCEB, 00E0BDA7
Incorrect Object type in FOR..IN loop, xrefs: 00E0BD11

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?$|?
API String ID: 2862541840-300242882
Opcode ID: b9fa839bca048f10a038966576ff88f5d62823cf19b4090ab9b0d10256bce1f3
Instruction ID: 58426f78524521d2ac6682cb3d680e578d19ae8b24c5e6f9fb43a207669117bd
Opcode Fuzzy Hash: b9fa839bca048f10a038966576ff88f5d62823cf19b4090ab9b0d10256bce1f3
Instruction Fuzzy Hash: 4A916071A00219ABDB24CFA5D888FEEBBB8FF85714F109559F515BB280D7709984CFA0

Function 00E0ADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00DB936C: __swprintf.LIBCMT ref: 00DB93AB
Part of subcall function 00DB936C: __itow.LIBCMT ref: 00DB93DF

CoInitialize.OLE32 ref: 00E0ADF6
CoUninitialize.OLE32 ref: 00E0AE01
CoCreateInstance.OLE32(?,00000000,00000017,00E3D8FC,?), ref: 00E0AE61
IIDFromString.OLE32(?,?), ref: 00E0AED4
VariantInit.OLEAUT32(?), ref: 00E0AF6E
VariantClear.OLEAUT32(?), ref: 00E0AFCF

Strings

Invalid parameter, xrefs: 00E0AEED
Failed to create object, xrefs: 00E0AE6C, 00E0AF22
NULL Pointer assignment, xrefs: 00E0AEA6

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: a0e40ea002862434975052d68c23616975cfef98b4f1e90a6eaf10e19e5a008c
Instruction ID: 582d64689632bc2f831bec4f95f5e0ffc07ed30c547fd7e9eedc126e0641fd36
Opcode Fuzzy Hash: a0e40ea002862434975052d68c23616975cfef98b4f1e90a6eaf10e19e5a008c
Instruction Fuzzy Hash: 08618B712083169FC711DF54D848BAABBE8EF44714F185429F985AB2D1C770ED89CBA3

Function 00E08107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00E08168
inet_addr.WSOCK32(?,?,?), ref: 00E081AD
gethostbyname.WSOCK32(?), ref: 00E081B9
IcmpCreateFile.IPHLPAPI ref: 00E081C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00E08237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00E0824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00E082C2
WSACleanup.WSOCK32 ref: 00E082C8

Strings

Ping, xrefs: 00E081EB

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 7dd0bbdeb6c6eb1fa48f5c820429df783fbf72abd162d76558ca3ab0b9e709c6
Instruction ID: 6ce6d06450909d1ad4af9f7eb12f9995174f20681ed86e4aabbaae1e4dc5ae6d
Opcode Fuzzy Hash: 7dd0bbdeb6c6eb1fa48f5c820429df783fbf72abd162d76558ca3ab0b9e709c6
Instruction Fuzzy Hash: C451C1316047019FD710DF65DE49B6ABBE5EF48310F04882AFA96E72E1DB70E944CB61

Function 00E19E43 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E19E5B
CreateMenu.USER32 ref: 00E19E76
SetMenu.USER32(?,00000000), ref: 00E19E85
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E19F12
IsMenu.USER32(?), ref: 00E19F28
CreatePopupMenu.USER32 ref: 00E19F32
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E19F63
DrawMenuBar.USER32 ref: 00E19F71

Strings

0, xrefs: 00E19E54

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0
API String ID: 176399719-4108050209
Opcode ID: 92607f29d76ae287f1e17a7fa9ba4f207d1ab3c91f9c93b708fcec19ed5fcc6a
Instruction ID: 9696156f8dbc307e1ee7033e59bd647c2188a5e4e9a207b122387d081f9137de
Opcode Fuzzy Hash: 92607f29d76ae287f1e17a7fa9ba4f207d1ab3c91f9c93b708fcec19ed5fcc6a
Instruction Fuzzy Hash: BC417C74A00209EFDB10DFA5D858BEABBB5FF48314F144019F946A7361D734A994CF50

Function 00DFE389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00DFE396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00DFE40C
GetLastError.KERNEL32 ref: 00DFE416
SetErrorMode.KERNEL32(00000000,READY), ref: 00DFE483

Strings

INVALID, xrefs: 00DFE455
NOTREADY, xrefs: 00DFE442
READONLY, xrefs: 00DFE44E
READY, xrefs: 00DFE45C
UNKNOWN, xrefs: 00DFE43B

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 909bc602b3828dd0eb1b1f23b1fcc5e15d2d10ae3ae641b48010d0a3090891c1
Instruction ID: 853481067fcd2f56756616960d42191621877eec7dc0c687d98f56a0f47fdd26
Opcode Fuzzy Hash: 909bc602b3828dd0eb1b1f23b1fcc5e15d2d10ae3ae641b48010d0a3090891c1
Instruction Fuzzy Hash: 66314135A4020DDFDB01EBA8D945ABDBBB4EF44340F15C069FA16A72A1DA70DA01CBB1

Function 00DEB907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00DEB98C
GetDlgCtrlID.USER32 ref: 00DEB997
GetParent.USER32 ref: 00DEB9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 00DEB9B6
GetDlgCtrlID.USER32(?), ref: 00DEB9BF
GetParent.USER32(?), ref: 00DEB9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 00DEB9DE

Strings

ListBox, xrefs: 00DEB949
ComboBox, xrefs: 00DEB911

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 52ed808e5a5073d0a4223f11e72689217e220dbaa9375bd037a6fe4b9bc342e3
Instruction ID: 63a0b79e57b5c81d74fde332c2c463ea914c0c390915f64abe908c3e014eaf18
Opcode Fuzzy Hash: 52ed808e5a5073d0a4223f11e72689217e220dbaa9375bd037a6fe4b9bc342e3
Instruction Fuzzy Hash: CC21A4B4900108AFDB05ABA5DC86EFEBBB5EB45310B10011AF662A72D2DB7599199F30

Function 00DEB9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00DEBA73
GetDlgCtrlID.USER32 ref: 00DEBA7E
GetParent.USER32 ref: 00DEBA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00DEBA9D
GetDlgCtrlID.USER32(?), ref: 00DEBAA6
GetParent.USER32(?), ref: 00DEBAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 00DEBAC5

Strings

ListBox, xrefs: 00DEBA32
ComboBox, xrefs: 00DEB9FA

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 607939917bef864c02a3401c09c61ee3624abf3e12742ac296535f1edd4f3932
Instruction ID: 7ba5f7761b95011326d33a2732dc690032c76f84383a5be0dcafce33d9737d1c
Opcode Fuzzy Hash: 607939917bef864c02a3401c09c61ee3624abf3e12742ac296535f1edd4f3932
Instruction Fuzzy Hash: 4221B0B4A40248BFDF01ABA5DC86EFEBB79EF45310F14001AF562A3191DBB599199B30

Function 00DEBAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00DEBAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 00DEBAF8
_wcscmp.LIBCMT ref: 00DEBB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00DEBB85

Strings

largeicons, xrefs: 00DEBB19
SHELLDLL_DefView, xrefs: 00DEBB04
details, xrefs: 00DEBB33
smallicons, xrefs: 00DEBB4D
list, xrefs: 00DEBB67

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 4cda4902a384f04c830e925080a50cdc9efe7ffe80f595bd0d5c14f3f1c35797
Instruction ID: e34b3358c9852934d853ff64030e92607686a6d7e62333013db54a8b5367065f
Opcode Fuzzy Hash: 4cda4902a384f04c830e925080a50cdc9efe7ffe80f595bd0d5c14f3f1c35797
Instruction Fuzzy Hash: 0911CE76648786FAFA207632EC0BDA73B98DF51774B200027FA58F40D9EBA2A8114534

Function 00E0B2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E0B2D5
CoInitialize.OLE32(00000000), ref: 00E0B302
CoUninitialize.OLE32 ref: 00E0B30C
GetRunningObjectTable.OLE32(00000000,?), ref: 00E0B40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 00E0B539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 00E0B56D
CoGetObject.OLE32(?,00000000,00E3D91C,?), ref: 00E0B590
SetErrorMode.KERNEL32(00000000), ref: 00E0B5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00E0B623
VariantClear.OLEAUT32(00E3D91C), ref: 00E0B633

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: b24d3ca17af19dd7526d75b28786f572ad9b10ca4ca8384416514ee77944df72
Instruction ID: 9d9567e23caf731cce1a7033417cd4c161e7ea5a577c2866699881b02c46a2e8
Opcode Fuzzy Hash: b24d3ca17af19dd7526d75b28786f572ad9b10ca4ca8384416514ee77944df72
Instruction Fuzzy Hash: 02C13371608305AFC704DF64C884A6BBBE9FF88708F00595DF58AAB291DB71ED45CB62

Function 00DDACB3 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00DDACC1

Part of subcall function 00DD7CF4: __mtinitlocknum.LIBCMT ref: 00DD7D06
Part of subcall function 00DD7CF4: EnterCriticalSection.KERNEL32(00000000,?,00DD7ADD,0000000D), ref: 00DD7D1F

__calloc_crt.LIBCMT ref: 00DDACD2

Part of subcall function 00DD6986: __calloc_impl.LIBCMT ref: 00DD6995
Part of subcall function 00DD6986: Sleep.KERNEL32(00000000,000003BC,00DCF507,?,0000000E), ref: 00DD69AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 00DDACED
GetStartupInfoW.KERNEL32(?,00E66E28,00000064,00DD5E91,00E66C70,00000014), ref: 00DDAD46
__calloc_crt.LIBCMT ref: 00DDAD91
GetFileType.KERNEL32(00000001), ref: 00DDADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00DDAE11

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: d480cf1e1158684ac7a0c78532c9d26f802d360f3d78263fd9b9d51265902f85
Instruction ID: 2e5c326180d19943dfd2b8ba3dbe926672e3c69cded31d6585a11b414195f91f
Opcode Fuzzy Hash: d480cf1e1158684ac7a0c78532c9d26f802d360f3d78263fd9b9d51265902f85
Instruction Fuzzy Hash: 9E81D271A053458FDB14CF7CC8405A9BBF0AF45320B28825EE4AAAB3E1D734D843CB66

Function 00DF4025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00DF4047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00DF30A5,?,00000001), ref: 00DF405B
GetWindowThreadProcessId.USER32(00000000), ref: 00DF4062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DF30A5,?,00000001), ref: 00DF4071
GetWindowThreadProcessId.USER32(?,00000000), ref: 00DF4083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00DF30A5,?,00000001), ref: 00DF409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DF30A5,?,00000001), ref: 00DF40AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00DF30A5,?,00000001), ref: 00DF40F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00DF30A5,?,00000001), ref: 00DF4108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00DF30A5,?,00000001), ref: 00DF4113

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 735034c2dfa59161b1f62a04b62d428cd6ba077b63e2b294eecf38df89ac3927
Instruction ID: a37209c6ad5715d9b82061ae5d04bc1728d0b31fa91f69384107b745ef8ef5dc
Opcode Fuzzy Hash: 735034c2dfa59161b1f62a04b62d428cd6ba077b63e2b294eecf38df89ac3927
Instruction Fuzzy Hash: DA31C575500209BFEB12DF66EC4AB7AB7BDAB90311F15C006FA08F6260CB74D9848B71

Function 00E2DD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00DCB496
SetTextColor.GDI32(?,000000FF), ref: 00DCB4A0
SetBkMode.GDI32(?,00000001), ref: 00DCB4B5
GetStockObject.GDI32(00000005), ref: 00DCB4BD
GetClientRect.USER32(?), ref: 00E2DD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 00E2DD7A
GetWindowDC.USER32(?), ref: 00E2DD86
GetPixel.GDI32(00000000,?,?), ref: 00E2DD95
ReleaseDC.USER32(?,00000000), ref: 00E2DDA7
GetSysColor.USER32(00000005), ref: 00E2DDC5

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 8e96ff1361e042c40baa16ccf6f03039a0ab8d04dbfe451c17b1db19ea18bf58
Instruction ID: 1c1c6d740937363dc06e949fdfe17cb330807daf2a49224de7a7aa611330c242
Opcode Fuzzy Hash: 8e96ff1361e042c40baa16ccf6f03039a0ab8d04dbfe451c17b1db19ea18bf58
Instruction Fuzzy Hash: 62116731508609FFDB216BB5FC0EFA97F61EB04325F108265FA66A50E2CB324945EB20

Function 00DB3093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00DB30DC
CoUninitialize.OLE32(?,00000000), ref: 00DB3181
UnregisterHotKey.USER32(?), ref: 00DB32A9
DestroyWindow.USER32(?), ref: 00E25079
FreeLibrary.KERNEL32(?), ref: 00E250F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E25125

Strings

close all, xrefs: 00DB30D7

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 8b8c9637aa61e84b2662494fcc7e49ad9e61ed0ef7a23247ea23569d182ddd28
Instruction ID: 17bf86699f707335451ff09e97b332d94923fb813768d1b60d3341919ff4027c
Opcode Fuzzy Hash: 8b8c9637aa61e84b2662494fcc7e49ad9e61ed0ef7a23247ea23569d182ddd28
Instruction Fuzzy Hash: B9912831600216CFC705EF14D995FA8F3A4FF04304F5452A9E50AA7262DF30AE6ADF64

Function 00DCCB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00DCCC15

Part of subcall function 00DCCCCD: GetClientRect.USER32(?,?), ref: 00DCCCF6
Part of subcall function 00DCCCCD: GetWindowRect.USER32(?,?), ref: 00DCCD37
Part of subcall function 00DCCCCD: ScreenToClient.USER32(?,?), ref: 00DCCD5F

GetDC.USER32 ref: 00E2D137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E2D14A
SelectObject.GDI32(00000000,00000000), ref: 00E2D158
SelectObject.GDI32(00000000,00000000), ref: 00E2D16D
ReleaseDC.USER32(?,00000000), ref: 00E2D175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00E2D200

Strings

U, xrefs: 00E2D0D5

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 1d83d591f36d3e537d94224d9e59912e594d4c427c64db83aec292abf9628f50
Instruction ID: 05ee41e3cbc99da120c12d0f2f65c2d14d86695d38e1323747c4e66ad7447ba8
Opcode Fuzzy Hash: 1d83d591f36d3e537d94224d9e59912e594d4c427c64db83aec292abf9628f50
Instruction Fuzzy Hash: EA71B031404209DFCF219F64EC85EEA7BB6FF48314F186269EE596B2A5C7318891DB60

Function 00E1ECD4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DCB35F

Part of subcall function 00DCB63C: GetCursorPos.USER32(000000FF), ref: 00DCB64F
Part of subcall function 00DCB63C: ScreenToClient.USER32(00000000,000000FF), ref: 00DCB66C
Part of subcall function 00DCB63C: GetAsyncKeyState.USER32(00000001), ref: 00DCB691
Part of subcall function 00DCB63C: GetAsyncKeyState.USER32(00000002), ref: 00DCB69F

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 00E1ED3C
ImageList_EndDrag.COMCTL32 ref: 00E1ED42
ReleaseCapture.USER32 ref: 00E1ED48
SetWindowTextW.USER32(?,00000000), ref: 00E1EDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00E1EE03
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 00E1EEDC

Strings

@GUI_DROPID, xrefs: 00E1EE33
@GUI_DRAGFILE, xrefs: 00E1EE77

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: d6bca0ebe70a7dcd0cbee2e43c51d5ab218c49be8d6e9e7ff8cdc1da92478339
Instruction ID: bc12e1c33c298acdd93b1a8bf1f8565870ec8bf495ce69cdaa53b8b296dd5279
Opcode Fuzzy Hash: d6bca0ebe70a7dcd0cbee2e43c51d5ab218c49be8d6e9e7ff8cdc1da92478339
Instruction Fuzzy Hash: A851BD70204304AFD710DF24DC8AFAA77E5FB88714F44591DF996A72E1DB709988CB62

Function 00E045C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E045FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00E0462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00E0466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00E04682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E0468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00E046BF
InternetCloseHandle.WININET(00000000), ref: 00E04706

Part of subcall function 00E05052: GetLastError.KERNEL32(?,?,00E043CC,00000000,00000000,00000001), ref: 00E05067

Strings

, xrefs: 00E046B8

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: 3d0b849e8e38665e7fb78d4a859b1af1e10699680be40a47582697694c4a44d4
Instruction ID: 1e1b87d7ac9c47bcf3b63ed9b02436556b0bf5cb5b31a41c15e1a64be0a314f6
Opcode Fuzzy Hash: 3d0b849e8e38665e7fb78d4a859b1af1e10699680be40a47582697694c4a44d4
Instruction Fuzzy Hash: 65416DF2501209BFEB029F50DD89FBB7BACEF09354F005116FA05BA1C1E7B199848BA4

Function 00E0B644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00E4DC00), ref: 00E0B715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00E4DC00), ref: 00E0B749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00E0B8C1
SysFreeString.OLEAUT32(?), ref: 00E0B8EB

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 413aec5cc93644576df1595623ab09f27bb6493ec6eabe5bd1b1f6f75e815cc6
Instruction ID: e26f1842cf621c99e9f162ee536c58e1f4c3db26b465bc27f5f1ab408ae9258a
Opcode Fuzzy Hash: 413aec5cc93644576df1595623ab09f27bb6493ec6eabe5bd1b1f6f75e815cc6
Instruction Fuzzy Hash: 86F12C75A00109EFCF04DF94C888EAEB7B9FF49315F149459F915AB290DB31AE85CB60

Function 00E124D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E124F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E12688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E126AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E126EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E1270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E1286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00E128A1
CloseHandle.KERNEL32(?), ref: 00E128D0
CloseHandle.KERNEL32(?), ref: 00E12947

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 61cfa870a1bfb981a76d2169eb99d764d29edf7f58b392995d8dcf28bb3bd7f8
Instruction ID: 47bb3e16958b3ce674889177459babaa915bc0f528ecad19691fefb2404bcf06
Opcode Fuzzy Hash: 61cfa870a1bfb981a76d2169eb99d764d29edf7f58b392995d8dcf28bb3bd7f8
Instruction Fuzzy Hash: B8D19E31604241DFCB14EF24C891BAEBBE5EF84314F14945DFA8AAB2A1DB31DC54CB62

Function 00E1B33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00E1B3F4

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 48ff1b40b1c7574457d72d2b2b355ea9b34105d2d41a9c347d9f0eb4973e3f2c
Instruction ID: 6cb1095b23d08df920cbc2c695b4d634ebb19900af25d98effcca5b9374c9647
Opcode Fuzzy Hash: 48ff1b40b1c7574457d72d2b2b355ea9b34105d2d41a9c347d9f0eb4973e3f2c
Instruction Fuzzy Hash: 1451A170500208BFEB209F69CC89BEE3B65EB05328F645115F635F61E2D7B1E9D48B61

Function 00DCA699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00E2DB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E2DB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00E2DB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00E2DB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00E2DB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00DCA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00E2DBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00E2DBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00DCA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00E2DBC8

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 7d2bbed22293b670e904e2e7b50af07ab3039758ca5cfb44a8e01b9a1cb99ada
Instruction ID: e700775438b4f898e2bdaea5eb098dbb9b4e5154b83ac9c5504658e41a029a2f
Opcode Fuzzy Hash: 7d2bbed22293b670e904e2e7b50af07ab3039758ca5cfb44a8e01b9a1cb99ada
Instruction Fuzzy Hash: 81515870604209EFDB20DF69DC96FAA3BB8BB08758F100519FA46A72D0D770EC80DB60

Function 00DF7555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DF5FA6,?), ref: 00DF6ED8

Part of subcall function 00DF6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DF5FA6,?), ref: 00DF6EF1

Part of subcall function 00DF72CB: GetFileAttributesW.KERNEL32(?,00DF6019), ref: 00DF72CC

lstrcmpiW.KERNEL32(?,?), ref: 00DF75CA
_wcscmp.LIBCMT ref: 00DF75E2
MoveFileW.KERNEL32(?,?), ref: 00DF75FB

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 2e56470f766cf9941d9eef405c7d30b73df7226f0aa969637de456cf89948e81
Instruction ID: f8a3f7b45e9fee1e7bc6b17d33a1d73fb5f4e47d34060f110ccf8651166d6a3d
Opcode Fuzzy Hash: 2e56470f766cf9941d9eef405c7d30b73df7226f0aa969637de456cf89948e81
Instruction Fuzzy Hash: 855101B2A0921D9ADF50EB94E8459ED77BCDF48310F04809AF605E3541EA74D6C9CB74

Function 00DCEA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00E2DAD1,00000004,00000000,00000000), ref: 00DCEAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,00E2DAD1,00000004,00000000,00000000), ref: 00DCEB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,00E2DAD1,00000004,00000000,00000000), ref: 00E2DC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00E2DAD1,00000004,00000000,00000000), ref: 00E2DCF2

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e6942778258b89c555f47ccc9b7342b4d12bb4e5b99e628edb0898ad45889267
Instruction ID: f274694f3599ee817609b49ff3f5f3f32ad133875087f60f2837dc3dabb75745
Opcode Fuzzy Hash: e6942778258b89c555f47ccc9b7342b4d12bb4e5b99e628edb0898ad45889267
Instruction Fuzzy Hash: 1841E4F020C6829ED7394B29AE8EF7ABB97AB45314F1D140DF187A3561C670AC84C731

Function 00DEB263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00DEAEF1,00000B00,?,?), ref: 00DEB26C
HeapAlloc.KERNEL32(00000000,?,00DEAEF1,00000B00,?,?), ref: 00DEB273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00DEAEF1,00000B00,?,?), ref: 00DEB288
GetCurrentProcess.KERNEL32(?,00000000,?,00DEAEF1,00000B00,?,?), ref: 00DEB290
DuplicateHandle.KERNEL32(00000000,?,00DEAEF1,00000B00,?,?), ref: 00DEB293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00DEAEF1,00000B00,?,?), ref: 00DEB2A3
GetCurrentProcess.KERNEL32(00DEAEF1,00000000,?,00DEAEF1,00000B00,?,?), ref: 00DEB2AB
DuplicateHandle.KERNEL32(00000000,?,00DEAEF1,00000B00,?,?), ref: 00DEB2AE
CreateThread.KERNEL32(00000000,00000000,00DEB2D4,00000000,00000000,00000000), ref: 00DEB2C8

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: f1f89694973af2b98fe6538e60a3f72995d3f24aa296bf9e61bb3dc611d168d9
Instruction ID: 71838a9a54c48f8824560390d8a162a2f9c24bc5a159ac5c6b20c92d59b4717e
Opcode Fuzzy Hash: f1f89694973af2b98fe6538e60a3f72995d3f24aa296bf9e61bb3dc611d168d9
Instruction Fuzzy Hash: A601BBB5644348BFE710ABA6EC4DF6B7FACEB88B11F018411FA05DB1A1CA749C04CB61

Function 00E0C43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00E0C49E
NULL Pointer assignment, xrefs: 00E0C876, 00E0C887

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 006876edde9ad1fd250c05b6223b7ef90127ae14b9abf559d9cf5c3b054584ab
Instruction ID: 1d882f090932e70eacb9a9340c22e26723696a209e82d1e1431aae4da69c9bfa
Opcode Fuzzy Hash: 006876edde9ad1fd250c05b6223b7ef90127ae14b9abf559d9cf5c3b054584ab
Instruction Fuzzy Hash: 2DE1B271A00219AFCF14DFA4D885AEEB7B5EF48714F249229F905B72C1D770AD85CBA0

Function 00E016DA Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 00DB936C: __swprintf.LIBCMT ref: 00DB93AB
Part of subcall function 00DB936C: __itow.LIBCMT ref: 00DB93DF

Part of subcall function 00DCC6F4: _wcscpy.LIBCMT ref: 00DCC717

_wcstok.LIBCMT ref: 00E0184E
_wcscpy.LIBCMT ref: 00E018DD
_memset.LIBCMT ref: 00E01910

Strings

p2, xrefs: 00E01920
X, xrefs: 00E01948

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X$p2
API String ID: 774024439-3332900272
Opcode ID: 1d8455e22dfcbacd5c9d6d9073c5ad4948092274fb96a4e9a4189268e5647662
Instruction ID: f4f1a9d6b74b0997d22a8e4dba7a0ccdcde9b81664d249c6c96387afb47f743d
Opcode Fuzzy Hash: 1d8455e22dfcbacd5c9d6d9073c5ad4948092274fb96a4e9a4189268e5647662
Instruction Fuzzy Hash: 77C16C30608340DFC714EF64C991A9EB7E4FF85354F04596DF59AAB2A2DB30E944CBA2

Function 00E19A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00E19B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 00E19B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00E19B47
_wcscat.LIBCMT ref: 00E19BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 00E19BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00E19BE7

Strings

SysListView32, xrefs: 00E19AEB

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 3ce59e2c8a518ed1c601fe0b7a165a209926422921441da3c633b789db728381
Instruction ID: b2c7f922dbfc8ba31a5a21c026969cba4b9f781ce0bc21bc1f31f3a866957308
Opcode Fuzzy Hash: 3ce59e2c8a518ed1c601fe0b7a165a209926422921441da3c633b789db728381
Instruction Fuzzy Hash: 1F41A171944308AFDB219FA4DC85FEE7BA8EF08354F10442AF589B7292D7719D88CB64

Function 00E1172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 00DF6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00DF6554
Part of subcall function 00DF6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00DF6564
Part of subcall function 00DF6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00DF65F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E1179A
GetLastError.KERNEL32 ref: 00E117AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E117D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 00E11855
GetLastError.KERNEL32(00000000), ref: 00E11860
CloseHandle.KERNEL32(00000000), ref: 00E11895

Strings

SeDebugPrivilege, xrefs: 00E117B8

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 8651898b1abde746c520e3548fb8fe251ecddc6aa7c920480e9b26f08d544203
Instruction ID: 73135902040cec78a199b94f1c48b5104ae63a2fb4fe6c006976d483ca483b86
Opcode Fuzzy Hash: 8651898b1abde746c520e3548fb8fe251ecddc6aa7c920480e9b26f08d544203
Instruction Fuzzy Hash: 8741AB71600205AFDB05EF54CDA5FBEB7A1EF44314F09C099FA06AF2D2DB74A9448B61

Function 00DF5819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00DF58B8

Strings

stop, xrefs: 00DF5889
question, xrefs: 00DF5871
warning, xrefs: 00DF58A1
blank, xrefs: 00DF583A
info, xrefs: 00DF5859

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 1d141f10cb4c30aafadded8dc7364275e9d604e42e04a32d0704451395994c9b
Instruction ID: 6de052bfab9f7dfcff1ae9bfe66db75c8ef5b4c966101453e6690e540ecd5881
Opcode Fuzzy Hash: 1d141f10cb4c30aafadded8dc7364275e9d604e42e04a32d0704451395994c9b
Instruction Fuzzy Hash: 0B11D83164974AFAA7115B64FC82DBE679CDF653A4F21403BF741B5281E7A0AA0042B4

Function 00DFA729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00DFA806

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 4f7acb7a490effc0b7a58712c408efc674500eb159dde1bd74ca8686b7e51ed3
Instruction ID: ab0c549f8fcabcaf0b77041fa3fd7db42417d8a10a951fa24d78ad82d44a21ec
Opcode Fuzzy Hash: 4f7acb7a490effc0b7a58712c408efc674500eb159dde1bd74ca8686b7e51ed3
Instruction Fuzzy Hash: C3C19BB5A0420ADFDB04CF98D481BBEB7F4EF08314F25806AE659E7241C774AA45CBB1

Function 00DF6B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00DF6B63
LoadStringW.USER32(00000000), ref: 00DF6B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00DF6B80
LoadStringW.USER32(00000000), ref: 00DF6B87
_wprintf.LIBCMT ref: 00DF6BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00DF6BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00DF6BA8

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 0cfd0316f1b7798f757536f1e16ec1965aaeb026cd62f2999c219394d9dfc810
Instruction ID: b4f8fd26e714fa93e5184d3723d2fee7bf27f2033565f566af7f04dc9b8bb00e
Opcode Fuzzy Hash: 0cfd0316f1b7798f757536f1e16ec1965aaeb026cd62f2999c219394d9dfc810
Instruction Fuzzy Hash: B8011DF690421CBFEB11ABA5AD8DEF7766CD708304F0044A1B746E2141EAB4DE888B70

Function 00E12B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E13C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E12BB5,?,?), ref: 00E13C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E12BF6

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: 577b45acf8d99cd9b02eb52932b2100a431dd781179f5a6358680045555bc1b0
Instruction ID: 46a8f3e206b261459465969eca034c695f352ccc0a815469125bc088035836db
Opcode Fuzzy Hash: 577b45acf8d99cd9b02eb52932b2100a431dd781179f5a6358680045555bc1b0
Instruction Fuzzy Hash: 429189312042059FCB01EF14CC85BAEB7E5FF88314F04981DFA96A72A1DB30E955CB62

Function 00E095BF Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 00E09691
WSAGetLastError.WSOCK32(00000000), ref: 00E0969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 00E096C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00E096E9
WSAGetLastError.WSOCK32(00000000), ref: 00E096F8
htons.WSOCK32(?,?,?,00000000,?), ref: 00E097AA
inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,00E4DC00), ref: 00E09765

Part of subcall function 00DED2FF: _strlen.LIBCMT ref: 00DED309

_strlen.LIBCMT ref: 00E09800

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ErrorLast_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3480843537-0
Opcode ID: 42c69e609c861140701b14afa767bcea64b6bc893f88d82d1fa2117fead74e7e
Instruction ID: c416375e590b1b610c905cdf52c663abaa9d012a0fe7845c52ace9fce41ce050
Opcode Fuzzy Hash: 42c69e609c861140701b14afa767bcea64b6bc893f88d82d1fa2117fead74e7e
Instruction Fuzzy Hash: 6981BD31508200ABC714EF64DC85FAFBBA9EF85714F10461DF556AB292EB30D944CBB6

Function 00DDA979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 00DDA991

Part of subcall function 00DD7D7C: __FF_MSGBANNER.LIBCMT ref: 00DD7D91
Part of subcall function 00DD7D7C: __NMSG_WRITE.LIBCMT ref: 00DD7D98
Part of subcall function 00DD7D7C: __malloc_crt.LIBCMT ref: 00DD7DB8

__lock.LIBCMT ref: 00DDA9A4
__lock.LIBCMT ref: 00DDA9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00E66DE0,00000018,00DE5E7B,?,00000000,00000109), ref: 00DDAA0C
EnterCriticalSection.KERNEL32(8000000C,00E66DE0,00000018,00DE5E7B,?,00000000,00000109), ref: 00DDAA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 00DDAA39

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 48ee73f9590acbd018c144004a4ea99b54320f1eeb9f0c04309cd76ad1ed7704
Instruction ID: ab93cfc3b6836bb1745880a54943765a8b0db047a767a1b8f98e02fae0ae0eb9
Opcode Fuzzy Hash: 48ee73f9590acbd018c144004a4ea99b54320f1eeb9f0c04309cd76ad1ed7704
Instruction Fuzzy Hash: 5F412271A002059FEB10DF6CDA44759BBA0AF41334F15C31AE529AB3D1DB749845CBB2

Function 00E18ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00E18EE4
GetDC.USER32(00000000), ref: 00E18EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E18EF7
ReleaseDC.USER32(00000000,00000000), ref: 00E18F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00E18F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00E18F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00E1BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00E18F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00E18FAA

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 2e0b9e95c5174ccbf7d4dfcff2c72f2d40d644e28487a3d333da8b921b677a43
Instruction ID: c46a2c3e37b03ecde5e2675d5558b5985f0b6618549932f712aa326c60993662
Opcode Fuzzy Hash: 2e0b9e95c5174ccbf7d4dfcff2c72f2d40d644e28487a3d333da8b921b677a43
Instruction Fuzzy Hash: 6A317F72204618BFEB118F51DD4AFEA3FAEEF49715F044065FE09AA191C6759842CB70

Function 00E20133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DCB35F

GetSystemMetrics.USER32(0000000F), ref: 00E2016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 00E2038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00E203AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 00E203D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00E203FF
ShowWindow.USER32(00000003,00000000), ref: 00E20421
DefDlgProcW.USER32(?,00000005,?,?), ref: 00E20440

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: 94d02abe08c328023b66581107c733da9c9d12be538c602589b466ddd530a322
Instruction ID: 24a053f60534673346ef7e2de92ac62d3e251d7d41e1f27b8510d46f68f43f3c
Opcode Fuzzy Hash: 94d02abe08c328023b66581107c733da9c9d12be538c602589b466ddd530a322
Instruction Fuzzy Hash: 0BA1CD3160062AEFDB18CF68D9897BDBBB1BF08714F149115EC59BB292D734AD60CB90

Function 00DCAE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8c525103962b0427bb41aeb94d45ad8d58176bcf08c43e7560c5b320723aa8
Instruction ID: 99f14aa037539b681ca2ddd02608d6e8cbf92a8f1415ad8faba0670fa015e3df
Opcode Fuzzy Hash: 8f8c525103962b0427bb41aeb94d45ad8d58176bcf08c43e7560c5b320723aa8
Instruction Fuzzy Hash: FB7139B190411AAFCB14CF98CC89EAEBB79FF85318F24814DF915AB251C7309A51CFA1

Function 00E12230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E1225A
_memset.LIBCMT ref: 00E12323
ShellExecuteExW.SHELL32(?), ref: 00E12368

Part of subcall function 00DB936C: __swprintf.LIBCMT ref: 00DB93AB
Part of subcall function 00DB936C: __itow.LIBCMT ref: 00DB93DF

Part of subcall function 00DCC6F4: _wcscpy.LIBCMT ref: 00DCC717

CloseHandle.KERNEL32(00000000), ref: 00E1242F
FreeLibrary.KERNEL32(00000000), ref: 00E1243E

Strings

@, xrefs: 00E12334

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: 28f81eed5eb9b1e7b4ebadc2447eca23dbd779302883e0df4f1eff0d86bb302d
Instruction ID: 71e62b38f6dabdf5840a98fe126869f744b6f819e850d4a8c73d8eb49606e9ac
Opcode Fuzzy Hash: 28f81eed5eb9b1e7b4ebadc2447eca23dbd779302883e0df4f1eff0d86bb302d
Instruction Fuzzy Hash: 1A715770A006199FCB04EFA4C981AEEBBF5FF48310B108459E95ABB351CB34AD50CBA4

Function 00DF3DA8 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00DF3DE7
GetKeyboardState.USER32(?), ref: 00DF3DFC
SetKeyboardState.USER32(?), ref: 00DF3E5D
PostMessageW.USER32(?,00000101,00000010,?), ref: 00DF3E8B
PostMessageW.USER32(?,00000101,00000011,?), ref: 00DF3EAA
PostMessageW.USER32(?,00000101,00000012,?), ref: 00DF3EF0
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00DF3F13

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5e37c654ce0e74bc0cce82a80984db6765ff3e1d8cc58e2ee1e5880c68fd921b
Instruction ID: 050d39b15861a4b8476ef1dbb5bf735d496db963414f0f6b3ccd73a47311a7a3
Opcode Fuzzy Hash: 5e37c654ce0e74bc0cce82a80984db6765ff3e1d8cc58e2ee1e5880c68fd921b
Instruction Fuzzy Hash: 1151B3A0A047D93DFB364224CC45BBA7EA95F06304F0EC589F2D5968C2D2A4DEC8D770

Function 00DF3BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00DF3C02
GetKeyboardState.USER32(?), ref: 00DF3C17
SetKeyboardState.USER32(?), ref: 00DF3C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00DF3CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00DF3CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00DF3D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00DF3D26

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c3c2375a731971ce319166f4fb5b141e0db3b7b91c2b93413b1684951aed776f
Instruction ID: 02e56344054e01e09a658837ad374a5ca4445fcc5732e46ec9deb1ede87c9aec
Opcode Fuzzy Hash: c3c2375a731971ce319166f4fb5b141e0db3b7b91c2b93413b1684951aed776f
Instruction Fuzzy Hash: 6751E6A05087D93DFB368774CC55B76BE999B06304F0EC488E2D55A4C2D294EE94D770

Function 00DF7DB1 Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00DF7DBE
_wcsncpy.LIBCMT ref: 00DF7DF3
_wcsncpy.LIBCMT ref: 00DF7E25
_wcsncpy.LIBCMT ref: 00DF7E58
_wcsncpy.LIBCMT ref: 00DF7E9A
_wcsncpy.LIBCMT ref: 00DF7ED4
_wcsncpy.LIBCMT ref: 00DF7F03

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 116a34e00d7f8fb6e0a2440c891a306313d98ad951d1466e2c7633b3102c3c6d
Instruction ID: 91af17a5ad948d0b6a6ebe140774aa1e1401394e58483258a681de4b93004ae8
Opcode Fuzzy Hash: 116a34e00d7f8fb6e0a2440c891a306313d98ad951d1466e2c7633b3102c3c6d
Instruction Fuzzy Hash: E3416F66C14218B6CB20EBF88846ADFB7ACDF54310F558967E514E3221FA34E614C3B5

Function 00E13D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00E13DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E13DCB
FreeLibrary.KERNEL32(00000000), ref: 00E13E80

Part of subcall function 00E13D72: RegCloseKey.ADVAPI32(?), ref: 00E13DE8
Part of subcall function 00E13D72: FreeLibrary.KERNEL32(?), ref: 00E13E3A
Part of subcall function 00E13D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00E13E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 00E13E25

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 0ec152990ba85d3026f0a70ad862cf4246ab6ee8b49eccbf9dbade6715f9d5f3
Instruction ID: 0370ec21632e1232d5f6098d7f4d53367c0cd7b235e01035764a572a09bee173
Opcode Fuzzy Hash: 0ec152990ba85d3026f0a70ad862cf4246ab6ee8b49eccbf9dbade6715f9d5f3
Instruction Fuzzy Hash: EC310DB1905209BFDB159BA1EC89AFFBBBDEF08304F001169E512F2150D6709F899BA0

Function 00E18FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00E18FE7
GetWindowLongW.USER32(0164F6E8,000000F0), ref: 00E1901A
GetWindowLongW.USER32(0164F6E8,000000F0), ref: 00E1904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00E19081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00E190AB
GetWindowLongW.USER32(00000000,000000F0), ref: 00E190BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E190D6

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 7dc62b82d6720306daa8d97ca482f06eb61930b77170d2fa2185fcdf5f2bc7e3
Instruction ID: 3b275a37cf7c5610ffafa24cc48dd8f7fcd811126d58a74e70ba7b5175c20f1d
Opcode Fuzzy Hash: 7dc62b82d6720306daa8d97ca482f06eb61930b77170d2fa2185fcdf5f2bc7e3
Instruction Fuzzy Hash: A8315734604218DFDB21CF59DC99FA437A5FB4A718F1411A8F529AB2B2CB72AC84DF41

Function 00DF08AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DF08F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DF0918
SysAllocString.OLEAUT32(00000000), ref: 00DF091B
SysAllocString.OLEAUT32(?), ref: 00DF0939
SysFreeString.OLEAUT32(?), ref: 00DF0942
StringFromGUID2.OLE32(?,?,00000028), ref: 00DF0967
SysAllocString.OLEAUT32(?), ref: 00DF0975

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: dc952c6dfec2ee26e55f94aa9ede9e3540234ffe2f1a7cc72e4649dd072addf6
Instruction ID: 2182330cc039b134217b42fd1a842e2165d20316ba9f9eaa2fd0accff94dcc64
Opcode Fuzzy Hash: dc952c6dfec2ee26e55f94aa9ede9e3540234ffe2f1a7cc72e4649dd072addf6
Instruction Fuzzy Hash: 6D21E77660520DAFDB009F78DC88DBB7BACEB08360B05C125FA14DB152E6B0EC458B70

Function 00DF2472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00DF2485
__wcsnicmp.LIBCMT ref: 00DF24A6
__wcsnicmp.LIBCMT ref: 00DF24C0

Strings

#notrayicon, xrefs: 00DF247D
#OnAutoItStartRegister, xrefs: 00DF24BA
#requireadmin, xrefs: 00DF24A0

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: fd64f2c4e4ef69f1bf2936603852ad0206a627ab771290082d888e65b96d7321
Instruction ID: 914bde0229429524f827b2bfb3cc85c4a314cfad36150466a40c26cbb047768b
Opcode Fuzzy Hash: fd64f2c4e4ef69f1bf2936603852ad0206a627ab771290082d888e65b96d7321
Instruction Fuzzy Hash: B121493220821977D320AB34DC12FBBB398EF65314F15C02AF68AA7281E695D942C3B5

Function 00DF0986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DF09CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DF09F1
SysAllocString.OLEAUT32(00000000), ref: 00DF09F4
SysAllocString.OLEAUT32 ref: 00DF0A15
SysFreeString.OLEAUT32 ref: 00DF0A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 00DF0A38
SysAllocString.OLEAUT32(?), ref: 00DF0A46

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: caf0adb72c38013ecaa8a90bacac611e53687f10fe83c63982a1b03b5a77f8df
Instruction ID: 6ac535765cc080e1cd91c980c7c0fadc2570cd9bec9411c2449b71ff2d00897d
Opcode Fuzzy Hash: caf0adb72c38013ecaa8a90bacac611e53687f10fe83c63982a1b03b5a77f8df
Instruction Fuzzy Hash: CF217475204208AFDB109FA9DC88DBABBECEF08360745C125FA59DB261E670ED458B74

Function 00E1A2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DCD1BA
Part of subcall function 00DCD17C: GetStockObject.GDI32(00000011), ref: 00DCD1CE
Part of subcall function 00DCD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DCD1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00E1A32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00E1A33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00E1A345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00E1A354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00E1A360

Strings

Msctls_Progress32, xrefs: 00E1A2FE

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 8df06a3ddb678ef0ab549c3d12ec9e580d02a0a7792252b269b30b2e8990233d
Instruction ID: 0eeb7e7979a36213e28018fa5cb70da2af275271e2b1ad2013b7278e2153b5cc
Opcode Fuzzy Hash: 8df06a3ddb678ef0ab549c3d12ec9e580d02a0a7792252b269b30b2e8990233d
Instruction Fuzzy Hash: 4F11D3B1140219BEEF105FA0CC85EFB7F6DFF08398F014114BA08A20A0C6729C21DBA4

Function 00DCCCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00DCCCF6
GetWindowRect.USER32(?,?), ref: 00DCCD37
ScreenToClient.USER32(?,?), ref: 00DCCD5F
GetClientRect.USER32(?,?), ref: 00DCCE8C
GetWindowRect.USER32(?,?), ref: 00DCCEA5

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 90ed4b179b14bf36d062e6f986de96fc44a2043286930bdbe9c5241759fd045a
Instruction ID: eb4731fc89336a4f7168636e00aa6136fc4646416d9fca6a7b88fd220a81c92a
Opcode Fuzzy Hash: 90ed4b179b14bf36d062e6f986de96fc44a2043286930bdbe9c5241759fd045a
Instruction Fuzzy Hash: 44B1607991024ADBDF10CFA8C484BEDBBB5FF08310F14A529ED99EB250DB30A951CB64

Function 00E11BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00E11C18
Process32FirstW.KERNEL32(00000000,?), ref: 00E11C26
__wsplitpath.LIBCMT ref: 00E11C54

Part of subcall function 00DD1DFC: __wsplitpath_helper.LIBCMT ref: 00DD1E3C

_wcscat.LIBCMT ref: 00E11C69
Process32NextW.KERNEL32(00000000,?), ref: 00E11CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00E11CF1

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: b6bfcb5fc7212790afe67e94bb5adadaaece617203205082b91d7c70f7374e79
Instruction ID: dde4a57dc2a0d7e142b29f18640d0f38545ef9855f90ae3b7b90e8b2b894444f
Opcode Fuzzy Hash: b6bfcb5fc7212790afe67e94bb5adadaaece617203205082b91d7c70f7374e79
Instruction Fuzzy Hash: 03516D711083459FD720DF24D885FABBBE8EF88754F00491EF586A7291EB30D944CBA2

Function 00E12FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E13C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E12BB5,?,?), ref: 00E13C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E130AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E130EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00E13112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00E1313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E1317E
RegCloseKey.ADVAPI32(00000000), ref: 00E1318B

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: 987c3b60a7d9576160a9ba0312a1dd2fbc5a3defbbe60303da60f22c3fd6200c
Instruction ID: a53e4f0a26073c320f28d6ab2dcefe16efad97c2c1b71a98d3c627f4a1d7ba25
Opcode Fuzzy Hash: 987c3b60a7d9576160a9ba0312a1dd2fbc5a3defbbe60303da60f22c3fd6200c
Instruction Fuzzy Hash: E7514831208204AFC704EF64CC95EAEBBE9FF88304F04495DF55697291DB31EA49CB62

Function 00E184DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00E18540
GetMenuItemCount.USER32(00000000), ref: 00E18577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00E1859F
GetMenuItemID.USER32(?,?), ref: 00E1860E
GetSubMenu.USER32(?,?), ref: 00E1861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 00E1866D

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 93e5a20493e4eaf26cd5f9e1219fd04def2e0d9da03aba1fb927c06567db9f5e
Instruction ID: 2a9b0152d602a13c102b77c3c3ea706ebb3c5c6e96532567eae301605705a50f
Opcode Fuzzy Hash: 93e5a20493e4eaf26cd5f9e1219fd04def2e0d9da03aba1fb927c06567db9f5e
Instruction Fuzzy Hash: FF51A075A00219EFCF11EF64C945AEEBBF5EF48310F154499E916B7351DB30AE818BA0

Function 00DF4AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DF4B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DF4B5B
IsMenu.USER32(00000000), ref: 00DF4B7B
CreatePopupMenu.USER32 ref: 00DF4BAF
GetMenuItemCount.USER32(000000FF), ref: 00DF4C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00DF4C3E

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 012a1f6fa1d83771e476373715fb9503c78dedd7fb115e67882ae6d029017ceb
Instruction ID: fd9a4f8442cc1653bf74508dc443a35f4a532886b7ee67bc8432bcdd8eef2134
Opcode Fuzzy Hash: 012a1f6fa1d83771e476373715fb9503c78dedd7fb115e67882ae6d029017ceb
Instruction Fuzzy Hash: E151CC7060120DEFDF20CF68D988BBEBBF4EF44318F198119E6659A291D3709984CB31

Function 00E08DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,00E4DC00), ref: 00E08E7C
WSAGetLastError.WSOCK32(00000000), ref: 00E08E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00E08EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 00E08EC5
_strlen.LIBCMT ref: 00E08EF7
WSAGetLastError.WSOCK32(00000000), ref: 00E08F6A

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: d56111af539ac11a7f8158a871c7d34f16ed9690d48cda6ed65d7462e6fec89c
Instruction ID: 8e77a699c6f77162b047d5a8db50a50af979ca9245908c0f77b91e59b930e214
Opcode Fuzzy Hash: d56111af539ac11a7f8158a871c7d34f16ed9690d48cda6ed65d7462e6fec89c
Instruction Fuzzy Hash: 54419D71600109ABCB14EBA4CE85EEEB7BAEF58314F10525AF156A72D1DF30AE44CA70

Function 00DCABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00DCB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DCB35F

BeginPaint.USER32(?,?,?), ref: 00DCAC2A
GetWindowRect.USER32(?,?), ref: 00DCAC8E
ScreenToClient.USER32(?,?), ref: 00DCACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00DCACBC
EndPaint.USER32(?,?,?,?,?), ref: 00DCAD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00E2E673

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: 7aa60efe498e07c5950f217e70ba8fb12dfd506bc6d929c08bf93c7d8f61844d
Instruction ID: b619fa2240cc86179192f7320d138cbe6d8cb3c1059738f3142f033471c5e11a
Opcode Fuzzy Hash: 7aa60efe498e07c5950f217e70ba8fb12dfd506bc6d929c08bf93c7d8f61844d
Instruction Fuzzy Hash: 3141D0701043169FC710DF69DC89FB67BA8EB59724F08026DF9A9972A1C7319888DB72

Function 00E1E397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00E71628,00000000,00E71628,00000000,00000000,00E71628,?,00E2DC5D,00000000,?,00000000,00000000,00000000,?,00E2DAD1,00000004), ref: 00E1E40B
EnableWindow.USER32(00000000,00000000), ref: 00E1E42F
ShowWindow.USER32(00E71628,00000000), ref: 00E1E48F
ShowWindow.USER32(00000000,00000004), ref: 00E1E4A1
EnableWindow.USER32(00000000,00000001), ref: 00E1E4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00E1E4E8

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 60bc950b941f9db3ee0b2fcaf24865f27d6d57f5e149e56b3013860f0c617a83
Instruction ID: 3927324492020c53f3a9e8d465bde578aaf9aff7351ee222288aefc02765f1d2
Opcode Fuzzy Hash: 60bc950b941f9db3ee0b2fcaf24865f27d6d57f5e149e56b3013860f0c617a83
Instruction Fuzzy Hash: 6D417230601154EFDB22CF24C499BD47BE1BF05308F5851A9FE69AF2A2C731E885CB91

Function 00DF98BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00DF98D1

Part of subcall function 00DCF4EA: std::exception::exception.LIBCMT ref: 00DCF51E
Part of subcall function 00DCF4EA: __CxxThrowException@8.LIBCMT ref: 00DCF533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00DF9908
EnterCriticalSection.KERNEL32(?), ref: 00DF9924
LeaveCriticalSection.KERNEL32(?), ref: 00DF999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00DF99B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00DF99D2

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: 704f5161f2e868a8da7012d7eaa16876bacf9d744af04e6143bf41022144bfb3
Instruction ID: 291f8a5a0632192b475f2b0a627c6c924ab4c30f2fe5cbd7ce8cac92e42daf1c
Opcode Fuzzy Hash: 704f5161f2e868a8da7012d7eaa16876bacf9d744af04e6143bf41022144bfb3
Instruction Fuzzy Hash: 0C318131A00109AFDB109F95DC89EAFBBB9FF45710B1580A9F904AB256D770DE14CBB0

Function 00E09B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00E077F4,?,?,00000000,00000001), ref: 00E09B53

Part of subcall function 00E06544: GetWindowRect.USER32(?,?), ref: 00E06557

GetDesktopWindow.USER32 ref: 00E09B7D
GetWindowRect.USER32(00000000), ref: 00E09B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00E09BB6

Part of subcall function 00DF7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00DF7AD0

GetCursorPos.USER32(?), ref: 00E09BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00E09C44

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 5c5bfa0d1a073ab9321bda267d288ccf946859b9a96711c8a54dd8f623d3112d
Instruction ID: 4c1df30ef06634eedd0f5214fd8ce97cb99c8d3a8dfdabb6c409acd8f7855143
Opcode Fuzzy Hash: 5c5bfa0d1a073ab9321bda267d288ccf946859b9a96711c8a54dd8f623d3112d
Instruction Fuzzy Hash: 8C31C172508309AFC710DF14EC49F9ABBE9FF89314F00091AF599E7182D631E958CBA2

Function 00DEAF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00DEAFAE
OpenProcessToken.ADVAPI32(00000000), ref: 00DEAFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00DEAFC4
CloseHandle.KERNEL32(00000004), ref: 00DEAFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DEAFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 00DEB012

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: d06592fe9650847a05c6931f56d82919ece1476d904d2e855cbb6715bca0912c
Instruction ID: b9a8bd57b4ec65ec17e35cb1b5f6fe0d86005aa4af590af603443666c1c47095
Opcode Fuzzy Hash: d06592fe9650847a05c6931f56d82919ece1476d904d2e855cbb6715bca0912c
Instruction Fuzzy Hash: 0E218E7210424EAFCF029FAAED09FAE7BA9EF44304F144055FA01A2161C376ED24EB71

Function 00E1EBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00DCAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00DCAFE3
Part of subcall function 00DCAF83: SelectObject.GDI32(?,00000000), ref: 00DCAFF2
Part of subcall function 00DCAF83: BeginPath.GDI32(?), ref: 00DCB009
Part of subcall function 00DCAF83: SelectObject.GDI32(?,00000000), ref: 00DCB033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00E1EC20
LineTo.GDI32(00000000,00000003,?), ref: 00E1EC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00E1EC42
LineTo.GDI32(00000000,00000000,?), ref: 00E1EC52
EndPath.GDI32(00000000), ref: 00E1EC62
StrokePath.GDI32(00000000), ref: 00E1EC72

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: fda2bfb6925ef5ad5bd6de4128a88fae6a4d0a3eca987f8a682e2b329b45096d
Instruction ID: b7c40952194507b29e33ae82fc6678106194d0f24064ce914082a6f310e0a891
Opcode Fuzzy Hash: fda2bfb6925ef5ad5bd6de4128a88fae6a4d0a3eca987f8a682e2b329b45096d
Instruction Fuzzy Hash: C0110C7200414DBFDB029FA5EC88EDA7F6DEF08354F048112BE1869160D7719D99DBA0

Function 00DEE19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00DEE1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 00DEE1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DEE1D8
ReleaseDC.USER32(00000000,00000000), ref: 00DEE1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00DEE1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 00DEE209

Part of subcall function 00DE9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00DE9A05,00000000,00000000,?,00DE9DDB), ref: 00DEA53A

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: e401e91ad166194910baf9af829d00eb97d8d34d85d8ec6f99ac3d2176bf849f
Instruction ID: e46091da249d0a533539ac9431753bf17d811c4f27ad6e2fc460cb5da3fa377f
Opcode Fuzzy Hash: e401e91ad166194910baf9af829d00eb97d8d34d85d8ec6f99ac3d2176bf849f
Instruction Fuzzy Hash: 750184B5A00758BFEB109BA79C49B5EBFB9EB48751F044066FE04A7290D6719C00CF60

Function 00DD7B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00DD7B47

Part of subcall function 00DD123A: __initp_misc_winsig.LIBCMT ref: 00DD125E
Part of subcall function 00DD123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00DD7F51
Part of subcall function 00DD123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00DD7F65
Part of subcall function 00DD123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00DD7F78
Part of subcall function 00DD123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00DD7F8B
Part of subcall function 00DD123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00DD7F9E
Part of subcall function 00DD123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00DD7FB1
Part of subcall function 00DD123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00DD7FC4
Part of subcall function 00DD123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00DD7FD7
Part of subcall function 00DD123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00DD7FEA
Part of subcall function 00DD123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00DD7FFD
Part of subcall function 00DD123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00DD8010
Part of subcall function 00DD123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00DD8023
Part of subcall function 00DD123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00DD8036
Part of subcall function 00DD123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00DD8049
Part of subcall function 00DD123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00DD805C
Part of subcall function 00DD123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00DD806F

__mtinitlocks.LIBCMT ref: 00DD7B4C

Part of subcall function 00DD7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(00E6AC68,00000FA0,?,?,00DD7B51,00DD5E77,00E66C70,00000014), ref: 00DD7E41

__mtterm.LIBCMT ref: 00DD7B55

Part of subcall function 00DD7BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00DD7B5A,00DD5E77,00E66C70,00000014), ref: 00DD7D3F
Part of subcall function 00DD7BBD: _free.LIBCMT ref: 00DD7D46
Part of subcall function 00DD7BBD: DeleteCriticalSection.KERNEL32(00E6AC68,?,?,00DD7B5A,00DD5E77,00E66C70,00000014), ref: 00DD7D68

__calloc_crt.LIBCMT ref: 00DD7B7A
GetCurrentThreadId.KERNEL32 ref: 00DD7BA3

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: 6bbbb86ff2c0df9dca772667349ef2eab7d36835b14eb9a250936ee32fbad2ff
Instruction ID: dda73dbc153669f83c4deaae7c5d20589d2b63fe23cb27d891e2ed53745a4fd7
Opcode Fuzzy Hash: 6bbbb86ff2c0df9dca772667349ef2eab7d36835b14eb9a250936ee32fbad2ff
Instruction Fuzzy Hash: FFF0B43250D3121EE62877347C0BA4B2BC4DF01730B2906EBF8A4EA3D2FF21984145B0

Function 00DB27EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DB281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00DB2825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00DB2830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00DB283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00DB2843
MapVirtualKeyW.USER32(00000012,00000000), ref: 00DB284B

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 4d0a35e58d63cab74789f1ae89ec389663b08cbc792033b11309b366de92ee11
Instruction ID: 962087e786d57c6fcc63a5ef735c68177fdfecd837f1fe22e76db4ae30ef779e
Opcode Fuzzy Hash: 4d0a35e58d63cab74789f1ae89ec389663b08cbc792033b11309b366de92ee11
Instruction Fuzzy Hash: E70167B0902B5EBDE3008F6A8C85B52FFA8FF19354F00411BA15C47A42C7F5A868CBE5

Function 00DF9AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 495ad348c8befcd99556b065f20b6b8e604ce1995e295641ffd5ea34d5a9802a
Instruction ID: 86d7ef3a2879dba4ec4722aafca870543287e1fa1b2332dbea40033146c1416d
Opcode Fuzzy Hash: 495ad348c8befcd99556b065f20b6b8e604ce1995e295641ffd5ea34d5a9802a
Instruction Fuzzy Hash: 5101863254521AAFD7151B55FC5CEFBBB7AFF887017054429F603A20A0DB649814DB70

Function 00DF7BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00DF7C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00DF7C1D
GetWindowThreadProcessId.USER32(?,?), ref: 00DF7C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DF7C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DF7C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DF7C4C

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 2f39f81237e13f577e0f436b939a34d6dafb0313cbf19d90c62e8a9d27218361
Instruction ID: db86d95d49f9cb705e5f6fc27af75e37c06b20055391000784163456187684b9
Opcode Fuzzy Hash: 2f39f81237e13f577e0f436b939a34d6dafb0313cbf19d90c62e8a9d27218361
Instruction Fuzzy Hash: C2F0177224615CBFE6215B63AC0EEEF7FBCEBC6B11F000058FA12A1051D7A05A49D6B5

Function 00DF9A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00DF9A33
EnterCriticalSection.KERNEL32(?,?,?,?,00E25DEE,?,?,?,?,?,00DBED63), ref: 00DF9A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,00E25DEE,?,?,?,?,?,00DBED63), ref: 00DF9A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00E25DEE,?,?,?,?,?,00DBED63), ref: 00DF9A5E

Part of subcall function 00DF93D1: CloseHandle.KERNEL32(?,?,00DF9A6B,?,?,?,00E25DEE,?,?,?,?,?,00DBED63), ref: 00DF93DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 00DF9A71
LeaveCriticalSection.KERNEL32(?,?,?,?,00E25DEE,?,?,?,?,?,00DBED63), ref: 00DF9A78

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 6c48bb4a8ff02fd4e968b5b2db99840307c753207fadf58b4b49ee6b83a2fdf1
Instruction ID: 030644463f966ad586a03cdc732c94fd95fd2630c8a52796c70272f0fb3ade4c
Opcode Fuzzy Hash: 6c48bb4a8ff02fd4e968b5b2db99840307c753207fadf58b4b49ee6b83a2fdf1
Instruction Fuzzy Hash: DBF08232549219AFD7121BA5FC8DEEBBB7AFF84301B150425F603B10B0DBB59819DB61

Function 00DB1CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 00DCF4EA: std::exception::exception.LIBCMT ref: 00DCF51E
Part of subcall function 00DCF4EA: __CxxThrowException@8.LIBCMT ref: 00DCF533

__swprintf.LIBCMT ref: 00DB1EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00DB1D49

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: 729f902a7b4f05d951b12749d8bc5a47b2b473d056a02d4ba696638aa3c98600
Instruction ID: 3ca178288b8835757f1c9689a700a600c2e2f233afcfbfab77e111be63e17742
Opcode Fuzzy Hash: 729f902a7b4f05d951b12749d8bc5a47b2b473d056a02d4ba696638aa3c98600
Instruction Fuzzy Hash: 04915A75108211EFC724EF24D895CAEB7A4EF85700F54492DF996A72A1DB70ED04CBB2

Function 00E0AFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E0B006
CharUpperBuffW.USER32(?,?), ref: 00E0B115
VariantClear.OLEAUT32(?), ref: 00E0B298

Part of subcall function 00DF9DC5: VariantInit.OLEAUT32(00000000), ref: 00DF9E05
Part of subcall function 00DF9DC5: VariantCopy.OLEAUT32(?,?), ref: 00DF9E0E
Part of subcall function 00DF9DC5: VariantClear.OLEAUT32(?), ref: 00DF9E1A

Strings

Incorrect Parameter format, xrefs: 00E0B03E, 00E0B20B
AUTOIT.ERROR, xrefs: 00E0B11B

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: dda217f3bd892e0c9d51aae1ac1c13cce785d9a4712c338e87f51f3d31b7c80a
Instruction ID: 478d6902050ea9ec07a72af59f0ca298c0bc69a6e28b280f03fff8bba6d2a94c
Opcode Fuzzy Hash: dda217f3bd892e0c9d51aae1ac1c13cce785d9a4712c338e87f51f3d31b7c80a
Instruction Fuzzy Hash: 9B915B74608301DFCB10DF24D49599ABBE4FF89704F04586DF89AAB3A2DB31E945CB62

Function 00DF5347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCC6F4: _wcscpy.LIBCMT ref: 00DCC717

_memset.LIBCMT ref: 00DF5438
GetMenuItemInfoW.USER32(?), ref: 00DF5467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DF5513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00DF553D

Strings

0, xrefs: 00DF5430

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 05adf6ef5a02678e37febf53e8fa4d75a791a064262c39c0ec6b9a2b95a63a8f
Instruction ID: 0cb029d3610a55b3722c2b25b8410e352004aa79a718088a2f10dda8ba1aa327
Opcode Fuzzy Hash: 05adf6ef5a02678e37febf53e8fa4d75a791a064262c39c0ec6b9a2b95a63a8f
Instruction Fuzzy Hash: 6A5143311047099BD314DF2CE8416BBBBE8EB85310F09862EFB9AD3294DB60CD4487B2

Function 00DF0213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00DF027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00DF02B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00DF02C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00DF0344

Strings

DllGetClassObject, xrefs: 00DF02B7

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: c9c5692e89473d66293c32ed3b5e548d5958102e7b5fbee4200e8aa535414769
Instruction ID: f2417b4f7c8569d9f0b5768691748c7540f3fe5c761fd0ae34a984e73aca633d
Opcode Fuzzy Hash: c9c5692e89473d66293c32ed3b5e548d5958102e7b5fbee4200e8aa535414769
Instruction Fuzzy Hash: 1C414CB1604208EFDB05CF54C985BAA7FF9EF44310B15C0A9EA09AF216D7B1DA44CBB0

Function 00DF5007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DF5075
GetMenuItemInfoW.USER32 ref: 00DF5091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 00DF50D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00E71708,00000000), ref: 00DF5120

Strings

0, xrefs: 00DF506D

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 31f99782ee1bb4d77ef1baa7e837867bc144348ef643469eb24c8f776a01d8a6
Instruction ID: e885c3080bc4aa3a4b03570a0e5827946fb906ed8228567483ca4a0b3715341f
Opcode Fuzzy Hash: 31f99782ee1bb4d77ef1baa7e837867bc144348ef643469eb24c8f776a01d8a6
Instruction Fuzzy Hash: 9841C230204705AFD710DF28EC85B6ABBE8EF85324F09861EFA5597295D770E904CB72

Function 00E10567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 00E10587

Strings

stdcall, xrefs: 00E10609
none, xrefs: 00E10662
winapi, xrefs: 00E105F8
cdecl, xrefs: 00E105DE

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: 9da3488a12cc7a225670a373d2fcbdc50be2d32f62f02f6022dcfa8c711d85cb
Instruction ID: adb204afa96b5de44e3214dca38bbc3da3e62788dfbb7cf9e7d68f121ea33137
Opcode Fuzzy Hash: 9da3488a12cc7a225670a373d2fcbdc50be2d32f62f02f6022dcfa8c711d85cb
Instruction Fuzzy Hash: 8131AF70500216AFCF00EF54CD429EEB3B4FF95354B00962AE826B76D1DBB1A995CBA0

Function 00DEB80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00DEB88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00DEB8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 00DEB8D1

Strings

ListBox, xrefs: 00DEB84D
ComboBox, xrefs: 00DEB815

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: ed22119c830abde193a6e067083f8df91cee7616634be41dba830fcdd7497cc2
Instruction ID: f461624edf4c562dead28ea6eefa868c792bbba323e543ed1d1a4e9e7f56cc89
Opcode Fuzzy Hash: ed22119c830abde193a6e067083f8df91cee7616634be41dba830fcdd7497cc2
Instruction Fuzzy Hash: 6A210471900148AFDB04ABA5DC86DFF7B79EF05360B14412AF122A32E0DB759D0A8A30

Function 00DB51AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DB522F
_wcscpy.LIBCMT ref: 00DB5283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00DB5293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00E23CB0

Strings

Line: , xrefs: 00E23CD9

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 934429fb25f78c13238072aca12f811440c88f71355881d9028559607156184a
Instruction ID: 9b0ea326a8551e4899c56aecc584b2c0797205a987e1a41a35f9b578c9f27890
Opcode Fuzzy Hash: 934429fb25f78c13238072aca12f811440c88f71355881d9028559607156184a
Instruction Fuzzy Hash: 4F31A171508740EED321EB64EC46FDE77D8EB44350F40451EF58AA2191EB74A64CCBB6

Function 00E043E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E04401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E04427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00E04457
InternetCloseHandle.WININET(00000000), ref: 00E0449E

Part of subcall function 00E05052: GetLastError.KERNEL32(?,?,00E043CC,00000000,00000000,00000001), ref: 00E05067

Strings

, xrefs: 00E04450

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 782d9b65b1f31344123d7a40151218689b58943984f4ffe5ecdd1e450cd7726b
Instruction ID: abd00efb5a70ac202f5bc77a74f61d659650afe8e32f3804684ce35fe5c1177b
Opcode Fuzzy Hash: 782d9b65b1f31344123d7a40151218689b58943984f4ffe5ecdd1e450cd7726b
Instruction Fuzzy Hash: 5F218EF6500208BEE7219F64DD85EBFBAECEB48758F10901AF219F61C0EA748D859770

Function 00E190E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DCD1BA
Part of subcall function 00DCD17C: GetStockObject.GDI32(00000011), ref: 00DCD1CE
Part of subcall function 00DCD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DCD1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00E1915C
LoadLibraryW.KERNEL32(?), ref: 00E19163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00E19178
DestroyWindow.USER32(?), ref: 00E19180

Strings

SysAnimate32, xrefs: 00E19137

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 556db8d7e8d73b6f5d61bc6264da27c6b343cd2413926e8d2a2a8b3453cbeaf5
Instruction ID: 85c2f1248c15f78f82fd7e3c01443ea5d00ff4dd1e87d8f30bcdc8972522d511
Opcode Fuzzy Hash: 556db8d7e8d73b6f5d61bc6264da27c6b343cd2413926e8d2a2a8b3453cbeaf5
Instruction Fuzzy Hash: 25218E7120020ABFEF104E64DC99EFB37A9EB99368F111658FA14A2191C735DCD1A760

Function 00DF9568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00DF9588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DF95B9
GetStdHandle.KERNEL32(0000000C), ref: 00DF95CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00DF9605

Strings

nul, xrefs: 00DF9600

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 41a1afb736c8546defb00e7fc0b9673e34d89ba98b32eb7e941b9772aa72a9ed
Instruction ID: caeec5072ed42012684ac46ffa3faecaa02aca9db3aa246f9cf11e9ecbf6c89e
Opcode Fuzzy Hash: 41a1afb736c8546defb00e7fc0b9673e34d89ba98b32eb7e941b9772aa72a9ed
Instruction Fuzzy Hash: 04218D7090020DABDB219F75DC14BAABBB4AF44724F258A19FAA1E72E0D770D944CB30

Function 00DF9634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00DF9653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DF9683
GetStdHandle.KERNEL32(000000F6), ref: 00DF9694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00DF96CE

Strings

nul, xrefs: 00DF96C9

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: fc4c3e300b7eabe8e9dc819ae9864a79617de8bcc02ea635801e1c0260bc252e
Instruction ID: a3faa42416b07367f760851ede036612a8cb307da5ebe098ad79b4cc60c9df07
Opcode Fuzzy Hash: fc4c3e300b7eabe8e9dc819ae9864a79617de8bcc02ea635801e1c0260bc252e
Instruction Fuzzy Hash: 1821957190020D9BDB209F699C14FAAF7E8AF54724F258619FEA1E72D0E770D845CB30

Function 00DFDAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00DFDB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00DFDB5E
__swprintf.LIBCMT ref: 00DFDB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,00E4DC00), ref: 00DFDBB5

Strings

%lu, xrefs: 00DFDB71

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 82478041a0332ae1348955b27b381f23cc36b0cc5506e7a9ae33c753fe39a51a
Instruction ID: 34a82d9854f86582a7928b3e887af1eabafd8ecd38e260f6a70addca3ecb0b51
Opcode Fuzzy Hash: 82478041a0332ae1348955b27b381f23cc36b0cc5506e7a9ae33c753fe39a51a
Instruction Fuzzy Hash: E521603560020CAFCB10EFA5DD85EEEBBB8EF48704B154069F605E7251DA70EA05DB71

Function 00DEC9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DEC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00DEC84A
Part of subcall function 00DEC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DEC85D
Part of subcall function 00DEC82D: GetCurrentThreadId.KERNEL32 ref: 00DEC864
Part of subcall function 00DEC82D: AttachThreadInput.USER32(00000000), ref: 00DEC86B

GetFocus.USER32 ref: 00DECA05

Part of subcall function 00DEC876: GetParent.USER32(?), ref: 00DEC884

GetClassNameW.USER32(?,?,00000100), ref: 00DECA4E
EnumChildWindows.USER32(?,00DECAC4), ref: 00DECA76
__swprintf.LIBCMT ref: 00DECA90

Strings

%s%d, xrefs: 00DECA8A

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: 210b1216fe0b10adb1db37aaf0cf2407f822c6b6ae237c176cce15a30a6d1443
Instruction ID: d40829870a6ddea58b2e869d13be4ed15867f3ab4a21dc7e2fa23a69fe9add42
Opcode Fuzzy Hash: 210b1216fe0b10adb1db37aaf0cf2407f822c6b6ae237c176cce15a30a6d1443
Instruction Fuzzy Hash: 4D117F71610209BBCF11BFA19CCAFED3B79EB44714F04906AFE19AA182CB749546DB70

Function 00DD7A94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00DD7AD8

Part of subcall function 00DD7CF4: __mtinitlocknum.LIBCMT ref: 00DD7D06
Part of subcall function 00DD7CF4: EnterCriticalSection.KERNEL32(00000000,?,00DD7ADD,0000000D), ref: 00DD7D1F

InterlockedIncrement.KERNEL32(?), ref: 00DD7AE5
__lock.LIBCMT ref: 00DD7AF9
___addlocaleref.LIBCMT ref: 00DD7B17

Strings

`, xrefs: 00DD7AA3

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID: `
API String ID: 1687444384-4168407445
Opcode ID: 20c7c9846a87ca0591995432c23e69bfcd64b71a7f5a4df97a2b4c156c340946
Instruction ID: e99415dd261ac6bc91b290443de752655f9b05ff45f4104846c593ee16826792
Opcode Fuzzy Hash: 20c7c9846a87ca0591995432c23e69bfcd64b71a7f5a4df97a2b4c156c340946
Instruction Fuzzy Hash: D2015B71445B009ED7209F79D90A74ABBF0EF40321F20894FE49AA73A0DBB0A644CB61

Function 00E1E32E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E1E33D
_memset.LIBCMT ref: 00E1E34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E73D00,00E73D44), ref: 00E1E37B
CloseHandle.KERNEL32 ref: 00E1E38D

Strings

D=, xrefs: 00E1E346

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: D=
API String ID: 3277943733-488882995
Opcode ID: 06f82b87177c448ed92a12e252ba5e97821f142b1b45cbbb47766c5f7ba58a88
Instruction ID: ceba86114ce66d4dc4ed80706229f5d85c26cd94389a533646644ad7ee08f5ba
Opcode Fuzzy Hash: 06f82b87177c448ed92a12e252ba5e97821f142b1b45cbbb47766c5f7ba58a88
Instruction Fuzzy Hash: 20F05EF1540314BEE2605B72AC4AF7B7E5CDB05754F004422BF0DF62A2D3759E44A6B9

Function 00E11945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00E119F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00E11A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00E11B49
CloseHandle.KERNEL32(?), ref: 00E11BBF

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 7acf4b82c3fef4ab20084202972235a56467d2547054ad7fcd3b9b94a558315f
Instruction ID: 3aa8413e9a6382f00c93fd71923ad8751e9c7012b47a3e9d35a9e36016112b58
Opcode Fuzzy Hash: 7acf4b82c3fef4ab20084202972235a56467d2547054ad7fcd3b9b94a558315f
Instruction Fuzzy Hash: 4E817F70600215ABDF119F64C986FADBBF5EF44720F148499FA05BF382DBB5E9418BA0

Function 00E1E062 Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00E1E1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 00E1E20D
IsDlgButtonChecked.USER32(?,00000001), ref: 00E1E248
GetWindowLongW.USER32(?,000000EC), ref: 00E1E269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00E1E281

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: 273ce7b589d1be1071cc151283f83a4a6c48f0c7425f71c6a428be01cab71f9b
Instruction ID: 30e24d9566447e17f2fe5fbc9c07b92c97843ce84d9df90f4cfc18126f094ef3
Opcode Fuzzy Hash: 273ce7b589d1be1071cc151283f83a4a6c48f0c7425f71c6a428be01cab71f9b
Instruction Fuzzy Hash: 8E618E34B05204AFDB25CF58C895FEA7BBABB89304F145099FC59B73A1C771A980CB11

Function 00DF1C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00DF1CB4
VariantClear.OLEAUT32(00000013), ref: 00DF1D26
VariantClear.OLEAUT32(00000000), ref: 00DF1D81
VariantClear.OLEAUT32(?), ref: 00DF1DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00DF1E26

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 84a83d1dbecc87fd7da107dfd4062dd706e18262e9fd00bd9a10bde670e13bf9
Instruction ID: 240b057b900acf75d6ee37ac56ec7328790b92acf6745cee9598ddbf88e4691d
Opcode Fuzzy Hash: 84a83d1dbecc87fd7da107dfd4062dd706e18262e9fd00bd9a10bde670e13bf9
Instruction Fuzzy Hash: 85514BB9A00209EFDB14CF58D884AAAB7B9FF4C314B158559FA59DB301E330E951CFA0

Function 00E10688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00DB936C: __swprintf.LIBCMT ref: 00DB93AB
Part of subcall function 00DB936C: __itow.LIBCMT ref: 00DB93DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 00E106EE
GetProcAddress.KERNEL32(00000000,?), ref: 00E1077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00E1079B
GetProcAddress.KERNEL32(00000000,?), ref: 00E107E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 00E107FB

Part of subcall function 00DCE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00DFA574,?,?,00000000,00000008), ref: 00DCE675
Part of subcall function 00DCE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00DFA574,?,?,00000000,00000008), ref: 00DCE699

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 47f9e87a0ca8e09c639e147aab10b94deef680ada428437825c22cb750f58238
Instruction ID: 77c3b48e66f79e6427b8b26b9683b5a79661d754a81b82d6e81fd1e439902e4f
Opcode Fuzzy Hash: 47f9e87a0ca8e09c639e147aab10b94deef680ada428437825c22cb750f58238
Instruction Fuzzy Hash: BE514B75A04209DFCB00EFA8C885DEDB7B5FF49314B14805AE916AB352DB70ED85CBA0

Function 00E12E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E13C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E12BB5,?,?), ref: 00E13C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E12EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E12F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00E12F75
RegCloseKey.ADVAPI32(?,?), ref: 00E12FA1
RegCloseKey.ADVAPI32(00000000), ref: 00E12FAE

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: d0571f7a2fcbf09e3c81d960a8b8cc85b5f7deed9f4f0915fb7919d20c93250e
Instruction ID: 5cae65c1a4e41cf89c98e6a9ce3c36523d5b5c02f411cd0d9440aabe8b707c06
Opcode Fuzzy Hash: d0571f7a2fcbf09e3c81d960a8b8cc85b5f7deed9f4f0915fb7919d20c93250e
Instruction Fuzzy Hash: 41516771218204AFC704EB64CC81EAEB7F9FF88304F00981DF696A7291DB30E955CB62

Function 00E1CCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c6ca104423e6970327bcc9b4bc074517ac147507cebc5dbdcc7ba26f379be7
Instruction ID: 4021812d6fe5a3a61d1983441d87541726c76a4b1455b72968d0e2ade3b5eaa4
Opcode Fuzzy Hash: 56c6ca104423e6970327bcc9b4bc074517ac147507cebc5dbdcc7ba26f379be7
Instruction Fuzzy Hash: 6341C179944248AFC720DB68DC48FE9BF68EB09314F242265E95AF72E1C630AD91DA50

Function 00E01206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00E012B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00E012DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00E0131C

Part of subcall function 00DB936C: __swprintf.LIBCMT ref: 00DB93AB
Part of subcall function 00DB936C: __itow.LIBCMT ref: 00DB93DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00E01341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00E01349

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 9cb47e74e4a2ebae2578a5ef0696a21a42eec7c6d256625603b63727d552c260
Instruction ID: 4d25ab3758c1fda261558da5156fa1e50e7d736684c5f080a0ef5881c40a38fb
Opcode Fuzzy Hash: 9cb47e74e4a2ebae2578a5ef0696a21a42eec7c6d256625603b63727d552c260
Instruction Fuzzy Hash: B7411F35600109DFCF01EF64C995AAEBBF5FF08314B148099E906AB3A2DB35ED51DB61

Function 00DCB63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 00DCB64F
ScreenToClient.USER32(00000000,000000FF), ref: 00DCB66C
GetAsyncKeyState.USER32(00000001), ref: 00DCB691
GetAsyncKeyState.USER32(00000002), ref: 00DCB69F

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 2803bae4aca72231de5a960f7e33166bba5334daab13946e998ab099be993b80
Instruction ID: c1be98b8ba4ddb593a349395bab0c94b55b5813fa9fb19ada0cfe7841aa9155d
Opcode Fuzzy Hash: 2803bae4aca72231de5a960f7e33166bba5334daab13946e998ab099be993b80
Instruction Fuzzy Hash: 07416C7560811AFFDF159F64CD45EE9BBB4FB05324F20431AE829A7290CB30A994DFA1

Function 00DEB358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00DEB369
PostMessageW.USER32(?,00000201,00000001), ref: 00DEB413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00DEB41B
PostMessageW.USER32(?,00000202,00000000), ref: 00DEB429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00DEB431

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: fe3376494f6ef0eb8df8706d32cbc9271e36268bf5c3f1a550c07bff67468ddf
Instruction ID: 3680de685cf2d700564a7d0f52403d14cba5c00080628eb05879d9ec5759d7e8
Opcode Fuzzy Hash: fe3376494f6ef0eb8df8706d32cbc9271e36268bf5c3f1a550c07bff67468ddf
Instruction Fuzzy Hash: 6131BF7190025DEFDB04DF69DD4EA9E3BB5EB04329F10422AF921A61D1C3B0E914CBA0

Function 00DEDBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00DEDBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00DEDBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00DEDC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00DEDC52
_wcsstr.LIBCMT ref: 00DEDC5C

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: f328ab0c57be71ffb2f2e7389e4d3da8bd4d0e63a6afe2134a14b26db7f265e0
Instruction ID: 2021471e6db9d81cd1e131b7032e6b39a3fa3b8da738bf3dda531ad8176bfb9a
Opcode Fuzzy Hash: f328ab0c57be71ffb2f2e7389e4d3da8bd4d0e63a6afe2134a14b26db7f265e0
Instruction Fuzzy Hash: 2D21DA71208144BFE7156F3ADC49E7B7BAADF49760F244029F909DA151EEA1DC41D2B0

Function 00E1DE69 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00DCB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DCB35F

GetWindowLongW.USER32(?,000000F0), ref: 00E1DEB0
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00E1DED4
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00E1DEEC
GetSystemMetrics.USER32(00000004), ref: 00E1DF14
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,00E03A1E,00000000), ref: 00E1DF32

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 48108c89e257affefad6709b774bb42c82388d2222622b1aabe54fd66e681e0d
Instruction ID: 48a6ed489c3457f06babc6d75813b704b8151026bdbb2ef1cb1b930fe966d9a9
Opcode Fuzzy Hash: 48108c89e257affefad6709b774bb42c82388d2222622b1aabe54fd66e681e0d
Instruction Fuzzy Hash: AE21D631A18216AFCB204F79DC48BE63B94FB15739F151324F936E61E0D73098A1CB90

Function 00DEBC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00DEBC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00DEBCC2
__itow.LIBCMT ref: 00DEBCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00DEBD00
__itow.LIBCMT ref: 00DEBD11

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 20f2a30bb3e4fee4dafc13aed2e8b33431ae5615399f33000bb7b2d921a34397
Instruction ID: fd284aae01d3ffe2b3d58b8d541cab5f0d7f6515f4a10426a8c7b1a2b7bfef14
Opcode Fuzzy Hash: 20f2a30bb3e4fee4dafc13aed2e8b33431ae5615399f33000bb7b2d921a34397
Instruction Fuzzy Hash: F721A435600748BADB11BE6A9C86FDF7A68EF49760F101026FA06EB181DB60DD4587B1

Function 00DF6318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00DB50E6: _wcsncpy.LIBCMT ref: 00DB50FA

GetFileAttributesW.KERNEL32(?,?,?,?,00DF60C3), ref: 00DF6369
GetLastError.KERNEL32(?,?,?,00DF60C3), ref: 00DF6374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00DF60C3), ref: 00DF6388
_wcsrchr.LIBCMT ref: 00DF63AA

Part of subcall function 00DF6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00DF60C3), ref: 00DF63E0

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: d10b8b7bf476418a950ab1d5eee3ae5890fcef1ef30f45fb05e1b5b5cdd2329a
Instruction ID: 9c5137d7c8a4a29079307c6230fd0d901c807ef5e3a392cfc48ad93964c7bc52
Opcode Fuzzy Hash: d10b8b7bf476418a950ab1d5eee3ae5890fcef1ef30f45fb05e1b5b5cdd2329a
Instruction Fuzzy Hash: E3216D3150421D8BDB14AB78AC06FFA33ECEF15360F1D806AF245D34C0EB60D9848A71

Function 00E08B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E0A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00E0A84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00E08BD3
WSAGetLastError.WSOCK32(00000000), ref: 00E08BE2
connect.WSOCK32(00000000,?,00000010), ref: 00E08BFE

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: c3791434ee4fce76fbc88adc7008b861b2a359a8247236fab5001ab03650009d
Instruction ID: f83c2791df92483c9d59df22336260ac782d293e3770120d18890d57cffbefff
Opcode Fuzzy Hash: c3791434ee4fce76fbc88adc7008b861b2a359a8247236fab5001ab03650009d
Instruction Fuzzy Hash: 1121AE312042189FDB10EF28DE89F7EB7A9EF58710F048459F946AB2D2CF70AC458B61

Function 00E08420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00E08441
GetForegroundWindow.USER32 ref: 00E08458
GetDC.USER32(00000000), ref: 00E08494
GetPixel.GDI32(00000000,?,00000003), ref: 00E084A0
ReleaseDC.USER32(00000000,00000003), ref: 00E084DB

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 8607df73517c3224232fe5ea07e717230b3bd64ece5d196be11efc3385dddd2c
Instruction ID: 7d4e0d9e80d045addbcbf27305512a961a79379ada4013c0cdde24fe748de2a7
Opcode Fuzzy Hash: 8607df73517c3224232fe5ea07e717230b3bd64ece5d196be11efc3385dddd2c
Instruction Fuzzy Hash: 4C218175A00208AFD700DFA5DD89AAEBBF5EF48301F148479E95AA7352DB70AD44CB60

Function 00DCAF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00DCAFE3
SelectObject.GDI32(?,00000000), ref: 00DCAFF2
BeginPath.GDI32(?), ref: 00DCB009
SelectObject.GDI32(?,00000000), ref: 00DCB033

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 88499f0d8e78b90b504af3733b1cb6c922ea71bffac6076bed2277350ff09fed
Instruction ID: 5c9cc38b4f386973a59282f1420da0c6b2fb0ce834267e78f6120fdd58956730
Opcode Fuzzy Hash: 88499f0d8e78b90b504af3733b1cb6c922ea71bffac6076bed2277350ff09fed
Instruction Fuzzy Hash: 0121777080434AEFDB10DF9AEC49B997B69BB11365F18425EF415771A0C370889DDFA1

Function 00DD217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00DD21A9
CreateThread.KERNEL32(?,?,00DD22DF,00000000,?,?), ref: 00DD21ED
GetLastError.KERNEL32 ref: 00DD21F7
_free.LIBCMT ref: 00DD2200
__dosmaperr.LIBCMT ref: 00DD220B

Part of subcall function 00DD7C0E: __getptd_noexit.LIBCMT ref: 00DD7C0E

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 7350cb7bd7df274ee1cc3673e92b9b3e18d3ef03b1d8ba3ceb5910bdbe807b69
Instruction ID: cce48ef34ca4246a756c5adb303512c9363475dc7f1c8b1b41dec6ee271ded52
Opcode Fuzzy Hash: 7350cb7bd7df274ee1cc3673e92b9b3e18d3ef03b1d8ba3ceb5910bdbe807b69
Instruction Fuzzy Hash: AC112B33104306AFDB11AFA5DC42DBB3B98EF50770B14002BF91486341EB31C81187B1

Function 00DEABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00DEABD7
GetLastError.KERNEL32(?,00DEA69F,?,?,?), ref: 00DEABE1
GetProcessHeap.KERNEL32(00000008,?,?,00DEA69F,?,?,?), ref: 00DEABF0
HeapAlloc.KERNEL32(00000000,?,00DEA69F,?,?,?), ref: 00DEABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00DEAC0E

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 9e1a38a9d6664a32a6149a9068b72701c9e9a578cf162968f330a84bf09d472a
Instruction ID: 64925a53411ffed6091eabfbedec908185818ee431c59a7745581d4d75f7c49a
Opcode Fuzzy Hash: 9e1a38a9d6664a32a6149a9068b72701c9e9a578cf162968f330a84bf09d472a
Instruction Fuzzy Hash: 1C014674205249BFDB105FAAEC48DAB3EBCEF8A3547240429F905D3260DA719C44CA71

Function 00DE9ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00DE9ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 00DE9AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 00DE9B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00DE9B15
CLSIDFromString.OLE32(?,?), ref: 00DE9B21

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: ade2e5f1d616443cc5910da169fccb50c6a007704f7ece164c8ff296db53e5b3
Instruction ID: 1cf86dabb18a3a6433c236ea01151b01cfc7fa8d06c52f3e077ccd133f039731
Opcode Fuzzy Hash: ade2e5f1d616443cc5910da169fccb50c6a007704f7ece164c8ff296db53e5b3
Instruction Fuzzy Hash: 5F018B76601248BFDB146F6AEC88BAABEEDEF44352F148424F905E2210D770ED049BB0

Function 00DF7A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00DF7A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00DF7A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00DF7A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00DF7A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00DF7AD0

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 81064114583901eabde3ab12b0c65d0fd92f86ea97a1b36aa209e0ef9527e1ac
Instruction ID: 41cd903a00f6062c3d1483105d95fe66f48e1d64b4d2e1044137f8a0038d20b0
Opcode Fuzzy Hash: 81064114583901eabde3ab12b0c65d0fd92f86ea97a1b36aa209e0ef9527e1ac
Instruction Fuzzy Hash: F6012931C0962DEFCF00AFE9EC4CAEEBB78FB08751F068495E646B2150DB30965487A1

Function 00DEAAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00DEAADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00DEAAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DEAAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00DEAAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DEAB10

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 486febd39354c8b365acacdbec209b6ad719cbec27607b64b9b69200d42f799e
Instruction ID: 8ba69e16cbdb91a1269aea12edda11c1b392dbb3b31fc69ff2d51218fb042a1c
Opcode Fuzzy Hash: 486febd39354c8b365acacdbec209b6ad719cbec27607b64b9b69200d42f799e
Instruction Fuzzy Hash: 40F04F71205209AFEB111FAAFC88EA73B6DFF45754F040029F941D7190CA61EC159E71

Function 00DEAA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00DEAA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00DEAA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00DEAA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00DEAA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00DEAAAF

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b5721a0f99cb688cbfeccbee7309daa879a67217ae0e552a97e4b4ffb54f942a
Instruction ID: bf1c65a7584e815df24cd0c41f6b33957ccdf14eb7d718e8954d4a3dd47409b1
Opcode Fuzzy Hash: b5721a0f99cb688cbfeccbee7309daa879a67217ae0e552a97e4b4ffb54f942a
Instruction Fuzzy Hash: BCF0AF31205309AFEB102FAAAC8CEA73FACFF49758F04002AF901D7190DA61EC05CA71

Function 00DEEC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00DEEC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 00DEECAB
MessageBeep.USER32(00000000), ref: 00DEECC3
KillTimer.USER32(?,0000040A), ref: 00DEECDF
EndDialog.USER32(?,00000001), ref: 00DEECF9

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: e252be0d921d4bfc763035eb5dbbf83c931370fc47ca47b2cdf98853ce11c3c4
Instruction ID: b59c24800aef09b523e3115621fe829eb1bca8f9b298bc77174c2059c79c2557
Opcode Fuzzy Hash: e252be0d921d4bfc763035eb5dbbf83c931370fc47ca47b2cdf98853ce11c3c4
Instruction Fuzzy Hash: 06018630504748EFEB246B21EE4EB967BB8FF00705F140559B693714E0DBF4A958CB60

Function 00DCB0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00DCB0BA
StrokeAndFillPath.GDI32(?,?,00E2E680,00000000,?,?,?), ref: 00DCB0D6
SelectObject.GDI32(?,00000000), ref: 00DCB0E9
DeleteObject.GDI32 ref: 00DCB0FC
StrokePath.GDI32(?), ref: 00DCB117

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: bc314fb46472c50e9e227768c290371b9c542c3a9ef3db7c6fdf2a5549f283af
Instruction ID: a3c4baac057cfe1a9050ffa1ba0dccb4498a7f7f046ad7f87a2a6982f4a5431d
Opcode Fuzzy Hash: bc314fb46472c50e9e227768c290371b9c542c3a9ef3db7c6fdf2a5549f283af
Instruction Fuzzy Hash: 2BF0B63000834AAFDB259FAAEC0DB553F65B711762F088359F469660F0C731899DDF60

Function 00DFF23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00DFF2DA
CoCreateInstance.OLE32(00E3DA7C,00000000,00000001,00E3D8EC,?), ref: 00DFF2F2
CoUninitialize.OLE32 ref: 00DFF555

Strings

.lnk, xrefs: 00DFF28B, 00DFF290, 00DFF29E

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: 8e6ba0a896301a33eb7c2acd4044b6d503d4d9a6b0f818f07f70bc0ed3e081b8
Instruction ID: cd7fc4f48f2c76429f595fd4e1483625f047acaf4037cb18c4b454a132721997
Opcode Fuzzy Hash: 8e6ba0a896301a33eb7c2acd4044b6d503d4d9a6b0f818f07f70bc0ed3e081b8
Instruction Fuzzy Hash: 6FA11971108205AFD300EF64C891EAFB7B8EF98714F04491DF65697292EB70EA49CB72

Function 00DFE7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00DB660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DB53B1,?,?,00DB61FF,?,00000000,00000001,00000000), ref: 00DB662F

CoInitialize.OLE32(00000000), ref: 00DFE85D
CoCreateInstance.OLE32(00E3DA7C,00000000,00000001,00E3D8EC,?), ref: 00DFE876
CoUninitialize.OLE32 ref: 00DFE893

Part of subcall function 00DB936C: __swprintf.LIBCMT ref: 00DB93AB
Part of subcall function 00DB936C: __itow.LIBCMT ref: 00DB93DF

Strings

.lnk, xrefs: 00DFE83B, 00DFE84D

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 3cb551741aa31634b8251bef5d7ffd7515e955b378afd9985a1cd2f076fb61fd
Instruction ID: 151be86c3859932f103c9e0e7c1b066761cf2f5e97cd1fae10ab2d4a123a84e7
Opcode Fuzzy Hash: 3cb551741aa31634b8251bef5d7ffd7515e955b378afd9985a1cd2f076fb61fd
Instruction Fuzzy Hash: ECA134356043059FCB14DF14C88496EBBE5FF88310F198998FA9A9B3A1CB31ED45CBA1

Function 00DD325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00DD32ED

Part of subcall function 00DDE0D0: __87except.LIBCMT ref: 00DDE10B

Strings

pow, xrefs: 00DD32C5, 00DD32E2

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 2dce5ad3419a114333be896e37964adbde0899970d6fba08babc1b3f9cbbf28b
Instruction ID: 993460e5e04d2acd131ee97ac1404aad5d26607fa9391e7e5a337925aa4cfe07
Opcode Fuzzy Hash: 2dce5ad3419a114333be896e37964adbde0899970d6fba08babc1b3f9cbbf28b
Instruction Fuzzy Hash: 62513921E092019ACB157714CE4137E7F94EB81710F688D2BF4C58A3A9DE74CDC996BB

Function 00DF4606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00E4DC50,?,0000000F,0000000C,00000016,00E4DC50,?), ref: 00DF4645

Part of subcall function 00DB936C: __swprintf.LIBCMT ref: 00DB93AB
Part of subcall function 00DB936C: __itow.LIBCMT ref: 00DB93DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 00DF46C5

Strings

REMOVE, xrefs: 00DF4676
THIS, xrefs: 00DF4703

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: dac402147fa5135ddb7adc18a996594ee7eb5dbb0ef8558e455b89c80fdd51b6
Instruction ID: c04b94de78194d6576c1aed854869635cef9a57be143f44177217edab2f7fc85
Opcode Fuzzy Hash: dac402147fa5135ddb7adc18a996594ee7eb5dbb0ef8558e455b89c80fdd51b6
Instruction Fuzzy Hash: 85414B74A0021D9FCF01EF64C885ABEB7B5FF49314F198059EA16AB2A2DB34D945CB70

Function 00DEC189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00DEBC08,?,?,00000034,00000800,?,00000034), ref: 00DF4335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00DEC1D3

Part of subcall function 00DF42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00DEBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00DF4300

Part of subcall function 00DF422F: GetWindowThreadProcessId.USER32(?,?), ref: 00DF425A
Part of subcall function 00DF422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00DEBBCC,00000034,?,?,00001004,00000000,00000000), ref: 00DF426A
Part of subcall function 00DF422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00DEBBCC,00000034,?,?,00001004,00000000,00000000), ref: 00DF4280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00DEC240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00DEC28D

Strings

@, xrefs: 00DEC2A5

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 113264931196c3d68dfa62f7f80f58ebeabb52294dcc6c82babaca5966a85ece
Instruction ID: b522d4d6578690a0f0d3ae5b5a2a5dda5ed9cab793b57a7ece426c33124ac7af
Opcode Fuzzy Hash: 113264931196c3d68dfa62f7f80f58ebeabb52294dcc6c82babaca5966a85ece
Instruction Fuzzy Hash: C1411C7290021CAEDB11EBA4CD81AEEB7B8FB09710F044095FA56B7181DA716E45CB75

Function 00E1A63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00E4DC00,00000000,?,?,?,?), ref: 00E1A6D8
GetWindowLongW.USER32 ref: 00E1A6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E1A705

Strings

SysTreeView32, xrefs: 00E1A6AA

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 55fbb2c31cac6be2a74d50d4e471ab7109963f1b28568720f271bd35b27c18cc
Instruction ID: bc60eb7b907a58767fda7f747b3ee57a0806fb11dc9bae9b304b81498ffc5609
Opcode Fuzzy Hash: 55fbb2c31cac6be2a74d50d4e471ab7109963f1b28568720f271bd35b27c18cc
Instruction Fuzzy Hash: E631B371141205AFDB118F34DC45BE67BA9EB45328F185725F875A32E0C730E9908B60

Function 00E05180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E05190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00E051C6

Strings

D, xrefs: 00E0522E
|, xrefs: 00E051B5

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |$D
API String ID: 1413715105-465884809
Opcode ID: a86579e35f047e9eac56397f1592943bae1d650bb7fc9fe8fb0046883b111b33
Instruction ID: 1bc3a85f5ca06bae68ee69870530d6850752cdcfcf6994e9857de12d8bfcfe6f
Opcode Fuzzy Hash: a86579e35f047e9eac56397f1592943bae1d650bb7fc9fe8fb0046883b111b33
Instruction Fuzzy Hash: A8311671811119EBCF01EFA4CC85AEEBFB9FF19714F100019E915A6166EA31AA46DBB0

Function 00E1A0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00E1A15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00E1A172
SendMessageW.USER32(?,00001002,00000000,?), ref: 00E1A196

Strings

SysMonthCal32, xrefs: 00E1A129

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 1f66e06e79aa3389bf8fa197b1da8fcabc96f9c8385d92267c83d2927fa720e9
Instruction ID: 3c72274c9b60c102bd8eb4d9ddbb4a63ed380fa94510672aa8f701458be446dc
Opcode Fuzzy Hash: 1f66e06e79aa3389bf8fa197b1da8fcabc96f9c8385d92267c83d2927fa720e9
Instruction Fuzzy Hash: FC21AD72600218BBDF118FA4CC42FEA3B79EF48724F151224FA55BB1D0D6B5A894CBA0

Function 00E1A88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00E1A941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00E1A94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E1A956

Strings

msctls_updown32, xrefs: 00E1A8BB

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 29dd848ab9da21260cf6e2f5514d9c942fecfc2490cc47fe2b998c2a37d04dc8
Instruction ID: ba76735357f6a6c921bd11ab79ea72205a98e0279815a0bf795c227069553559
Opcode Fuzzy Hash: 29dd848ab9da21260cf6e2f5514d9c942fecfc2490cc47fe2b998c2a37d04dc8
Instruction Fuzzy Hash: 082195B5600209AFDB10DF68DC92DB737ADEB5A358B050059F905A7351CB30EC91CB71

Function 00E199A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00E19A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00E19A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00E19A65

Strings

Listbox, xrefs: 00E199FD

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: fe3abe86c0135587ee5f0b3a38f228f9b2c6e005c3e2af91c56e669572d049a8
Instruction ID: 8bd2babfc6d851102eb0551bc00e461009da164d69c2484b0e1a92f19a891301
Opcode Fuzzy Hash: fe3abe86c0135587ee5f0b3a38f228f9b2c6e005c3e2af91c56e669572d049a8
Instruction Fuzzy Hash: E721F572600118BFDB118F54DC95FFB3BAAEF89754F019128F95467191C6719C9187A0

Function 00E1A409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00E1A46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00E1A482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00E1A48F

Strings

msctls_trackbar32, xrefs: 00E1A444

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: f7c202fa41f921362370063bf3f17a9b480a7a9ceb9a0e24ce31afec75657e2f
Instruction ID: fa09b5ee6ccb81e032d13382d5542f913821c78833081de1ecb1c85a560a89ff
Opcode Fuzzy Hash: f7c202fa41f921362370063bf3f17a9b480a7a9ceb9a0e24ce31afec75657e2f
Instruction Fuzzy Hash: 1A110A71240308BEEF205F65CC49FEB3B69EF89758F054128FA55B60D1D2B2E851CB20

Function 00DD2287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00DD2350,?), ref: 00DD22A1
GetProcAddress.KERNEL32(00000000), ref: 00DD22A8

Strings

combase.dll, xrefs: 00DD229C
RoInitialize, xrefs: 00DD2290

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 0ec0d6df9db50040df61819dade0fab46e1f51688cf1a3165ebcdce8eaad18a6
Instruction ID: 1ac7dcfd8b88bea0c130938603e40e65018e3fb922194e6dbde0e72a9c67e692
Opcode Fuzzy Hash: 0ec0d6df9db50040df61819dade0fab46e1f51688cf1a3165ebcdce8eaad18a6
Instruction Fuzzy Hash: D8E01270A99300EFDB609F72FD4EB263E69AB10B02F804020F106F61A0CBF44098DF18

Function 00DD235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00DD2276), ref: 00DD2376
GetProcAddress.KERNEL32(00000000), ref: 00DD237D

Strings

RoUninitialize, xrefs: 00DD2365
combase.dll, xrefs: 00DD2371

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: 6069532b9516f16deafba72e98eb80eba1130ec4fc052f446d68808cb8a6e5a6
Instruction ID: d8abfcfb118ec2841d8d1857c20a1896368d8c6131d5749d20bdcb6e3c134489
Opcode Fuzzy Hash: 6069532b9516f16deafba72e98eb80eba1130ec4fc052f446d68808cb8a6e5a6
Instruction Fuzzy Hash: D3E0B67054A304EFDB60AF62FD0DB153A65B710712F550424F10DF21B0CBF99499DA14

Function 00E2AC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00E2AC60
__swprintf.LIBCMT ref: 00E2AC94

Strings

%.3d, xrefs: 00E2AC6E
WIN_XPe, xrefs: 00E2ACD3

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 89ce0e0b6315e0d9f3fd9ce62510916a781117f8375dad9b7926709187d5dd6f
Instruction ID: 2ba7023fe17a90734caa957fabd8e62ecb738260b9222c86d60d4e845f0b9b85
Opcode Fuzzy Hash: 89ce0e0b6315e0d9f3fd9ce62510916a781117f8375dad9b7926709187d5dd6f
Instruction Fuzzy Hash: D9E012B180862CEFCB119750ED06DFAB37DEB04741F2814E2F906B2110D6359B94AB22

Function 00DB42F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00DB42EC,?,00DB42AA,?), ref: 00DB4304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00DB4316

Strings

kernel32.dll, xrefs: 00DB42FF
Wow64RevertWow64FsRedirection, xrefs: 00DB4310

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: dac01aadea600aa85b7ed8baa60a3de8f2254e0d877a81c91829fd23dacfa2ac
Instruction ID: fa72a8cad42542f09ec79a51fccf5a25a41c3a442961e3f0550629b737dcfff0
Opcode Fuzzy Hash: dac01aadea600aa85b7ed8baa60a3de8f2254e0d877a81c91829fd23dacfa2ac
Instruction Fuzzy Hash: 56D0A730485B12DFC7208F31FC0C6417BD4AB05301B08442EE542F2265D7B0CC848B60

Function 00E12205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E121FB,?,00E123EF), ref: 00E12213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00E12225

Strings

kernel32.dll, xrefs: 00E1220E
GetProcessId, xrefs: 00E1221F

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: 11d39030fc33bd0a13516d452fb2cb0fdd23a91eb8f8231b607d502b6871243e
Instruction ID: 0a33fe790f115935ba15bae41ba20bc0d14d665e7611468b3c981c64381b3049
Opcode Fuzzy Hash: 11d39030fc33bd0a13516d452fb2cb0fdd23a91eb8f8231b607d502b6871243e
Instruction Fuzzy Hash: 44D0A7744457169FC7214F31FC0C6457BD5EB04308B00642EE942F2160D770D8D4C650

Function 00DB434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00DB41BB,00DB4341,?,00DB422F,?,00DB41BB,?,?,?,?,00DB39FE,?,00000001), ref: 00DB4359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00DB436B

Strings

Wow64DisableWow64FsRedirection, xrefs: 00DB4365
kernel32.dll, xrefs: 00DB4354

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: a8517115cdda80850682c0895a638d8d79c7c2d6bac5aa193bfca6e551102b38
Instruction ID: a36af50ffe4614b8b0ed145a621ef3595d8b0711f2302eddf620445ea18f3120
Opcode Fuzzy Hash: a8517115cdda80850682c0895a638d8d79c7c2d6bac5aa193bfca6e551102b38
Instruction Fuzzy Hash: FDD0A730485722DFC7208F31FC0CA417BD4AB10715B08842EE482F2250D7B0D8848B60

Function 00DF0564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00DF052F,?,00DF06D7), ref: 00DF0572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00DF0584

Strings

oleaut32.dll, xrefs: 00DF056D
UnRegisterTypeLibForUser, xrefs: 00DF057E

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 34ec40837b74f85df6521d376ee58a16a4830ad114ccf3e3a11bcf7c11280886
Instruction ID: 9d2b360c2989ffa95456f16741a108a7c122debd29ec3315eed3b631919fb3a4
Opcode Fuzzy Hash: 34ec40837b74f85df6521d376ee58a16a4830ad114ccf3e3a11bcf7c11280886
Instruction Fuzzy Hash: 7ED05E305447169FC7205F21BC08A127FE4AB04301B55C41DEA41F2250D6B0C4888A60

Function 00DF0539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,00DF051D,?,00DF05FE), ref: 00DF0547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00DF0559

Strings

RegisterTypeLibForUser, xrefs: 00DF0553
oleaut32.dll, xrefs: 00DF0542

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: 622153084f94d8829dda0a19329a25e0ef2d22460806e2707198b9882d640b12
Instruction ID: d0cd074a7445e3050468fbb0f6f6a78775442053d749d6a4ece4408597cd7345
Opcode Fuzzy Hash: 622153084f94d8829dda0a19329a25e0ef2d22460806e2707198b9882d640b12
Instruction Fuzzy Hash: C0D0A730544B169FC7208F21FC0C6117EE4AB00341B15C41DE546F3251D6F0C8848A60

Function 00E0ECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E0ECBE,?,00E0EBBB), ref: 00E0ECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00E0ECE8

Strings

GetSystemWow64DirectoryW, xrefs: 00E0ECE2
kernel32.dll, xrefs: 00E0ECD1

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 03666df40c6ed796db06ae8f68aaaad462cab1dd221652010b01287a53987775
Instruction ID: ff352219cdca6899de0b448d43586873f6c553a28a235b4edfb3a6365206bc9c
Opcode Fuzzy Hash: 03666df40c6ed796db06ae8f68aaaad462cab1dd221652010b01287a53987775
Instruction Fuzzy Hash: CFD05E704467239FDB245B61BC88702BBE4AB00344B04982AF855F2290DA70C8848650

Function 00E0BADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00E0BAD3,00000001,00E0B6EE,?,00E4DC00), ref: 00E0BAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00E0BAFD

Strings

kernel32.dll, xrefs: 00E0BAE6
GetModuleHandleExW, xrefs: 00E0BAF7

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 2b101326824ec655319631a3584928f24ae0ba6c9fd6df36baee3cd0f74eb38b
Instruction ID: 66eeb76fb5fd3bb53e86ffeb570619a1080fceebb8b40a9582534ba900c7dfa9
Opcode Fuzzy Hash: 2b101326824ec655319631a3584928f24ae0ba6c9fd6df36baee3cd0f74eb38b
Instruction Fuzzy Hash: 36D05E70C557129FC7305F61BC48A117BD4AB00344B00542AA843F2190D770C894CA50

Function 00E13BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00E13BD1,?,00E13E06), ref: 00E13BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E13BFB

Strings

RegDeleteKeyExW, xrefs: 00E13BF5
advapi32.dll, xrefs: 00E13BE4

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 9baf5cf00c887dfce418d6f7f31923878cd687be4230cb332548bc6be319e7ad
Instruction ID: 40d9ee6cef39955543f54857c862053997f16304890eec0aade72c06bd24f07b
Opcode Fuzzy Hash: 9baf5cf00c887dfce418d6f7f31923878cd687be4230cb332548bc6be319e7ad
Instruction Fuzzy Hash: E5D0A7B44447169FC7205F71FC0C64BFEF4AB01318B105429E446F2190D6B0C4C48EA0

Function 00DE9B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6172ed31aa9a91cf50ba1debc7a0fbad5f6e4e9700b85ba55e610d42f02c77d5
Instruction ID: daf31853453b59bbe992f7d1b50a61ee79b6d66573840483b8f99d21c4452e7b
Opcode Fuzzy Hash: 6172ed31aa9a91cf50ba1debc7a0fbad5f6e4e9700b85ba55e610d42f02c77d5
Instruction Fuzzy Hash: B8C17D75A0125AEFCB14EFA5C8A4AAEF7B5FF48700F244598E905EB251D730DE41CBA0

Function 00E0AA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00E0AAB4
CoUninitialize.OLE32 ref: 00E0AABF

Part of subcall function 00DF0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00DF027B

VariantInit.OLEAUT32(?), ref: 00E0AACA
VariantClear.OLEAUT32(?), ref: 00E0AD9D

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 508627efc1273ad1a2fc4d2d4ae74188f408be589a3524347dde36cfb81af604
Instruction ID: 0d0fddc58d3a9dfa6a349bb963f43359d5a7d5618563bed56a353a80db1742f2
Opcode Fuzzy Hash: 508627efc1273ad1a2fc4d2d4ae74188f408be589a3524347dde36cfb81af604
Instruction Fuzzy Hash: 78A135352047059FDB10DF14C891B6AB7E5FF89314F188459FA96AB3A2CB30ED44CBA6

Function 00DE91CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00DE91DD
SysAllocString.OLEAUT32(?), ref: 00DE9286
VariantCopy.OLEAUT32 ref: 00DE92B5
VariantClear.OLEAUT32(?), ref: 00DE92DC

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: b117e69a101d1b1309f475343c64784d259eb571f641e9866f87afb51083c983
Instruction ID: 96f2a10b5014ce608a9b1e9e0e5fb778cc6a3eb4cbf5b0a2d02e65850036113b
Opcode Fuzzy Hash: b117e69a101d1b1309f475343c64784d259eb571f641e9866f87afb51083c983
Instruction Fuzzy Hash: B551B030605386ABDB24BF6BD8A1A6EF3A5EF45310F24881FE596CB2D1DB70D8408735

Function 00DD365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DD36B7
_memcpy_s.LIBCMT ref: 00DD3729
__filbuf.LIBCMT ref: 00DD37AA
_memset.LIBCMT ref: 00DD37EE

Part of subcall function 00DD7C0E: __getptd_noexit.LIBCMT ref: 00DD7C0E

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction ID: 71867716eecdd00d6656fdd8a649d87127e16ce1ec7584547fc0c3aa2bd34841
Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction Fuzzy Hash: 7751A5B0A00705ABDB249FA9888566E77A1EF40320F28872BF865963D0D771DF50DB72

Function 00E1C4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(01657CF8,?), ref: 00E1C544
ScreenToClient.USER32(?,00000002), ref: 00E1C574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00E1C5DA

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: d6183f9534994bfdb9dff3914d87a4ec1ad5b811148c64f6c516ac421ae4728b
Instruction ID: 94239dd60df3473b5a797f913d26ac10f87ba733c7ae8103899ec47187c23d01
Opcode Fuzzy Hash: d6183f9534994bfdb9dff3914d87a4ec1ad5b811148c64f6c516ac421ae4728b
Instruction Fuzzy Hash: 93515075900204EFCF10DF69D881AEE7BB6EB55724F209259F969E7290D730ED81CB90

Function 00DEC410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00DEC462
__itow.LIBCMT ref: 00DEC49C

Part of subcall function 00DEC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00DEC753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00DEC505
__itow.LIBCMT ref: 00DEC55A

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: e3e180f191d4ff5f566f999f8d482730d86099960aca6ef40874109696e14e80
Instruction ID: ef75f198eb5b393bada3a260a75229c977041ecf6afa3d8d4bdf9de1106ea138
Opcode Fuzzy Hash: e3e180f191d4ff5f566f999f8d482730d86099960aca6ef40874109696e14e80
Instruction Fuzzy Hash: 2441D771600748AFDF11EF59D851FEE7BB5EF44740F041059F906A3281DB74AA468BB1

Function 00DF390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00DF3966
SetKeyboardState.USER32(00000080,?,00000001), ref: 00DF3982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00DF39EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00DF3A4D

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 24a361357bc59e1d3edf7492bff7acc2a5c125cc27f6a197c596677db19ed83b
Instruction ID: 11908c001b503696e2d7a5c8014d6310a7e08ee3200203821ef8240dbaedb81d
Opcode Fuzzy Hash: 24a361357bc59e1d3edf7492bff7acc2a5c125cc27f6a197c596677db19ed83b
Instruction Fuzzy Hash: A541F770A0424CAEEF208B6588097FDBBB99B55310F1A815AF6C1662C1C7F4CE85DB75

Function 00DFE698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00DFE742
GetLastError.KERNEL32(?,00000000), ref: 00DFE768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00DFE78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00DFE7B9

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 72c12f61a2b215e0fea030ad68a6453d41c48d9de181ab5f40893a260720c973
Instruction ID: 3240a92f0b7cdba0311ca23ea31dcb3e137a3a9fb15644049905a046a69dc98f
Opcode Fuzzy Hash: 72c12f61a2b215e0fea030ad68a6453d41c48d9de181ab5f40893a260720c973
Instruction Fuzzy Hash: 04413739204654DFCB11EF15C544A9DBBE6FF59710B19C498EA46AB3A2CB30FC04CBA1

Function 00E1B544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E1B5D1

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: d64bc42f57833d9ef9b8a100536f63e06ecbbec48b69eb48de104e747c474cee
Instruction ID: 64e52f46022fe0e4ea19b628d32ea1cb2c8e96420e9fc6cfe2ee1ca16ddba962
Opcode Fuzzy Hash: d64bc42f57833d9ef9b8a100536f63e06ecbbec48b69eb48de104e747c474cee
Instruction Fuzzy Hash: 5931E074601208BFEF209F19CC89FE93B6AEB15354F646105FA62F62E1C730A9C08B61

Function 00E1D7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00E1D807
GetWindowRect.USER32(?,?), ref: 00E1D87D
PtInRect.USER32(?,?,00E1ED5A), ref: 00E1D88D
MessageBeep.USER32(00000000), ref: 00E1D8FE

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f92dc1200f2d301687bab9fcde8471196878b7550bea498a650542a5192fa23e
Instruction ID: b3bc65454dd35362e279687ece9eadb89a8a1eed4e5dac84f40378b36ff3714e
Opcode Fuzzy Hash: f92dc1200f2d301687bab9fcde8471196878b7550bea498a650542a5192fa23e
Instruction Fuzzy Hash: 6D418A70A08218EFCB19DF99DC84BE97BF5FB48315F1891A9E418AB260D330E985CB40

Function 00DF3A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00DF3AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00DF3AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00DF3B34
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00DF3B92

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b8c5fe52eda44a579aa83932333bd3fa6c480d39f1c2ebd639e15385b60af770
Instruction ID: 4c10d7f451ea260efd92371c0c5f3ae8b98cbc00d3db0245670a6fb5ed3bf0cf
Opcode Fuzzy Hash: b8c5fe52eda44a579aa83932333bd3fa6c480d39f1c2ebd639e15385b60af770
Instruction Fuzzy Hash: CE312430A0025CAEEF258B64CC29BFE7BA99B55310F0B815AE6C1A72D1C7748B85C771

Function 00DE4004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00DE4038
__isleadbyte_l.LIBCMT ref: 00DE4066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00DE4094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00DE40CA

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 3349aa5377e37b28e80b688d9dfd4030efbcedc35741e24ba310978dcfbba17b
Instruction ID: 23f345efea3e51ded071c763fb1eb5a487021c198344f8690fb4beae599ab170
Opcode Fuzzy Hash: 3349aa5377e37b28e80b688d9dfd4030efbcedc35741e24ba310978dcfbba17b
Instruction Fuzzy Hash: 0131B231604286EFDF21AF76C844B6A7BB5FF40361F194439E66587191E731D890D7B0

Function 00E17CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00E17CB9

Part of subcall function 00DF5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DF5F6F
Part of subcall function 00DF5F55: GetCurrentThreadId.KERNEL32 ref: 00DF5F76
Part of subcall function 00DF5F55: AttachThreadInput.USER32(00000000,?,00DF781F), ref: 00DF5F7D

GetCaretPos.USER32(?), ref: 00E17CCA
ClientToScreen.USER32(00000000,?), ref: 00E17D03
GetForegroundWindow.USER32 ref: 00E17D09

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: b39621da84919a3867750079f9c747b1c1abc1392605370c0462fb292fbd964d
Instruction ID: 4db884e50ab4ffb7f9200ebc8be26098651b83311a24af9f4e7e3978a44bf77f
Opcode Fuzzy Hash: b39621da84919a3867750079f9c747b1c1abc1392605370c0462fb292fbd964d
Instruction Fuzzy Hash: C4312D71900108AFCB00EFA5DC459FFBBF9EF58314B10846AE915E3211DA309E458BB0

Function 00E1F1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DCB35F

GetCursorPos.USER32(?), ref: 00E1F211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00E2E4C0,?,?,?,?,?), ref: 00E1F226
GetCursorPos.USER32(?), ref: 00E1F270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00E2E4C0,?,?,?), ref: 00E1F2A6

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 0b17852ab898546e28f23c7d10c96327e9b2f6dc4c979f7163d0e76f5dd77727
Instruction ID: e81a9dd440739c5aa903f87d4c0b4524685e56e7a1628ecbc42c6eb2394fed2a
Opcode Fuzzy Hash: 0b17852ab898546e28f23c7d10c96327e9b2f6dc4c979f7163d0e76f5dd77727
Instruction Fuzzy Hash: 61219139500128EFCB158F95DC59EEA7FB5FF0A714F048469F90A671B1D3309990DBA0

Function 00E0431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E04358

Part of subcall function 00E043E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E04401
Part of subcall function 00E043E2: InternetCloseHandle.WININET(00000000), ref: 00E0449E

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 2925a22ccde6c2c748489957274edf7955700b1f971b06528bc8dc493777427f
Instruction ID: 5ccf1cd1c0bb6e4806c35589155f86075782bfebb20ff5049275c05e68923f54
Opcode Fuzzy Hash: 2925a22ccde6c2c748489957274edf7955700b1f971b06528bc8dc493777427f
Instruction Fuzzy Hash: 1421F2F1200605BFDB119F609D01FBBBBE9FF44704F00601ABB45A65D0D77598A09B90

Function 00E08A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00E08AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00E08AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 00E08AFF
WSAGetLastError.WSOCK32(00000000), ref: 00E08B16

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: b7e0b8da0365238275c43ebeb7774122ed3724fcbbe06af602e140a1a9eea5a0
Instruction ID: 195fb633940233c1b845d37549a5835a3d07c956cb2256db884a769895901061
Opcode Fuzzy Hash: b7e0b8da0365238275c43ebeb7774122ed3724fcbbe06af602e140a1a9eea5a0
Instruction Fuzzy Hash: 8B21A871A001289FC7219F69DD85ADEBBFCEF49310F00416AF849E7290DB74DA458FA0

Function 00E18A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00E18AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00E18AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00E18ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00E18ADC

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 7ed1386b7022dea4fdbbc323deba5e6a9bb9551ce8654f26f3805230a906a5e4
Instruction ID: 11f2b8c27c7ad8fd341681f39ccb874d66905075feaa261b6cbce37183156755
Opcode Fuzzy Hash: 7ed1386b7022dea4fdbbc323deba5e6a9bb9551ce8654f26f3805230a906a5e4
Instruction Fuzzy Hash: 8311D031205115AFD744AB28DD09FFE7BADEF85321F18411AF926E72E1CB70AC4087A4

Function 00DF0AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00DF0ABB,?,?,?,00DF187A,00000000,000000EF,00000119,?,?), ref: 00DF1E77
Part of subcall function 00DF1E68: lstrcpyW.KERNEL32(00000000,?,?,00DF0ABB,?,?,?,00DF187A,00000000,000000EF,00000119,?,?,00000000), ref: 00DF1E9D
Part of subcall function 00DF1E68: lstrcmpiW.KERNEL32(00000000,?,00DF0ABB,?,?,?,00DF187A,00000000,000000EF,00000119,?,?), ref: 00DF1ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00DF187A,00000000,000000EF,00000119,?,?,00000000), ref: 00DF0AD4
lstrcpyW.KERNEL32(00000000,?,?,00DF187A,00000000,000000EF,00000119,?,?,00000000), ref: 00DF0AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,00DF187A,00000000,000000EF,00000119,?,?,00000000), ref: 00DF0B2E

Strings

cdecl, xrefs: 00DF0B25

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: e9251f12b94fbd3ddca4300f1f238716492419a02d0c706b5faaeddbeb9d6b7c
Instruction ID: c6f625bb224480c8dd80153dbf7ac5b4783fb0c3e6a482c293f10972a80f967f
Opcode Fuzzy Hash: e9251f12b94fbd3ddca4300f1f238716492419a02d0c706b5faaeddbeb9d6b7c
Instruction Fuzzy Hash: 0C11B436200309AFDB259F34DC05D7A7BA9FF45350B81802AF905CB251EB719850C7B0

Function 00DE2F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00DE2FB5

Part of subcall function 00DD395C: __FF_MSGBANNER.LIBCMT ref: 00DD3973
Part of subcall function 00DD395C: __NMSG_WRITE.LIBCMT ref: 00DD397A
Part of subcall function 00DD395C: RtlAllocateHeap.NTDLL(01630000,00000000,00000001,00000001,00000000,?,?,00DCF507,?,0000000E), ref: 00DD399F

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 887ded58efc99ace81cc36b1be0f85fadabe2e9aaf1fad2d7bbd30e5c97e6ac3
Instruction ID: 132b7d2d53cf6fdbc839c78ff282efe280abc07b4ac5fc25302a340ba5e623d2
Opcode Fuzzy Hash: 887ded58efc99ace81cc36b1be0f85fadabe2e9aaf1fad2d7bbd30e5c97e6ac3
Instruction Fuzzy Hash: 3111EC31549255EFDB313F77AC4967A3BA8EF44360F244926F949D7251DB30CD409AB0

Function 00DF058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00DF05AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00DF05C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00DF05DD
FreeLibrary.KERNEL32(?), ref: 00DF0632

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: f87a4b52487fdbdf318063cc2a4c293f7a1caf2dbb1d12c99ac5abba0f73f699
Instruction ID: 666555a6aa4e44d2f83d0f9991716c7be4e77141a408598be52951c44203f30a
Opcode Fuzzy Hash: f87a4b52487fdbdf318063cc2a4c293f7a1caf2dbb1d12c99ac5abba0f73f699
Instruction Fuzzy Hash: 02215E7190020DAFDB209F91EC88AEABFB8EF40700F11C469A656D3151D7B0EA599B60

Function 00DF6713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00DF6733
_memset.LIBCMT ref: 00DF6754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00DF67A6
CloseHandle.KERNEL32(00000000), ref: 00DF67AF

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 9041fc290224e49acb6a7ec818bbb0f126ddb2789e176151941fcf98f1fe47aa
Instruction ID: 350bc8a3ca76a7bd59c1ade689c806614fc56163612a529364a0256b845fd560
Opcode Fuzzy Hash: 9041fc290224e49acb6a7ec818bbb0f126ddb2789e176151941fcf98f1fe47aa
Instruction Fuzzy Hash: A0110A7190122CBAE72067A5AC4DFABBABCEF44724F10419AF504E71D0D2708F848B74

Function 00DEB1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DEAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00DEAA79
Part of subcall function 00DEAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00DEAA83
Part of subcall function 00DEAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00DEAA92
Part of subcall function 00DEAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00DEAA99
Part of subcall function 00DEAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00DEAAAF

GetLengthSid.ADVAPI32(?,00000000,00DEADE4,?,?), ref: 00DEB21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00DEB227
HeapAlloc.KERNEL32(00000000), ref: 00DEB22E
CopySid.ADVAPI32(?,00000000,?), ref: 00DEB247

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: 325bf99f89018b41792002592905afdc97393ab0eb83e6e93dc7e4e23bbe1ddc
Instruction ID: 6b616ad1a31ad367b7b9783dc655882fd3231692b549943e86716cc8671fec00
Opcode Fuzzy Hash: 325bf99f89018b41792002592905afdc97393ab0eb83e6e93dc7e4e23bbe1ddc
Instruction Fuzzy Hash: D5119871901205EFDB04AF5ADD45AAF77B9EF85318F14802EEA42D7211D731AE44DB30

Function 00DEB478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00DEB498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DEB4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DEB4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DEB4DB

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a2e95a080e7c5ccb91adacbc0a3aa1b80efa1c770a45dde67463e4cfafec3bef
Instruction ID: e8d3e45daef15511c4ddb95fbf2557d7992b10862b9a722626c96720d359dc76
Opcode Fuzzy Hash: a2e95a080e7c5ccb91adacbc0a3aa1b80efa1c770a45dde67463e4cfafec3bef
Instruction Fuzzy Hash: 78115E7A900218FFDB11DF99CC85E9EBBB4FB08714F204091E604B7290D771AE10DBA4

Function 00DCB55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00DCB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DCB35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00DCB5A5
GetClientRect.USER32(?,?), ref: 00E2E69A
GetCursorPos.USER32(?), ref: 00E2E6A4
ScreenToClient.USER32(?,?), ref: 00E2E6AF

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 03ca819d608a5dba2c0c5c668d44b71aface922a6a544ffb82d51ce49c51f4ab
Instruction ID: e6eea4b0411f89cf0cb6355aa04e12b581b88a37a1ad644d06180a8be1445f42
Opcode Fuzzy Hash: 03ca819d608a5dba2c0c5c668d44b71aface922a6a544ffb82d51ce49c51f4ab
Instruction Fuzzy Hash: 1E11F53190012ABFCB10DFA9EC4ADEE7BB9EB09315F100456E951E7240D734EA96CBB1

Function 00DF732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00DF7352
MessageBoxW.USER32(?,?,?,?), ref: 00DF7385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00DF739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00DF73A2

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 74f08fb29f52c855c3b3ac1f86b90315de09f8b791a745c99647c67122829c3f
Instruction ID: d8acdb9e3d05770154e80b39bab0a0ec061fb70e95a29d57791396a80e45c01b
Opcode Fuzzy Hash: 74f08fb29f52c855c3b3ac1f86b90315de09f8b791a745c99647c67122829c3f
Instruction Fuzzy Hash: 7311E576A08249BFC701DB6DAC09AEE7FED9B45310F148355F925E3261D7708D0897B0

Function 00DCD17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DCD1BA
GetStockObject.GDI32(00000011), ref: 00DCD1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 00DCD1D8

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: e1c1d2f538f3e19f352d92d482aaa7803820f69a08473b00d0839602907955d8
Instruction ID: 807595d434893ef9e4159ec9dc0d55144ef15306ff8020d6c9cf242077a9e399
Opcode Fuzzy Hash: e1c1d2f538f3e19f352d92d482aaa7803820f69a08473b00d0839602907955d8
Instruction Fuzzy Hash: BA11A17250160EBFEB024F909C59EEA7F6AFF09364F080126FA1562150C731DC60DBA0

Function 00DE4DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00DE4E16

Part of subcall function 00DE54F5: __fltout2.LIBCMT ref: 00DE551E

__cftog_l.LIBCMT ref: 00DE4E3C
__cftoe_l.LIBCMT ref: 00DE4E6E

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 4ceed5a601f1fef1a259a163a2672a941122f345894a2f4ccefc91346754cbe3
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 87014C3600018EBBCF126E85DC068EE3F23FB18794B588455FE2859035D336CAB1ABA1

Function 00DD7452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DD7A0D: __getptd_noexit.LIBCMT ref: 00DD7A0E

__lock.LIBCMT ref: 00DD748F
InterlockedDecrement.KERNEL32(?), ref: 00DD74AC
_free.LIBCMT ref: 00DD74BF
InterlockedIncrement.KERNEL32(01641CB0), ref: 00DD74D7

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 3fc6a0082fdee5e1fba3560e8a30afd80c3072cf6ffb9673e8f1a6af704944b0
Instruction ID: 4d8098b0565b3df39f2b5e2068e375deaad0fe6fed8b75c73da3d1bf35404227
Opcode Fuzzy Hash: 3fc6a0082fdee5e1fba3560e8a30afd80c3072cf6ffb9673e8f1a6af704944b0
Instruction Fuzzy Hash: 4401C431D49621ABC723AF65A80A75EBB60FF04B10F194097F81473780E7205900CFF2

Function 00E1EA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00DCAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00DCAFE3
Part of subcall function 00DCAF83: SelectObject.GDI32(?,00000000), ref: 00DCAFF2
Part of subcall function 00DCAF83: BeginPath.GDI32(?), ref: 00DCB009
Part of subcall function 00DCAF83: SelectObject.GDI32(?,00000000), ref: 00DCB033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00E1EA8E
LineTo.GDI32(00000000,?,?), ref: 00E1EA9B
EndPath.GDI32(00000000), ref: 00E1EAAB
StrokePath.GDI32(00000000), ref: 00E1EAB9

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: c6f7f27d87f1a9898d4fe90f2401d3ffa1e3e8e5caea26cd99cb7233358fd8f1
Instruction ID: 9068c717b8372f62870ea8754fed44848bea4f11e09c82ec025f6de7fe2eb5a2
Opcode Fuzzy Hash: c6f7f27d87f1a9898d4fe90f2401d3ffa1e3e8e5caea26cd99cb7233358fd8f1
Instruction Fuzzy Hash: 70F0BE31049259BFDB129FA9AC0EFCA3F2AAF06710F044201FE01710E183B45599CBA5

Function 00DEC82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00DEC84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00DEC85D
GetCurrentThreadId.KERNEL32 ref: 00DEC864
AttachThreadInput.USER32(00000000), ref: 00DEC86B

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: d6f758bdb34dc077662ded6425982e6297c4a2aeca3e778660ff722139e4839b
Instruction ID: ced9df3a14b05be4af7277bffbea79937ee6a4deb8515f5daeb14dafea73288c
Opcode Fuzzy Hash: d6f758bdb34dc077662ded6425982e6297c4a2aeca3e778660ff722139e4839b
Instruction Fuzzy Hash: 28E03971146268BADB212BA3AC4EEDB7F2CEF067A1F008021B609A4460C6B1C585DBF0

Function 00DEB0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00DEB0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,00DEAC9D), ref: 00DEB0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00DEAC9D), ref: 00DEB0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,00DEAC9D), ref: 00DEB0F1

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 4e539711e20ecae707ebfc47e9ad31246789f6024af7885f6a6fff4832790c9c
Instruction ID: 6fb6348021253ff8d60ba37c5d359dc17d967405671086cac0f0ada84767834c
Opcode Fuzzy Hash: 4e539711e20ecae707ebfc47e9ad31246789f6024af7885f6a6fff4832790c9c
Instruction Fuzzy Hash: 08E04F326052159FD7202FB36D0CB473FA9EF55BA1F018818B241E6040DA2494058B60

Function 00DCB47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00DCB496
SetTextColor.GDI32(?,000000FF), ref: 00DCB4A0
SetBkMode.GDI32(?,00000001), ref: 00DCB4B5
GetStockObject.GDI32(00000005), ref: 00DCB4BD
GetWindowDC.USER32(?,00000000), ref: 00E2DE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 00E2DE38
GetPixel.GDI32(00000000,?,00000000), ref: 00E2DE51
GetPixel.GDI32(00000000,00000000,?), ref: 00E2DE6A
GetPixel.GDI32(00000000,?,?), ref: 00E2DE8A
ReleaseDC.USER32(?,00000000), ref: 00E2DE95

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 3dd74d10e267635ad828e2de120a97dedf160eb73aa5b01384dddb9a291d0e88
Instruction ID: 13da1fe2b12ed07b2ef76a43ca4bc59376cb86fd1d61ef3bd71ba5477cf8f76c
Opcode Fuzzy Hash: 3dd74d10e267635ad828e2de120a97dedf160eb73aa5b01384dddb9a291d0e88
Instruction Fuzzy Hash: 95E0ED31508248AFDB215B65BC0DBD87F21AB51339F14C766F769680E1C7718985DB11

Function 00DEB2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DEB2DF
UnloadUserProfile.USERENV(?,?), ref: 00DEB2EB
CloseHandle.KERNEL32(?), ref: 00DEB2F4
CloseHandle.KERNEL32(?), ref: 00DEB2FC

Part of subcall function 00DEAB24: GetProcessHeap.KERNEL32(00000000,?,00DEA848), ref: 00DEAB2B
Part of subcall function 00DEAB24: HeapFree.KERNEL32(00000000), ref: 00DEAB32

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 90efdec99881bebbbba694b2fd58038c85b7197aad9c8d3099d07f128f95d2ac
Instruction ID: 7603ca0a782c6b65c550faed9464de2ecc24e8842a42a165d5f82b5b98be77f3
Opcode Fuzzy Hash: 90efdec99881bebbbba694b2fd58038c85b7197aad9c8d3099d07f128f95d2ac
Instruction Fuzzy Hash: 37E02F36108409FFDB016B96EC0C859FF76FF993213108621F62591575CB32A875EB91

Function 00E2B29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00E2B29A
GetDC.USER32(00000000), ref: 00E2B2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E2B2C3
ReleaseDC.USER32 ref: 00E2B2E2

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 094588bcc62196e080bdda216b715ba222513e2a3cd2536b1b0de40a4b2f576c
Instruction ID: 0bcb61dd2a1f857c216a80650a22289a384cccfa1bc6c1f08c664dc820af007f
Opcode Fuzzy Hash: 094588bcc62196e080bdda216b715ba222513e2a3cd2536b1b0de40a4b2f576c
Instruction Fuzzy Hash: 85E01AB1104208EFDB015F71AC4DA6D7FA5EB4C350F118819F86AA7210CA7598458F50

Function 00E2B2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00E2B2AE
GetDC.USER32(00000000), ref: 00E2B2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E2B2C3
ReleaseDC.USER32 ref: 00E2B2E2

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 329b750fee55e2d379220e0ed4369f067cc8bd807baf565df3a15687b0b0813e
Instruction ID: 8f02a9b30023a1406c2606880b8a8691998ea87f1fc40e19e29e408382572413
Opcode Fuzzy Hash: 329b750fee55e2d379220e0ed4369f067cc8bd807baf565df3a15687b0b0813e
Instruction Fuzzy Hash: 7FE046B1508208EFDB015F72EC4DA2D7FA9EB4C350F118819F96EAB210CF7998058F20

Function 00DEDCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00DEDEAA

Strings

Container, xrefs: 00DEDE29
AutoIt3GUI, xrefs: 00DEDE22

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: bc03ed33d63eca445a9c77149f928f3197411954df71aacdcb7b01a3a6fdacab
Instruction ID: 11f285dcd4eb3e98b78b4cca0455d8237f64eb3320a12d19f6f3c64102341838
Opcode Fuzzy Hash: bc03ed33d63eca445a9c77149f928f3197411954df71aacdcb7b01a3a6fdacab
Instruction Fuzzy Hash: 46912670600741AFDB14DF65C888B6ABBBAFF49710F24856DF94ADB291DB70E841CB60

Function 00DFDE7C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 200shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCC6F4: _wcscpy.LIBCMT ref: 00DCC717

Part of subcall function 00DB936C: __swprintf.LIBCMT ref: 00DB93AB
Part of subcall function 00DB936C: __itow.LIBCMT ref: 00DB93DF

__wcsnicmp.LIBCMT ref: 00DFDEFD
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00DFDFC6

Strings

LPT, xrefs: 00DFDEF7

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: f1f7842a500bc364c56d41faeed3e2d5e1b6acea3dbf319c90a72679152b3b26
Instruction ID: 59fad2004cd3b0998c1ab8d25ac6f168ebbd9a598b289b5435252b90607cd91e
Opcode Fuzzy Hash: f1f7842a500bc364c56d41faeed3e2d5e1b6acea3dbf319c90a72679152b3b26
Instruction Fuzzy Hash: 1E616175A04219AFCB14DF98C995EBEB7F5EF08310F058059F646AB291DB70AE40CB70

Function 00DF290D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00DF2A72

Strings

I/, xrefs: 00DF297F, 00DF29E0, 00DF29EA, 00DF2A23, 00DF2A4F, 00DF2A71
I/, xrefs: 00DF29FC, 00DF2A64, 00DF2A12

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: _wcscpy
String ID: I/$I/
API String ID: 3048848545-2526233121
Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction ID: ef215af49d19e828866234530b3a26e55cd0a890c560e6c750caf222b91480f9
Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction Fuzzy Hash: 3241F83190021EAACF25DF98D441AFDB7B0EF48314F59D05BEA81A7191DB709E82CBB0

Function 00DCBCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00DCBCDA
GlobalMemoryStatusEx.KERNEL32 ref: 00DCBCF3

Strings

@, xrefs: 00DCBCE8

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 4bac44456636d85beb01e15ae50a45000651c1b0a7c42d410b60837f4b19b451
Instruction ID: a5c37832cc7ca51debf1f8d935a68500b42a8c74acbc556fc320057a4d548e63
Opcode Fuzzy Hash: 4bac44456636d85beb01e15ae50a45000651c1b0a7c42d410b60837f4b19b451
Instruction Fuzzy Hash: EC5126714087459BE320AF54EC86FAFBBE8FB94354F41484EF1C8520A6DF7185AC8B66

Function 00DFC56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00DB44ED: __fread_nolock.LIBCMT ref: 00DB450B

_wcscmp.LIBCMT ref: 00DFC65D
_wcscmp.LIBCMT ref: 00DFC670

Strings

FILE, xrefs: 00DFC5A5

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: d995c11e418ff84c970bb7be1c07aaf355a26e3ab77058a62131e7e1faeb1772
Instruction ID: 131ce42fb31b2a236d79391eedee4bf2fefc99da7f5a6a71eecea920900ec48d
Opcode Fuzzy Hash: d995c11e418ff84c970bb7be1c07aaf355a26e3ab77058a62131e7e1faeb1772
Instruction Fuzzy Hash: 6D41E372A0420EBADF20EAA4DC41FEF77B9EF49714F01406AF605EB191D6B19A14CB71

Function 00E1A76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00E1A85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E1A86F

Strings

', xrefs: 00E1A7C3

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: c7074d42d235f0b3ea41ec51cd26bda0f4d03f3671df0ceb00a8f9f9041e44c9
Instruction ID: bd3f5caa8c4de9381ee77772ea80d998d673a6566be55821417688b70033ed27
Opcode Fuzzy Hash: c7074d42d235f0b3ea41ec51cd26bda0f4d03f3671df0ceb00a8f9f9041e44c9
Instruction Fuzzy Hash: 5541E975E013099FDB14CFA9D885BEA7BB5FB08704F14106AE905AB381D770A985CFA1

Function 00E1975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00E1980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00E1984A

Strings

static, xrefs: 00E197AA

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 69e424248a3843c182765fcff435cc32efc8aaa15e3f1869244326a643b453e9
Instruction ID: f90cfdff7d78b42bf72c04743caa196bce1082e15adb37ada9503a92c2903288
Opcode Fuzzy Hash: 69e424248a3843c182765fcff435cc32efc8aaa15e3f1869244326a643b453e9
Instruction Fuzzy Hash: E7319C71110204AEEB149F78CC91BFB77A9FF99764F009619F8A9E7191CB30AC81CB60

Function 00DF5157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DF51C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00DF5201

Strings

0, xrefs: 00DF51BF

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: f115aabf5579c542e01f76ea9aee2179a62e3aa8258653b690370fc11ece45ed
Instruction ID: d0dcc3bbaf31bcc46390ba7f5c6ce219f8916efe4a5430d0b29f804ac560ca9b
Opcode Fuzzy Hash: f115aabf5579c542e01f76ea9aee2179a62e3aa8258653b690370fc11ece45ed
Instruction Fuzzy Hash: 0731F53160030C9BEB24CF99E845BBEBBF4EF46354F198119EB86A61A4D7709A44CB34

Function 00E0658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00E06608

Strings

, $, xrefs: 00E06648
AUTOITCALLVARIABLE%d, xrefs: 00E065FA

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 1dbb883f410d1280c711bc48271da4f0f973dff1c162c48ccf0b853361423ecf
Instruction ID: 0d1b880bcc9795eefa6487fd539f638dd37fde98e8748318bf2dbe2bd27c3185
Opcode Fuzzy Hash: 1dbb883f410d1280c711bc48271da4f0f973dff1c162c48ccf0b853361423ecf
Instruction Fuzzy Hash: 16217A71600218AFCF10EFA4E892BEE77B4EF45740F001499F406BB191DA71EA558BB1

Function 00E193CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E1945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E19467

Strings

Combobox, xrefs: 00E19429

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: cbec2d8cdb0e56e502cc3db75d7453a9892e584ba71ed35f898755561775c5f7
Instruction ID: 2d919809f2fe512fc31031702657a9ad4599030c5b99d10d63c003194f67272a
Opcode Fuzzy Hash: cbec2d8cdb0e56e502cc3db75d7453a9892e584ba71ed35f898755561775c5f7
Instruction Fuzzy Hash: FA11B2B1300208AFEF15DE54DCD0EFB376FEB583A8F101125F929A72A1D6319C928760

Function 00E1DA42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00DCB34E: GetWindowLongW.USER32(?,000000EB), ref: 00DCB35F

GetActiveWindow.USER32 ref: 00E1DA7B
EnumChildWindows.USER32(?,00E1D75F,00000000), ref: 00E1DAF5

Strings

T1, xrefs: 00E1DAFB

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: T1
API String ID: 3814560230-924183305
Opcode ID: f7dfdc0e1505cd650cfbe04ba249fb2ac08db19fe32c041a971330b6c1e40cab
Instruction ID: afce037178530e94308e4f1e7e99eaff69fe4b7268c38e7e2f82b9d674a5e05b
Opcode Fuzzy Hash: f7dfdc0e1505cd650cfbe04ba249fb2ac08db19fe32c041a971330b6c1e40cab
Instruction Fuzzy Hash: 3C212675208301DFC714DF69E852AA677E5EF89320F251659E86AA73E0D730A884CB60

Function 00E198FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00DCD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DCD1BA
Part of subcall function 00DCD17C: GetStockObject.GDI32(00000011), ref: 00DCD1CE
Part of subcall function 00DCD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DCD1D8

GetWindowRect.USER32(00000000,?), ref: 00E19968
GetSysColor.USER32(00000012), ref: 00E19982

Strings

static, xrefs: 00E19945

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 4b316dfb3651ceb556461cc18436f7206789dfee5a03d6c61a86bf6d5a61b313
Instruction ID: 2244bac6ae77f582e760b84d84c26326ccb42f8820d521790cfc0abf953ec9ba
Opcode Fuzzy Hash: 4b316dfb3651ceb556461cc18436f7206789dfee5a03d6c61a86bf6d5a61b313
Instruction Fuzzy Hash: 17116A72510209AFDB04DFB8CC45EEA7BB8FB48344F055628F956E3251D734E850DB60

Function 00E19617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00E19699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00E196A8

Strings

edit, xrefs: 00E1967D

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: e0d3de6443a85ac75358f93ab59320c61388b50169e09192c15d47817a51dea2
Instruction ID: e5a454c096f2f1a19cfce370a1ee24fb21fe709d58b6431bc05faebd84e59563
Opcode Fuzzy Hash: e0d3de6443a85ac75358f93ab59320c61388b50169e09192c15d47817a51dea2
Instruction Fuzzy Hash: F1118C71500208AFEB109FA4EC64EEB3B6AEB053B8F505314F965A31E1C735DC909BB0

Function 00DF5262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DF52D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00DF52F4

Strings

0, xrefs: 00DF52CE

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: e7ff0b06866edb1931e215671bd8dd8c99a7a44085519a02658cfcdf6720d471
Instruction ID: 9e0326486b66611fe918ecce8e5eb60f9dd4000fd7430dc2d78d46e4c368bd96
Opcode Fuzzy Hash: e7ff0b06866edb1931e215671bd8dd8c99a7a44085519a02658cfcdf6720d471
Instruction Fuzzy Hash: 7D110331900728AFDB24DA9CF844BBD77E8AB05354F0E8215EB45A7298D3B0ED04C7B1

Function 00E04D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00E04DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00E04E1E

Strings

<local>, xrefs: 00E04DE6

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 6519a650de1d1ab597e04e24dda3c4cb2e8436703a596a9a706051c603b5e057
Instruction ID: a18846d3428027ec1f6d05ac97880467c92a4655ad322484272b8c44597e4c2f
Opcode Fuzzy Hash: 6519a650de1d1ab597e04e24dda3c4cb2e8436703a596a9a706051c603b5e057
Instruction Fuzzy Hash: C8119EF1501225FADB258B61CD88EFBFBA8FB16758F10922AF605A61C0D2705995C6E0

Function 00DDA70C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00DE37A7
___raise_securityfailure.LIBCMT ref: 00DE388E

Strings

(, xrefs: 00DE3889

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (
API String ID: 3761405300-2982846942
Opcode ID: 01506d619a9088bd5600cd067a670d89f01018b81142bd086fe5450395544452
Instruction ID: f5bfc7553361fa89908efa5a754ffbae99e9c137250f84d2ea055b7ac823f690
Opcode Fuzzy Hash: 01506d619a9088bd5600cd067a670d89f01018b81142bd086fe5450395544452
Instruction Fuzzy Hash: 7D21DFB5501304DFDB10EF56F9956117BB4FB48314F24982AE60DAB2A0E3F0AAC8CF56

Function 00E0A82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00E0A84E
htons.WSOCK32(00000000,?,00000000), ref: 00E0A88B

Strings

255.255.255.255, xrefs: 00E0A866

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 184705c3ae82ea7426e311743e0b854acb303cf9560b86670ecdfb83859f390b
Instruction ID: f5086d5f8b59614f6c07917ac6a8355e7386bcda4adac9265f2ecb073bc809bf
Opcode Fuzzy Hash: 184705c3ae82ea7426e311743e0b854acb303cf9560b86670ecdfb83859f390b
Instruction Fuzzy Hash: 49012234200308ABCB24AF68D88AFADB364EF44314F14A42AF512BB2D1C731E8468762

Function 00DEB781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00DEB7EF

Strings

ListBox, xrefs: 00DEB7B9
ComboBox, xrefs: 00DEB78B

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 8103ba21ee77457e5409997dfb82392bcfd29831f5ee6cc50195ddd9fe5258e3
Instruction ID: 16b6a5f15d0f90ef3d2911efd177218af672c9c165acdcbd26e17d3bde83a5dc
Opcode Fuzzy Hash: 8103ba21ee77457e5409997dfb82392bcfd29831f5ee6cc50195ddd9fe5258e3
Instruction Fuzzy Hash: 9D019E71650258EBCB04FBA4DC529FE3369FF46364B04061DF4A2672D2EB61A9188BB4

Function 00DEB67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 00DEB6EB

Strings

ListBox, xrefs: 00DEB6B5
ComboBox, xrefs: 00DEB687

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 40ebf7d6d260cd741ad972d4018eaa99538a249bbe7a78dfba2304aba569df44
Instruction ID: d7567f68b32d39249c0a900f18606e67c1c9e81517a51e1fb588807b98e53363
Opcode Fuzzy Hash: 40ebf7d6d260cd741ad972d4018eaa99538a249bbe7a78dfba2304aba569df44
Instruction Fuzzy Hash: 40018F71641148ABCB04FBA5D952FFF77B9EB06344B14002DB542B7181EB90AE188BB5

Function 00DEB700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 00DEB76C

Strings

ListBox, xrefs: 00DEB738
ComboBox, xrefs: 00DEB70A

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 61bd599dd1b8d553486e0afdfcc3029cb6228ccea8b23827ba6babcc68c8a132
Instruction ID: aca85c4b10fcf2b65a5f6f2c358d1fd38517ccc06813d014d886e0e20e2b9155
Opcode Fuzzy Hash: 61bd599dd1b8d553486e0afdfcc3029cb6228ccea8b23827ba6babcc68c8a132
Instruction Fuzzy Hash: 6701D675640244EBCB01F7A5D903FFF73ACEB05344F54001AB442B3192DBA1AE1987B5

Function 00DD4D7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00DD4D9E
__calloc_crt.LIBCMT ref: 00DD4DB7

Strings

", xrefs: 00DD4DCE

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: __calloc_crt
String ID: "
API String ID: 3494438863-357034475
Opcode ID: 43ec4282d4349ddef397fb68f45f3de8df77cf71cf4bf10c3f581a00fb01035a
Instruction ID: fef91af6f34b83519ed54f61c39654e4ac09b110515813baaf7cdb0fc9d5bb44
Opcode Fuzzy Hash: 43ec4282d4349ddef397fb68f45f3de8df77cf71cf4bf10c3f581a00fb01035a
Instruction Fuzzy Hash: 80F0C2712496019FE724DB1ABC517A667DAE744760B18012FF308EA3A6E730C8C18BB4

Function 00DF7744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00DF7762
_wcscmp.LIBCMT ref: 00DF7774

Strings

#32770, xrefs: 00DF776E

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: f6250bc51651aef7f4d8539d9c9ba8da062ff252ac5f2f4eaf4c37a25f27c6bb
Instruction ID: d9ccd0e28506a7ffe52c2368f2084f804238ef8f5c2f65f7c780b9b84329c288
Opcode Fuzzy Hash: f6250bc51651aef7f4d8539d9c9ba8da062ff252ac5f2f4eaf4c37a25f27c6bb
Instruction Fuzzy Hash: 1BE09277A043282BD720EAA6EC0AEDBFBACEB55760F014116B915E3141D670A64587E0

Function 00DEA631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00DEA63F

Part of subcall function 00DD13F1: _doexit.LIBCMT ref: 00DD13FB

Strings

AutoIt, xrefs: 00DEA633
Error allocating memory., xrefs: 00DEA638

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 94e39ba38972a266e3ddc2e3004b98737f23670287ea2d0274b64bd166742e0b
Instruction ID: d735260098334e971571669f792a8462fbd1554fb057256d3b8c4f3746a74f7f
Opcode Fuzzy Hash: 94e39ba38972a266e3ddc2e3004b98737f23670287ea2d0274b64bd166742e0b
Instruction Fuzzy Hash: 8BD05B313C8B1837D214379D7C1BFC5754CCB55B95F04401ABB08E56C249E2D55042F9

Function 00E2AE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00E2ACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00E2AEBD

Strings

WIN_XPe, xrefs: 00E2ACD3

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: e2e8051a477b28073cb82ee2eb149ef2d859b15a13d42fc400f1acfcaeebe630
Instruction ID: 7c9b834ed096a67b75e35e64d5e6a8a7716950dc1b7ac30916eab5b701878d1c
Opcode Fuzzy Hash: e2e8051a477b28073cb82ee2eb149ef2d859b15a13d42fc400f1acfcaeebe630
Instruction Fuzzy Hash: 72E0ED70C04619DFCB11DBA5ED49AECFBB9AB48301F1890A5E156B2260DB705A88DF22

Function 00E186CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E186E2
PostMessageW.USER32(00000000), ref: 00E186E9

Part of subcall function 00DF7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00DF7AD0

Strings

Shell_TrayWnd, xrefs: 00E186DB

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 4177c5850536e0fab2d03d509c88c631c0782674e04969687ea7ddac7500f4d9
Instruction ID: 114ef55842ac26f9c16d4372a6fe283eeb06636f8ad1615e8b27c2f5098da69d
Opcode Fuzzy Hash: 4177c5850536e0fab2d03d509c88c631c0782674e04969687ea7ddac7500f4d9
Instruction Fuzzy Hash: 45D0C931789318BBE2646771AC0FFC67E189B04B21F111815B75ABA1D0C9A1A9548664

Function 00E18698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E186A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00E186B5

Part of subcall function 00DF7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00DF7AD0

Strings

Shell_TrayWnd, xrefs: 00E1869B

Memory Dump Source

Source File: 00000001.00000002.1336762879.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1336743484.0000000000DB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E3D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336818674.0000000000E5E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336869898.0000000000E6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1336886581.0000000000E74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_A2028041200SD.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5fbeb071da025cd8078671b5f84f1f2379bb9ae2e6d20c3fc6c402f32f09301d
Instruction ID: f1c61fe20075584b213f189dc6f8fe308910df90d230049cc278ff3312fe6cea
Opcode Fuzzy Hash: 5fbeb071da025cd8078671b5f84f1f2379bb9ae2e6d20c3fc6c402f32f09301d
Instruction Fuzzy Hash: AED0123178831CBBE2646771BC0FFD67E189B04B21F111815B75ABB1D0C9E1E954C764

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report A2028041200SD..exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut164B.tmp

C:\Users\user\AppData\Local\Temp\pensum

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
A2028041200SD..exe

Function 00DDB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00DB3D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Function 00DCDDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 00DB406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00DFFA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Function 00DB3F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00DFBFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Function 00DB3742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00DB3E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 016772E8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00DB49FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Function 00DB36B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01677098 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151
fileCOMMON

Function 00DB4A30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138
COMMON