Edit tour

Windows Analysis Report
MACHINE SPECIFICATION.exe

Overview

General Information

Sample name:	MACHINE SPECIFICATION.exe
Analysis ID:	1592546
MD5:	d1c6ab3629f6d71840186bd535086505
SHA1:	5591a31837bb82615ddb484a3e21c8db35420dbf
SHA256:	0c1418234d0411468fb45398076b8eed5b2a889472c9a97311069d7fb858c803
Tags:	exeRedLineStealeruser-lowmal3
Infos:

Detection

MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

MACHINE SPECIFICATION.exe (PID: 7728 cmdline: "C:\Users\user\Desktop\MACHINE SPECIFICATION.exe" MD5: D1C6AB3629F6D71840186BD535086505)

RegSvcs.exe (PID: 7784 cmdline: "C:\Users\user\Desktop\MACHINE SPECIFICATION.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

MACHINE SPECIFICATION.exe (PID: 7792 cmdline: "C:\Users\user\Desktop\MACHINE SPECIFICATION.exe" MD5: D1C6AB3629F6D71840186BD535086505)

RegSvcs.exe (PID: 7840 cmdline: "C:\Users\user\Desktop\MACHINE SPECIFICATION.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "info@kianaenergy.com", "Password": "@kiana@energy", "Server": "mail.kianaenergy.com", "To": "chuckc.wmtubewire@outlook.com", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d6bc:$a1: get_encryptedPassword 0x1d690:$a2: get_encryptedUsername 0x1d754:$a3: get_timePasswordChanged 0x1d66c:$a4: get_passwordField 0x1d6d2:$a5: set_encryptedPassword 0x1d49f:$a7: get_logins 0x1ca0d:$a8: GetOutlookPasswords 0x1bf21:$a9: StartKeylogger 0x1a97b:$a10: KeyLoggerEventArgs 0x1a94a:$a11: KeyLoggerEventArgsEventHandler 0x1d573:$a13: _encryptedPassword
00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21deb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x212e9:$a3: \Google\Chrome\User Data\Default\Login Data 0x215f7:$a4: \Orbitum\User Data\Default\Login Data 0x223ef:$a5: \Kometa\User Data\Default\Login Data
00000004.00000002.2648810250.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c7d4:$a1: get_encryptedPassword 0x1c7a8:$a2: get_encryptedUsername 0x1c86c:$a3: get_timePasswordChanged 0x1c784:$a4: get_passwordField 0x1c7ea:$a5: set_encryptedPassword 0x1c5b7:$a7: get_logins 0x1bb25:$a8: GetOutlookPasswords 0x1b039:$a9: StartKeylogger 0x19a93:$a10: KeyLoggerEventArgs 0x19a62:$a11: KeyLoggerEventArgsEventHandler 0x1c68b:$a13: _encryptedPassword
00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20f03:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20401:$a3: \Google\Chrome\User Data\Default\Login Data 0x2070f:$a4: \Orbitum\User Data\Default\Login Data 0x21507:$a5: \Kometa\User Data\Default\Login Data
00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21c2c:$a1: get_encryptedPassword 0x49d64:$a1: get_encryptedPassword 0x21c00:$a2: get_encryptedUsername 0x49d38:$a2: get_encryptedUsername 0x21cc4:$a3: get_timePasswordChanged 0x49dfc:$a3: get_timePasswordChanged 0x21bdc:$a4: get_passwordField 0x49d14:$a4: get_passwordField 0x21c42:$a5: set_encryptedPassword 0x49d7a:$a5: set_encryptedPassword 0x21a0f:$a7: get_logins 0x49b47:$a7: get_logins 0x20f7d:$a8: GetOutlookPasswords 0x490b5:$a8: GetOutlookPasswords 0x20491:$a9: StartKeylogger 0x485c9:$a9: StartKeylogger 0x1eeeb:$a10: KeyLoggerEventArgs 0x47023:$a10: KeyLoggerEventArgs 0x1eeba:$a11: KeyLoggerEventArgsEventHandler 0x46ff2:$a11: KeyLoggerEventArgsEventHandler 0x21ae3:$a13: _encryptedPassword
00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.1437380212.0000000003590000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000000.00000002.1419250581.0000000002580000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5e322:$a1: get_encryptedPassword 0x5e2f6:$a2: get_encryptedUsername 0x5e3ba:$a3: get_timePasswordChanged 0x5e2d2:$a4: get_passwordField 0x5e338:$a5: set_encryptedPassword 0x5e105:$a7: get_logins 0x5d673:$a8: GetOutlookPasswords 0x5cb87:$a9: StartKeylogger 0x5b5e1:$a10: KeyLoggerEventArgs 0x5b5b0:$a11: KeyLoggerEventArgsEventHandler 0x5e1d9:$a13: _encryptedPassword
Process Memory Space: RegSvcs.exe PID: 7840	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7840	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7840	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 7840	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7840	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1690c:$a1: get_encryptedPassword 0x3efb3:$a1: get_encryptedPassword 0x69fa0:$a1: get_encryptedPassword 0x96e8a:$a1: get_encryptedPassword 0x168e0:$a2: get_encryptedUsername 0x3ef87:$a2: get_encryptedUsername 0x69f74:$a2: get_encryptedUsername 0x96e5e:$a2: get_encryptedUsername 0x169a4:$a3: get_timePasswordChanged 0x3f04b:$a3: get_timePasswordChanged 0x6a038:$a3: get_timePasswordChanged 0x96f22:$a3: get_timePasswordChanged 0x168bc:$a4: get_passwordField 0x3ef63:$a4: get_passwordField 0x69f50:$a4: get_passwordField 0x96e3a:$a4: get_passwordField 0x16922:$a5: set_encryptedPassword 0x3efc9:$a5: set_encryptedPassword 0x69fb6:$a5: set_encryptedPassword 0x96ea0:$a5: set_encryptedPassword 0x166f8:$a7: get_logins
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
4.2.RegSvcs.exe.349e590.5.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.RegSvcs.exe.349e590.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.349e590.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.349e590.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.349e590.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c7d4:$a1: get_encryptedPassword 0x1c7a8:$a2: get_encryptedUsername 0x1c86c:$a3: get_timePasswordChanged 0x1c784:$a4: get_passwordField 0x1c7ea:$a5: set_encryptedPassword 0x1c5b7:$a7: get_logins 0x1bb25:$a8: GetOutlookPasswords 0x1b039:$a9: StartKeylogger 0x19a93:$a10: KeyLoggerEventArgs 0x19a62:$a11: KeyLoggerEventArgsEventHandler 0x1c68b:$a13: _encryptedPassword
4.2.RegSvcs.exe.349e590.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20f03:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20401:$a3: \Google\Chrome\User Data\Default\Login Data 0x2070f:$a4: \Orbitum\User Data\Default\Login Data 0x21507:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.2430000.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.RegSvcs.exe.2430000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.2430000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.2430000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.21f1b4e.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.RegSvcs.exe.21f1b4e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.21f1b4e.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.21f1b4e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.2430000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d6bc:$a1: get_encryptedPassword 0x1d690:$a2: get_encryptedUsername 0x1d754:$a3: get_timePasswordChanged 0x1d66c:$a4: get_passwordField 0x1d6d2:$a5: set_encryptedPassword 0x1d49f:$a7: get_logins 0x1ca0d:$a8: GetOutlookPasswords 0x1bf21:$a9: StartKeylogger 0x1a97b:$a10: KeyLoggerEventArgs 0x1a94a:$a11: KeyLoggerEventArgsEventHandler 0x1d573:$a13: _encryptedPassword
4.2.RegSvcs.exe.21f1b4e.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a9d4:$a1: get_encryptedPassword 0x1a9a8:$a2: get_encryptedUsername 0x1aa6c:$a3: get_timePasswordChanged 0x1a984:$a4: get_passwordField 0x1a9ea:$a5: set_encryptedPassword 0x1a7b7:$a7: get_logins 0x19d25:$a8: GetOutlookPasswords 0x19239:$a9: StartKeylogger 0x17c93:$a10: KeyLoggerEventArgs 0x17c62:$a11: KeyLoggerEventArgsEventHandler 0x1a88b:$a13: _encryptedPassword
4.2.RegSvcs.exe.2430000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21deb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x212e9:$a3: \Google\Chrome\User Data\Default\Login Data 0x215f7:$a4: \Orbitum\User Data\Default\Login Data 0x223ef:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.21f1b4e.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f103:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e601:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e90f:$a4: \Orbitum\User Data\Default\Login Data 0x1f707:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.4ad0000.8.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.RegSvcs.exe.4ad0000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.4ad0000.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.4ad0000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.4ad0000.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a9d4:$a1: get_encryptedPassword 0x1a9a8:$a2: get_encryptedUsername 0x1aa6c:$a3: get_timePasswordChanged 0x1a984:$a4: get_passwordField 0x1a9ea:$a5: set_encryptedPassword 0x1a7b7:$a7: get_logins 0x19d25:$a8: GetOutlookPasswords 0x19239:$a9: StartKeylogger 0x17c93:$a10: KeyLoggerEventArgs 0x17c62:$a11: KeyLoggerEventArgsEventHandler 0x1a88b:$a13: _encryptedPassword
4.2.RegSvcs.exe.4ad0000.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f103:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e601:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e90f:$a4: \Orbitum\User Data\Default\Login Data 0x1f707:$a5: \Kometa\User Data\Default\Login Data
0.2.MACHINE SPECIFICATION.exe.2580000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
4.2.RegSvcs.exe.349e590.5.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.RegSvcs.exe.349e590.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.349e590.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.349e590.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.2430000.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.RegSvcs.exe.2430000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3476458.7.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.RegSvcs.exe.3476458.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3476458.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.3476458.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.2430000.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.349e590.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a9d4:$a1: get_encryptedPassword 0x1a9a8:$a2: get_encryptedUsername 0x1aa6c:$a3: get_timePasswordChanged 0x1a984:$a4: get_passwordField 0x1a9ea:$a5: set_encryptedPassword 0x1a7b7:$a7: get_logins 0x19d25:$a8: GetOutlookPasswords 0x19239:$a9: StartKeylogger 0x17c93:$a10: KeyLoggerEventArgs 0x17c62:$a11: KeyLoggerEventArgsEventHandler 0x1a88b:$a13: _encryptedPassword
4.2.RegSvcs.exe.3476458.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a9d4:$a1: get_encryptedPassword 0x1a9a8:$a2: get_encryptedUsername 0x1aa6c:$a3: get_timePasswordChanged 0x1a984:$a4: get_passwordField 0x1a9ea:$a5: set_encryptedPassword 0x1a7b7:$a7: get_logins 0x19d25:$a8: GetOutlookPasswords 0x19239:$a9: StartKeylogger 0x17c93:$a10: KeyLoggerEventArgs 0x17c62:$a11: KeyLoggerEventArgsEventHandler 0x1a88b:$a13: _encryptedPassword
4.2.RegSvcs.exe.3476458.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f103:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e601:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e90f:$a4: \Orbitum\User Data\Default\Login Data 0x1f707:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.349e590.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f103:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e601:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e90f:$a4: \Orbitum\User Data\Default\Login Data 0x1f707:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.2430000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.21f0c66.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.RegSvcs.exe.21f0c66.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.21f0c66.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.21f0c66.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.21f0c66.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b8bc:$a1: get_encryptedPassword 0x1b890:$a2: get_encryptedUsername 0x1b954:$a3: get_timePasswordChanged 0x1b86c:$a4: get_passwordField 0x1b8d2:$a5: set_encryptedPassword 0x1b69f:$a7: get_logins 0x1ac0d:$a8: GetOutlookPasswords 0x1a121:$a9: StartKeylogger 0x18b7b:$a10: KeyLoggerEventArgs 0x18b4a:$a11: KeyLoggerEventArgsEventHandler 0x1b773:$a13: _encryptedPassword
4.2.RegSvcs.exe.21f0c66.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1ffeb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f4e9:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f7f7:$a4: \Orbitum\User Data\Default\Login Data 0x205ef:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.3476458.7.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.RegSvcs.exe.3476458.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3476458.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.3476458.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.2430000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b8bc:$a1: get_encryptedPassword 0x1b890:$a2: get_encryptedUsername 0x1b954:$a3: get_timePasswordChanged 0x1b86c:$a4: get_passwordField 0x1b8d2:$a5: set_encryptedPassword 0x1b69f:$a7: get_logins 0x1ac0d:$a8: GetOutlookPasswords 0x1a121:$a9: StartKeylogger 0x18b7b:$a10: KeyLoggerEventArgs 0x18b4a:$a11: KeyLoggerEventArgsEventHandler 0x1b773:$a13: _encryptedPassword
4.2.RegSvcs.exe.3476458.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c7d4:$a1: get_encryptedPassword 0x4490c:$a1: get_encryptedPassword 0x1c7a8:$a2: get_encryptedUsername 0x448e0:$a2: get_encryptedUsername 0x1c86c:$a3: get_timePasswordChanged 0x449a4:$a3: get_timePasswordChanged 0x1c784:$a4: get_passwordField 0x448bc:$a4: get_passwordField 0x1c7ea:$a5: set_encryptedPassword 0x44922:$a5: set_encryptedPassword 0x1c5b7:$a7: get_logins 0x446ef:$a7: get_logins 0x1bb25:$a8: GetOutlookPasswords 0x43c5d:$a8: GetOutlookPasswords 0x1b039:$a9: StartKeylogger 0x43171:$a9: StartKeylogger 0x19a93:$a10: KeyLoggerEventArgs 0x41bcb:$a10: KeyLoggerEventArgs 0x19a62:$a11: KeyLoggerEventArgsEventHandler 0x41b9a:$a11: KeyLoggerEventArgsEventHandler 0x1c68b:$a13: _encryptedPassword
4.2.RegSvcs.exe.3475570.6.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.RegSvcs.exe.3475570.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3475570.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.3475570.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.2430000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1ffeb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f4e9:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f7f7:$a4: \Orbitum\User Data\Default\Login Data 0x205ef:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.4ad0000.8.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.RegSvcs.exe.4ad0000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.4ad0000.8.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.4ad0000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3475570.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b8bc:$a1: get_encryptedPassword 0x1b890:$a2: get_encryptedUsername 0x1b954:$a3: get_timePasswordChanged 0x1b86c:$a4: get_passwordField 0x1b8d2:$a5: set_encryptedPassword 0x1b69f:$a7: get_logins 0x1ac0d:$a8: GetOutlookPasswords 0x1a121:$a9: StartKeylogger 0x18b7b:$a10: KeyLoggerEventArgs 0x18b4a:$a11: KeyLoggerEventArgsEventHandler 0x1b773:$a13: _encryptedPassword
4.2.RegSvcs.exe.3475570.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1ffeb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f4e9:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f7f7:$a4: \Orbitum\User Data\Default\Login Data 0x205ef:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.21f1b4e.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.RegSvcs.exe.21f1b4e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.4ad0000.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c7d4:$a1: get_encryptedPassword 0x1c7a8:$a2: get_encryptedUsername 0x1c86c:$a3: get_timePasswordChanged 0x1c784:$a4: get_passwordField 0x1c7ea:$a5: set_encryptedPassword 0x1c5b7:$a7: get_logins 0x1bb25:$a8: GetOutlookPasswords 0x1b039:$a9: StartKeylogger 0x19a93:$a10: KeyLoggerEventArgs 0x19a62:$a11: KeyLoggerEventArgsEventHandler 0x1c68b:$a13: _encryptedPassword
4.2.RegSvcs.exe.3476458.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20f03:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4903b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20401:$a3: \Google\Chrome\User Data\Default\Login Data 0x48539:$a3: \Google\Chrome\User Data\Default\Login Data 0x2070f:$a4: \Orbitum\User Data\Default\Login Data 0x48847:$a4: \Orbitum\User Data\Default\Login Data 0x21507:$a5: \Kometa\User Data\Default\Login Data 0x4963f:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.3475570.6.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.RegSvcs.exe.3475570.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3475570.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.3475570.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.4ad0000.8.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20f03:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20401:$a3: \Google\Chrome\User Data\Default\Login Data 0x2070f:$a4: \Orbitum\User Data\Default\Login Data 0x21507:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.21f1b4e.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.21f1b4e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3475570.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d6bc:$a1: get_encryptedPassword 0x457f4:$a1: get_encryptedPassword 0x1d690:$a2: get_encryptedUsername 0x457c8:$a2: get_encryptedUsername 0x1d754:$a3: get_timePasswordChanged 0x4588c:$a3: get_timePasswordChanged 0x1d66c:$a4: get_passwordField 0x457a4:$a4: get_passwordField 0x1d6d2:$a5: set_encryptedPassword 0x4580a:$a5: set_encryptedPassword 0x1d49f:$a7: get_logins 0x455d7:$a7: get_logins 0x1ca0d:$a8: GetOutlookPasswords 0x44b45:$a8: GetOutlookPasswords 0x1bf21:$a9: StartKeylogger 0x44059:$a9: StartKeylogger 0x1a97b:$a10: KeyLoggerEventArgs 0x42ab3:$a10: KeyLoggerEventArgs 0x1a94a:$a11: KeyLoggerEventArgsEventHandler 0x42a82:$a11: KeyLoggerEventArgsEventHandler 0x1d573:$a13: _encryptedPassword
4.2.RegSvcs.exe.21f1b4e.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c7d4:$a1: get_encryptedPassword 0x1c7a8:$a2: get_encryptedUsername 0x1c86c:$a3: get_timePasswordChanged 0x1c784:$a4: get_passwordField 0x1c7ea:$a5: set_encryptedPassword 0x1c5b7:$a7: get_logins 0x1bb25:$a8: GetOutlookPasswords 0x1b039:$a9: StartKeylogger 0x19a93:$a10: KeyLoggerEventArgs 0x19a62:$a11: KeyLoggerEventArgsEventHandler 0x1c68b:$a13: _encryptedPassword
4.2.RegSvcs.exe.3475570.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21deb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f23:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x212e9:$a3: \Google\Chrome\User Data\Default\Login Data 0x49421:$a3: \Google\Chrome\User Data\Default\Login Data 0x215f7:$a4: \Orbitum\User Data\Default\Login Data 0x4972f:$a4: \Orbitum\User Data\Default\Login Data 0x223ef:$a5: \Kometa\User Data\Default\Login Data 0x4a527:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.21f1b4e.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20f03:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20401:$a3: \Google\Chrome\User Data\Default\Login Data 0x2070f:$a4: \Orbitum\User Data\Default\Login Data 0x21507:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
4.2.RegSvcs.exe.2430ee8.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.RegSvcs.exe.2430ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.2430ee8.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.2430ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.2430ee8.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a9d4:$a1: get_encryptedPassword 0x1a9a8:$a2: get_encryptedUsername 0x1aa6c:$a3: get_timePasswordChanged 0x1a984:$a4: get_passwordField 0x1a9ea:$a5: set_encryptedPassword 0x1a7b7:$a7: get_logins 0x19d25:$a8: GetOutlookPasswords 0x19239:$a9: StartKeylogger 0x17c93:$a10: KeyLoggerEventArgs 0x17c62:$a11: KeyLoggerEventArgsEventHandler 0x1a88b:$a13: _encryptedPassword
4.2.RegSvcs.exe.2430ee8.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f103:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e601:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e90f:$a4: \Orbitum\User Data\Default\Login Data 0x1f707:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.2430ee8.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.RegSvcs.exe.2430ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.2430ee8.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.2430ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.2430ee8.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c7d4:$a1: get_encryptedPassword 0x1c7a8:$a2: get_encryptedUsername 0x1c86c:$a3: get_timePasswordChanged 0x1c784:$a4: get_passwordField 0x1c7ea:$a5: set_encryptedPassword 0x1c5b7:$a7: get_logins 0x1bb25:$a8: GetOutlookPasswords 0x1b039:$a9: StartKeylogger 0x19a93:$a10: KeyLoggerEventArgs 0x19a62:$a11: KeyLoggerEventArgsEventHandler 0x1c68b:$a13: _encryptedPassword
4.2.RegSvcs.exe.2430ee8.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20f03:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20401:$a3: \Google\Chrome\User Data\Default\Login Data 0x2070f:$a4: \Orbitum\User Data\Default\Login Data 0x21507:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.21f0c66.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.RegSvcs.exe.21f0c66.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.21f0c66.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.21f0c66.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.21f0c66.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d6bc:$a1: get_encryptedPassword 0x1d690:$a2: get_encryptedUsername 0x1d754:$a3: get_timePasswordChanged 0x1d66c:$a4: get_passwordField 0x1d6d2:$a5: set_encryptedPassword 0x1d49f:$a7: get_logins 0x1ca0d:$a8: GetOutlookPasswords 0x1bf21:$a9: StartKeylogger 0x1a97b:$a10: KeyLoggerEventArgs 0x1a94a:$a11: KeyLoggerEventArgsEventHandler 0x1d573:$a13: _encryptedPassword
4.2.RegSvcs.exe.21f0c66.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21deb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x212e9:$a3: \Google\Chrome\User Data\Default\Login Data 0x215f7:$a4: \Orbitum\User Data\Default\Login Data 0x223ef:$a5: \Kometa\User Data\Default\Login Data
3.2.MACHINE SPECIFICATION.exe.3590000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 0A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
Click to see the 95 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 5.144.131.244, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7840, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49708

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T09:17:43.757109+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49706	193.122.130.0	80	TCP
2025-01-16T09:17:50.147663+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49706	193.122.130.0	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: MACHINE SPECIFICATION.exe

Avira: detected

Found malware configuration

Source: 4.2.RegSvcs.exe.3476458.7.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "info@kianaenergy.com", "Password": "@kiana@energy", "Server": "mail.kianaenergy.com", "To": "chuckc.wmtubewire@outlook.com", "Port": 587}

Multi AV Scanner detection for submitted file

Source: MACHINE SPECIFICATION.exe	Virustotal: Detection: 36%			Perma Link
Source: MACHINE SPECIFICATION.exe	ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: MACHINE SPECIFICATION.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: MACHINE SPECIFICATION.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49707 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.8:49707 -> 104.21.16.1:443 version: TLS 1.0

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: MACHINE SPECIFICATION.exe, 00000000.00000003.1411710198.0000000004420000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000000.00000003.1411166296.0000000004280000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000003.00000003.1432414737.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000003.00000003.1433610097.0000000003D40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: MACHINE SPECIFICATION.exe, 00000000.00000003.1411710198.0000000004420000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000000.00000003.1411166296.0000000004280000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000003.00000003.1432414737.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000003.00000003.1433610097.0000000003D40000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_0062C2A2 FindFirstFileExW,	0_2_0062C2A2
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_006668EE FindFirstFileW,FindClose,	0_2_006668EE
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_0066698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0066698F
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_0065D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0065D076
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_0065D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0065D3A9
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00669642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00669642
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_0066979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0066979D
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00669B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00669B2B
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_0065DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0065DBBE
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00665C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00665C97

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	4_2_0204DE50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BC037Dh	4_2_05BC0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BC9060h	4_2_05BC8DB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BCC028h	4_2_05BCBD80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BCC482h	4_2_05BCC1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BCE878h	4_2_05BCE5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BCBBD0h	4_2_05BCB928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BCDFC8h	4_2_05BCDD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BCE420h	4_2_05BCE178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BCB778h	4_2_05BCB4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BCDB70h	4_2_05BCD8C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BCAEC8h	4_2_05BCAC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BCD2C0h	4_2_05BCD018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BCB320h	4_2_05BCB078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BCD718h	4_2_05BCD470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BC2A40h	4_2_05BC2798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BC2E98h	4_2_05BC2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BC8C08h	4_2_05BC87E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BCAA70h	4_2_05BCA7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BCCE68h	4_2_05BCCBC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BCA1C0h	4_2_05BC9F18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BCA618h	4_2_05BCA370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BCCA10h	4_2_05BCC768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BC25E8h	4_2_05BC2340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BC1D38h	4_2_05BC1A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BCF128h	4_2_05BCEE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BC2190h	4_2_05BC1EE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BC9D68h	4_2_05BC9AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BC18E0h	4_2_05BC1638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BCECD0h	4_2_05BCEA28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BC0EC2h	4_2_05BC0E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BC94B8h	4_2_05BC9210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BC0EC2h	4_2_05BC0E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05BC9910h	4_2_05BC9668

Source: global traffic

TCP traffic: 192.168.2.8:49708 -> 5.144.131.244:587

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View

ASN Name: HOSTIRAN-NETWORKIR HOSTIRAN-NETWORKIR

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49706 -> 193.122.130.0:80

Source: global traffic

TCP traffic: 192.168.2.8:49708 -> 5.144.131.244:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49707 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.8:49707 -> 104.21.16.1:443 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_0066CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0066CE44

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: mail.kianaenergy.com

Source: RegSvcs.exe, 00000004.00000002.2649833145.000000000255C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000004.00000002.2649833145.000000000255C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.0000000002550000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000004.00000002.2649833145.00000000024D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://kianaenergy.com
Source: RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.kianaenergy.com
Source: RegSvcs.exe, 00000004.00000002.2652223776.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2648902531.0000000000509000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0-
Source: RegSvcs.exe, 00000004.00000002.2652223776.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2648902531.0000000000582000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2648902531.0000000000509000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: RegSvcs.exe, 00000004.00000002.2649833145.0000000002578000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000004.00000002.2649833145.00000000024D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000004.00000002.2652223776.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2648902531.0000000000509000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000004.00000002.2652223776.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2648902531.0000000000509000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000004.00000002.2649833145.000000000255C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.000000000255C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000004.00000002.2649833145.000000000255C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_0066EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0066EAFF

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_0066ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0066ED6A

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

0_2_0066EAFF

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_0065AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0065AA57

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_00689576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00689576

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.349e590.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.349e590.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.2430000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.21f1b4e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.2430000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.21f1b4e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.4ad0000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.4ad0000.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MACHINE SPECIFICATION.exe.2580000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.349e590.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.3476458.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.3476458.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.349e590.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.21f0c66.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.21f0c66.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.2430000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.3476458.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.2430000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.3475570.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.3475570.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.4ad0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.3476458.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.4ad0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.3475570.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.21f1b4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.3475570.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.21f1b4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.2430ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.2430ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.2430ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.2430ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.21f0c66.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.21f0c66.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.MACHINE SPECIFICATION.exe.3590000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.2648810250.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.1437380212.0000000003590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.1419250581.0000000002580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7840, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: MACHINE SPECIFICATION.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: MACHINE SPECIFICATION.exe, 00000000.00000000.1401944424.00000000006B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_63199941-a
Source: MACHINE SPECIFICATION.exe, 00000000.00000000.1401944424.00000000006B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8116f4a8-4
Source: MACHINE SPECIFICATION.exe, 00000003.00000002.1434705461.00000000006B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_aad184bd-9
Source: MACHINE SPECIFICATION.exe, 00000003.00000002.1434705461.00000000006B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8a937656-a
Source: MACHINE SPECIFICATION.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ebde27f2-2
Source: MACHINE SPECIFICATION.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6bd23ee9-1

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_0065D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0065D5EB

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_00651201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00651201

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_0065E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0065E8F6

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00662046	0_2_00662046
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_005F8060	0_2_005F8060
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00658298	0_2_00658298
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_0062E4FF	0_2_0062E4FF
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_0062676B	0_2_0062676B
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00684873	0_2_00684873
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_005FCAF0	0_2_005FCAF0
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_0061CAA0	0_2_0061CAA0
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_0060CC39	0_2_0060CC39
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00626DD9	0_2_00626DD9
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_0060B119	0_2_0060B119
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_005F91C0	0_2_005F91C0
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00611394	0_2_00611394
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00611706	0_2_00611706
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_0061781B	0_2_0061781B
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_0060997D	0_2_0060997D
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_005F7920	0_2_005F7920
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_006119B0	0_2_006119B0
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00617A4A	0_2_00617A4A
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00611C77	0_2_00611C77
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00617CA7	0_2_00617CA7
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_0067BE44	0_2_0067BE44
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00629EEE	0_2_00629EEE
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_005FBF40	0_2_005FBF40
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00611F32	0_2_00611F32
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_01B1B290	0_2_01B1B290
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 3_2_01131EA8	3_2_01131EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00408C60	4_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040DC11	4_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00407C3F	4_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418CCC	4_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00406CA0	4_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004028B0	4_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041A4BE	4_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418244	4_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00401650	4_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402F20	4_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004193C4	4_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418788	4_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402F89	4_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402B90	4_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004073A0	4_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02041437	4_2_02041437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02041448	4_2_02041448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02041199	4_2_02041199
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_020411A8	4_2_020411A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC5568	4_2_05BC5568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC3048	4_2_05BC3048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC0040	4_2_05BC0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC06A0	4_2_05BC06A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC62C8	4_2_05BC62C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC8DB8	4_2_05BC8DB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC8DA8	4_2_05BC8DA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCBD80	4_2_05BCBD80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCC1D8	4_2_05BCC1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCE5D0	4_2_05BCE5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCC1C8	4_2_05BCC1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCE5C1	4_2_05BCE5C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCB928	4_2_05BCB928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCDD20	4_2_05BCDD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCB918	4_2_05BCB918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCDD11	4_2_05BCDD11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCE178	4_2_05BCE178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCBD70	4_2_05BCBD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCE168	4_2_05BCE168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCD8BA	4_2_05BCD8BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCB4D0	4_2_05BCB4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCD8C8	4_2_05BCD8C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCB4C1	4_2_05BCB4C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCAC20	4_2_05BCAC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCD018	4_2_05BCD018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCAC10	4_2_05BCAC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCD009	4_2_05BCD009
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC0006	4_2_05BC0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCB078	4_2_05BCB078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCD470	4_2_05BCD470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCB068	4_2_05BCB068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCD461	4_2_05BCD461
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCA7B9	4_2_05BCA7B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCCBB0	4_2_05BCCBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC2798	4_2_05BC2798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC2788	4_2_05BC2788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC2BF0	4_2_05BC2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC87E8	4_2_05BC87E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC2BE0	4_2_05BC2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCA7C8	4_2_05BCA7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCCBC0	4_2_05BCCBC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC2331	4_2_05BC2331
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC9F18	4_2_05BC9F18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC9F09	4_2_05BC9F09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCA370	4_2_05BCA370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCC768	4_2_05BCC768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCA360	4_2_05BCA360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCC757	4_2_05BCC757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC2340	4_2_05BC2340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC9AB0	4_2_05BC9AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC1A90	4_2_05BC1A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC0691	4_2_05BC0691
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCEE80	4_2_05BCEE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC1A80	4_2_05BC1A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC1EE8	4_2_05BC1EE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC1ED8	4_2_05BC1ED8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC9AC0	4_2_05BC9AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC1638	4_2_05BC1638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCEA28	4_2_05BCEA28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC1627	4_2_05BC1627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCEA18	4_2_05BCEA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC9210	4_2_05BC9210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC9200	4_2_05BC9200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BCEE70	4_2_05BCEE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC9668	4_2_05BC9668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05BC965A	4_2_05BC965A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: String function: 0060F9F2 appears 40 times
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: String function: 005F9CB3 appears 31 times
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: String function: 00610A30 appears 46 times

Source: MACHINE SPECIFICATION.exe, 00000000.00000003.1411571697.00000000043A3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs MACHINE SPECIFICATION.exe
Source: MACHINE SPECIFICATION.exe, 00000000.00000003.1411298607.000000000454D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs MACHINE SPECIFICATION.exe
Source: MACHINE SPECIFICATION.exe, 00000000.00000002.1419250581.0000000002580000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs MACHINE SPECIFICATION.exe
Source: MACHINE SPECIFICATION.exe, 00000003.00000003.1431365627.0000000003CC3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs MACHINE SPECIFICATION.exe
Source: MACHINE SPECIFICATION.exe, 00000003.00000003.1432666962.0000000003E6D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs MACHINE SPECIFICATION.exe
Source: MACHINE SPECIFICATION.exe, 00000003.00000002.1437380212.0000000003590000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs MACHINE SPECIFICATION.exe

Source: MACHINE SPECIFICATION.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.349e590.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.349e590.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.2430000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.21f1b4e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.2430000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.21f1b4e.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.4ad0000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.4ad0000.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MACHINE SPECIFICATION.exe.2580000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.349e590.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.3476458.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.3476458.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.349e590.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.21f0c66.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.21f0c66.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.2430000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.3476458.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.2430000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3475570.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.3475570.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.4ad0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.3476458.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.4ad0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3475570.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.21f1b4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.3475570.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.21f1b4e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.2430ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.2430ee8.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.2430ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.2430ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.21f0c66.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.21f0c66.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.MACHINE SPECIFICATION.exe.3590000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2648810250.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.1437380212.0000000003590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.1419250581.0000000002580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7840, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: Melber.0.dr

Binary or memory string: 0ZXDVTG%M\K\FQXT1]A\VAIND58XY5RDDSQE5HYYTCTRL4X[XSDOZA0.T\0\XAVOG0MXKQFEXI1QA]V]I_D58QY%R]D[QB5PYNTET]L"XDX]DLZ_0=T^0WXSVTG5L[HPBQ]J7^G_QCNRL80\Q8ZQM_XN<DPA^L^RF;RKR\NCPN:3_R;YSO]ZL>FR@_MXT@=TMTZHEVH<4XU<^THZ]K9AUGXJXT@<ULU[IDWI=5YT=_UI[\J8@TFYKYUA<ULVXJGTJ>6ZW>\VJX_I;CWEZHZVB?VOVXJGTJ>6ZW>\VJX_I;CWEZHZVB?VOVXJGTJ?7[V?]WKY^H:BVD[I[WC>WNWYKFUK?7[V?]WKY^H:BVD[I[WC>WNWYKFUK?7[V?]XDF@U'^J_@R@MY$MWN@R_LR&/CN'EOSAI_-UASL^L@T)@Y@N]PC])!M@)KA]OH^,WCQN\NBV+B[BL^S@^*"NC*HB^LK]/WCQO]OCW*CZCM_RA_+#OB+IC_MJ\.VBPO]ODP-D]DJXUFX,$HE,NDXJM[)QEWHZHDP-D]DJXUFX,$HE,NDXJM[)QEWHZHDP-D]DKYTGY-%ID-OEYKLZ(PDVI[IEQ,E\EKYTGY-%ID-OEYKLZ(PDVI[IEQ,E\EKYTGY-8U[3V]BQYO<DSA_MXT@=ULU[JGTJ?7[V BHTFAW%\HZEWEI]#JSJDV[HW#+GJ#AKPBES!YM_@R@LX%LUMCQ\OQ%-AL%GMQCDQ#[O]BPBNZ'NWN@R^MS'/CN'EOSAFP"ZASL^L@T)@Y@N\QB\( LA(J@\NI_-UASL_MAU(AXAO]PC])!M@)KA]OH^,T@RM_MAV+B[BL^S@^*"NC*HB^LK]/WCQN\NBV+BZCM_RA_+#OB+IC_MJ\.VBPO]OCW*CZCJDIZD18TY2RXDUQG5IYKTCTXL7XAXQDIZL08TS0RXHVQG;MYKDFTXX1XA@VDIFD08tY0RpDVQw5MYsTFT

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/1@3/3

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_006637B5 GetLastError,FormatMessageW,

0_2_006637B5

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_006510BF AdjustTokenPrivileges,CloseHandle,		0_2_006510BF
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_006516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_006516C3

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_006651CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_006651CD

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_0067A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0067A67C

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_0066648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0066648E

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_005F42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_005F42A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

File created: C:\Users\user\AppData\Local\Temp\Melber

Jump to behavior

Source: MACHINE SPECIFICATION.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000004.00000002.2649833145.00000000025EE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.00000000025FA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.00000000025BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.00000000025D9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651225944.00000000034EE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.00000000025CB000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: MACHINE SPECIFICATION.exe	Virustotal: Detection: 36%
Source: MACHINE SPECIFICATION.exe	ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe "C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Process created: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe "C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Process created: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe "C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: MACHINE SPECIFICATION.exe

Static file information: File size 1612288 > 1048576

Source: MACHINE SPECIFICATION.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MACHINE SPECIFICATION.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MACHINE SPECIFICATION.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MACHINE SPECIFICATION.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MACHINE SPECIFICATION.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MACHINE SPECIFICATION.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: MACHINE SPECIFICATION.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: MACHINE SPECIFICATION.exe, 00000000.00000003.1411710198.0000000004420000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000000.00000003.1411166296.0000000004280000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000003.00000003.1432414737.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000003.00000003.1433610097.0000000003D40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: MACHINE SPECIFICATION.exe, 00000000.00000003.1411710198.0000000004420000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000000.00000003.1411166296.0000000004280000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000003.00000003.1432414737.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, MACHINE SPECIFICATION.exe, 00000003.00000003.1433610097.0000000003D40000.00000004.00001000.00020000.00000000.sdmp

Source: MACHINE SPECIFICATION.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: MACHINE SPECIFICATION.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: MACHINE SPECIFICATION.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: MACHINE SPECIFICATION.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: MACHINE SPECIFICATION.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_005F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005F42DE

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00610A76 push ecx; ret	0_2_00610A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C40C push cs; iretd	4_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00423149 push eax; ret	4_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C50E push cs; iretd	4_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004231C8 push eax; ret	4_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040E21D push ecx; ret	4_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C6BE push ebx; ret	4_2_0041C6BF

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_0060F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0060F98E
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00681C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00681C41

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RegSvcs.exe PID: 7840, type: MEMORYSTR

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96194

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	API/Special instruction interceptor: Address: 1B1AEB4
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	API/Special instruction interceptor: Address: 1131ACC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

4_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7804			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2056			Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

API coverage: 3.4 %

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_0062C2A2 FindFirstFileExW,	0_2_0062C2A2
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_006668EE FindFirstFileW,FindClose,	0_2_006668EE
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_0066698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0066698F
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_0065D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0065D076
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_0065D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0065D3A9
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00669642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00669642
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_0066979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0066979D
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00669B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00669B2B
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_0065DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0065DBBE
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00665C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00665C97

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_005F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005F42DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99120	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98793	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97113	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96975	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96682	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96575	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96459	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96314	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96193	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94967	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94634	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94422	Jump to behavior

Source: RegSvcs.exe, 00000004.00000002.2648902531.0000000000509000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_0066EAA2 BlockInput,

0_2_0066EAA2

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_00622622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00622622

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

4_2_004019F0

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_005F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005F42DE

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00614CE8 mov eax, dword ptr fs:[00000030h]	0_2_00614CE8
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_01B1B180 mov eax, dword ptr fs:[00000030h]	0_2_01B1B180
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_01B1B120 mov eax, dword ptr fs:[00000030h]	0_2_01B1B120
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_01B19AE0 mov eax, dword ptr fs:[00000030h]	0_2_01B19AE0
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 3_2_01131D98 mov eax, dword ptr fs:[00000030h]	3_2_01131D98
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 3_2_01131D38 mov eax, dword ptr fs:[00000030h]	3_2_01131D38
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 3_2_011306F8 mov eax, dword ptr fs:[00000030h]	3_2_011306F8

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_00650B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00650B62

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00622622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00622622
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_0061083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0061083F
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_006109D5 SetUnhandledExceptionFilter,	0_2_006109D5
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00610C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00610C21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004123F1 SetUnhandledExceptionFilter,	4_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 2FC008

Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

0_2_00651201

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_00632BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00632BA5

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_0065B226 SendInput,keybd_event,

0_2_0065B226

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_006722DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_006722DA

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"			Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"			Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

0_2_00650B62

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_00651663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00651663

Source: MACHINE SPECIFICATION.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: MACHINE SPECIFICATION.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_00610698 cpuid

0_2_00610698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

4_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_00668195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00668195

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_0064D27A GetUserNameW,

0_2_0064D27A

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_0062B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0062B952

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

Code function: 0_2_005F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005F42DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 4.2.RegSvcs.exe.349e590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f1b4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4ad0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.349e590.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3476458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f0c66.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3476458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3475570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4ad0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f1b4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3475570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f0c66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7840, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 4.2.RegSvcs.exe.349e590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f1b4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4ad0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.349e590.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3476458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f0c66.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3476458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3475570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4ad0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3475570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f1b4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f0c66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.RegSvcs.exe.349e590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f1b4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4ad0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.349e590.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3476458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f0c66.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3476458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3475570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4ad0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3475570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f1b4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f0c66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7840, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: MACHINE SPECIFICATION.exe	Binary or memory string: WIN_81
Source: MACHINE SPECIFICATION.exe	Binary or memory string: WIN_XP
Source: MACHINE SPECIFICATION.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: MACHINE SPECIFICATION.exe	Binary or memory string: WIN_XPe
Source: MACHINE SPECIFICATION.exe	Binary or memory string: WIN_VISTA
Source: MACHINE SPECIFICATION.exe	Binary or memory string: WIN_7
Source: MACHINE SPECIFICATION.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 4.2.RegSvcs.exe.349e590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f1b4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4ad0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.349e590.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3476458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f0c66.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3476458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3475570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4ad0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f1b4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3475570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f0c66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7840, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 4.2.RegSvcs.exe.349e590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f1b4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4ad0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.349e590.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3476458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f0c66.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3476458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3475570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4ad0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f1b4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3475570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f0c66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7840, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 4.2.RegSvcs.exe.349e590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f1b4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4ad0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.349e590.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3476458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f0c66.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3476458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3475570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4ad0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3475570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f1b4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f0c66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.RegSvcs.exe.349e590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f1b4e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4ad0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.349e590.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3476458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f0c66.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3476458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3475570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4ad0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3475570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f1b4e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2430ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.21f0c66.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7840, type: MEMORYSTR

Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00671204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00671204
Source: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe	Code function: 0_2_00671806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00671806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	137 System Information Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	231 Security Software Discovery	SSH	3 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	111 Virtualization/Sandbox Evasion	Cached Domain Credentials	111 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MACHINE SPECIFICATION.exe	36%	Virustotal		Browse
MACHINE SPECIFICATION.exe	39%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
MACHINE SPECIFICATION.exe	100%	Avira	DR/AutoIt.Gen8
MACHINE SPECIFICATION.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://kianaenergy.com	0%	Avira URL Cloud	safe
http://mail.kianaenergy.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
kianaenergy.com	5.144.131.244	true	true	unknown
reallyfreegeoip.org	104.21.16.1	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
mail.kianaenergy.com	unknown	unknown	true	unknown
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	RegSvcs.exe, 00000004.00000002.2649833145.000000000255C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://kianaenergy.com	RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r10.i.lencr.org/0-	RegSvcs.exe, 00000004.00000002.2652223776.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2648902531.0000000000509000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	RegSvcs.exe, 00000004.00000002.2652223776.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2648902531.0000000000509000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	RegSvcs.exe, 00000004.00000002.2652223776.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2648902531.0000000000509000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	RegSvcs.exe, 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	RegSvcs.exe, 00000004.00000002.2649833145.0000000002578000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	RegSvcs.exe, 00000004.00000002.2649833145.000000000255C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r10.o.lencr.org0#	RegSvcs.exe, 00000004.00000002.2652223776.0000000004DF2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2648902531.0000000000582000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2648902531.0000000000509000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	RegSvcs.exe, 00000004.00000002.2649833145.000000000255C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.0000000002550000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	RegSvcs.exe, 00000004.00000002.2649833145.000000000255C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.kianaenergy.com	RegSvcs.exe, 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000004.00000002.2649833145.00000000024D9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	RegSvcs.exe, 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	RegSvcs.exe, 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649833145.000000000255C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.16.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
5.144.131.244	kianaenergy.com	Iran (ISLAMIC Republic Of)	59441	HOSTIRAN-NETWORKIR	true
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592546
Start date and time:	2025-01-16 09:16:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MACHINE SPECIFICATION.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/1@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 45 Number of non-executed functions: 294
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:17:48	API Interceptor	65x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.16.1	MACHINE SPECIFICATIONS.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	1001-13.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/utww/
	trow.exe	Get hash	malicious	Unknown	Browse	www.wifi4all.nl/
	8L6MBxaJ2m.exe	Get hash	malicious	FormBook	Browse	www.rafconstrutora.online/0xli/
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.kkpmoneysocial.top/86am/
	JNKHlxGvw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php
5.144.131.244	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
193.122.130.0	MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	PDF6UU0CVUO2W-YGVUIO.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	PO#_1100015533.scr	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	1nl3hc.ps1	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	50201668.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	MB263350411AE_1.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	ORDER-202577008.lnk	Get hash	malicious	Unknown	Browse	193.122.6.168
	INQUIRY LIST 292.vbs	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	Contrarre.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	PI ITS15235 (2).doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	rDEKONT-1_16_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	JHGFDFG.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	New PO.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
reallyfreegeoip.org	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	ORDER-202577008.lnk	Get hash	malicious	Unknown	Browse	104.21.96.1
	INQUIRY LIST 292.vbs	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	Contrarre.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	PI ITS15235 (2).doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	rDEKONT-1_16_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	JHGFDFG.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	New PO.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://56.hanagibenewe.ru/Y7MD/	Get hash	malicious	Unknown	Browse	104.17.25.14
	creal.exe	Get hash	malicious	Python Stealer, Creal Stealer	Browse	104.26.13.205
	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	http://links.888brands.net/ctt?m=34615482&r=LTg3OTY1NDQ3MDYS1&b=0&j=Mjc2MDE1OTMzMwS2&mt=1&kt=12&kx=1&k=email-router-cross_secureutils&kd=//american-faucet-and-coatings-corporation.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	162.159.128.70
	55ryoipjfdr.exe	Get hash	malicious	Trickbot	Browse	104.26.12.205
	ORDER-202577008.lnk	Get hash	malicious	Unknown	Browse	104.21.96.1
	INQUIRY LIST 292.vbs	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	Contrarre.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	PI ITS15235 (2).doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	QT202515010642.JPG.PDF.vbs	Get hash	malicious	Unknown	Browse	104.17.151.117
HOSTIRAN-NETWORKIR	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	5.144.131.244
	IDR-500000000.pdf	Get hash	malicious	Unknown	Browse	5.144.130.41
	DHL airwaybill # 6913321715 & BL Draft copy.exe	Get hash	malicious	FormBook	Browse	5.144.130.52
	p4LNUqyKZM.exe	Get hash	malicious	FormBook	Browse	5.144.130.52
	PO_987654345678.exe	Get hash	malicious	FormBook	Browse	5.144.130.52
	DOCUMENTS.vbs	Get hash	malicious	AgentTesla	Browse	5.144.130.41
	INV20240828.exe	Get hash	malicious	FormBook	Browse	5.144.130.52
	Payment-Details.scr.exe	Get hash	malicious	AgentTesla	Browse	5.144.130.41
	rDHL_PT563857935689275783656385FV-GDS3535353.bat	Get hash	malicious	FormBook, GuLoader	Browse	185.83.114.124
	rFV-452747284IN.bat	Get hash	malicious	FormBook, GuLoader	Browse	185.83.114.124
ORACLE-BMC-31898US	ORDER-202577008.lnk	Get hash	malicious	Unknown	Browse	193.122.6.168
	INQUIRY LIST 292.vbs	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	JHGFDFG.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	New PO.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	MV Nicos Tomasos Vessel Parts.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Execute.ps1	Get hash	malicious	Metasploit	Browse	158.101.196.44
	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PDF6UU0CVUO2W-YGVUIO.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	ORDER-202577008.lnk	Get hash	malicious	Unknown	Browse	104.21.16.1
	INQUIRY LIST 292.vbs	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	Contrarre.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	PI ITS15235 (2).doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	rDEKONT-1_16_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	JHGFDFG.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	New PO.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATION.exe
File Type:	data
Category:	dropped
Size (bytes):	209920
Entropy (8bit):	7.8443596385995535
Encrypted:	false
SSDEEP:	6144:/Q0Sl9+yc7j7Oyh2kHwG9oSG5iWfLN+GH5:/Qr9+yc37qkHN9+P5
MD5:	68B2132656C136EE123F2EC28EC84F57
SHA1:	8D3C04459D481137ACC70CC73106F1485A9E55C2
SHA-256:	4CAE5BCDADBC67BCECF20ED026E8D96E68B96873567E11E5A1493A6D6278061B
SHA-512:	F2A1B8A0CD9A76047DB98DB37DDE4F1136ADCF37F0989E6EB32C835953BD1A934B9A46C2AF396193C48B3C44EAF7F7BCAD4A1C21B7EBEDBE283A3BC21E613729
Malicious:	false
Reputation:	low
Preview:	}..DUQG5IYKT..XL.XAXVDIZ.08TY0RXDVQG5MYKTFTXL1XAXVDIZD08TY0R.DVQI.WK.O.y.0..y., )d@J;>B35d50)["-k6#t9_x(6v...d]W0<._UNrQG5MYKT.D.a.).&z5.$hA.k.-&{'.9>..5.7.&`@.?.'.7hg^FH(.,jg?/.D.'yw=u=.&.15,e+.N8TY0RXDVQG5MYKTF.6..XAXV..ZD\|9PYD.X.VQG5MYKT.T{M:YHXV.HZD.9TY0RXk.QG5]YKT.UXL1.AXFDIZF08QY0RXDVQB5MYKTFTX.2XA\VD.aF0:TY.RXTVQW5MYKDFTHL1XAXVTIZD08TY0RXD.DE5.YKTF4ZLuJ@XVDIZD08TY0RXDVQG5MYKTFTX..YADVDIZD08TY0RXDVQG5MYKTFTXL1X.UTD.ZD08TY0RXDVQ.4M.JTFTXL1XAXVDIZD08TY0RXDVQG5c-.,2TXL).@XVTIZD.9TY4RXDVQG5MYKTFTXl1X!v$ (.%08.40RX.WQG[MYK.GTXL1XAXVDIZD0xTYp\|<%"0G5M.{TFTxN1XWXVDCXD08TY0RXDVQG5.YK.h&+>RXAX.VHZDP:TY$SXDvSG5MYKTFTXL1XA.VD.ZD08TY0RXDVQG5MYKTFTXL1XAXVDIZD08TY0RXDVQG5MYKTFTXL1XAXVDIZD08TY0RXDVQG5MYKTFTXL1XAXVDIZD08TY0RXDVQG5MYKTFTXL1XAXVDIZD08TY0RXDVQG5MYKTFTXL1XAXVDIZD08TY0RXDVQG5MYKTFTXL1XAXVDIZD08TY0RXDVQG5MYKTFTXL1XAXVDIZD08TY0RXDVQG5MYKTFTXL1XAXVDIZD08TY0RXDVQG5MYKTFTXL1XAXVDIZD08TY0RXDVQG5MYKTFTXL1XAXVDIZD08TY0RXDVQG5MYKTFTXL1XAXVDIZD08TY0RXDVQG5MYKTFTXL1XAXVDIZD08TY0RXDVQG5MYKTFT

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.225620299381016
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MACHINE SPECIFICATION.exe
File size:	1'612'288 bytes
MD5:	d1c6ab3629f6d71840186bd535086505
SHA1:	5591a31837bb82615ddb484a3e21c8db35420dbf
SHA256:	0c1418234d0411468fb45398076b8eed5b2a889472c9a97311069d7fb858c803
SHA512:	62eb373ee385e7a573c338860f783e72a11ecb9df4fbd729530fe6f1af4668a07633dbd5177c5b7fd6c1ff9df20ed5e6a152f4dc05365a6fc2770c40a75e014b
SSDEEP:	24576:bqDEvCTbMWu7rQYlBQcBiT6rprG8aAlWp6l08jgOIcODaJ+lF/vxW/PgHce:bTvC/MTQYxsWR7af0KDlO+lF/pYH
TLSH:	A175E1027391C0A3FFAB85734F5AF22156BC796A4167A51F13982E79B9702B1023E773
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	0327272d2d246021

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67885D39 [Thu Jan 16 01:13:29 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F24588345C3h
jmp 00007F2458833ECFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F24588340ADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F245883407Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F2458836C6Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F2458836CB8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F2458836CA1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xb2fa0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x187000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xb2fa0	0xb3000	3c1ece804ff529fcfbbb7e03c27d186d	False	0.8334920020076816	data	7.647697463119012	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x187000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45d8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4700	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4828	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4950	0x96b5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	Great Britain	0.9954900080350432
RT_ICON	0xde008	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	Great Britain	0.24154146456879214
RT_ICON	0xee830	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	Great Britain	0.31343283582089554
RT_ICON	0xf7cd8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	Great Britain	0.34329944547134933
RT_ICON	0xfd160	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	Great Britain	0.33644307982994803
RT_ICON	0x101388	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.3856846473029046
RT_ICON	0x103930	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.4573170731707317
RT_ICON	0x1049d8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	Great Britain	0.530327868852459
RT_ICON	0x105360	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.5106382978723404
RT_MENU	0x1057c8	0x50	data	English	Great Britain	0.9
RT_STRING	0x105818	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0x105dac	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0x106438	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0x1068c8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0x106ec4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0x107520	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0x107988	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0x107ae0	0x7ef34	data			1.0003192381362647
RT_GROUP_ICON	0x186a14	0x84	data	English	Great Britain	0.75
RT_GROUP_ICON	0x186a98	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x186aac	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x186ac0	0x14	data	English	Great Britain	1.25
RT_VERSION	0x186ad4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x186bb0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-16T09:17:43.757109+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49706	193.122.130.0	80	TCP
2025-01-16T09:17:50.147663+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49706	193.122.130.0	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 09:17:43.141562939 CET	49706	80	192.168.2.8	193.122.130.0
Jan 16, 2025 09:17:43.146436930 CET	80	49706	193.122.130.0	192.168.2.8
Jan 16, 2025 09:17:43.146596909 CET	49706	80	192.168.2.8	193.122.130.0
Jan 16, 2025 09:17:43.146889925 CET	49706	80	192.168.2.8	193.122.130.0
Jan 16, 2025 09:17:43.151645899 CET	80	49706	193.122.130.0	192.168.2.8
Jan 16, 2025 09:17:43.602319002 CET	80	49706	193.122.130.0	192.168.2.8
Jan 16, 2025 09:17:43.610403061 CET	49706	80	192.168.2.8	193.122.130.0
Jan 16, 2025 09:17:43.615380049 CET	80	49706	193.122.130.0	192.168.2.8
Jan 16, 2025 09:17:43.709948063 CET	80	49706	193.122.130.0	192.168.2.8
Jan 16, 2025 09:17:43.722716093 CET	49707	443	192.168.2.8	104.21.16.1
Jan 16, 2025 09:17:43.722757101 CET	443	49707	104.21.16.1	192.168.2.8
Jan 16, 2025 09:17:43.722850084 CET	49707	443	192.168.2.8	104.21.16.1
Jan 16, 2025 09:17:43.735551119 CET	49707	443	192.168.2.8	104.21.16.1
Jan 16, 2025 09:17:43.735584021 CET	443	49707	104.21.16.1	192.168.2.8
Jan 16, 2025 09:17:43.757108927 CET	49706	80	192.168.2.8	193.122.130.0
Jan 16, 2025 09:17:44.229775906 CET	443	49707	104.21.16.1	192.168.2.8
Jan 16, 2025 09:17:44.229948044 CET	49707	443	192.168.2.8	104.21.16.1
Jan 16, 2025 09:17:44.295584917 CET	49707	443	192.168.2.8	104.21.16.1
Jan 16, 2025 09:17:44.295624018 CET	443	49707	104.21.16.1	192.168.2.8
Jan 16, 2025 09:17:44.296277046 CET	443	49707	104.21.16.1	192.168.2.8
Jan 16, 2025 09:17:44.350857973 CET	49707	443	192.168.2.8	104.21.16.1
Jan 16, 2025 09:17:44.690916061 CET	49707	443	192.168.2.8	104.21.16.1
Jan 16, 2025 09:17:44.731332064 CET	443	49707	104.21.16.1	192.168.2.8
Jan 16, 2025 09:17:44.806585073 CET	443	49707	104.21.16.1	192.168.2.8
Jan 16, 2025 09:17:44.806696892 CET	443	49707	104.21.16.1	192.168.2.8
Jan 16, 2025 09:17:44.806767941 CET	49707	443	192.168.2.8	104.21.16.1
Jan 16, 2025 09:17:44.815277100 CET	49707	443	192.168.2.8	104.21.16.1
Jan 16, 2025 09:17:49.979737997 CET	49706	80	192.168.2.8	193.122.130.0
Jan 16, 2025 09:17:49.985508919 CET	80	49706	193.122.130.0	192.168.2.8
Jan 16, 2025 09:17:50.097162008 CET	80	49706	193.122.130.0	192.168.2.8
Jan 16, 2025 09:17:50.147663116 CET	49706	80	192.168.2.8	193.122.130.0
Jan 16, 2025 09:17:50.618047953 CET	49708	587	192.168.2.8	5.144.131.244
Jan 16, 2025 09:17:50.622924089 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:17:50.623025894 CET	49708	587	192.168.2.8	5.144.131.244
Jan 16, 2025 09:17:52.098376989 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:17:52.098781109 CET	49708	587	192.168.2.8	5.144.131.244
Jan 16, 2025 09:17:52.103667021 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:17:52.365220070 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:17:52.365592957 CET	49708	587	192.168.2.8	5.144.131.244
Jan 16, 2025 09:17:52.370454073 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:17:52.635127068 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:17:52.635977030 CET	49708	587	192.168.2.8	5.144.131.244
Jan 16, 2025 09:17:52.641242027 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:17:52.918718100 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:17:52.918765068 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:17:52.918803930 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:17:52.918837070 CET	49708	587	192.168.2.8	5.144.131.244
Jan 16, 2025 09:17:52.961751938 CET	49708	587	192.168.2.8	5.144.131.244
Jan 16, 2025 09:17:53.009557009 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:17:53.038079023 CET	49708	587	192.168.2.8	5.144.131.244
Jan 16, 2025 09:17:53.042903900 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:17:53.309005022 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:17:53.313455105 CET	49708	587	192.168.2.8	5.144.131.244
Jan 16, 2025 09:17:53.318232059 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:17:53.580461979 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:17:53.595870018 CET	49708	587	192.168.2.8	5.144.131.244
Jan 16, 2025 09:17:53.600784063 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:17:53.862775087 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:17:53.863951921 CET	49708	587	192.168.2.8	5.144.131.244
Jan 16, 2025 09:17:53.868926048 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:17:57.164422035 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:17:57.164748907 CET	49708	587	192.168.2.8	5.144.131.244
Jan 16, 2025 09:17:57.169595957 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:17:57.431421041 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:17:57.432873964 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:17:57.432929039 CET	49708	587	192.168.2.8	5.144.131.244
Jan 16, 2025 09:17:57.442214012 CET	49708	587	192.168.2.8	5.144.131.244
Jan 16, 2025 09:17:57.447082043 CET	587	49708	5.144.131.244	192.168.2.8
Jan 16, 2025 09:18:40.117134094 CET	49706	80	192.168.2.8	193.122.130.0
Jan 16, 2025 09:18:40.122522116 CET	80	49706	193.122.130.0	192.168.2.8
Jan 16, 2025 09:18:40.122591972 CET	49706	80	192.168.2.8	193.122.130.0

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 09:17:43.126526117 CET	56854	53	192.168.2.8	1.1.1.1
Jan 16, 2025 09:17:43.135103941 CET	53	56854	1.1.1.1	192.168.2.8
Jan 16, 2025 09:17:43.712402105 CET	50187	53	192.168.2.8	1.1.1.1
Jan 16, 2025 09:17:43.721513987 CET	53	50187	1.1.1.1	192.168.2.8
Jan 16, 2025 09:17:50.106781960 CET	64685	53	192.168.2.8	1.1.1.1
Jan 16, 2025 09:17:50.616203070 CET	53	64685	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 16, 2025 09:17:43.126526117 CET	192.168.2.8	1.1.1.1	0xcf12	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:17:43.712402105 CET	192.168.2.8	1.1.1.1	0x31ed	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:17:50.106781960 CET	192.168.2.8	1.1.1.1	0x3d26	Standard query (0)	mail.kianaenergy.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 16, 2025 09:17:43.135103941 CET	1.1.1.1	192.168.2.8	0xcf12	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 09:17:43.135103941 CET	1.1.1.1	192.168.2.8	0xcf12	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:17:43.135103941 CET	1.1.1.1	192.168.2.8	0xcf12	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:17:43.135103941 CET	1.1.1.1	192.168.2.8	0xcf12	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:17:43.135103941 CET	1.1.1.1	192.168.2.8	0xcf12	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:17:43.135103941 CET	1.1.1.1	192.168.2.8	0xcf12	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:17:43.721513987 CET	1.1.1.1	192.168.2.8	0x31ed	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:17:43.721513987 CET	1.1.1.1	192.168.2.8	0x31ed	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:17:43.721513987 CET	1.1.1.1	192.168.2.8	0x31ed	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:17:43.721513987 CET	1.1.1.1	192.168.2.8	0x31ed	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:17:43.721513987 CET	1.1.1.1	192.168.2.8	0x31ed	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:17:43.721513987 CET	1.1.1.1	192.168.2.8	0x31ed	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:17:43.721513987 CET	1.1.1.1	192.168.2.8	0x31ed	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:17:50.616203070 CET	1.1.1.1	192.168.2.8	0x3d26	No error (0)	mail.kianaenergy.com	kianaenergy.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 09:17:50.616203070 CET	1.1.1.1	192.168.2.8	0x3d26	No error (0)	kianaenergy.com		5.144.131.244	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	193.122.130.0	80	7840	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 09:17:43.146889925 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 09:17:43.602319002 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 08:17:43 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7501eb7caaaad9c7912e31219369d02e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 16, 2025 09:17:43.610403061 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 09:17:43.709948063 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 08:17:43 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 157a588cb05e43ca1ea07d21b8c9a2d7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 16, 2025 09:17:49.979737997 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 09:17:50.097162008 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 08:17:50 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 65c95170ba8467fc846e7c9a42f90645 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49707	104.21.16.1	443	7840	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 08:17:44 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 08:17:44 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 08:17:44 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2330253 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W822OmKBMvPU0CAM1PiRb1Mq%2FE5GPATHWmQ1eRYWlxSuWscg2gQN2vVreOM2STpyM%2B5tC%2BwDQUt5QotRx70PD4uYxWM%2Bpkbyo2kWH5zvLCz5PdYUlSwpJlNX4QCYJyRWqCVH0Oje"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902cabbeaa1241ba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1670&min_rtt=1666&rtt_var=632&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1719670&cwnd=192&unsent_bytes=0&cid=8fd072a971197e3c&ts=593&x=0"
2025-01-16 08:17:44 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 16, 2025 09:17:52.098376989 CET	587	49708	5.144.131.244	192.168.2.8	220-linux33.centraldnserver.com ESMTP Exim 4.96.2 #2 Thu, 16 Jan 2025 11:47:51 +0330 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 16, 2025 09:17:52.098781109 CET	49708	587	192.168.2.8	5.144.131.244	EHLO 116938
Jan 16, 2025 09:17:52.365220070 CET	587	49708	5.144.131.244	192.168.2.8	250-linux33.centraldnserver.com Hello 116938 [8.46.123.189] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jan 16, 2025 09:17:52.365592957 CET	49708	587	192.168.2.8	5.144.131.244	STARTTLS
Jan 16, 2025 09:17:52.635127068 CET	587	49708	5.144.131.244	192.168.2.8	220 TLS go ahead

Target ID:	0
Start time:	03:17:38
Start date:	16/01/2025
Path:	C:\Users\user\Desktop\MACHINE SPECIFICATION.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"
Imagebase:	0x5f0000
File size:	1'612'288 bytes
MD5 hash:	D1C6AB3629F6D71840186BD535086505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1419250581.0000000002580000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:17:39
Start date:	16/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"
Imagebase:	0x3d0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:17:39
Start date:	16/01/2025
Path:	C:\Users\user\Desktop\MACHINE SPECIFICATION.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"
Imagebase:	0x5f0000
File size:	1'612'288 bytes
MD5 hash:	D1C6AB3629F6D71840186BD535086505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000002.1437380212.0000000003590000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:17:41
Start date:	16/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"
Imagebase:	0x10000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000002.2649771693.0000000002430000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000004.00000002.2648810250.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000002.2651965370.0000000004AD0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.2651225944.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.2649833145.0000000002631000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.2649642452.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	1.2%
Signature Coverage:	3.6%
Total number of Nodes:	1599
Total number of Limit Nodes:	33

Executed Functions

Function 005F42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 005F430D

Part of subcall function 005F6B57: _wcslen.LIBCMT ref: 005F6B6A

GetCurrentProcess.KERNEL32(?,0068CB64,00000000,?,?), ref: 005F4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 005F4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 005F4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 005F4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 005F4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 005F447B
GetSystemInfo.KERNEL32(?,?,?), ref: 005F44A0

Strings

kernel32.dll, xrefs: 005F444F
GetNativeSystemInfo, xrefs: 005F4460
|O, xrefs: 006336F8

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 37c043122bdd9c552812379c29e87b8bf5240ef78dae037f5dd5e941808cfdff
Instruction ID: e8d085d3155f8112fd6bef9e18a596612b0f07d306f69e106df655162333c569
Opcode Fuzzy Hash: 37c043122bdd9c552812379c29e87b8bf5240ef78dae037f5dd5e941808cfdff
Instruction Fuzzy Hash: BEA1E57191A2E4DFCB12EB687C859F53FA77B67308B047998D089AFB23D2344508CB61

Function 005F42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,005F50AA,?,?,00000000,00000000), ref: 005F42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005F50AA,?,?,00000000,00000000), ref: 005F42C9
LoadResource.KERNEL32(?,00000000,?,?,005F50AA,?,?,00000000,00000000,?,?,?,?,?,?,005F4F20), ref: 006335BE
SizeofResource.KERNEL32(?,00000000,?,?,005F50AA,?,?,00000000,00000000,?,?,?,?,?,?,005F4F20), ref: 006335D3
LockResource.KERNEL32(005F50AA,?,?,005F50AA,?,?,00000000,00000000,?,?,?,?,?,?,005F4F20,?), ref: 006335E6

Strings

SCRIPT, xrefs: 005F42BF

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 9bae2e1a4cdb735d44d2a2a5ea0c318f3349b98b833f9e9b41920910b1970eb0
Instruction ID: f17eb4da31904e7a1e1934c9b1847627d1781d8362aebb331d5c2f14a952d2d7
Opcode Fuzzy Hash: 9bae2e1a4cdb735d44d2a2a5ea0c318f3349b98b833f9e9b41920910b1970eb0
Instruction Fuzzy Hash: 10117974200704BFEB218BA5DC48F677FBAEBC5B61F208269B502966A0DB71D9009B70

Function 00632BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 005F2B6B

Part of subcall function 005F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006C1418,?,005F2E7F,?,?,?,00000000), ref: 005F3A78

Part of subcall function 005F9CB3: _wcslen.LIBCMT ref: 005F9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,006B2224), ref: 00632C10
ShellExecuteW.SHELL32(00000000,?,?,006B2224), ref: 00632C17

Strings

runas, xrefs: 00632C0B

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: c8daf6e36d2278a4b051586a0e9dcbb563fd5e3919fa2c1ce5f03382e0f6361d
Instruction ID: 487d1f8f165dee8a446b45f4fca9b4885244e2173b68919e85d3bccc24b57c1c
Opcode Fuzzy Hash: c8daf6e36d2278a4b051586a0e9dcbb563fd5e3919fa2c1ce5f03382e0f6361d
Instruction Fuzzy Hash: 7A11C37110824B6AD705FF20D859EBE7FE6BBD2350F04542DF642460A2CF298A4A8712

Function 005FD730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 005FD807
timeGetTime.WINMM ref: 005FDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005FDB28
TranslateMessage.USER32(?), ref: 005FDB7B
DispatchMessageW.USER32(?), ref: 005FDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005FDB9F
Sleep.KERNEL32(0000000A), ref: 005FDBB1

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: bb0147706fe6eb481244d826ea907d12bd478de03932be34a76f4c34236629cd
Instruction ID: 8a26de843d7dde7bc260266eb3d77d904c5608c5b67882b55d9e1755e0fc596d
Opcode Fuzzy Hash: bb0147706fe6eb481244d826ea907d12bd478de03932be34a76f4c34236629cd
Instruction Fuzzy Hash: A942E330604246DFD728DF24C894BBABBB3BF46304F544A1DF99587291D778E884CBA2

Function 005F2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 005F2D07
RegisterClassExW.USER32(00000030), ref: 005F2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005F2D42
InitCommonControlsEx.COMCTL32(?), ref: 005F2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005F2D6F
LoadIconW.USER32(000000A9), ref: 005F2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005F2D94

Strings

0, xrefs: 005F2CE9
TaskbarCreated, xrefs: 005F2D37
AutoIt v3 GUI, xrefs: 005F2D23
+, xrefs: 005F2CF0

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 9f7a7b5ed06d2450fd0b4b6e4e95e7c4939fc532d9dcd6716c94bd350b52da28
Instruction ID: 7675aeb103dcfecb2e1f40fc892b0c765ab136a033f9e8a37368d0340ca3df3b
Opcode Fuzzy Hash: 9f7a7b5ed06d2450fd0b4b6e4e95e7c4939fc532d9dcd6716c94bd350b52da28
Instruction Fuzzy Hash: 0921F4B1D01348AFDB00DFA4EC49BEDBBB6FB0A711F00521AF911AA2A0D7B14540CFA1

Function 0063065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0063039A: CreateFileW.KERNELBASE(00000000,00000000,?,00630704,?,?,00000000,?,00630704,00000000,0000000C), ref: 006303B7

GetLastError.KERNEL32 ref: 0063076F
__dosmaperr.LIBCMT ref: 00630776
GetFileType.KERNELBASE(00000000), ref: 00630782
GetLastError.KERNEL32 ref: 0063078C
__dosmaperr.LIBCMT ref: 00630795
CloseHandle.KERNEL32(00000000), ref: 006307B5
CloseHandle.KERNEL32(?), ref: 006308FF
GetLastError.KERNEL32 ref: 00630931
__dosmaperr.LIBCMT ref: 00630938

Strings

H, xrefs: 006308BD

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: f9811d32de05572e1f25adb7435651aaadd4abb10fcfe1fac36b1c6aa8458f39
Instruction ID: cbd3b0a3bfe6086ecbe3228b68a7606be2630ba97a4be938e98506c73de49630
Opcode Fuzzy Hash: f9811d32de05572e1f25adb7435651aaadd4abb10fcfe1fac36b1c6aa8458f39
Instruction Fuzzy Hash: 3FA10432A001189FEF19AF68D862BEE7BB2AB06320F14015DF8159B3D1DB319957CBD5

Function 005F344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006C1418,?,005F2E7F,?,?,?,00000000), ref: 005F3A78

Part of subcall function 005F3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 005F3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 005F356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0063318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006331CE
RegCloseKey.ADVAPI32(?), ref: 00633210
_wcslen.LIBCMT ref: 00633277
_wcslen.LIBCMT ref: 00633286

Strings

Software\AutoIt v3\AutoIt, xrefs: 005F3560
\Include\, xrefs: 005F3527
\, xrefs: 0063328C
Include, xrefs: 00633184, 006331C5

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: cfc761a692cbc290c3ebe36253e0e5afee95a325e55ecc42ab488a0be5fcf044
Instruction ID: 2ad496fabc0eb4dbffa06f85c5bfedd3acd59676b22c99ecf7842375a3a32436
Opcode Fuzzy Hash: cfc761a692cbc290c3ebe36253e0e5afee95a325e55ecc42ab488a0be5fcf044
Instruction Fuzzy Hash: F071A4714043469EC314EF65DC95DBBBBEAFF84750F40192DF949832A0EB749A48CBA2

Function 005F2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 005F2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 005F2B9D
LoadIconW.USER32(00000063), ref: 005F2BB3
LoadIconW.USER32(000000A4), ref: 005F2BC5
LoadIconW.USER32(000000A2), ref: 005F2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005F2BEF
RegisterClassExW.USER32(?), ref: 005F2C40

Part of subcall function 005F2CD4: GetSysColorBrush.USER32(0000000F), ref: 005F2D07
Part of subcall function 005F2CD4: RegisterClassExW.USER32(00000030), ref: 005F2D31
Part of subcall function 005F2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005F2D42
Part of subcall function 005F2CD4: InitCommonControlsEx.COMCTL32(?), ref: 005F2D5F
Part of subcall function 005F2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005F2D6F
Part of subcall function 005F2CD4: LoadIconW.USER32(000000A9), ref: 005F2D85
Part of subcall function 005F2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005F2D94

Strings

AutoIt v3, xrefs: 005F2C2F
0, xrefs: 005F2C0F
#, xrefs: 005F2C16

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 90cca932981831b3a4e51aa7e3c0dab939db3ef56a76b8cfb5bf353330f89459
Instruction ID: c15fa77d33c8a1449f6e0570860430ca7bad924a7ad8da8341942fc0d0fde1df
Opcode Fuzzy Hash: 90cca932981831b3a4e51aa7e3c0dab939db3ef56a76b8cfb5bf353330f89459
Instruction Fuzzy Hash: 29214C70E00358ABDB109FA5EC45EA97FB6FB4AB54F00111AE608AA6A1D3B54A50CF90

Function 005FB710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005FBB4E

Strings

p#l, xrefs: 0064024F
x#l, xrefs: 00640168
p%l, xrefs: 005FBB32
p%l, xrefs: 005FB8DC
p#l, xrefs: 00640263
x#l, xrefs: 00640207
p#l, xrefs: 005FBA72
p#l, xrefs: 005FBB6B

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#l$p#l$p#l$p#l$p%l$p%l$x#l$x#l
API String ID: 1385522511-3037114512
Opcode ID: 7e48748e81de0cfbeeca78129e2bd7fa5b133d03e826941b47ea873deed45a7f
Instruction ID: e9a254a6e56b6be71172cf85feeff683d34af266b08cf2872119c69f3f6f1506
Opcode Fuzzy Hash: 7e48748e81de0cfbeeca78129e2bd7fa5b133d03e826941b47ea873deed45a7f
Instruction Fuzzy Hash: 52329E74A0021ADFEB14DF54C994EBABBB6FF44340F14845AEA05AB391C7B8ED41CB91

Function 005F3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,005F316A,?,?), ref: 005F31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,005F316A,?,?), ref: 005F3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 005F3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,005F316A,?,?), ref: 005F3232
CreatePopupMenu.USER32 ref: 005F3246
PostQuitMessage.USER32(00000000), ref: 005F3267

Strings

TaskbarCreated, xrefs: 005F322D

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 8774da2423da763e049d7df59ba060e1a57dab666a353c0978c0aba6de14ea8d
Instruction ID: 4ad2322354f94002f7ccc177ea3ea153867f09e2ab04ced511ac57982419a881
Opcode Fuzzy Hash: 8774da2423da763e049d7df59ba060e1a57dab666a353c0978c0aba6de14ea8d
Instruction Fuzzy Hash: D841F635240209AAFB142B68DD2DFB93E5BFB47354F04111AFB068A292C6798A40C7A5

Function 005FDFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 006432B7
D%l, xrefs: 005FE1E0
D%l, xrefs: 005FE4B1
D%l, xrefs: 0064302D
D%lD%l, xrefs: 005FE27E
D%l, xrefs: 00642FDA

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID: D%l$D%l$D%l$D%l$D%lD%l$Variable must be of type 'Object'.
API String ID: 0-600123511
Opcode ID: 193526acc55c04845ce589eda6d01bf3a62c05d81acc4bd68e47b79ae703b3e3
Instruction ID: ef746df5f9393eacc59f994a4f577e7e89017d685689e9b9bf1f5665e806a97d
Opcode Fuzzy Hash: 193526acc55c04845ce589eda6d01bf3a62c05d81acc4bd68e47b79ae703b3e3
Instruction Fuzzy Hash: 66C28F74A00219CFCB24DF58C886ABDBBB2FF05310F248569EA45AB3A1D779ED41CB51

Function 01B1A270 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01B1A341
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01B1A567

Memory Dump Source

Source File: 00000000.00000002.1418153012.0000000001B17000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B17000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b17000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction ID: f7f8dd6c99d97427b912334387496f44a84266473ea35d7b072ba994209aa5a6
Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction Fuzzy Hash: E8A13970E01209EBDB18CFA4C898BEEBBB5FF48304F608199E105BB284D775AA41CF54

Function 005F2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 005F2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 005F2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,005F1CAD,?), ref: 005F2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,005F1CAD,?), ref: 005F2CCF

Strings

AutoIt v3, xrefs: 005F2C89, 005F2C8E, 005F2C8F
edit, xrefs: 005F2CAC

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ae580e109e38a5cf9406a86d049a088dd35c25455ff60c4ee6f8fa39fa2dce3e
Instruction ID: d6c719ddcd42e67bc5e351a2cfc6a4e695a42992dbd80afacb8ef720539840a9
Opcode Fuzzy Hash: ae580e109e38a5cf9406a86d049a088dd35c25455ff60c4ee6f8fa39fa2dce3e
Instruction Fuzzy Hash: CBF0B275A402D07AEB211B27AC08E773EBED7CBF64B01205BF908EA5A1C6751850DAB0

Function 01B1A020 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01B19F10: Sleep.KERNELBASE(000001F4), ref: 01B19F21

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01B1A15A

Strings

0RXDVQG5MYKTFTXL1XAXVDIZD08TY, xrefs: 01B1A1BD, 01B1A1C0

Memory Dump Source

Source File: 00000000.00000002.1418153012.0000000001B17000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B17000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b17000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CreateFileSleep
String ID: 0RXDVQG5MYKTFTXL1XAXVDIZD08TY
API String ID: 2694422964-1149502661
Opcode ID: bf2a9acdcc21adf6b377db4776e1dd0a8e3b5b9eebdc49531f9ce1cd28e65abc
Instruction ID: 4293475ca8a1cf5ad17b13d910a18ef13695bd450230d6ed38cafdcefae073c8
Opcode Fuzzy Hash: bf2a9acdcc21adf6b377db4776e1dd0a8e3b5b9eebdc49531f9ce1cd28e65abc
Instruction Fuzzy Hash: 5C618070D04288DAEF15D7B8C858BDFBBB4AF15304F444199E6587B2C1C7BA1A48CBA5

Function 005F3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,005F3B0F,SwapMouseButtons,00000004,?), ref: 005F3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,005F3B0F,SwapMouseButtons,00000004,?), ref: 005F3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,005F3B0F,SwapMouseButtons,00000004,?), ref: 005F3B83

Strings

Control Panel\Mouse, xrefs: 005F3B3E

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: f4ff0f0e1a0072742db8fb389d6b5c69a971097ad6cb21dffa7a07bb6e7d63f7
Instruction ID: bb6d005eab086c1a5030ac82957732d9eb89bb6496aff01d476b707bdafd2769
Opcode Fuzzy Hash: f4ff0f0e1a0072742db8fb389d6b5c69a971097ad6cb21dffa7a07bb6e7d63f7
Instruction Fuzzy Hash: 80112AB5511208FFEB218FA5DC54ABFBBB9FF04794B10495AA905D7110E2359E409760

Function 01B18F10 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01B1973D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01B19761
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01B19783
TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 01B19A8C

Memory Dump Source

Source File: 00000000.00000002.1418153012.0000000001B17000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B17000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b17000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
String ID:
API String ID: 572931308-0
Opcode ID: dd5ff2c0333f679b22dfbad47a12c49e5bc70870eaab63e39cb7295a27d4d700
Instruction ID: 1ce62c7dfcad55f37c42e52a35eed6469444f4d5e5f6a767f7b51d595546e1f6
Opcode Fuzzy Hash: dd5ff2c0333f679b22dfbad47a12c49e5bc70870eaab63e39cb7295a27d4d700
Instruction Fuzzy Hash: BE622C30A14258DBEB28CFA4C850BDEB772EF58304F5091A9D10DEB394E7769E81CB59

Function 005F3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 006333A2

Part of subcall function 005F6B57: _wcslen.LIBCMT ref: 005F6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 005F3A04

Strings

Line: , xrefs: 006333EB

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: c7347433589cbbe9961958783d4fba94b42d398d1db2e44443598b617fe4a512
Instruction ID: 783ad2f31d9c48c66bca52bfd4e8545a9f1a9dfafd73d86b38b34cb066df320a
Opcode Fuzzy Hash: c7347433589cbbe9961958783d4fba94b42d398d1db2e44443598b617fe4a512
Instruction Fuzzy Hash: 9C31C771408359AAE321EB10DC49FFB7BD9BB81714F10492EF69983191EF789A44C7D2

Function 005F2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00632C8C

Part of subcall function 005F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005F3A97,?,?,005F2E7F,?,?,?,00000000), ref: 005F3AC2

Part of subcall function 005F2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005F2DC4

Strings

`ek, xrefs: 00632C85
X, xrefs: 00632C5A

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`ek
API String ID: 779396738-1798088556
Opcode ID: eba3f3ab4a67553fcfd8e38964d6dbc06ca243b5ae0d2930ab7d4c46c2a07ecb
Instruction ID: 85364c83ae9f8f3c5070ab2fcaf97e5cd56c08ae12cc6838498dec10a5721526
Opcode Fuzzy Hash: eba3f3ab4a67553fcfd8e38964d6dbc06ca243b5ae0d2930ab7d4c46c2a07ecb
Instruction Fuzzy Hash: 952196B1A0025C9BDF41DF94C849BEE7FFDAF89314F008059E505AB241DBB859898FA1

Function 0060FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00610668

Part of subcall function 006132A4: RaiseException.KERNEL32(?,?,?,0061068A,?,006C1444,?,?,?,?,?,?,0061068A,005F1129,006B8738,005F1129), ref: 00613304

__CxxThrowException@8.LIBVCRUNTIME ref: 00610685

Strings

Unknown exception, xrefs: 00610692

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: ccc51e3eb2100dfa9ac5e457a56c2486ae68a5fdba399fea1b60b6293564b4d5
Instruction ID: d47c5636fa9886848db07c25e667af8257236a8ddf11b8404f9113127efd3e85
Opcode Fuzzy Hash: ccc51e3eb2100dfa9ac5e457a56c2486ae68a5fdba399fea1b60b6293564b4d5
Instruction Fuzzy Hash: 43F0AF3490020DA7CF54BB64D846CDE7B6F5E00350B684139B91496AE2EFB1DAE6CAC4

Function 00677F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 006782F5
TerminateProcess.KERNEL32(00000000), ref: 006782FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 006784DD

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 590cd263fcefe63ec53989bfae5a8e9ebf863929597a956bf38f1a3cf3fac68a
Instruction ID: 36aa9d1e2fbb8c10d8cbc5e20451c20d206f3dbbdb4f1767fbe13374948c5dc0
Opcode Fuzzy Hash: 590cd263fcefe63ec53989bfae5a8e9ebf863929597a956bf38f1a3cf3fac68a
Instruction Fuzzy Hash: 34127D719083019FC714DF28C488B6ABBE2BF84314F04895DE9998B352DB75ED45CF92

Function 005F10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 005F1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 005F1BF4
Part of subcall function 005F1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 005F1BFC
Part of subcall function 005F1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 005F1C07
Part of subcall function 005F1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 005F1C12
Part of subcall function 005F1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 005F1C1A
Part of subcall function 005F1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 005F1C22

Part of subcall function 005F1B4A: RegisterWindowMessageW.USER32(00000004,?,005F12C4), ref: 005F1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 005F136A
OleInitialize.OLE32 ref: 005F1388
CloseHandle.KERNEL32(00000000,00000000), ref: 006324AB

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: dd962ef61700fb723da358c7f29f6fe34ca56327473049cf42e9e2a9731453e2
Instruction ID: cf0c3f65f75a26b7fede8d55236e2aee9181ed46897ea813dde02aa4fabb837e
Opcode Fuzzy Hash: dd962ef61700fb723da358c7f29f6fe34ca56327473049cf42e9e2a9731453e2
Instruction Fuzzy Hash: C271ABF49152058EC784EF69A959E753EE3FB8B350794A22AD10ACF363EB3484018F55

Function 006286AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,006285CC,?,006B8CC8,0000000C), ref: 00628704
GetLastError.KERNEL32(?,006285CC,?,006B8CC8,0000000C), ref: 0062870E
__dosmaperr.LIBCMT ref: 00628739

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 91b85612e6789ba09ef1ca7765028acf7ae7a9b00a8747b78755098277c1d84b
Instruction ID: 34585da3217772971d8660525b4bc9aa904d30642e17d6e78646d6c55ad3f935
Opcode Fuzzy Hash: 91b85612e6789ba09ef1ca7765028acf7ae7a9b00a8747b78755098277c1d84b
Instruction Fuzzy Hash: 2C012B32606E302ED674A3347C49BBE675B4B91775F39121DF8158B2D3EEB08C818A94

Function 00601310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006017F6

Strings

CALL, xrefs: 006017C6

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: a364e435a1d3602b25388aa278f6a54b7024253c3fb57786161931ef09f1aa1f
Instruction ID: ad05855e6c3cdbdbb5bea94b6f2be0850c2d80fbbe5a81fdf735030d7d6efa09
Opcode Fuzzy Hash: a364e435a1d3602b25388aa278f6a54b7024253c3fb57786161931ef09f1aa1f
Instruction Fuzzy Hash: 2D228BB06482419FC718DF14C894A6BBBF3BF86314F14896DF4968B3A1D772E941CB92

Function 01B19FA0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 01B19FFA

Strings

D, xrefs: 01B19FB4

Memory Dump Source

Source File: 00000000.00000002.1418153012.0000000001B17000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B17000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b17000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CreateProcess
String ID: D
API String ID: 963392458-2746444292
Opcode ID: efdf82a1e48cd01f1f44ac0dffb6eebfaf3faa77ee3fda0e7163886e06ef651f
Instruction ID: 8ed6f31291a7da2d0585ba772274179fc55f3670b4f94f4e9e1fe537a77a6bb4
Opcode Fuzzy Hash: efdf82a1e48cd01f1f44ac0dffb6eebfaf3faa77ee3fda0e7163886e06ef651f
Instruction Fuzzy Hash: 46011271541358ABDB24EBF0CC49FFE777CAF48701F808549A6159B184EB74A6488BA1

Function 01B18F0D Relevance: 3.4, APIs: 2, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01B1973D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01B19761
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01B19783
TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 01B19A8C

Memory Dump Source

Source File: 00000000.00000002.1418153012.0000000001B17000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B17000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b17000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
String ID:
API String ID: 572931308-0
Opcode ID: 1255ff05a3a391cede1f89d856dff3995fd10eb49087fc5ba29911cf4b5d1436
Instruction ID: 90a270e47e5d4f3a73b9a30f800123bd2c3188553754034b5b596d693f4eda21
Opcode Fuzzy Hash: 1255ff05a3a391cede1f89d856dff3995fd10eb49087fc5ba29911cf4b5d1436
Instruction Fuzzy Hash: 7612DC24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 005F3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 005F3908

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: da811637751f466e4bc50d35b909be60f045af5a38821749b47f6f6ccf9c53c4
Instruction ID: d45be11bd5f5f5b077e79b7878af5b0ba3347037798f402abd35ef4b15ab6b7a
Opcode Fuzzy Hash: da811637751f466e4bc50d35b909be60f045af5a38821749b47f6f6ccf9c53c4
Instruction Fuzzy Hash: AB31C3705053459FE720DF24D884BA7BBE5FB4A748F00092EFA9987241E779AA44CB92

Function 005F5745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,005F949C,?,00008000), ref: 005F5773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,005F949C,?,00008000), ref: 00634052

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 40bad75b40a593d63630e5c5c7bd6a08437d0d4446e3713fc90130c1b8194994
Instruction ID: 7482a326ede39086c4bde859981deeef92629d2368146bf9d110af86c61c772e
Opcode Fuzzy Hash: 40bad75b40a593d63630e5c5c7bd6a08437d0d4446e3713fc90130c1b8194994
Instruction Fuzzy Hash: 45018030245225B6E3711A2ADC4EFA77F99EF027B0F108300BB9C5A1E1DBB45854CB90

Function 0067709C Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 668c221f1273dbc018810384070f707b24f1dda815ccd76dea26872629cfdd01
Instruction ID: ae1942da82000afc4d8262540b1c602e31e2f3e28b925dc87ccb28887e54f116
Opcode Fuzzy Hash: 668c221f1273dbc018810384070f707b24f1dda815ccd76dea26872629cfdd01
Instruction Fuzzy Hash: 42D14D74A0410ADFCB14DF98C4819EEBBB6FF48314F548159E919AB391D730AD81CB91

Function 0060FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0060FD1F

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: e91cee3e5f07d6ebb310f7db5361f50a11c7c519f61060b76578fb4dae7f9e21
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: DE310674A40109DBD728CF59D4919AAF7A2FF49300B2486A5E809CFB95D731EDC1CBC0

Function 005F4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 005F4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,005F4EDD,?,006C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005F4E9C
Part of subcall function 005F4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005F4EAE
Part of subcall function 005F4E90: FreeLibrary.KERNEL32(00000000,?,?,005F4EDD,?,006C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005F4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005F4EFD

Part of subcall function 005F4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00633CDE,?,006C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005F4E62
Part of subcall function 005F4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005F4E74
Part of subcall function 005F4E59: FreeLibrary.KERNEL32(00000000,?,?,00633CDE,?,006C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005F4E87

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 95a3c2877a96358974fac79832112f1ecbbc079c8f56aa7fb36d5b083745c48d
Instruction ID: 9e6ecf663254981054f9f5b9f859a348ee7e8b46966ce9a470314e671c7abf39
Opcode Fuzzy Hash: 95a3c2877a96358974fac79832112f1ecbbc079c8f56aa7fb36d5b083745c48d
Instruction Fuzzy Hash: 1E11E73165020AABCF14BB60DC1AFBE7BA6BF80710F10442DF746A62C1EE799A459B50

Function 00628402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00628440

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 2413647f2043a3a5eddd6028bd633cca19c69fb792a0273e19c714610c69dd56
Instruction ID: 36af3b46a394dc17563226a11f2f32d4f922ddb18701374444d1abe7993f07f4
Opcode Fuzzy Hash: 2413647f2043a3a5eddd6028bd633cca19c69fb792a0273e19c714610c69dd56
Instruction Fuzzy Hash: 8211187590410AAFDB05DF58E9419DA7BF5EF48314F144059F808AB352DA31DA21CBA5

Function 00625000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00624C7D: RtlAllocateHeap.NTDLL(00000008,005F1129,00000000,?,00622E29,00000001,00000364,?,?,?,0061F2DE,00623863,006C1444,?,0060FDF5,?), ref: 00624CBE

_free.LIBCMT ref: 0062506C

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 43e481c2c90ce83af03022345f38d8aceb8a3969d3e647ba4fcbef41ce7e3953
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: BF014E72604B156BE3318F55EC4199AFBEEFB89370F65051DE185832C0EB306845CB74

Function 0061E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 44a522d3229daf512ba32876a4f78e98f5bcca3204f36bcef280d672f1394e21
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 86F0F932511E20AAC6313A659C05BD6339B9F52371F180B1DF821932D2CB75D4828AED

Function 00624C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,005F1129,00000000,?,00622E29,00000001,00000364,?,?,?,0061F2DE,00623863,006C1444,?,0060FDF5,?), ref: 00624CBE

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4e11439ecdaa18def37e52d37ab04aa3bb30ef5f7c858afff6bc93292a1f2f5d
Instruction ID: f92b2cceb4271d22f16921c983dff88aad5e4f09b7bb88bdce617c2f1d0c6456
Opcode Fuzzy Hash: 4e11439ecdaa18def37e52d37ab04aa3bb30ef5f7c858afff6bc93292a1f2f5d
Instruction Fuzzy Hash: 5CF0B431702A3467DB215F6AFC09BDA379BAF417A0B184125B819AB3D1CE71D8018AA0

Function 00623820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,006C1444,?,0060FDF5,?,?,005FA976,00000010,006C1440,005F13FC,?,005F13C6,?,005F1129), ref: 00623852

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 60c36f49fa55373fe44924c7d4f83c3444eecceaa4e7f8a72a456c4ccbc423a3
Instruction ID: 3cbb6a9f4e5465667bb0b8d7bf30e811fc99eded88a722834a5560b59eaca7a0
Opcode Fuzzy Hash: 60c36f49fa55373fe44924c7d4f83c3444eecceaa4e7f8a72a456c4ccbc423a3
Instruction Fuzzy Hash: 95E0E532100A3466D7212666BC04BDA365BAF42BB0F1A0124BD069E791CB2DDE028BE4

Function 005F4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,006C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005F4F6D

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: e1d542ea450eec7173698df8f54a2a706ba8c476d3bf51ce043ee5a702a89994
Instruction ID: 00f33e4e9eaba0140155fd17ccc2ec97bb74de78af67bf9e84d8cf4b803b8518
Opcode Fuzzy Hash: e1d542ea450eec7173698df8f54a2a706ba8c476d3bf51ce043ee5a702a89994
Instruction Fuzzy Hash: 10F01571505796CFDB349F64D494823BBE5BF143293248A6EE2EE82621CB369888DF50

Function 0065CCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0063EE51,006B3630,00000002), ref: 0065CD26

Part of subcall function 0065CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0065CD19,?,?,?), ref: 0065CC59
Part of subcall function 0065CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0065CD19,?,?,?,?,0063EE51,006B3630,00000002), ref: 0065CC6E
Part of subcall function 0065CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0065CD19,?,?,?,?,0063EE51,006B3630,00000002), ref: 0065CC7A

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: 88d08ad7a478853121cb87b273edf7f39d14656ddc78c9bcfaa6cf4b1dd9f690
Instruction ID: adbdeae6df0561043dd9d22a76615f3b3c61a1abf005901dea9e02368d09302e
Opcode Fuzzy Hash: 88d08ad7a478853121cb87b273edf7f39d14656ddc78c9bcfaa6cf4b1dd9f690
Instruction Fuzzy Hash: E0E06D7A400704FFC7219F8ADD408AABBF9FF84761710862FE996C2510D3B1AA14DBA0

Function 005F2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005F2DC4

Part of subcall function 005F6B57: _wcslen.LIBCMT ref: 005F6B6A

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 530d135729cbeffa3860c9fabfd8c338648bae2dabc1dae6f01629237fdff40c
Instruction ID: 1c63552915c024519ba8585efe9272d2f2b4c8a35ec17a54a806e69e0b8cc653
Opcode Fuzzy Hash: 530d135729cbeffa3860c9fabfd8c338648bae2dabc1dae6f01629237fdff40c
Instruction Fuzzy Hash: B5E0CD726001245BC71092589C05FEA77DDDFC8790F044175FD09D7248D974AD808690

Function 005F2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 005F3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 005F3908

Part of subcall function 005FD730: GetInputState.USER32 ref: 005FD807

SetCurrentDirectoryW.KERNEL32(?), ref: 005F2B6B

Part of subcall function 005F30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 005F314E

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 4a684469910b51c270a233e5c8c06bf220d4a9d57cfef3fb50de96d4323e2385
Instruction ID: c0b7564ce4e7d5232ab8b177672ccb2fbb3fa7921467673e6ea29706536ed02e
Opcode Fuzzy Hash: 4a684469910b51c270a233e5c8c06bf220d4a9d57cfef3fb50de96d4323e2385
Instruction Fuzzy Hash: 49E0263130024E07D708BB30981AABDAF9AFBD2392F40253EF34287163CE2C86464321

Function 0063039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00630704,?,?,00000000,?,00630704,00000000,0000000C), ref: 006303B7

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 42367a8c4d2f1adcc52b9d7c0adfe2d8ffbffe9c4dca19796baf92d1b6649c85
Instruction ID: 1c43fb7599ecbe42d1743bb6ea6367ccaba05552523f6068873b8ecc8febdfd3
Opcode Fuzzy Hash: 42367a8c4d2f1adcc52b9d7c0adfe2d8ffbffe9c4dca19796baf92d1b6649c85
Instruction Fuzzy Hash: 4DD06C3204010DBBDF028F84DD46EDA3BAAFB48714F014100BE5856020C732E821AB90

Function 005F1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 005F1CBC

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 61c067573d75c7b18648f4668d011661700aeadd37d74130ad7d02eaff4039f9
Instruction ID: 2f76612ff52690814967cdbb15c09db03337d1f6827cc034c49b3c7f107ebf69
Opcode Fuzzy Hash: 61c067573d75c7b18648f4668d011661700aeadd37d74130ad7d02eaff4039f9
Instruction Fuzzy Hash: C1C09B35280305AFF7145780BC5AF217756A349B14F445001F60D595E3C3F11430D751

Function 0066744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 005F5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,005F949C,?,00008000), ref: 005F5773

GetLastError.KERNEL32(00000002,00000000), ref: 006676DE

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 09cb85226e52d9250fffd7a1be31d2f8775dc723a09ece40ce2ca4806d5095db
Instruction ID: 65566b3d5acc0347d5feb16c09d86f7cc11817d38dff92347ccaa084e2fbdf34
Opcode Fuzzy Hash: 09cb85226e52d9250fffd7a1be31d2f8775dc723a09ece40ce2ca4806d5095db
Instruction Fuzzy Hash: 0B81A3302087069FC714EF28C495BA9BBE2BF88354F04456DF9869B392DB74ED45CB92

Function 01B19F0C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01B19F21

Memory Dump Source

Source File: 00000000.00000002.1418153012.0000000001B17000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B17000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b17000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 1041d1ecdac054593c60ef94ac2585297c74cb6430b96190064699c29feb16aa
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 2AE0BF7494410DEFDB00EFA4D5496DE7BB4EF04301F1005A1FD05D7681DB319E54CA62

Function 005F6246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,006324E0), ref: 005F6266

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 45c9697aaa797628de4d079e8a248273348289f0be5d1fc510a1b55cd8f21611
Instruction ID: 6b6b6d4c3d152db277a52828996d44b017a9646115440be0960693ac5568f517
Opcode Fuzzy Hash: 45c9697aaa797628de4d079e8a248273348289f0be5d1fc510a1b55cd8f21611
Instruction Fuzzy Hash: E2E0B679400B01DFC3314F1AE804422FBF6FFE13613204A2ED2E592660D7B458869F50

Function 01B19F10 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01B19F21

Memory Dump Source

Source File: 00000000.00000002.1418153012.0000000001B17000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B17000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b17000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 440d80e26788f8874063743cb7efe8b4c68628fc17c68ad2e4ecb5648a321786
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 25E0BF7494410DAFDB00EFA4D54969E7BB4EF04301F1001A1FD0192281D7319A508A62

Non-executed Functions

Function 00689576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00609BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00609BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0068961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0068965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0068969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006896C9
SendMessageW.USER32 ref: 006896F2
GetKeyState.USER32(00000011), ref: 0068978B
GetKeyState.USER32(00000009), ref: 00689798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006897AE
GetKeyState.USER32(00000010), ref: 006897B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006897E9
SendMessageW.USER32 ref: 00689810
SendMessageW.USER32(?,00001030,?,00687E95), ref: 00689918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0068992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00689941
SetCapture.USER32(?), ref: 0068994A
ClientToScreen.USER32(?,?), ref: 006899AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 006899BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006899D6
ReleaseCapture.USER32 ref: 006899E1
GetCursorPos.USER32(?), ref: 00689A19
ScreenToClient.USER32(?,?), ref: 00689A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00689A80
SendMessageW.USER32 ref: 00689AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00689AEB
SendMessageW.USER32 ref: 00689B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00689B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00689B4A
GetCursorPos.USER32(?), ref: 00689B68
ScreenToClient.USER32(?,?), ref: 00689B75
GetParent.USER32(?), ref: 00689B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00689BFA
SendMessageW.USER32 ref: 00689C2B
ClientToScreen.USER32(?,?), ref: 00689C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00689CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00689CDE
SendMessageW.USER32 ref: 00689D01
ClientToScreen.USER32(?,?), ref: 00689D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00689D82

Part of subcall function 00609944: GetWindowLongW.USER32(?,000000EB), ref: 00609952

GetWindowLongW.USER32(?,000000F0), ref: 00689E05

Strings

p#l, xrefs: 00689990
F, xrefs: 00689D07
@GUI_DRAGID, xrefs: 0068997D

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#l
API String ID: 3429851547-2936908030
Opcode ID: c7ac21e706e76dff095b6d09225d8159c97b4a3b5beeb2337d6493c92efb25a7
Instruction ID: 33d36eec20dae8cbb3a5c788abf66858ff654c248a1379db7302fd212a7e5063
Opcode Fuzzy Hash: c7ac21e706e76dff095b6d09225d8159c97b4a3b5beeb2337d6493c92efb25a7
Instruction Fuzzy Hash: 3E426F74204241AFE725DF24CC48EBABBE6FF4A320F180719F659872A1E731D895CB61

Function 00684873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 006848F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00684908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00684927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0068494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0068495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0068497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 006849AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 006849D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00684A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00684A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00684A7E
IsMenu.USER32(?), ref: 00684A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00684AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00684B20
GetWindowLongW.USER32(?,000000F0), ref: 00684B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00684BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00684C82
wsprintfW.USER32 ref: 00684CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00684CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00684CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00684D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00684D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00684D5A

Strings

%d/%02d/%02d, xrefs: 00684CA8

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 95c0b76e9719745be9a8e0a01e8c1ce3d906a4df9720c7a1a0a5857458ac97e4
Instruction ID: 414beda06205a1cbe63c97d7faacdc53c57d0b8f08cd9e5eff6c72991c3aafe7
Opcode Fuzzy Hash: 95c0b76e9719745be9a8e0a01e8c1ce3d906a4df9720c7a1a0a5857458ac97e4
Instruction Fuzzy Hash: 1E12E071600256ABEB24AF28CC49FEE7BFAEF85710F104229F515EB2E1DB749941CB50

Function 0060F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0060F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0064F474
IsIconic.USER32(00000000), ref: 0064F47D
ShowWindow.USER32(00000000,00000009), ref: 0064F48A
SetForegroundWindow.USER32(00000000), ref: 0064F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0064F4AA
GetCurrentThreadId.KERNEL32 ref: 0064F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0064F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0064F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0064F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0064F4DE
SetForegroundWindow.USER32(00000000), ref: 0064F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0064F4F6
keybd_event.USER32(00000012,00000000), ref: 0064F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0064F50B
keybd_event.USER32(00000012,00000000), ref: 0064F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0064F519
keybd_event.USER32(00000012,00000000), ref: 0064F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0064F528
keybd_event.USER32(00000012,00000000), ref: 0064F52D
SetForegroundWindow.USER32(00000000), ref: 0064F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0064F557

Strings

Shell_TrayWnd, xrefs: 0064F46F

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 9f2233e3c96e1da6e7ca6265a2b516ba546bbeaa1ed0ff2f43334b0fe7b020e8
Instruction ID: a28b4cc4a63110227b4bda87bf751e610e52b0d750ff3d782f22b994771b18bd
Opcode Fuzzy Hash: 9f2233e3c96e1da6e7ca6265a2b516ba546bbeaa1ed0ff2f43334b0fe7b020e8
Instruction Fuzzy Hash: 60317471A40218BBEB206BB59C4AFBF7E6EEB44B60F101125F601E61D1D6B05D10AB71

Function 00651201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 006516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0065170D
Part of subcall function 006516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0065173A
Part of subcall function 006516C3: GetLastError.KERNEL32 ref: 0065174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00651286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 006512A8
CloseHandle.KERNEL32(?), ref: 006512B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006512D1
GetProcessWindowStation.USER32 ref: 006512EA
SetProcessWindowStation.USER32(00000000), ref: 006512F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00651310

Part of subcall function 006510BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006511FC), ref: 006510D4
Part of subcall function 006510BF: CloseHandle.KERNEL32(?,?,006511FC), ref: 006510E9

Strings

default, xrefs: 0065130B
, xrefs: 0065125A
Zk, xrefs: 00651392
winsta0, xrefs: 006512CC

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Zk
API String ID: 22674027-699051852
Opcode ID: c029aaaf473d3cd3a821d35fe90b059bb3ee8dabb8f8d3ce437b092d4eca997c
Instruction ID: 4332c005405e0782eaf4411cb22cd4bd71ed1e53c4656c37a741d0bb1317a292
Opcode Fuzzy Hash: c029aaaf473d3cd3a821d35fe90b059bb3ee8dabb8f8d3ce437b092d4eca997c
Instruction Fuzzy Hash: B9819B71900209BFDF209FA4DC49FEE7BBAEF05705F145229FE11AA2A0D7758949CB60

Function 00650B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00651114
Part of subcall function 006510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00650B9B,?,?,?), ref: 00651120
Part of subcall function 006510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00650B9B,?,?,?), ref: 0065112F
Part of subcall function 006510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00650B9B,?,?,?), ref: 00651136
Part of subcall function 006510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0065114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00650BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00650C00
GetLengthSid.ADVAPI32(?), ref: 00650C17
GetAce.ADVAPI32(?,00000000,?), ref: 00650C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00650C6D
GetLengthSid.ADVAPI32(?), ref: 00650C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00650C8C
HeapAlloc.KERNEL32(00000000), ref: 00650C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00650CB4
CopySid.ADVAPI32(00000000), ref: 00650CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00650CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00650D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00650D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00650D45
HeapFree.KERNEL32(00000000), ref: 00650D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00650D55
HeapFree.KERNEL32(00000000), ref: 00650D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00650D65
HeapFree.KERNEL32(00000000), ref: 00650D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00650D78
HeapFree.KERNEL32(00000000), ref: 00650D7F

Part of subcall function 00651193: GetProcessHeap.KERNEL32(00000008,00650BB1,?,00000000,?,00650BB1,?), ref: 006511A1
Part of subcall function 00651193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00650BB1,?), ref: 006511A8
Part of subcall function 00651193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00650BB1,?), ref: 006511B7

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 174307207ec599d65e4acbc910cbb74afa06880da05e9a1a56e823a6b37868a1
Instruction ID: f20d9a0805d8dec0ea9e4f734c957530a01fd6d732b51002b5f520abc72ae635
Opcode Fuzzy Hash: 174307207ec599d65e4acbc910cbb74afa06880da05e9a1a56e823a6b37868a1
Instruction Fuzzy Hash: 06714A7290020ABBEF109FE4DC48BEEBBBABF09351F144615ED15A6291D771E909CB70

Function 0066EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0068CC08), ref: 0066EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0066EB37
GetClipboardData.USER32(0000000D), ref: 0066EB43
CloseClipboard.USER32 ref: 0066EB4F
GlobalLock.KERNEL32(00000000), ref: 0066EB87
CloseClipboard.USER32 ref: 0066EB91
GlobalUnlock.KERNEL32(00000000), ref: 0066EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0066EBC9
GetClipboardData.USER32(00000001), ref: 0066EBD1
GlobalLock.KERNEL32(00000000), ref: 0066EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0066EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0066EC38
GetClipboardData.USER32(0000000F), ref: 0066EC44
GlobalLock.KERNEL32(00000000), ref: 0066EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0066EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0066EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0066ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0066ECF3
CountClipboardFormats.USER32 ref: 0066ED14
CloseClipboard.USER32 ref: 0066ED59

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 4e89e31d38b0450b80163f98a340c42bf301792304dc820ce5afba8f0082135a
Instruction ID: 24151819f8ad26993412503a8f8f32920662c1e937aee061f4fbe0699281464d
Opcode Fuzzy Hash: 4e89e31d38b0450b80163f98a340c42bf301792304dc820ce5afba8f0082135a
Instruction Fuzzy Hash: 4B61D038204206AFD300EF20D898F7A7BA6FF84764F14561DF556972A2DB32DD46CB62

Function 0066698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006669BE
FindClose.KERNEL32(00000000), ref: 00666A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00666A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00666A75

Part of subcall function 005F9CB3: _wcslen.LIBCMT ref: 005F9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00666AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00666ADF

Strings

%03d, xrefs: 00666DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00666B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00666B32
%02d, xrefs: 00666C00, 00666C0A, 00666C5A, 00666CAA, 00666CFA, 00666D4A
%4d, xrefs: 00666BB1

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 4358b55d397fd7591833404fcbaa05172c7dc370f9c35c22678414e12bd740d9
Instruction ID: 22e07147dcde622cf7e7baf8b9ac0320dc744e3803863020f09800d755d25837
Opcode Fuzzy Hash: 4358b55d397fd7591833404fcbaa05172c7dc370f9c35c22678414e12bd740d9
Instruction Fuzzy Hash: 36D16071508345AFC314EBA4D895EBBBBEDBF88704F04491DF685C6291EB38DA44CB62

Function 00669642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00669663
GetFileAttributesW.KERNEL32(?), ref: 006696A1
SetFileAttributesW.KERNEL32(?,?), ref: 006696BB
FindNextFileW.KERNEL32(00000000,?), ref: 006696D3
FindClose.KERNEL32(00000000), ref: 006696DE
FindFirstFileW.KERNEL32(*.*,?), ref: 006696FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0066974A
SetCurrentDirectoryW.KERNEL32(006B6B7C), ref: 00669768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00669772
FindClose.KERNEL32(00000000), ref: 0066977F
FindClose.KERNEL32(00000000), ref: 0066978F

Strings

*.*, xrefs: 006696F5

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: f0ca864ad695b783b3198b41bfbb797c1d56c5627078a086a7c2ce5046d2a96b
Instruction ID: 04a77240055fb6cbe37a247407607f78cc170a5145c97e3022bf4895e4268a5d
Opcode Fuzzy Hash: f0ca864ad695b783b3198b41bfbb797c1d56c5627078a086a7c2ce5046d2a96b
Instruction Fuzzy Hash: 2131C272500219BEDF14EFB4EC18AEE77AE9F49320F144165F805E2190DB34DA84CB34

Function 0066979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 006697BE
FindNextFileW.KERNEL32(00000000,?), ref: 00669819
FindClose.KERNEL32(00000000), ref: 00669824
FindFirstFileW.KERNEL32(*.*,?), ref: 00669840
SetCurrentDirectoryW.KERNEL32(?), ref: 00669890
SetCurrentDirectoryW.KERNEL32(006B6B7C), ref: 006698AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 006698B8
FindClose.KERNEL32(00000000), ref: 006698C5
FindClose.KERNEL32(00000000), ref: 006698D5

Part of subcall function 0065DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0065DB00

Strings

*.*, xrefs: 0066983B

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 97934aebae76a14806688d8b25bd5447e8396a69cec83c6472c955e940a51ad8
Instruction ID: 5698d7288bbe98ffea38776bc9001458995d4a0b61a2919106802c17933f1353
Opcode Fuzzy Hash: 97934aebae76a14806688d8b25bd5447e8396a69cec83c6472c955e940a51ad8
Instruction Fuzzy Hash: 22319332540619BEDB10EFA4EC48ADE77BE9F46320F144659E814A32D0DB74DA85CB74

Function 00668195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00668257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00668267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00668273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00668310
SetCurrentDirectoryW.KERNEL32(?), ref: 00668324
SetCurrentDirectoryW.KERNEL32(?), ref: 00668356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0066838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00668395

Strings

*.*, xrefs: 0066839B

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: af1da14264cb415f3433206cb056ce388688fe32a23fe47dbb11986ddf0f9bec
Instruction ID: 9451467544458baace9c0610641004979b0801a80b2f04de80217c450fc431dc
Opcode Fuzzy Hash: af1da14264cb415f3433206cb056ce388688fe32a23fe47dbb11986ddf0f9bec
Instruction Fuzzy Hash: EC616DB25043069FDB10EF60C8549AEB7EAFF89310F044A1DF989D7251EB35EA45CB92

Function 0065D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005F3A97,?,?,005F2E7F,?,?,?,00000000), ref: 005F3AC2

Part of subcall function 0065E199: GetFileAttributesW.KERNEL32(?,0065CF95), ref: 0065E19A

FindFirstFileW.KERNEL32(?,?), ref: 0065D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0065D1DD
MoveFileW.KERNEL32(?,?), ref: 0065D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0065D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0065D237

Part of subcall function 0065D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0065D21C,?,?), ref: 0065D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0065D253
FindClose.KERNEL32(00000000), ref: 0065D264

Strings

\*.*, xrefs: 0065D0CD, 0065D0D6, 0065D0EB

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 7dc0fea81cd2bf735178021e05882dc88651f9b719d9548b43aad932b803c1f7
Instruction ID: 09552f183c6c7b74f5ddc07d7f42b419ac5a1913e98b4c06b8c301b41e361168
Opcode Fuzzy Hash: 7dc0fea81cd2bf735178021e05882dc88651f9b719d9548b43aad932b803c1f7
Instruction Fuzzy Hash: C7617E3180110EAACF15EBE0CA569FDBBB6BF55341F204169E90177291EB355F0DCB61

Function 0066ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0066ED91
EmptyClipboard.USER32 ref: 0066ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0066EDAC
CloseClipboard.USER32 ref: 0066EEA3

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 7a174170568bbdd0e4d64e1f47aa7ae7f374f312856ff56cf5679164bb736be5
Instruction ID: cbf1d44a60de1c8992c4030286a1a1fb2d56d5d549876a173f687c2f3b05f5cf
Opcode Fuzzy Hash: 7a174170568bbdd0e4d64e1f47aa7ae7f374f312856ff56cf5679164bb736be5
Instruction Fuzzy Hash: 9E41A039204612AFE710DF15D888F69BBE6FF44328F14C1A9E4158B7A2D736ED42CB90

Function 0065E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 006516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0065170D
Part of subcall function 006516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0065173A
Part of subcall function 006516C3: GetLastError.KERNEL32 ref: 0065174A

ExitWindowsEx.USER32(?,00000000), ref: 0065E932

Strings

@, xrefs: 0065E925
SeShutdownPrivilege, xrefs: 0065E902
, xrefs: 0065E95C
, xrefs: 0065E920

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 5cfd2d3468321850fe90b93948fdebd2c2b1be68abd8b65e20d5eeabb36289f4
Instruction ID: a1837933b6c773d3d16a9f79a35286938106d5f81d07d1907515b6af272520c6
Opcode Fuzzy Hash: 5cfd2d3468321850fe90b93948fdebd2c2b1be68abd8b65e20d5eeabb36289f4
Instruction Fuzzy Hash: 19012672A10211BFEF5826B4AC86FFF729F9B14753F150522FC03E21D2D5A25E4882A4

Function 00671204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00671276
WSAGetLastError.WSOCK32 ref: 00671283
bind.WSOCK32(00000000,?,00000010), ref: 006712BA
WSAGetLastError.WSOCK32 ref: 006712C5
closesocket.WSOCK32(00000000), ref: 006712F4
listen.WSOCK32(00000000,00000005), ref: 00671303
WSAGetLastError.WSOCK32 ref: 0067130D
closesocket.WSOCK32(00000000), ref: 0067133C

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 92d9d093a12cb75370d6b343f03c8a3ccd4d93e950762129280978734976f94e
Instruction ID: 99d769fd8b1ca3fec23096afdaaa0c88d37bd9be3efd17fdc679e949215a29b8
Opcode Fuzzy Hash: 92d9d093a12cb75370d6b343f03c8a3ccd4d93e950762129280978734976f94e
Instruction Fuzzy Hash: BC419171600101AFD710DF28C498B69BBE6BF86324F18C199D96A9F393C771ED81CBA0

Function 0062B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0062B9D4
_free.LIBCMT ref: 0062B9F8
_free.LIBCMT ref: 0062BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00693700), ref: 0062BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,006C121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0062BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,006C1270,000000FF,?,0000003F,00000000,?), ref: 0062BC36
_free.LIBCMT ref: 0062BD4B

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: c488cf6042cc37d74984c6ab1c6c72b5e6b8cc10ec993e3e7250269477dd6a79
Instruction ID: 743743c37397d089cf9a2201942e09d39f66e110b93cf1a11587b73119bd90e6
Opcode Fuzzy Hash: c488cf6042cc37d74984c6ab1c6c72b5e6b8cc10ec993e3e7250269477dd6a79
Instruction Fuzzy Hash: 0AC12A75904A25AFCB10DF68A851BEA7BBBEF46310F18615EE490DB392DB308E418F54

Function 0065D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005F3A97,?,?,005F2E7F,?,?,?,00000000), ref: 005F3AC2

Part of subcall function 0065E199: GetFileAttributesW.KERNEL32(?,0065CF95), ref: 0065E19A

FindFirstFileW.KERNEL32(?,?), ref: 0065D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0065D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0065D481
FindClose.KERNEL32(00000000), ref: 0065D498
FindClose.KERNEL32(00000000), ref: 0065D4A1

Strings

\*.*, xrefs: 0065D3F2

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: a43c3611c04382b5c403df36f82238e49fea79ce21451ae2c2339581aabadbba
Instruction ID: d135c348f159b4d8d7462231108318a314064ce259e57dae5fa833e2db30ddd7
Opcode Fuzzy Hash: a43c3611c04382b5c403df36f82238e49fea79ce21451ae2c2339581aabadbba
Instruction Fuzzy Hash: 1A317E71008346ABC310EF64C8558BF7BE9BED1351F404A2DF9D5922D1EB34AA09C763

Function 0062E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0062E645

Strings

1#SNAN, xrefs: 0062F844
1#IND, xrefs: 0062F83D
1#INF, xrefs: 0062F852
1#QNAN, xrefs: 0062F84B

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ad27071a220d109767f46bfda01e3d9d23f8049dc4cbe479fae294230d97fade
Instruction ID: 3e0864fb6740f8d3efd3eac5bfcd3ba1286169298b1a1f4c15ddae37a6fe943b
Opcode Fuzzy Hash: ad27071a220d109767f46bfda01e3d9d23f8049dc4cbe479fae294230d97fade
Instruction Fuzzy Hash: C8C23871E04A298FDB65CF28AD407EAB7B6EB44305F1441FAD84DE7241E779AE818F40

Function 0066648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006664DC
CoInitialize.OLE32(00000000), ref: 00666639
CoCreateInstance.OLE32(0068FCF8,00000000,00000001,0068FB68,?), ref: 00666650
CoUninitialize.OLE32 ref: 006668D4

Strings

.lnk, xrefs: 006664BA, 00666524, 006665E0

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 48b33c6345c280290fe8791bff0862d204e3e2780ffc6d22cdf17cde55c9f501
Instruction ID: 33e6631193fd110533a6f862bf2cd39a40982ee76a2c04e88027216e1092ae4c
Opcode Fuzzy Hash: 48b33c6345c280290fe8791bff0862d204e3e2780ffc6d22cdf17cde55c9f501
Instruction Fuzzy Hash: 12D14A71508205AFC304EF24D885AABBBE9FFD8704F10496DF5968B291DB70ED45CBA2

Function 006722DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 006722E8

Part of subcall function 0066E4EC: GetWindowRect.USER32(?,?), ref: 0066E504

GetDesktopWindow.USER32 ref: 00672312
GetWindowRect.USER32(00000000), ref: 00672319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00672355
GetCursorPos.USER32(?), ref: 00672381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006723DF

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 05be21b8a9bc4afe7b0947d671d7abad69cfb0355d006a183b6ebe00a941b5fd
Instruction ID: 0ed438332b7ba7b2e171f613e25b912f798390e8bb9af109bc7b6fc19780a0a7
Opcode Fuzzy Hash: 05be21b8a9bc4afe7b0947d671d7abad69cfb0355d006a183b6ebe00a941b5fd
Instruction Fuzzy Hash: 6531C372504316ABDB20DF14D845A9B779AFF84320F004A1DF98997281D735EA08CBA2

Function 00669B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 005F9CB3: _wcslen.LIBCMT ref: 005F9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00669B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00669C8B

Part of subcall function 00663874: GetInputState.USER32 ref: 006638CB
Part of subcall function 00663874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00663966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00669BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00669C75

Strings

*.*, xrefs: 00669B5D

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 092a609713df4de0a80a6646d6da82fb92c4b423484ff6178d1cc4146e0cb533
Instruction ID: f2ac00128e7bb2c0a7d444956ec93b3e67696d12432c57dfc2ece705bdc7670a
Opcode Fuzzy Hash: 092a609713df4de0a80a6646d6da82fb92c4b423484ff6178d1cc4146e0cb533
Instruction Fuzzy Hash: 2A41717190020AAFDF54EF64C989AEEBBFAFF45350F244155F805A2291EB309E84CF60

Function 0060997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00609BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00609BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00609A4E
GetSysColor.USER32(0000000F), ref: 00609B23
SetBkColor.GDI32(?,00000000), ref: 00609B36

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 4a7df459aed3523cb44df73476c7abbda29a94a0b2171b5b27fbe69f87810711
Instruction ID: 5be76f3b75518f3a509385e4a5044e2aa293b0c87b076017da72722f56089f51
Opcode Fuzzy Hash: 4a7df459aed3523cb44df73476c7abbda29a94a0b2171b5b27fbe69f87810711
Instruction Fuzzy Hash: 4EA1E770289444BEE72CAA2C8C58EBB3A9FDB87350B15420DF502DA7D3CB259D02D376

Function 00671806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0067304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0067307A
Part of subcall function 0067304E: _wcslen.LIBCMT ref: 0067309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0067185D
WSAGetLastError.WSOCK32 ref: 00671884
bind.WSOCK32(00000000,?,00000010), ref: 006718DB
WSAGetLastError.WSOCK32 ref: 006718E6
closesocket.WSOCK32(00000000), ref: 00671915

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: abf1f65f5a3773689c8bcbba567a7b9c5f0c7a2b7f4861e9f274aea5c04be762
Instruction ID: 426ecdaa4245387724b3957f91628bd42d19db29ba391113286224833f4f94f7
Opcode Fuzzy Hash: abf1f65f5a3773689c8bcbba567a7b9c5f0c7a2b7f4861e9f274aea5c04be762
Instruction Fuzzy Hash: 9251C671A40204AFE710AF24C88AF7A7BE6AB85718F14C05DFA095F3C3D775AD418BA1

Function 00681C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00681CC0
IsWindowEnabled.USER32 ref: 00681CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00681CDB
IsIconic.USER32 ref: 00681CE9
IsZoomed.USER32 ref: 00681CF7

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 74d35d4506f67a5b377dd8347c4935b5a98e6126a3ca96d7105def8d4b98b8eb
Instruction ID: b3afd02eb63f635636ee4d09f7f4abd7fea6c0083748f9680cec4186993e103f
Opcode Fuzzy Hash: 74d35d4506f67a5b377dd8347c4935b5a98e6126a3ca96d7105def8d4b98b8eb
Instruction Fuzzy Hash: 5D21A3317402115FD720AF1AD854B6A7BEAFF86324B199168E846CF352D775DC43CBA0

Function 005F8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 005F813C
VUUU, xrefs: 005F83FA
VUUU, xrefs: 005F843C
VUUU, xrefs: 005F83E8
VUUU, xrefs: 00635DF0

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: d4f4a7748c7f085ae1bd7bb60e289facf159ff25f86cb311f9d2c6a1fe08c657
Instruction ID: 9ac4df604970d0406e392e9e9bbee308d891a3b335f4360c5066ef9be4ecde0d
Opcode Fuzzy Hash: d4f4a7748c7f085ae1bd7bb60e289facf159ff25f86cb311f9d2c6a1fe08c657
Instruction Fuzzy Hash: 0AA27E71A0061ACBDF24CF58C9407FEBBB2BF54314F2485A9E916AB385DB749D81CB90

Function 00658298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 006582AA

Strings

(, xrefs: 006582F0
tbk, xrefs: 006584F4
|, xrefs: 006582DA

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: lstrlen
String ID: ($tbk$|
API String ID: 1659193697-2359782994
Opcode ID: 6a30a1bf5b467227ba84c85f7d3b8aa9748bea14bcf88b3abfebf724fd5030c6
Instruction ID: 4631c4acf7707f6316bb3b5f588b2886b4b1e2208754d6d9e629007ddafb069f
Opcode Fuzzy Hash: 6a30a1bf5b467227ba84c85f7d3b8aa9748bea14bcf88b3abfebf724fd5030c6
Instruction Fuzzy Hash: 5F323774A007059FCB28CF59C4819AAB7F1FF48710F15856EE89AEB7A1EB70E941CB44

Function 0067A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0067A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0067A6BA

Part of subcall function 005F9CB3: _wcslen.LIBCMT ref: 005F9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0067A79C
CloseHandle.KERNEL32(00000000), ref: 0067A7AB

Part of subcall function 0060CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00633303,?), ref: 0060CE8A

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 736fbba296c2ed7a70fca98e1e86235841631f1160cd1cc9074d82148ed01e2b
Instruction ID: b0ce3851378dd88050bd9269b7ca03ec2a069b9803b77dbc2effc22c1db10cd5
Opcode Fuzzy Hash: 736fbba296c2ed7a70fca98e1e86235841631f1160cd1cc9074d82148ed01e2b
Instruction Fuzzy Hash: FD518C71508305AFD314EF24C886A6BBBE9FFC8754F00892DF58997292EB34D904CB92

Function 0065AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0065AAAC
SetKeyboardState.USER32(00000080), ref: 0065AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0065AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0065AB88

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1bed22550cce0df967b9c3a0b1fc07a7f3213c0e49c69c30109dcf3d7a37b3a4
Instruction ID: dd26c1711e2aec2e6ee825e960c461edce7420fc77d61fec85e812e973a57503
Opcode Fuzzy Hash: 1bed22550cce0df967b9c3a0b1fc07a7f3213c0e49c69c30109dcf3d7a37b3a4
Instruction Fuzzy Hash: 6431C770A40248AFEB358BA5CC05BFA7BA7AB44322F04431AF981562D1D3758989C7A6

Function 0066CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0066CE89
GetLastError.KERNEL32(?,00000000), ref: 0066CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0066CEFE

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 82cc46eafe2b60be71db5dcc554c151415c564141c5f5e66fda158559787d255
Instruction ID: afd3e60bc54a947767f07e00e158223095169f8ed37585b205476ea8e9b51f89
Opcode Fuzzy Hash: 82cc46eafe2b60be71db5dcc554c151415c564141c5f5e66fda158559787d255
Instruction Fuzzy Hash: CE21CFB1600B05ABDB20DF65C988BA7B7FEEF10324F10441EE686D2251E771EE45CBA4

Function 0065DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00635222), ref: 0065DBCE
GetFileAttributesW.KERNEL32(?), ref: 0065DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0065DBEE
FindClose.KERNEL32(00000000), ref: 0065DBFA

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: f5077931b3bad83a64087816489a7d23d4797b7af5182f35c4e13f3a4332489a
Instruction ID: b25b7f3f46ef1876aeee8e38c669a90607a4a75621bce28aee51dc2044203fb1
Opcode Fuzzy Hash: f5077931b3bad83a64087816489a7d23d4797b7af5182f35c4e13f3a4332489a
Instruction Fuzzy Hash: DFF0A070810910A7C3306B78AC0D8AE37AE9E01376F104702F876C22E0EBB05A5986A5

Function 00622622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0062271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00622724
UnhandledExceptionFilter.KERNEL32(?), ref: 00622731

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 7c0f2beb64cb091223816e010dee30958711bf8f6df85a46f4fd131257d1c662
Instruction ID: 150398247aff603c1b1dc0949bad5e8e18643130917cb71136d4265baf984261
Opcode Fuzzy Hash: 7c0f2beb64cb091223816e010dee30958711bf8f6df85a46f4fd131257d1c662
Instruction Fuzzy Hash: 9331C474901229ABCB61DF68DC887D9B7B9AF08310F5042EAE41CA6261E7709F818F44

Function 006651CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006651DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00665238
SetErrorMode.KERNEL32(00000000), ref: 006652A1

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 051fed4831eee1486bbe522409488d45e34a78dd082621c73f96225586224916
Instruction ID: 0982a90493ac4427f4b033b97513bbc82f238f7883a4811fec4f406803474c86
Opcode Fuzzy Hash: 051fed4831eee1486bbe522409488d45e34a78dd082621c73f96225586224916
Instruction Fuzzy Hash: 09318075A00509DFDB00DF54D8D8EADBBB5FF48314F048099E905AB392DB35E946CB60

Function 006516C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0060FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00610668
Part of subcall function 0060FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00610685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0065170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0065173A
GetLastError.KERNEL32 ref: 0065174A

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: e319582bdb87b95680fbaa091e5df9012b40d9b5cad95b9fdd27f1bf4fb1115b
Instruction ID: 2c2ddfa55cc1216337ed189c6e1f923e4b9894de6fe7e2973bee477f4a0af0f6
Opcode Fuzzy Hash: e319582bdb87b95680fbaa091e5df9012b40d9b5cad95b9fdd27f1bf4fb1115b
Instruction Fuzzy Hash: 141101B2400304BFD7289F64EC86E6BB7BAEF44721B20852EE45657281EB70BC418B20

Function 0065D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0065D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0065D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0065D650

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: c374fc0834d7e5bcb5bca4c97110fca2bc36e12f578e52c53f09685ce10c9658
Instruction ID: 8df1f5d46158167447a9dbaf6244cc1bb12b03dbbc63e8d44296ae5f5c4632a2
Opcode Fuzzy Hash: c374fc0834d7e5bcb5bca4c97110fca2bc36e12f578e52c53f09685ce10c9658
Instruction Fuzzy Hash: 54115E75E05228BFDB208F95DC45FAFBBBDEB45B60F108115F904E7290D6704A058BA1

Function 00651663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0065168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006516A1
FreeSid.ADVAPI32(?), ref: 006516B1

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 5f0a456a6eff1aaa5543441d56e893adf7b7f65f472324a55568e551e20184e5
Instruction ID: ba1af1b30c8b13fbf7d0abab72e9eddc400ad49cd9034c36a1da94a1cd0b95d9
Opcode Fuzzy Hash: 5f0a456a6eff1aaa5543441d56e893adf7b7f65f472324a55568e551e20184e5
Instruction Fuzzy Hash: 2AF04471940308FBDB00CFE0DC89EAEBBBDEB08250F104560E900E2180E331AA448B60

Function 00614CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(006228E9,?,00614CBE,006228E9,006B88B8,0000000C,00614E15,006228E9,00000002,00000000,?,006228E9), ref: 00614D09
TerminateProcess.KERNEL32(00000000,?,00614CBE,006228E9,006B88B8,0000000C,00614E15,006228E9,00000002,00000000,?,006228E9), ref: 00614D10
ExitProcess.KERNEL32 ref: 00614D22

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8e0f17accd9dd7c9a0b5652ccd418d06b4a9f84af19165018d9a4d58f704b207
Instruction ID: 099afc04980a3732f3f73fdd4dc10537c5f3ba1afd78751dcb6edfb57a07e5eb
Opcode Fuzzy Hash: 8e0f17accd9dd7c9a0b5652ccd418d06b4a9f84af19165018d9a4d58f704b207
Instruction Fuzzy Hash: 9CE0B631400548BBCF11AF54ED09A983B6BFF41B91B144118FD098B222CF35DD82DB94

Function 0062C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0062C36C

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: a68d775e8e7140f91cf57c31c7c3c746e7de63a9f94bb00a346928322bea8773
Instruction ID: b70c63177d80a37181a7cb572e53c18d780e117d8f094ef2c9434a671bff1d1f
Opcode Fuzzy Hash: a68d775e8e7140f91cf57c31c7c3c746e7de63a9f94bb00a346928322bea8773
Instruction Fuzzy Hash: 42412A71500A29ABCB20DFB9EC48DEF777AEB84364F10466DF905C7280E6319E418F54

Function 0064D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0064D28C

Strings

X64, xrefs: 0064D2A8

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: dca31d32c42593b5fac5603aaf9b094bb1160352432ac277b0e0245b36afcbfc
Instruction ID: aa37c5cdfe7b2c9d7f915fddc4b99e5e736b3d7b7a3d6a3a88941baedbce089a
Opcode Fuzzy Hash: dca31d32c42593b5fac5603aaf9b094bb1160352432ac277b0e0245b36afcbfc
Instruction Fuzzy Hash: 6FD0CAB480112DFBCB94CBA0EC88DDAB3BDBB04345F100292F20AA2140DB71964A9F20

Function 0061CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 0a7bf937c64fb738ef19fbf1fe555e515343d66cc1672db21b5cc1e4b4405412
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: A302FB71E402199FDF14CFA9D8806EDBBF2EF48324F298169D919EB384D731AD418B94

Function 005FCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#l, xrefs: 005FCF7F
Variable is not of type 'Object'., xrefs: 00640C40

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#l
API String ID: 0-366451294
Opcode ID: b4a2d7fd17f8cc6e9a19700da259fb3f7cca9ebe1a105464d36af650b349080b
Instruction ID: b4da89ad46904718ca649eac2634f7fec215d0f6a5aa1b94c56b549854966520
Opcode Fuzzy Hash: b4a2d7fd17f8cc6e9a19700da259fb3f7cca9ebe1a105464d36af650b349080b
Instruction Fuzzy Hash: 16329B7090021DDBDF14DF90CA85AFDBFB6BF45304F104469EA06AB292D779AE46CB60

Function 006668EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00666918
FindClose.KERNEL32(00000000), ref: 00666961

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 7f4eb1d8e0f3093fee4d0ac087d63d68f17ef5b45093f559025acc385ddf225d
Instruction ID: 57e039d555d4484e0f47aaf13d9a26c5ba7443ae513894a7f519bce791edff2f
Opcode Fuzzy Hash: 7f4eb1d8e0f3093fee4d0ac087d63d68f17ef5b45093f559025acc385ddf225d
Instruction Fuzzy Hash: 7B1193316042069FD710DF29D488A26BBE5FF85328F14C6A9F9698F7A2C734EC05CB91

Function 006637B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00674891,?,?,00000035,?), ref: 006637E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00674891,?,?,00000035,?), ref: 006637F4

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e414652b13aae318ac9cacac7341e4928f7a99a317e6378aa2876c102e4b6f02
Instruction ID: 896e6324aabf95385b79a22cc78fe1b159fe0d695cc5312b7d0e19173f233a0f
Opcode Fuzzy Hash: e414652b13aae318ac9cacac7341e4928f7a99a317e6378aa2876c102e4b6f02
Instruction Fuzzy Hash: 31F0A0B06043292AE72017669C4DFEB3AAFEFC5761F000265F509D2281D960990487B4

Function 0065B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0065B25D
keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 0065B270

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 12456a0699b49d2a4022688d09524ed3cee1ad334bb61fbc335409390de2e689
Instruction ID: cbefd334b6a9c73e5abd4a914b51900f1726e6a9c9f4c92f7165e2384f89d12c
Opcode Fuzzy Hash: 12456a0699b49d2a4022688d09524ed3cee1ad334bb61fbc335409390de2e689
Instruction Fuzzy Hash: 12F01D7180424DABDF059FA0C805BFE7BB5FF04315F009009F955A5191C77986159FA4

Function 006510BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006511FC), ref: 006510D4
CloseHandle.KERNEL32(?,?,006511FC), ref: 006510E9

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: f7b4fa4b6db916e6f6802f654219b30c63d1b49e07854ea5c00cc8cede1317b1
Instruction ID: a682bb2d06ede22a50d066a1081c29ce341d5f05b398d1d11dfefa62205e4396
Opcode Fuzzy Hash: f7b4fa4b6db916e6f6802f654219b30c63d1b49e07854ea5c00cc8cede1317b1
Instruction Fuzzy Hash: 0CE04F32004601BFE7252B61FC05E7377AAEF04320F20892DF5A5804F1DB72AC90DB64

Function 0062676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00626766,?,?,00000008,?,?,0062FEFE,00000000), ref: 00626998

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 4b369ce5982286722b3ac31e85069a523e7e11a3e0bb1576a1c26e343062a2a9
Instruction ID: bd51ce3507c576791aaf6f91390838c2d4bf35cbc02eed28a9ff4470f8400223
Opcode Fuzzy Hash: 4b369ce5982286722b3ac31e85069a523e7e11a3e0bb1576a1c26e343062a2a9
Instruction Fuzzy Hash: 5DB15B31610A199FD719CF28D486BA57BE1FF05364F258658F89ACF2A2C735E982CF40

Function 0060B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0064851F

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0fbaa150acffc6d641ea5f0111421b3195e4356dd1f031a34cf8f0218802dc4b
Instruction ID: c14f2173ccda49f6f8fc3ddb62e4a382ea75c6e44700487a9f7f6420d65711bf
Opcode Fuzzy Hash: 0fbaa150acffc6d641ea5f0111421b3195e4356dd1f031a34cf8f0218802dc4b
Instruction Fuzzy Hash: 7C1261719002299FDB58CF58C8806EEB7F6FF48710F14819AE849EB295DB349E81CF90

Function 0066EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0066EABD

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: afbef4faf036801bfa97ad985ad67d62927ae3851472c9ead562430c5e2045d3
Instruction ID: ee4a135b83808ef5469fd0bfcb65604db4dcb47cc391f29a1741ffaeb83e60d0
Opcode Fuzzy Hash: afbef4faf036801bfa97ad985ad67d62927ae3851472c9ead562430c5e2045d3
Instruction Fuzzy Hash: 4FE04F35200209AFD710EF99D848E9AFBEABF98770F008426FD49C7351DB75E8418BA0

Function 006109D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,006103EE), ref: 006109DA

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f7463f2e414268628500d1acaa64381d43e0ea8909c9dd101ff095dd371b7888
Instruction ID: c1de2aac84ac1a9e3a1fbcf7de00c4dded3d6e53dd48cb87cd76e675bc7549aa
Opcode Fuzzy Hash: f7463f2e414268628500d1acaa64381d43e0ea8909c9dd101ff095dd371b7888
Instruction Fuzzy Hash:

Function 0061781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0061798B

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: c8b70a1584e6af5f9d70a2376f4e45bc122c61a84b8e8ce84bd25705a89c586b
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 22517B7161C7455BDBB84568885D7FE23BB9B12300F1C092EE882C7382CA15DECAD35A

Function 00662046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&l, xrefs: 00662053

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID: 0&l
API String ID: 0-1559270101
Opcode ID: de620fc38209527d6fbcc01e6f6586b75d2244a64a03f34d081c09cfe444e3b2
Instruction ID: 0e62463eb472cedb263dec7201152f786a3869e8bda5858d2125fdbb69848db9
Opcode Fuzzy Hash: de620fc38209527d6fbcc01e6f6586b75d2244a64a03f34d081c09cfe444e3b2
Instruction Fuzzy Hash: D621BB326605168BD728CF79C8236BE73E6A754310F15862EE4A7C37D0DE35A944C794

Function 00626DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b164f22d1d28d828325b5b22e90e13f8265069049ad7781994f85a993836732e
Instruction ID: eb850145fe1343978edc2913ef827c8ab56cdc85fbdadb3a07cfcdb000196816
Opcode Fuzzy Hash: b164f22d1d28d828325b5b22e90e13f8265069049ad7781994f85a993836732e
Instruction Fuzzy Hash: 2C321321D29F124DD7239A34E872335A28EAFB73C5F15D737E81AB5EA5EB29C4834500

Function 0060CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c64f292e85a8b9069bf9c6c40702357f6747ce2f5c0fe60135ff49c1b88a2c9
Instruction ID: d3e9d7abc9414359da8b03e74bae88cdc923a81a0ecd49626acadbb2296df11c
Opcode Fuzzy Hash: 4c64f292e85a8b9069bf9c6c40702357f6747ce2f5c0fe60135ff49c1b88a2c9
Instruction Fuzzy Hash: 91320531A411158BDF68CF29C4D06FE7BA3EF45334F29866AD85A9B792D230DD82DB40

Function 005F7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b9c5f23081448ae82d4949fb9c8a51f5acd15c21e65221b97c073add2992a67
Instruction ID: 09801a07a69d0ac08b2db49b40015c8cae8af9b87489bb5c0c5d5bb3dcc3d260
Opcode Fuzzy Hash: 5b9c5f23081448ae82d4949fb9c8a51f5acd15c21e65221b97c073add2992a67
Instruction Fuzzy Hash: CB2290B0A0460A9FDF14CF64C941AFEB7F6FF48300F144529E816A7291EB39AD55CB90

Function 005F91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f1597f5ed40f66c8ffe434d2ab05663ec856be8de03fbbb54c03b6aedc6967
Instruction ID: e3853406aba39a8e72b5d03b2d82641d4ebb3f273a3b0fcc4d210f4c47779475
Opcode Fuzzy Hash: d5f1597f5ed40f66c8ffe434d2ab05663ec856be8de03fbbb54c03b6aedc6967
Instruction Fuzzy Hash: 0102C7B0A0010AEBDF04DF54D881AAEBBB2FF44300F108569E9169B3D1EB35AE51CBD5

Function 00611C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: fdb7a7f670aa62e901cc11f1f6de8b93f6664657ee0430bff0f597e6f06709d1
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: E89186726080A34ADB29467A95340FEFFE25E933A131E079DD5F2CE2D1FE248995D620

Function 006119B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: c4d88e62df8ea8064b2c03534774c4487e6a8d6421da2b49caf9f206a008dfad
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 1E91527260D0A34ADB29427A85740FDFFE25A933A131E079DD5F2CE2C1FD2496A5D620

Function 00617A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1375894a92b73200d103717df4c9715d947ef065916540871068d88e8eb25192
Instruction ID: 125ab39a609f1b45ec09c186d0f9cb26c2bd31a0c56f8b2fea823c0f549dba88
Opcode Fuzzy Hash: 1375894a92b73200d103717df4c9715d947ef065916540871068d88e8eb25192
Instruction Fuzzy Hash: CD61667120C709AADA749E288D95BFE23B7DF51704F2C091EF842DB391DB11AEC28359

Function 00611706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: d22536304924df2464a2c3740bb7ba53ef40dbb75ddc7e74b44cc79abaf9e047
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 238165326090A30ADB6D423A85344FEFFE35A933A131E479DD5F2CE2C1EE249594E620

Function 00672ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00672B30
DeleteObject.GDI32(00000000), ref: 00672B43
DestroyWindow.USER32 ref: 00672B52
GetDesktopWindow.USER32 ref: 00672B6D
GetWindowRect.USER32(00000000), ref: 00672B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00672CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00672CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00672CF8
GetClientRect.USER32(00000000,?), ref: 00672D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00672D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00672D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00672D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00672D80
GlobalLock.KERNEL32(00000000), ref: 00672D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00672D98
GlobalUnlock.KERNEL32(00000000), ref: 00672DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00672DA8
GlobalFree.KERNEL32(00000000), ref: 00672DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00672DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0068FC38,00000000), ref: 00672DDB
GlobalFree.KERNEL32(00000000), ref: 00672DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00672E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00672E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00672E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0067303F

Strings

AutoIt v3, xrefs: 00672CF2
static, xrefs: 00672D3A, 00672E91
, xrefs: 00672FC5
DISPLAY, xrefs: 00672EA2

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 0f2bdcc72e94cbd563b92fa77f2acf9aa48a0c1643b8e365918c1cce3bb3a556
Instruction ID: 5b5c773283820c1421a62e1d3062f45746613e899b8658ef8cf1b02e08535c1a
Opcode Fuzzy Hash: 0f2bdcc72e94cbd563b92fa77f2acf9aa48a0c1643b8e365918c1cce3bb3a556
Instruction Fuzzy Hash: DA027C71500209EFDB14DF64CC99EAE7BBAFB49724F008259F919AB2A1D774ED01CB60

Function 006870D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0068712F
GetSysColorBrush.USER32(0000000F), ref: 00687160
GetSysColor.USER32(0000000F), ref: 0068716C
SetBkColor.GDI32(?,000000FF), ref: 00687186
SelectObject.GDI32(?,?), ref: 00687195
InflateRect.USER32(?,000000FF,000000FF), ref: 006871C0
GetSysColor.USER32(00000010), ref: 006871C8
CreateSolidBrush.GDI32(00000000), ref: 006871CF
FrameRect.USER32(?,?,00000000), ref: 006871DE
DeleteObject.GDI32(00000000), ref: 006871E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00687230
FillRect.USER32(?,?,?), ref: 00687262
GetWindowLongW.USER32(?,000000F0), ref: 00687284

Part of subcall function 006873E8: GetSysColor.USER32(00000012), ref: 00687421
Part of subcall function 006873E8: SetTextColor.GDI32(?,?), ref: 00687425
Part of subcall function 006873E8: GetSysColorBrush.USER32(0000000F), ref: 0068743B
Part of subcall function 006873E8: GetSysColor.USER32(0000000F), ref: 00687446
Part of subcall function 006873E8: GetSysColor.USER32(00000011), ref: 00687463
Part of subcall function 006873E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00687471
Part of subcall function 006873E8: SelectObject.GDI32(?,00000000), ref: 00687482
Part of subcall function 006873E8: SetBkColor.GDI32(?,00000000), ref: 0068748B
Part of subcall function 006873E8: SelectObject.GDI32(?,?), ref: 00687498
Part of subcall function 006873E8: InflateRect.USER32(?,000000FF,000000FF), ref: 006874B7
Part of subcall function 006873E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006874CE
Part of subcall function 006873E8: GetWindowLongW.USER32(00000000,000000F0), ref: 006874DB

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 145f406deeadff42ab87f2362566113c3f25d96a19883af2e17d49ebdeea27a4
Instruction ID: c4db005e7f44e28ff24a74f4f24c97ac60d3da6771946ea05048c8d43669c5ca
Opcode Fuzzy Hash: 145f406deeadff42ab87f2362566113c3f25d96a19883af2e17d49ebdeea27a4
Instruction Fuzzy Hash: 23A1A172008301BFDB10AF64DC58E5B7BAAFB49330F201B19F9A2961E1D771E944DB62

Function 00608D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00608E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00646AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00646AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00646F43

Part of subcall function 00608F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00608BE8,?,00000000,?,?,?,?,00608BBA,00000000,?), ref: 00608FC5

SendMessageW.USER32(?,00001053), ref: 00646F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00646F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00646FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00646FB7

Strings

0, xrefs: 00646DCF

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 6a7f254a015894472a9b7bdeb0ebf87ca111f173416965e912a59d5e47b26585
Instruction ID: a3524b0cfcf364817b6dffe89ab20c3a486615c3ef52a09db4bfffd54cf51ff8
Opcode Fuzzy Hash: 6a7f254a015894472a9b7bdeb0ebf87ca111f173416965e912a59d5e47b26585
Instruction Fuzzy Hash: 24129B30605211EFDB25CF24C898BA6BBE7FF46310F544569F5898B6A2CB31EC52CB52

Function 00672711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0067273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0067286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 006728A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 006728B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00672900
GetClientRect.USER32(00000000,?), ref: 0067290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00672955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00672964
GetStockObject.GDI32(00000011), ref: 00672974
SelectObject.GDI32(00000000,00000000), ref: 00672978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00672988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00672991
DeleteDC.GDI32(00000000), ref: 0067299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006729C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 006729DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00672A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00672A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00672A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00672A77
GetStockObject.GDI32(00000011), ref: 00672A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00672A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00672A97

Strings

AutoIt v3, xrefs: 006728F8
msctls_progress32, xrefs: 00672A13
static, xrefs: 0067294F, 00672A71
DISPLAY, xrefs: 0067295A

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: fa1c2ff398bd79b9d91809c702fc67fbd0af6da6d1a662d12f63876e798376f9
Instruction ID: 4911cdf2fc21956e9e92f9df64296b6cc94823de8cb55c522b7e13aff843c6d9
Opcode Fuzzy Hash: fa1c2ff398bd79b9d91809c702fc67fbd0af6da6d1a662d12f63876e798376f9
Instruction Fuzzy Hash: 66B15F71A00209BFEB14DF68CD89EAE7BAAFB49714F008115F915EB291D774ED40CBA0

Function 00664ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00664AED
GetDriveTypeW.KERNEL32(?,0068CB68,?,\\.\,0068CC08), ref: 00664BCA
SetErrorMode.KERNEL32(00000000,0068CB68,?,\\.\,0068CC08), ref: 00664D36

Strings

Fixed, xrefs: 00664C09
iSCSI, xrefs: 00664CC2
CDROM, xrefs: 00664BFB
\\.\, xrefs: 00664B3F
SSD, xrefs: 00664C4A
Removable, xrefs: 00664C10, 00664C15
PhysicalDrive, xrefs: 00664B76
SAS, xrefs: 00664CC9
SSA, xrefs: 00664CA6
SATA, xrefs: 00664CD0
USB, xrefs: 00664CB4
SCSI, xrefs: 00664C8A
FileBackedVirtual, xrefs: 00664CEC
ATA, xrefs: 00664C98
Virtual, xrefs: 00664CE5
RAMDisk, xrefs: 00664BF4
Unknown, xrefs: 00664BED, 00664C83
RAID, xrefs: 00664CBB
Network, xrefs: 00664C02
1394, xrefs: 00664C9F
MMC, xrefs: 00664CDE
Fibre, xrefs: 00664CAD
ATAPI, xrefs: 00664C91

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 63fffaf9898529cb78011869eea019bf95cb7cb42149215a924d46c4268e486f
Instruction ID: 1c82d33e3c4c781bf4b08dcf68910977c06d70018b71e1406cd31a02f80efdba
Opcode Fuzzy Hash: 63fffaf9898529cb78011869eea019bf95cb7cb42149215a924d46c4268e486f
Instruction Fuzzy Hash: 5C61B2B070610A9BCB54DF28CA869FD7BA3EF84344B244415F806AB791DF39ED82DB51

Function 006873E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00687421
SetTextColor.GDI32(?,?), ref: 00687425
GetSysColorBrush.USER32(0000000F), ref: 0068743B
GetSysColor.USER32(0000000F), ref: 00687446
CreateSolidBrush.GDI32(?), ref: 0068744B
GetSysColor.USER32(00000011), ref: 00687463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00687471
SelectObject.GDI32(?,00000000), ref: 00687482
SetBkColor.GDI32(?,00000000), ref: 0068748B
SelectObject.GDI32(?,?), ref: 00687498
InflateRect.USER32(?,000000FF,000000FF), ref: 006874B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006874CE
GetWindowLongW.USER32(00000000,000000F0), ref: 006874DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0068752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00687554
InflateRect.USER32(?,000000FD,000000FD), ref: 00687572
DrawFocusRect.USER32(?,?), ref: 0068757D
GetSysColor.USER32(00000011), ref: 0068758E
SetTextColor.GDI32(?,00000000), ref: 00687596
DrawTextW.USER32(?,006870F5,000000FF,?,00000000), ref: 006875A8
SelectObject.GDI32(?,?), ref: 006875BF
DeleteObject.GDI32(?), ref: 006875CA
SelectObject.GDI32(?,?), ref: 006875D0
DeleteObject.GDI32(?), ref: 006875D5
SetTextColor.GDI32(?,?), ref: 006875DB
SetBkColor.GDI32(?,?), ref: 006875E5

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: d8ab17cc389a2ebecc5b62d6b64bbee76046f8494675054b87ff0e6f73145740
Instruction ID: 372522994f2b4608721718c08886c470ae3e32cffa82015f3ac3631edd8d225d
Opcode Fuzzy Hash: d8ab17cc389a2ebecc5b62d6b64bbee76046f8494675054b87ff0e6f73145740
Instruction Fuzzy Hash: D8616D72900218BFDF119FA4DC49EEE7FBAEB09330F215215F915AB2A1D7749940DBA0

Function 00680FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00681128
GetDesktopWindow.USER32 ref: 0068113D
GetWindowRect.USER32(00000000), ref: 00681144
GetWindowLongW.USER32(?,000000F0), ref: 00681199
DestroyWindow.USER32(?), ref: 006811B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006811ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0068120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0068121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00681232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00681245
IsWindowVisible.USER32(00000000), ref: 006812A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 006812BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 006812D0
GetWindowRect.USER32(00000000,?), ref: 006812E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0068130E
GetMonitorInfoW.USER32(00000000,?), ref: 00681328
CopyRect.USER32(?,?), ref: 0068133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 006813AA

Strings

0, xrefs: 006810D3
tooltips_class32, xrefs: 006811E6
(, xrefs: 0068131B

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6e387e3b454f65ce71465a572b7691eb2e85a5bfce97f22632d8c371c34b9a1e
Instruction ID: 87a9e5ad1ad30f1b7512b34c93b72cd8fe6a79c371389fa4b1e129b2541c1d0b
Opcode Fuzzy Hash: 6e387e3b454f65ce71465a572b7691eb2e85a5bfce97f22632d8c371c34b9a1e
Instruction Fuzzy Hash: 65B18171604341EFD714DF64C888BAABBEAFF85350F008A1CF9999B261D771D845CB61

Function 00680241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006802E5
_wcslen.LIBCMT ref: 0068031F
_wcslen.LIBCMT ref: 00680389
_wcslen.LIBCMT ref: 006803F1
_wcslen.LIBCMT ref: 00680475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 006804C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00680504

Part of subcall function 0060F9F2: _wcslen.LIBCMT ref: 0060F9FD

Part of subcall function 0065223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00652258
Part of subcall function 0065223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0065228A

Strings

GETSELECTEDCOUNT, xrefs: 00680470, 0068048B
GETTEXT, xrefs: 006803EC, 00680407
SELECTCLEAR, xrefs: 0068052D
VIEWCHANGE, xrefs: 00680675
DESELECT, xrefs: 0068059C
FINDITEM, xrefs: 00680627
ISSELECTED, xrefs: 006804DD
SELECTALL, xrefs: 00680515
GETSELECTED, xrefs: 006805E1
GETITEMCOUNT, xrefs: 00680316, 00680337
SELECTINVERT, xrefs: 0068057E
SELECT, xrefs: 00680548
GETSUBITEMCOUNT, xrefs: 00680384, 0068039F

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: c3c2ce8f8d3a2da39fc87092fe7b23f3949e1aa4a9ab93f3746b0dcdd424fc44
Instruction ID: c0b799573f5ef12a28f414bb4c9aa69e48f912903608296b4d31c966e041f467
Opcode Fuzzy Hash: c3c2ce8f8d3a2da39fc87092fe7b23f3949e1aa4a9ab93f3746b0dcdd424fc44
Instruction Fuzzy Hash: 69E18C712082028FD794EF24C55186AB7E7BFC8314F144A6CF8969B3A1DB34ED8ACB51

Function 00608891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00608968
GetSystemMetrics.USER32(00000007), ref: 00608970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0060899B
GetSystemMetrics.USER32(00000008), ref: 006089A3
GetSystemMetrics.USER32(00000004), ref: 006089C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006089E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006089F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00608A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00608A3C
GetClientRect.USER32(00000000,000000FF), ref: 00608A5A
GetStockObject.GDI32(00000011), ref: 00608A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00608A81

Part of subcall function 0060912D: GetCursorPos.USER32(?), ref: 00609141
Part of subcall function 0060912D: ScreenToClient.USER32(00000000,?), ref: 0060915E
Part of subcall function 0060912D: GetAsyncKeyState.USER32(00000001), ref: 00609183
Part of subcall function 0060912D: GetAsyncKeyState.USER32(00000002), ref: 0060919D

SetTimer.USER32(00000000,00000000,00000028,006090FC), ref: 00608AA8

Strings

AutoIt v3 GUI, xrefs: 00608A20

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: f3bf7078de02b6285a3f936f2c3c5771ff9981e54bf9e4535f479ac8e94c23a3
Instruction ID: 782990834b69bb2d15599fa204d5a2264deebce5cb201746f9772e8ff191b09f
Opcode Fuzzy Hash: f3bf7078de02b6285a3f936f2c3c5771ff9981e54bf9e4535f479ac8e94c23a3
Instruction Fuzzy Hash: 9AB16D71A40209AFDF14DF68CC55BEA3BB6FB49314F104229FA15AB2D0DB74E841CB65

Function 00650D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00651114
Part of subcall function 006510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00650B9B,?,?,?), ref: 00651120
Part of subcall function 006510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00650B9B,?,?,?), ref: 0065112F
Part of subcall function 006510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00650B9B,?,?,?), ref: 00651136
Part of subcall function 006510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0065114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00650DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00650E29
GetLengthSid.ADVAPI32(?), ref: 00650E40
GetAce.ADVAPI32(?,00000000,?), ref: 00650E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00650E96
GetLengthSid.ADVAPI32(?), ref: 00650EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00650EB5
HeapAlloc.KERNEL32(00000000), ref: 00650EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00650EDD
CopySid.ADVAPI32(00000000), ref: 00650EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00650F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00650F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00650F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00650F6E
HeapFree.KERNEL32(00000000), ref: 00650F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00650F7E
HeapFree.KERNEL32(00000000), ref: 00650F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00650F8E
HeapFree.KERNEL32(00000000), ref: 00650F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00650FA1
HeapFree.KERNEL32(00000000), ref: 00650FA8

Part of subcall function 00651193: GetProcessHeap.KERNEL32(00000008,00650BB1,?,00000000,?,00650BB1,?), ref: 006511A1
Part of subcall function 00651193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00650BB1,?), ref: 006511A8
Part of subcall function 00651193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00650BB1,?), ref: 006511B7

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 29fa3293441d2a7d3276c327ee3068b671bc1c13fc8816e1e1ef73e80f5a8c74
Instruction ID: 6ffffc10df5e89c321febcb849195f2ea05aa693840e694540eb62ae292d062c
Opcode Fuzzy Hash: 29fa3293441d2a7d3276c327ee3068b671bc1c13fc8816e1e1ef73e80f5a8c74
Instruction Fuzzy Hash: 6B714D7190020ABBEB209FA4DC49FEEBBBABF05351F148215FD59A6291D731D909CB70

Function 0067C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0067C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0068CC08,00000000,?,00000000,?,?), ref: 0067C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0067C5A4
_wcslen.LIBCMT ref: 0067C5F4
_wcslen.LIBCMT ref: 0067C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0067C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0067C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0067C84D
RegCloseKey.ADVAPI32(?), ref: 0067C881
RegCloseKey.ADVAPI32(00000000), ref: 0067C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0067C960

Strings

REG_BINARY, xrefs: 0067C913
REG_SZ, xrefs: 0067C644
REG_DWORD, xrefs: 0067C804
REG_MULTI_SZ, xrefs: 0067C6F5
REG_QWORD, xrefs: 0067C8C3
REG_EXPAND_SZ, xrefs: 0067C5CD

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 569ad78deb465bf9f4eb7ff11cb993301dfa8c57ed662f8658554539dace9da3
Instruction ID: 026234f435220ee2af883bd9d737ca1b229c50ac1caaf2b4d106355ef7776be0
Opcode Fuzzy Hash: 569ad78deb465bf9f4eb7ff11cb993301dfa8c57ed662f8658554539dace9da3
Instruction Fuzzy Hash: D9128A352042059FD714DF24C885E6ABBE6FF88724F04885CF98A9B3A2DB35EC45CB85

Function 0068091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006809C6
_wcslen.LIBCMT ref: 00680A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00680A54
_wcslen.LIBCMT ref: 00680A8A
_wcslen.LIBCMT ref: 00680B06
_wcslen.LIBCMT ref: 00680B81

Part of subcall function 0060F9F2: _wcslen.LIBCMT ref: 0060F9FD

Part of subcall function 00652BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00652BFA

Strings

UNCHECK, xrefs: 00680D3E
COLLAPSE, xrefs: 00680B01, 00680B1C
CHECK, xrefs: 00680A85, 00680AA0
GETTEXT, xrefs: 00680C97
GETSELECTED, xrefs: 00680C4E
GETITEMCOUNT, xrefs: 00680C1E
SELECT, xrefs: 00680D11
ISCHECKED, xrefs: 00680CE1
EXPAND, xrefs: 00680BF8
GETTOTALCOUNT, xrefs: 006809F2, 00680A17
EXISTS, xrefs: 00680B7C, 00680B97

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 88e59d4c55988f336f31bbf5a7887b54d0d4b6770bf5dd371c1df06648a24eaa
Instruction ID: 1eb20e97a584700d583c5cde8b05a7a26d127d04a4075718bdcda92b01db556d
Opcode Fuzzy Hash: 88e59d4c55988f336f31bbf5a7887b54d0d4b6770bf5dd371c1df06648a24eaa
Instruction Fuzzy Hash: 5AE18D752083029FD754EF24C45096ABBE2BF98314F148E5CF8969B3A2D731ED49CB81

Function 0067C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0067B6AE,?,?), ref: 0067C9B5
_wcslen.LIBCMT ref: 0067C9F1
_wcslen.LIBCMT ref: 0067CA68
_wcslen.LIBCMT ref: 0067CA9E
_wcslen.LIBCMT ref: 0067CAF9
_wcslen.LIBCMT ref: 0067CB2F
_wcslen.LIBCMT ref: 0067CB7F

Strings

HKCR, xrefs: 0067CB29, 0067CB2E
HKEY_LOCAL_MACHINE, xrefs: 0067CA62, 0067CA67
HKEY_CURRENT_USER, xrefs: 0067CBBD
HKEY_CURRENT_CONFIG, xrefs: 0067CB79, 0067CB7E
HKCC, xrefs: 0067CBAC
HKEY_USERS, xrefs: 0067CBDF
HKCU, xrefs: 0067CBCE
HKLM, xrefs: 0067CA98, 0067CA9D
HKEY_CLASSES_ROOT, xrefs: 0067CAF3, 0067CAF8
HKU, xrefs: 0067CBF0

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 29e4174692a33f84b974a63dbe81f450978cfeb9b4cbd110c0d4317fa6ebb669
Instruction ID: 3c95d43ba0dd928d64afb639fc5b854476c2dff81a099c9d10aa4325cf9cc4fb
Opcode Fuzzy Hash: 29e4174692a33f84b974a63dbe81f450978cfeb9b4cbd110c0d4317fa6ebb669
Instruction Fuzzy Hash: 2171F57260016A8BCB20DF7CC9515FF3793ABA1774B25852CF85EA7384EA31CD8583A0

Function 0068833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0068835A
_wcslen.LIBCMT ref: 0068836E
_wcslen.LIBCMT ref: 00688391
_wcslen.LIBCMT ref: 006883B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006883F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00685BF2), ref: 0068844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00688487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 006884CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00688501
FreeLibrary.KERNEL32(?), ref: 0068850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0068851D
DestroyIcon.USER32(?,?,?,?,?,00685BF2), ref: 0068852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00688549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00688555

Strings

.dll, xrefs: 006883AB
.exe, xrefs: 00688388
.icl, xrefs: 00688368

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: c3eda0e300f2cbe0846464a59bff6d8a403b560baf577829d720de84dbfad597
Instruction ID: 85ac5263f51233390f0eed88ec7ef179697fac8b03c0615c2628e6e68285d978
Opcode Fuzzy Hash: c3eda0e300f2cbe0846464a59bff6d8a403b560baf577829d720de84dbfad597
Instruction Fuzzy Hash: D161BE72500209BEEB14AF64CC45BFE77AABF48721F504609F915E71D1DFB4A990C7A0

Function 005F7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#ce, xrefs: 005F78ED
#include, xrefs: 005F7847
", xrefs: 00635153
#comments-end, xrefs: 005F78D9
#notrayicon, xrefs: 005F77E7
#comments-start, xrefs: 005F785F, 005F78B1
Cannot parse #include, xrefs: 00635279
#OnAutoItStartRegister, xrefs: 005F7817
Bad directive syntax error, xrefs: 0063519A
', xrefs: 00635169
Unterminated group of comments, xrefs: 0063528C
#cs, xrefs: 005F7873, 005F78C5
#include-once, xrefs: 005F782F
#pragma compile, xrefs: 005F77D3
#requireadmin, xrefs: 005F77FF

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 1485f8b7b88fe72d0c41aaddc4429022ea86c81507d4b172d5e2946d8f6b70f9
Instruction ID: a19de80a1ac112cc39040c0fcb4c935b7958ade891c01328639fab9cf9432f5c
Opcode Fuzzy Hash: 1485f8b7b88fe72d0c41aaddc4429022ea86c81507d4b172d5e2946d8f6b70f9
Instruction Fuzzy Hash: 8681B371644609AADB20BF60CC46FFB3BA6FF59300F044428FA05AB196EB749A51C7A5

Function 00655A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00655A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00655A40
SetWindowTextW.USER32(?,?), ref: 00655A57
GetDlgItem.USER32(?,000003EA), ref: 00655A6C
SetWindowTextW.USER32(00000000,?), ref: 00655A72
GetDlgItem.USER32(?,000003E9), ref: 00655A82
SetWindowTextW.USER32(00000000,?), ref: 00655A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00655AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00655AC3
GetWindowRect.USER32(?,?), ref: 00655ACC
_wcslen.LIBCMT ref: 00655B33
SetWindowTextW.USER32(?,?), ref: 00655B6F
GetDesktopWindow.USER32 ref: 00655B75
GetWindowRect.USER32(00000000), ref: 00655B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00655BD3
GetClientRect.USER32(?,?), ref: 00655BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00655C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00655C2F

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 7fda0316c5b8f51655c7be3287c445e454e1a38c48e3b53e8e705c479bb0a1f6
Instruction ID: 327d286f14b43ed60d0d00f72c045e8da0f0a2369c7d5e2c0c2f3acbf6464867
Opcode Fuzzy Hash: 7fda0316c5b8f51655c7be3287c445e454e1a38c48e3b53e8e705c479bb0a1f6
Instruction Fuzzy Hash: 3C716031900B05EFDB20DFA8CE59AAEBBF6FF48715F104618E543A26A0D775E944CB60

Function 006530F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0065318D
_wcslen.LIBCMT ref: 006531F8

Strings

CLASSNN, xrefs: 006531F3, 00653204
CLASS, xrefs: 00653188, 006531A5
INSTANCE, xrefs: 00653453
NAME, xrefs: 00653335, 00653346
TEXT, xrefs: 0065347C
REGEXPCLASS, xrefs: 00653255, 00653266
[k, xrefs: 0065339A

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[k
API String ID: 176396367-979300270
Opcode ID: d2348a9694dc4143e8081762f35689455b3d34c9575c719eeef35accbddad4c3
Instruction ID: 18ab90db6e2bdc4067be9e3aae1a72e8fa17aa0e145061f736ea233519b50e6c
Opcode Fuzzy Hash: d2348a9694dc4143e8081762f35689455b3d34c9575c719eeef35accbddad4c3
Instruction Fuzzy Hash: C5E1B732A005269BCB149F74C4517EEFBB6BF54B91F548129E856E7340DB30AF8D8790

Function 006100C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 006100C6

Part of subcall function 006100ED: InitializeCriticalSectionAndSpinCount.KERNEL32(006C070C,00000FA0,EB20A118,?,?,?,?,006323B3,000000FF), ref: 0061011C
Part of subcall function 006100ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,006323B3,000000FF), ref: 00610127
Part of subcall function 006100ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,006323B3,000000FF), ref: 00610138
Part of subcall function 006100ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0061014E
Part of subcall function 006100ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0061015C
Part of subcall function 006100ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0061016A
Part of subcall function 006100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00610195
Part of subcall function 006100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006101A0

___scrt_fastfail.LIBCMT ref: 006100E7

Part of subcall function 006100A3: __onexit.LIBCMT ref: 006100A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00610122
kernel32.dll, xrefs: 00610133
InitializeConditionVariable, xrefs: 00610148
SleepConditionVariableCS, xrefs: 00610154
WakeAllConditionVariable, xrefs: 00610162

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: e9378796526e63a757079b5bdd6a506711c8d311cd27f47bc3df99c029d44bf7
Instruction ID: 0f56fd771d4d0bfea842a1d3ece2dd7277e8a63b9c88996d924907c352dd7b8f
Opcode Fuzzy Hash: e9378796526e63a757079b5bdd6a506711c8d311cd27f47bc3df99c029d44bf7
Instruction Fuzzy Hash: 4E21DA32644710BBFB146BA4AC4ABAA3397DF44B61F150239F901E2791DBB498808BA4

Function 006644C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0068CC08), ref: 00664527
_wcslen.LIBCMT ref: 0066453B
_wcslen.LIBCMT ref: 00664599
_wcslen.LIBCMT ref: 006645F4
_wcslen.LIBCMT ref: 0066463F
_wcslen.LIBCMT ref: 006646A7

Part of subcall function 0060F9F2: _wcslen.LIBCMT ref: 0060F9FD

GetDriveTypeW.KERNEL32(?,006B6BF0,00000061), ref: 00664743

Strings

all, xrefs: 00664531, 00664536
unknown, xrefs: 00664708
cdrom, xrefs: 0066458F, 00664594
ramdisk, xrefs: 006646F1
network, xrefs: 0066469D, 006646A2
removable, xrefs: 006645EA, 006645EF
fixed, xrefs: 00664635, 0066463A

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 6910749306c13a30383b22f1fdb66f4b02e284e8cae0ad58834c2bb0bc6e54eb
Instruction ID: c71d6ccac1d5a441a27601f631d4f39f9f10d30d162a7f88e35b2c489f2c66fd
Opcode Fuzzy Hash: 6910749306c13a30383b22f1fdb66f4b02e284e8cae0ad58834c2bb0bc6e54eb
Instruction Fuzzy Hash: 82B1DF716083029FC710DF28C890ABABBE6BFA5760F50491DF596C7391DB34D985CBA2

Function 0068911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00609BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00609BB2

DragQueryPoint.SHELL32(?,?), ref: 00689147

Part of subcall function 00687674: ClientToScreen.USER32(?,?), ref: 0068769A
Part of subcall function 00687674: GetWindowRect.USER32(?,?), ref: 00687710
Part of subcall function 00687674: PtInRect.USER32(?,?,00688B89), ref: 00687720

SendMessageW.USER32(?,000000B0,?,?), ref: 006891B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006891BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006891DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00689225
SendMessageW.USER32(?,000000B0,?,?), ref: 0068923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00689255
SendMessageW.USER32(?,000000B1,?,?), ref: 00689277
DragFinish.SHELL32(?), ref: 0068927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00689371

Strings

@GUI_DRAGFILE, xrefs: 00689320
@GUI_DRAGID, xrefs: 006892E9
@GUI_DROPID, xrefs: 0068929E
p#l, xrefs: 006892BB

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#l
API String ID: 221274066-877461806
Opcode ID: 9810fcfa572d6b9857ac6432a625338a71f4338f26902bf14d1619aa920d63eb
Instruction ID: d7efc2bb4a7312de4c7fd0b7f533c39726153efb240f7522831af2ac9b5206dc
Opcode Fuzzy Hash: 9810fcfa572d6b9857ac6432a625338a71f4338f26902bf14d1619aa920d63eb
Instruction Fuzzy Hash: EB614C71108305AFC701EF54DC89DABBBEAFFC9750F000A2DF695921A1DB709A49CB62

Function 0067AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0067B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0067B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0067B1D4
_wcslen.LIBCMT ref: 0067B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0067B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0067B236
_wcslen.LIBCMT ref: 0067B332

Part of subcall function 006605A7: GetStdHandle.KERNEL32(000000F6), ref: 006605C6

_wcslen.LIBCMT ref: 0067B34B
_wcslen.LIBCMT ref: 0067B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0067B3B6
GetLastError.KERNEL32(00000000), ref: 0067B407
CloseHandle.KERNEL32(?), ref: 0067B439
CloseHandle.KERNEL32(00000000), ref: 0067B44A
CloseHandle.KERNEL32(00000000), ref: 0067B45C
CloseHandle.KERNEL32(00000000), ref: 0067B46E
CloseHandle.KERNEL32(?), ref: 0067B4E3

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: c0913cb31123a2d07ff1545717fcd1c912e5bb77acfd26760092808ea1ceed91
Instruction ID: b4b7d175c81909df837e4a3a155a50068ce8e9e2806045a3045dc93fa73c98a4
Opcode Fuzzy Hash: c0913cb31123a2d07ff1545717fcd1c912e5bb77acfd26760092808ea1ceed91
Instruction Fuzzy Hash: F4F1AA315083459FC724EF24C895B6EBBE2BF85314F18895DF8998B2A2DB30EC44CB52

Function 005F326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(006C1990), ref: 00632F8D
GetMenuItemCount.USER32(006C1990), ref: 0063303D
GetCursorPos.USER32(?), ref: 00633081
SetForegroundWindow.USER32(00000000), ref: 0063308A
TrackPopupMenuEx.USER32(006C1990,00000000,?,00000000,00000000,00000000), ref: 0063309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006330A9

Strings

0, xrefs: 005F327D

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: bbcbcebbbf46db9354c03dcbbb934cd9e6fde107dcb2e1e94ccf44eb1494db14
Instruction ID: 259932b3eda9f09c3646eaaf36c89f0d297fb70d28d975a850c2fa2b523034e6
Opcode Fuzzy Hash: bbcbcebbbf46db9354c03dcbbb934cd9e6fde107dcb2e1e94ccf44eb1494db14
Instruction Fuzzy Hash: D0712B7064021ABEFB259F24CC59FEABF66FF05364F20421AF6146A2E1C7B1AD10C791

Function 00686CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00686DEB

Part of subcall function 005F6B57: _wcslen.LIBCMT ref: 005F6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00686E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00686E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00686E94
DestroyWindow.USER32(?), ref: 00686EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,005F0000,00000000), ref: 00686EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00686EFD
GetDesktopWindow.USER32 ref: 00686F16
GetWindowRect.USER32(00000000), ref: 00686F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00686F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00686F4D

Part of subcall function 00609944: GetWindowLongW.USER32(?,000000EB), ref: 00609952

Strings

tooltips_class32, xrefs: 00686E58, 00686EDD
0, xrefs: 00686D98

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 3f5ef89e6828009d36c73b51883d26b49a54eda51b18d0b5f0807f48e334acb6
Instruction ID: dee98e569b9a072d062a4058ddff1a26a1f33fa890c4bd45ccb18b2bc71d1351
Opcode Fuzzy Hash: 3f5ef89e6828009d36c73b51883d26b49a54eda51b18d0b5f0807f48e334acb6
Instruction Fuzzy Hash: 7D715774104244AFDB21DF18D848EBABBFAFB89314F04461DFA9997261D770E946CB21

Function 0066C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0066C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0066C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0066C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0066C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0066C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0066C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0066C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0066C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0066C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0066C5F0
InternetCloseHandle.WININET(00000000), ref: 0066C5FB

Strings

, xrefs: 0066C575

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 869e7e49bd0f679b83291d954ec380bd0c48207def1a57f62fcec5b56b6ff8de
Instruction ID: 635f72ed933a5ba9af4b0ef892563b7590d9e95684959d71e164979aa7a6710a
Opcode Fuzzy Hash: 869e7e49bd0f679b83291d954ec380bd0c48207def1a57f62fcec5b56b6ff8de
Instruction Fuzzy Hash: 95516FB0500A08BFDB218F64CD48ABB7BFEFF48764F00451AF986D6250DB34E9549B60

Function 0068856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00688592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006885A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006885AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006885BA
GlobalLock.KERNEL32(00000000), ref: 006885C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006885D7
GlobalUnlock.KERNEL32(00000000), ref: 006885E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006885E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006885F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0068FC38,?), ref: 00688611
GlobalFree.KERNEL32(00000000), ref: 00688621
GetObjectW.GDI32(?,00000018,?), ref: 00688641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00688671
DeleteObject.GDI32(?), ref: 00688699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 006886AF

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 2c726658d13a80b89fa6f3eb46c68b5f712505e0fe9808fcc36c85ef45dddc05
Instruction ID: fb33334eeaa076554bc4e68fabdc078d3a34c0d4928b5606f2dce92880129346
Opcode Fuzzy Hash: 2c726658d13a80b89fa6f3eb46c68b5f712505e0fe9808fcc36c85ef45dddc05
Instruction Fuzzy Hash: DD410C75600204BFDB11DFA5DC88EAA7BBAFF89B21F104258F905E7261DB709E41DB60

Function 006614BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00661502
VariantCopy.OLEAUT32(?,?), ref: 0066150B
VariantClear.OLEAUT32(?), ref: 00661517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 006615FB
VarR8FromDec.OLEAUT32(?,?), ref: 00661657
VariantInit.OLEAUT32(?), ref: 00661708
SysFreeString.OLEAUT32(?), ref: 0066178C
VariantClear.OLEAUT32(?), ref: 006617D8
VariantClear.OLEAUT32(?), ref: 006617E7
VariantInit.OLEAUT32(00000000), ref: 00661823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00661625
Default, xrefs: 006616AF

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 18fc54b3a5ed77b8d5037a81c9ee6b4f133bb168d4b08e99f4e5a8bb940d3503
Instruction ID: d13e782f778e7bfb892df0b5fb49aa89a23002d3384114fee743167451844619
Opcode Fuzzy Hash: 18fc54b3a5ed77b8d5037a81c9ee6b4f133bb168d4b08e99f4e5a8bb940d3503
Instruction Fuzzy Hash: 42D1F2B1A00105EBDB149F65D885BB9FBB7BF46700F18815AE407AF680EB34EC42DB61

Function 0067B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 005F9CB3: _wcslen.LIBCMT ref: 005F9CBD

Part of subcall function 0067C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0067B6AE,?,?), ref: 0067C9B5
Part of subcall function 0067C998: _wcslen.LIBCMT ref: 0067C9F1
Part of subcall function 0067C998: _wcslen.LIBCMT ref: 0067CA68
Part of subcall function 0067C998: _wcslen.LIBCMT ref: 0067CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0067B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0067B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0067B80A
RegCloseKey.ADVAPI32(?), ref: 0067B87E
RegCloseKey.ADVAPI32(?), ref: 0067B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0067B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0067B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0067B922
FreeLibrary.KERNEL32(00000000), ref: 0067B983
RegCloseKey.ADVAPI32(00000000), ref: 0067B994

Strings

RegDeleteKeyExW, xrefs: 0067B8FE
advapi32.dll, xrefs: 0067B8ED

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 6a2c60ac4f36307fa383556f66ee6ee2f432d83702c565b9b8a8c6a0163680e4
Instruction ID: f306726c231335ae7d0ea384379a790883159eff2f768e12aff9db9a2d0c4a35
Opcode Fuzzy Hash: 6a2c60ac4f36307fa383556f66ee6ee2f432d83702c565b9b8a8c6a0163680e4
Instruction Fuzzy Hash: ECC17D30204202AFD714DF14C498F6ABBE6BF85318F14D55CE5AA8B3A2CB75ED45CB92

Function 0067255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006725D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 006725E8
CreateCompatibleDC.GDI32(?), ref: 006725F4
SelectObject.GDI32(00000000,?), ref: 00672601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0067266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 006726AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 006726D0
SelectObject.GDI32(?,?), ref: 006726D8
DeleteObject.GDI32(?), ref: 006726E1
DeleteDC.GDI32(?), ref: 006726E8
ReleaseDC.USER32(00000000,?), ref: 006726F3

Strings

(, xrefs: 0067268D

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 2354e94fcf5b1792b77409edb1e9451affd202fecbc6e9ace4e012a2c37641fd
Instruction ID: 3496a9ac31c6f4d1b21bdba35dddd8ea6e62104351e451da2a5469f873febee0
Opcode Fuzzy Hash: 2354e94fcf5b1792b77409edb1e9451affd202fecbc6e9ace4e012a2c37641fd
Instruction Fuzzy Hash: 5B61F475D00219EFCF14CFA4D894AAEBBF6FF48310F20852AE559A7250D771A941CF64

Function 0062DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0062DAA1

Part of subcall function 0062D63C: _free.LIBCMT ref: 0062D659
Part of subcall function 0062D63C: _free.LIBCMT ref: 0062D66B
Part of subcall function 0062D63C: _free.LIBCMT ref: 0062D67D
Part of subcall function 0062D63C: _free.LIBCMT ref: 0062D68F
Part of subcall function 0062D63C: _free.LIBCMT ref: 0062D6A1
Part of subcall function 0062D63C: _free.LIBCMT ref: 0062D6B3
Part of subcall function 0062D63C: _free.LIBCMT ref: 0062D6C5
Part of subcall function 0062D63C: _free.LIBCMT ref: 0062D6D7
Part of subcall function 0062D63C: _free.LIBCMT ref: 0062D6E9
Part of subcall function 0062D63C: _free.LIBCMT ref: 0062D6FB
Part of subcall function 0062D63C: _free.LIBCMT ref: 0062D70D
Part of subcall function 0062D63C: _free.LIBCMT ref: 0062D71F
Part of subcall function 0062D63C: _free.LIBCMT ref: 0062D731

_free.LIBCMT ref: 0062DA96

Part of subcall function 006229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0062D7D1,00000000,00000000,00000000,00000000,?,0062D7F8,00000000,00000007,00000000,?,0062DBF5,00000000), ref: 006229DE
Part of subcall function 006229C8: GetLastError.KERNEL32(00000000,?,0062D7D1,00000000,00000000,00000000,00000000,?,0062D7F8,00000000,00000007,00000000,?,0062DBF5,00000000,00000000), ref: 006229F0

_free.LIBCMT ref: 0062DAB8
_free.LIBCMT ref: 0062DACD
_free.LIBCMT ref: 0062DAD8
_free.LIBCMT ref: 0062DAFA
_free.LIBCMT ref: 0062DB0D
_free.LIBCMT ref: 0062DB1B
_free.LIBCMT ref: 0062DB26
_free.LIBCMT ref: 0062DB5E
_free.LIBCMT ref: 0062DB65
_free.LIBCMT ref: 0062DB82
_free.LIBCMT ref: 0062DB9A

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 24fe5b28eab129214489cdc46cf994db9fab9973acd2a1f922e0334ec6705ff4
Instruction ID: 4a30a43ed25705e3f35a2b706b739493bf195e405d8e301b62d3e0716fed0f50
Opcode Fuzzy Hash: 24fe5b28eab129214489cdc46cf994db9fab9973acd2a1f922e0334ec6705ff4
Instruction Fuzzy Hash: 41317A71A04A26AFEB61AB39F855B9A77EAFF04711F50441DE449D7291DA30AC808F24

Function 0065365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0065369C
_wcslen.LIBCMT ref: 006536A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00653797
GetClassNameW.USER32(?,?,00000400), ref: 0065380C
GetDlgCtrlID.USER32(?), ref: 0065385D
GetWindowRect.USER32(?,?), ref: 00653882
GetParent.USER32(?), ref: 006538A0
ScreenToClient.USER32(00000000), ref: 006538A7
GetClassNameW.USER32(?,?,00000100), ref: 00653921
GetWindowTextW.USER32(?,?,00000400), ref: 0065395D

Strings

%s%u, xrefs: 00653734

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 11ab2d17ad56d5dc25e549046ae7b17d9265b93c3f4f21df8b4964ebc02d872f
Instruction ID: 3c4708e88391878eaf1d4b4f5216720f0f5616ce96afa321fe69dc12be041c61
Opcode Fuzzy Hash: 11ab2d17ad56d5dc25e549046ae7b17d9265b93c3f4f21df8b4964ebc02d872f
Instruction Fuzzy Hash: ED91E771204616AFD709DF24C885FEAF7AAFF44791F004629FD99C6250EB30EA49CB91

Function 00654954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00654994
GetWindowTextW.USER32(?,?,00000400), ref: 006549DA
_wcslen.LIBCMT ref: 006549EB
CharUpperBuffW.USER32(?,00000000), ref: 006549F7
_wcsstr.LIBVCRUNTIME ref: 00654A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00654A64
GetWindowTextW.USER32(?,?,00000400), ref: 00654A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00654AE6
GetClassNameW.USER32(?,?,00000400), ref: 00654B20
GetWindowRect.USER32(?,?), ref: 00654B8B

Strings

ThumbnailClass, xrefs: 00654A6F, 00654AF1

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 495e4477820c578838d5abeece08146056ec49c93aa86d45438ebf42ff0b8914
Instruction ID: 5af8a650a72f8401fb45e07056851e2268d49807319350d35d7d38caae48aa2f
Opcode Fuzzy Hash: 495e4477820c578838d5abeece08146056ec49c93aa86d45438ebf42ff0b8914
Instruction Fuzzy Hash: 1E91BF710042059FDB04CF14C985BEA77EAFF84319F0485A9FD859A295EF34ED89CBA1

Function 00688D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00609BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00609BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00688D5A
GetFocus.USER32 ref: 00688D6A
GetDlgCtrlID.USER32(00000000), ref: 00688D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00688E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00688ECF
GetMenuItemCount.USER32(?), ref: 00688EEC
GetMenuItemID.USER32(?,00000000), ref: 00688EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00688F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00688F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00688FA1

Strings

0, xrefs: 00688E9F

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 0dc9d0af7f1cd7b4e8bb199978306ff75e247a31b2222036bd9912c2124c5805
Instruction ID: 89948add29d672884f8daf44b7033f5b829aa395d86ac0994f847c4f0e929137
Opcode Fuzzy Hash: 0dc9d0af7f1cd7b4e8bb199978306ff75e247a31b2222036bd9912c2124c5805
Instruction Fuzzy Hash: DB818F71508301AFDB20EF14D888AAB7BEBFF89354F540A1DFA9597291DB70D901CB62

Function 0067CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0067CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0067CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0067CD48

Part of subcall function 0067CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0067CCAA
Part of subcall function 0067CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0067CCBD
Part of subcall function 0067CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0067CCCF
Part of subcall function 0067CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0067CD05
Part of subcall function 0067CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0067CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0067CCF3

Strings

RegDeleteKeyExW, xrefs: 0067CCC9
advapi32.dll, xrefs: 0067CCB8

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 68cc940ec8a50638bba283f77c8f3bb608d5f4e80c0b940a226791df79829a3e
Instruction ID: fdacc82a8ca90594a6f2092b5ba58131a31fd6eb7d9bd7f8b89e4b02a24b6932
Opcode Fuzzy Hash: 68cc940ec8a50638bba283f77c8f3bb608d5f4e80c0b940a226791df79829a3e
Instruction Fuzzy Hash: 28316171901129BBD7218B54DC88EFFBB7EEF45764F004169B909E2240D7749A45DBB0

Function 0065E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0065E6B4

Part of subcall function 0060E551: timeGetTime.WINMM(?,?,0065E6D4), ref: 0060E555

Sleep.KERNEL32(0000000A), ref: 0065E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0065E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0065E727
SetActiveWindow.USER32 ref: 0065E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0065E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0065E773
Sleep.KERNEL32(000000FA), ref: 0065E77E
IsWindow.USER32 ref: 0065E78A
EndDialog.USER32(00000000), ref: 0065E79B

Strings

BUTTON, xrefs: 0065E719

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: e0c2c23b44ce5c87559d68bff6cb32ddac149f22af0aa9efaebdc4ba4fc48722
Instruction ID: 693badf18d4f51e72746e4c2d73f15e08aa74b0b9d589a408a5ae64c74398d25
Opcode Fuzzy Hash: e0c2c23b44ce5c87559d68bff6cb32ddac149f22af0aa9efaebdc4ba4fc48722
Instruction Fuzzy Hash: 83218EB0240241BFEF045F21EC99E363B6BAB5579AF102424FC55812A1DF72ED489B34

Function 0065E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 005F9CB3: _wcslen.LIBCMT ref: 005F9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0065EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0065EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0065EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0065EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0065EAA7

Strings

status PlayMe mode, xrefs: 0065EA58
close PlayMe, xrefs: 0065EA6E, 0065EA9B
play PlayMe wait, xrefs: 0065EA91
alias PlayMe, xrefs: 0065EA36
open , xrefs: 0065EA0C
play PlayMe, xrefs: 0065EAA2

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 357157a157bf0bfab929e09512ac75a433013e7120d91a35f5c278b96c191b07
Instruction ID: a6fac0f2fe23dee892197374a0bb3d5e6f67ca9d5af85cd49039edac9b7e20bb
Opcode Fuzzy Hash: 357157a157bf0bfab929e09512ac75a433013e7120d91a35f5c278b96c191b07
Instruction Fuzzy Hash: C011547169022E79E724B761DC4ADFF6A7DFBD1B40F0104257911A20D1EAB40A45C6B0

Function 00608BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00608F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00608BE8,?,00000000,?,?,?,?,00608BBA,00000000,?), ref: 00608FC5

DestroyWindow.USER32(?), ref: 00608C81
KillTimer.USER32(00000000,?,?,?,?,00608BBA,00000000,?), ref: 00608D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00646973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00608BBA,00000000,?), ref: 006469A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00608BBA,00000000,?), ref: 006469B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00608BBA,00000000), ref: 006469D4
DeleteObject.GDI32(00000000), ref: 006469E6

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 7da760a9b59ccb04f25de9d98c38bcbed72d2dbff62714fc4f2873ce94ab637e
Instruction ID: ad6ee1ed56512c3182cf6f3ad62e17241074c91a66149c2be5065d46b0af3b75
Opcode Fuzzy Hash: 7da760a9b59ccb04f25de9d98c38bcbed72d2dbff62714fc4f2873ce94ab637e
Instruction Fuzzy Hash: 0E619B30142701DFEB29DF14D948B6677B3FB42322F14661DE0829BAA0CB71AC91DFA5

Function 00609838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00609944: GetWindowLongW.USER32(?,000000EB), ref: 00609952

GetSysColor.USER32(0000000F), ref: 00609862

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 5048b18cd5263b0a6b600351630afdb0d046dae995f0d950ad3613c9b82d8c79
Instruction ID: 0d5fc71591bcdca6ee531095889910d401002ef63331d997ff12f2ee56c2e8dd
Opcode Fuzzy Hash: 5048b18cd5263b0a6b600351630afdb0d046dae995f0d950ad3613c9b82d8c79
Instruction Fuzzy Hash: BC417071144644AFDB245F389C88BBA37A7AB56330F149B15E9A28B3E3D7319842DB31

Function 00628D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.a, xrefs: 0062903A, 00628FD0, 00628FF2

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID: .a
API String ID: 0-2467499776
Opcode ID: 289cb3d1c9ea52183610559299a19a69c5316a4e39c00d0fe47cef1bd92cc26d
Instruction ID: 23a56064bd266f02aecbc59e90a319612f09f68618459321f69dbbfd90ab614a
Opcode Fuzzy Hash: 289cb3d1c9ea52183610559299a19a69c5316a4e39c00d0fe47cef1bd92cc26d
Instruction Fuzzy Hash: 7BC1E175E04669AFDB119FA8EC41BEDBBB2AF49310F08409DE815A7392CB349941CF71

Function 006596E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0063F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00659717
LoadStringW.USER32(00000000,?,0063F7F8,00000001), ref: 00659720

Part of subcall function 005F9CB3: _wcslen.LIBCMT ref: 005F9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0063F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00659742
LoadStringW.USER32(00000000,?,0063F7F8,00000001), ref: 00659745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00659866

Strings

Line %d (File "%s"):, xrefs: 0065978F
%s (%d) : ==> %s: %s %s, xrefs: 0065984A
^ ERROR, xrefs: 006597FB
Line %d:, xrefs: 006597A0
Error: , xrefs: 0065981D

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: f9b8da6e231b0683842ac2f2ba67fe435a04aa8d241d1547f3a5f31721aa9bde
Instruction ID: bd37964dee7fe670ca62bc78d9b23c4820b0e038c272022abe92347f2d4b0c52
Opcode Fuzzy Hash: f9b8da6e231b0683842ac2f2ba67fe435a04aa8d241d1547f3a5f31721aa9bde
Instruction Fuzzy Hash: 1F413D7280021EAADB04FBA0DD4AEFE7B79AF55341F100465F60572092EA396F48CB71

Function 006506DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 005F6B57: _wcslen.LIBCMT ref: 005F6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 006507A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006507BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006507DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00650804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0065082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00650837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0065083C

Strings

SOFTWARE\Classes\, xrefs: 0065070E
\CLSID, xrefs: 00650724
\IPC$, xrefs: 00650784

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 2df3d0068c9ddd203c423c4804666d41ba5252713d0fe93bb53832e261203d8e
Instruction ID: 9c45bd9096ad03756fb14c852cc1b7e2c31258bb0ba24cc2096f4a95be213584
Opcode Fuzzy Hash: 2df3d0068c9ddd203c423c4804666d41ba5252713d0fe93bb53832e261203d8e
Instruction Fuzzy Hash: FF410A71C1022DABDF11EB94DC99DFDB779BF48350F144129E905A32A1EB749E44CBA0

Function 00673C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00673C5C
CoInitialize.OLE32(00000000), ref: 00673C8A
CoUninitialize.OLE32 ref: 00673C94
_wcslen.LIBCMT ref: 00673D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00673DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00673ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00673F0E
CoGetObject.OLE32(?,00000000,0068FB98,?), ref: 00673F2D
SetErrorMode.KERNEL32(00000000), ref: 00673F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00673FC4
VariantClear.OLEAUT32(?), ref: 00673FD8

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 1922bc2cbda1d729d2506650cb2530214096d615b006b766f779b4e80a08c2b6
Instruction ID: d6a57c83dc7e171ff1cd72b88c229378b29bf66be351dadb8f164bd592249a16
Opcode Fuzzy Hash: 1922bc2cbda1d729d2506650cb2530214096d615b006b766f779b4e80a08c2b6
Instruction Fuzzy Hash: BDC12371608215AFD700DF68C88496BBBEAFF89744F10891DF98A9B310DB31EE05CB52

Function 00667A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00667AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00667B8F
SHGetDesktopFolder.SHELL32(?), ref: 00667BA3
CoCreateInstance.OLE32(0068FD08,00000000,00000001,006B6E6C,?), ref: 00667BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00667C74
CoTaskMemFree.OLE32(?,?), ref: 00667CCC
SHBrowseForFolderW.SHELL32(?), ref: 00667D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00667D7A
CoTaskMemFree.OLE32(00000000), ref: 00667D81
CoTaskMemFree.OLE32(00000000), ref: 00667DD6
CoUninitialize.OLE32 ref: 00667DDC

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: a2ef6528429145532a16f59e04f42427add8f1cfd0f27b93bf4eab560a226469
Instruction ID: dddbd39c25c63c149978be6e3e2d0d5c37eeba2115feea8a37b8acb725d11829
Opcode Fuzzy Hash: a2ef6528429145532a16f59e04f42427add8f1cfd0f27b93bf4eab560a226469
Instruction Fuzzy Hash: 2EC11A75A04109AFCB14DFA4C888DAEBBFAFF48314F148599E9199B361D730EE45CB90

Function 0068541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00685504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00685515
CharNextW.USER32(00000158), ref: 00685544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00685585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0068559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006855AC

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 60483627ef01b55a36982c41581bd01b075efe6a02091ac5bd603a2ec8575e17
Instruction ID: b98f45386d4f0c54c07f2bab534d78000059b8f295fd8801d3c8e0c52210d081
Opcode Fuzzy Hash: 60483627ef01b55a36982c41581bd01b075efe6a02091ac5bd603a2ec8575e17
Instruction Fuzzy Hash: C9618074904608EFDF10AF54CC84DFE7BBBEF0A721F104255F926AA2A1D7748A81DB61

Function 0064FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0064FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0064FB08
VariantInit.OLEAUT32(?), ref: 0064FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0064FB3A
VariantCopy.OLEAUT32(?,?), ref: 0064FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0064FBA1
VariantClear.OLEAUT32(?), ref: 0064FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0064FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0064FBCC
VariantClear.OLEAUT32(?), ref: 0064FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0064FBE9

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 381e342caa1a8804c191f87d583098c12ddaa6319de2658f6d1c96cb718f0ed2
Instruction ID: 17de6b10796d05bbafc83ac481db3df7633405e46e30e30ef032afae903d5be2
Opcode Fuzzy Hash: 381e342caa1a8804c191f87d583098c12ddaa6319de2658f6d1c96cb718f0ed2
Instruction Fuzzy Hash: 00414075A00219EFCB04DF64DC58DEEBBBAFF48354F008169E955A7261CB34A985CFA0

Function 00659C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00659CA1
GetAsyncKeyState.USER32(000000A0), ref: 00659D22
GetKeyState.USER32(000000A0), ref: 00659D3D
GetAsyncKeyState.USER32(000000A1), ref: 00659D57
GetKeyState.USER32(000000A1), ref: 00659D6C
GetAsyncKeyState.USER32(00000011), ref: 00659D84
GetKeyState.USER32(00000011), ref: 00659D96
GetAsyncKeyState.USER32(00000012), ref: 00659DAE
GetKeyState.USER32(00000012), ref: 00659DC0
GetAsyncKeyState.USER32(0000005B), ref: 00659DD8
GetKeyState.USER32(0000005B), ref: 00659DEA

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 855fb5b312f3e8e009dd50f8ef803f1da09a2fa6db27632a4e9d272e3530371f
Instruction ID: d338330f095e787675f17785ad61549ff97c87307aec6652c52d6d0320ed0852
Opcode Fuzzy Hash: 855fb5b312f3e8e009dd50f8ef803f1da09a2fa6db27632a4e9d272e3530371f
Instruction Fuzzy Hash: B841A534504BCAADFF31966088043E5BEB26F11345F08815ADEC6567C2EBA599CCC7B2

Function 0067055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 006705BC
inet_addr.WSOCK32(?), ref: 0067061C
gethostbyname.WSOCK32(?), ref: 00670628
IcmpCreateFile.IPHLPAPI ref: 00670636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 006706C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 006706E5
IcmpCloseHandle.IPHLPAPI(?), ref: 006707B9
WSACleanup.WSOCK32 ref: 006707BF

Strings

Ping, xrefs: 00670676

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 6af0a6f689638fc61648fea7ef4e99775668ed8d1fad66c3acb7192efa9e80e7
Instruction ID: 8823455fff95c00866b187d17301d4d98e858db24621e4ba051c994225236c5e
Opcode Fuzzy Hash: 6af0a6f689638fc61648fea7ef4e99775668ed8d1fad66c3acb7192efa9e80e7
Instruction Fuzzy Hash: 82917A35604201EFE324CF15C988B5ABBE2AF84318F14C5A9E5698B7A2C774ED41CFA1

Function 00678CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00678CF3

Part of subcall function 00658E54: _wcslen.LIBCMT ref: 00658E77

_wcslen.LIBCMT ref: 00678D4E
_wcslen.LIBCMT ref: 00678D9C
_wcslen.LIBCMT ref: 00678DDC
_wcslen.LIBCMT ref: 00678E6E

Strings

stdcall, xrefs: 00678DD6, 00678DDB
cdecl, xrefs: 00678D48, 00678D4D
none, xrefs: 00678E65, 00678E6A
winapi, xrefs: 00678D96, 00678D9B

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 2439f0a3199f6b6e3fbd9a82749eafab9038ed6833ef045010ce84c88c22cbac
Instruction ID: 90836bace821bff2edd62db71a5370a3af3360072560d8be9f873b8b22460612
Opcode Fuzzy Hash: 2439f0a3199f6b6e3fbd9a82749eafab9038ed6833ef045010ce84c88c22cbac
Instruction Fuzzy Hash: D8519E71A405169FCB24DF68C9549FEB7A7BF64320B248229E92AE73C4EB34DD40C790

Function 0067372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00673774
CoUninitialize.OLE32 ref: 0067377F
CoCreateInstance.OLE32(?,00000000,00000017,0068FB78,?), ref: 006737D9
IIDFromString.OLE32(?,?), ref: 0067384C
VariantInit.OLEAUT32(?), ref: 006738E4
VariantClear.OLEAUT32(?), ref: 00673936

Strings

Failed to create object, xrefs: 006737E4, 0067389A
Invalid parameter, xrefs: 00673865
NULL Pointer assignment, xrefs: 0067381E

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 45e5b386ffa7dc8ab8e50b0f90cc3e0041413c8b2052047ec67e051d0f8a559d
Instruction ID: bcd85c281ec67bcc63ff693c272d51ec39d6b7dc7bee85f9a6fcc1dead299ff7
Opcode Fuzzy Hash: 45e5b386ffa7dc8ab8e50b0f90cc3e0041413c8b2052047ec67e051d0f8a559d
Instruction Fuzzy Hash: 0D6191B0608311AFD310DF54C849BAABBE6EF89710F10490DF9899B391D770EE49DB96

Function 00688B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00609BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00609BB2

Part of subcall function 0060912D: GetCursorPos.USER32(?), ref: 00609141
Part of subcall function 0060912D: ScreenToClient.USER32(00000000,?), ref: 0060915E
Part of subcall function 0060912D: GetAsyncKeyState.USER32(00000001), ref: 00609183
Part of subcall function 0060912D: GetAsyncKeyState.USER32(00000002), ref: 0060919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00688B6B
ImageList_EndDrag.COMCTL32 ref: 00688B71
ReleaseCapture.USER32 ref: 00688B77
SetWindowTextW.USER32(?,00000000), ref: 00688C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00688C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00688CFF

Strings

@GUI_DRAGFILE, xrefs: 00688C9A
p#l, xrefs: 00688C71
@GUI_DROPID, xrefs: 00688C51

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#l
API String ID: 1924731296-948109662
Opcode ID: e461283110647df183206401b248661ebba1bf50e1238e385c50b73026557513
Instruction ID: e50a07f7f39866d4847c25ad80b58b41cbedc59a61b4567b0157fb194f39ed4d
Opcode Fuzzy Hash: e461283110647df183206401b248661ebba1bf50e1238e385c50b73026557513
Instruction Fuzzy Hash: 1D518A70104204AFD704EF24DC5AFBA7BE6FB89750F40062DF9569B2E2DB749944CB62

Function 00663388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 006633CF

Part of subcall function 005F9CB3: _wcslen.LIBCMT ref: 005F9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 006633F0

Strings

Line %d (File "%s"):, xrefs: 00663443, 0066345C
"%s" (%d) : ==> %s:%s%s, xrefs: 00663504
^ ERROR , xrefs: 0066349E
"%s" (%d) : ==> %s:, xrefs: 00663522
Incorrect parameters to object property !, xrefs: 006634AB
Error: , xrefs: 006634D1

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 920784539e8c565ee1a660b358486bc14c3acc6a8602d8352baf92e8ff90d951
Instruction ID: 023515b2eda59dfb5f803bf623ec14347e081f43476293cec46800451ad8be57
Opcode Fuzzy Hash: 920784539e8c565ee1a660b358486bc14c3acc6a8602d8352baf92e8ff90d951
Instruction Fuzzy Hash: A751AF7180061AAADF15EBA0CD46EFEBBBABF45340F104165F505721A2EB392F58CB60

Function 0065B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0065B5FC
_wcslen.LIBCMT ref: 0065B608
_wcslen.LIBCMT ref: 0065B64D
_wcslen.LIBCMT ref: 0065B68C
_wcslen.LIBCMT ref: 0065B6C7

Strings

APPEND, xrefs: 0065B6C1, 0065B6C6
KEYS, xrefs: 0065B647, 0065B64C
REMOVE, xrefs: 0065B602, 0065B607
EXISTS, xrefs: 0065B686, 0065B68B

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: fe77b71ab2d9dba5dda1042106bc6e9874f9b7d6ae40ffc27fa2c62482fd6f16
Instruction ID: 8cd7e82b2f396049adec1c840541d44cdbcf68285514f0dc2338d9bb02988c9d
Opcode Fuzzy Hash: fe77b71ab2d9dba5dda1042106bc6e9874f9b7d6ae40ffc27fa2c62482fd6f16
Instruction Fuzzy Hash: 5641B432A000279ACB105F7DC8905FE7BA7ABA1755F245129E821D7384EB35CD85C790

Function 00665393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006653A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00665416
GetLastError.KERNEL32 ref: 00665420
SetErrorMode.KERNEL32(00000000,READY), ref: 006654A7

Strings

UNKNOWN, xrefs: 00665444
READY, xrefs: 00665460, 00665468
INVALID, xrefs: 00665459
NOTREADY, xrefs: 0066544B
READONLY, xrefs: 00665452

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 8ca39637439615d457441324fdb353bad255d43ad5065bcc11489e44c9cc16da
Instruction ID: a06e9a09cd33c891070bb730e8b5f45e4d7d64d2425c12e087f907bc82441fc6
Opcode Fuzzy Hash: 8ca39637439615d457441324fdb353bad255d43ad5065bcc11489e44c9cc16da
Instruction Fuzzy Hash: B331B275A006099FC710DF68C48AAEABBF6FF44305F1480A5E506DB392DB75DD86CBA0

Function 00683C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00683C79
SetMenu.USER32(?,00000000), ref: 00683C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00683D10
IsMenu.USER32(?), ref: 00683D24
CreatePopupMenu.USER32 ref: 00683D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00683D5B
DrawMenuBar.USER32 ref: 00683D63

Strings

0, xrefs: 00683C54
F, xrefs: 00683D4E

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: f5498c1d2e5acff1cf77181aba16378bda16a262f9db3791be6f2fb5f8b3197f
Instruction ID: 6ba61859df375adeadd4a88930f0f8c31c91721cd12e9284ab521397c36b1aad
Opcode Fuzzy Hash: f5498c1d2e5acff1cf77181aba16378bda16a262f9db3791be6f2fb5f8b3197f
Instruction Fuzzy Hash: CB418975A01219AFDF14DF64E844EEA7BB6FF49310F144228F906A7360D730AA10CFA4

Function 00683A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00683A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00683AA0
GetWindowLongW.USER32(?,000000F0), ref: 00683AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00683AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00683B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00683BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00683BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00683BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00683BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00683C13

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 04671d69e6a7d1afdee4f3ad9340b5077a49e3bc32fc432083b22828046d1879
Instruction ID: c0bbe7941528195ff4e8b752142c268d6d6f3916c83d5e8c3ffaa4ab60b9da2c
Opcode Fuzzy Hash: 04671d69e6a7d1afdee4f3ad9340b5077a49e3bc32fc432083b22828046d1879
Instruction Fuzzy Hash: 98618CB5900258AFDB10EFA8CC81EEE77B9EF09700F100199FA15AB392D774AE41DB50

Function 0065B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0065B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0065A1E1,?,00000001), ref: 0065B165
GetWindowThreadProcessId.USER32(00000000), ref: 0065B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0065A1E1,?,00000001), ref: 0065B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0065B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0065A1E1,?,00000001), ref: 0065B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0065A1E1,?,00000001), ref: 0065B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0065A1E1,?,00000001), ref: 0065B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0065A1E1,?,00000001), ref: 0065B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0065A1E1,?,00000001), ref: 0065B21D

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 608c2d87445c76f300944305b3209b578c120212e1209196394fd2e2ec56818c
Instruction ID: e278b54ff6584edfe415fb1e73695fe159cd3d49aab8c256c4d4702df85fe724
Opcode Fuzzy Hash: 608c2d87445c76f300944305b3209b578c120212e1209196394fd2e2ec56818c
Instruction Fuzzy Hash: 70314876600614BFDB209F64EC48FBD7BABAB51322F14A115FA05D6390D7B49A448F70

Function 00622C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00622C94

Part of subcall function 006229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0062D7D1,00000000,00000000,00000000,00000000,?,0062D7F8,00000000,00000007,00000000,?,0062DBF5,00000000), ref: 006229DE
Part of subcall function 006229C8: GetLastError.KERNEL32(00000000,?,0062D7D1,00000000,00000000,00000000,00000000,?,0062D7F8,00000000,00000007,00000000,?,0062DBF5,00000000,00000000), ref: 006229F0

_free.LIBCMT ref: 00622CA0
_free.LIBCMT ref: 00622CAB
_free.LIBCMT ref: 00622CB6
_free.LIBCMT ref: 00622CC1
_free.LIBCMT ref: 00622CCC
_free.LIBCMT ref: 00622CD7
_free.LIBCMT ref: 00622CE2
_free.LIBCMT ref: 00622CED
_free.LIBCMT ref: 00622CFB

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2f87c9e69e72920a2f0c154296c7e05a78aeea42542c4d2bc1811ba92769a8c4
Instruction ID: 12b86aba1af57402286ce15d86ab5ced7448532985c0798194de8510b16fbeed
Opcode Fuzzy Hash: 2f87c9e69e72920a2f0c154296c7e05a78aeea42542c4d2bc1811ba92769a8c4
Instruction Fuzzy Hash: CA111936500419BFCB42EF55E852CDC3BA6FF09740F8040A8F9485F262D631EE909F94

Function 005F1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 005F1459
OleUninitialize.OLE32(?,00000000), ref: 005F14F8
UnregisterHotKey.USER32(?), ref: 005F16DD
DestroyWindow.USER32(?), ref: 006324B9
FreeLibrary.KERNEL32(?), ref: 0063251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0063254B

Strings

close all, xrefs: 005F1454

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: da9ac75ae2502005d559a1131c3909192c1a595003fa86ccfb67a363bb71f521
Instruction ID: 259aedfc7c021cd334f1c9bca48df9a51a65d71a05acfbacc9b8b9ac30cbcc4b
Opcode Fuzzy Hash: da9ac75ae2502005d559a1131c3909192c1a595003fa86ccfb67a363bb71f521
Instruction Fuzzy Hash: EAD19D31701613CFCB29EF15C4A9A69FBA2BF45710F1442ADE54AAB352CB30AD12CF94

Function 005F5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 005F5C7A

Part of subcall function 005F5D0A: GetClientRect.USER32(?,?), ref: 005F5D30
Part of subcall function 005F5D0A: GetWindowRect.USER32(?,?), ref: 005F5D71
Part of subcall function 005F5D0A: ScreenToClient.USER32(?,?), ref: 005F5D99

GetDC.USER32 ref: 006346F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00634708
SelectObject.GDI32(00000000,00000000), ref: 00634716
SelectObject.GDI32(00000000,00000000), ref: 0063472B
ReleaseDC.USER32(?,00000000), ref: 00634733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 006347C4

Strings

U, xrefs: 00634693

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 1f5570aec514130c7b0e7a10f470330d0371d56de9c8685179f0549b31abe5a9
Instruction ID: 2fedaf7d41a3d5f9d3b713c069ce4dfac949601c62f7d84092d8eaa8aa97a26e
Opcode Fuzzy Hash: 1f5570aec514130c7b0e7a10f470330d0371d56de9c8685179f0549b31abe5a9
Instruction Fuzzy Hash: 5871C331400209DFCF218F64C985AFABFB7FF46360F144269EA565A266DB35AC41DF90

Function 0066359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 006635E4

Part of subcall function 005F9CB3: _wcslen.LIBCMT ref: 005F9CBD

LoadStringW.USER32(006C2390,?,00000FFF,?), ref: 0066360A

Strings

Line %d (File "%s"):, xrefs: 0066366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00663724
^ ERROR, xrefs: 006636C9
"%s" (%d) : ==> %s:, xrefs: 00663742
Error: , xrefs: 006636EF

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: c61e10dd1052d6cc0010a5d40fdd143a62545cad2282476f7b9e06dc0a0147a4
Instruction ID: f3577da94da76c9b5fe27aa927669983f6200809083e666b9ccc194dac71dfa0
Opcode Fuzzy Hash: c61e10dd1052d6cc0010a5d40fdd143a62545cad2282476f7b9e06dc0a0147a4
Instruction Fuzzy Hash: C1517C7180021EAADF15EBA0CC46EFEBB7ABF45340F144125F605722A2EB351A99DB64

Function 0066C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0066C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0066C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0066C2CA
GetLastError.KERNEL32 ref: 0066C322
SetEvent.KERNEL32(?), ref: 0066C336
InternetCloseHandle.WININET(00000000), ref: 0066C341

Strings

, xrefs: 0066C2BB

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: f2529fb98fba5443b229077dd997198e5ccee8c0b74e96cb9274741c2f5804a2
Instruction ID: dd5016f9c01fbb12b0f778e58193c7d4c2698f47c67a6ed56d49841dd0d66aa7
Opcode Fuzzy Hash: f2529fb98fba5443b229077dd997198e5ccee8c0b74e96cb9274741c2f5804a2
Instruction Fuzzy Hash: 4F316BB1600A08BFD7219F649888ABB7AFEEB49764B14851EF486A2300DB34DD059B70

Function 0065989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00633AAF,?,?,Bad directive syntax error,0068CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 006598BC
LoadStringW.USER32(00000000,?,00633AAF,?), ref: 006598C3

Part of subcall function 005F9CB3: _wcslen.LIBCMT ref: 005F9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00659987

Strings

Line %d (File "%s"):, xrefs: 0065992D
., xrefs: 0065996D
%s (%d) : ==> %s.: %s %s, xrefs: 006598F1
Line %d:, xrefs: 00659912
Error: , xrefs: 00659955

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: c9f62ff4cb272cc72ebb727a4eec99d7f35be230c6cd15eae615300c5ec5ccff
Instruction ID: 7a66476d38a255c201cb212dc66a089313ff658072c67b4a151ddd59ddad47f8
Opcode Fuzzy Hash: c9f62ff4cb272cc72ebb727a4eec99d7f35be230c6cd15eae615300c5ec5ccff
Instruction Fuzzy Hash: 7C215E7180021EEBDF15EF90CC0AEFE7BB6BF18341F044469F615660A2EB759A58DB60

Function 0065209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 006520AB
GetClassNameW.USER32(00000000,?,00000100), ref: 006520C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0065214D

Strings

SHELLDLL_DefView, xrefs: 006520CC
smallicons, xrefs: 00652115
list, xrefs: 0065212F
details, xrefs: 006520FB
largeicons, xrefs: 006520E1

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: ea301925ac97ac357fe165c78c6cf37c7640ac85bb97da39297e6054d47f03a5
Instruction ID: 5f82166e1c912d6e3d35f3d8f877135ddfbbb2e4d385396bdcb78f3a3bc057ad
Opcode Fuzzy Hash: ea301925ac97ac357fe165c78c6cf37c7640ac85bb97da39297e6054d47f03a5
Instruction Fuzzy Hash: 27113AB6284B07B9F6252320DC27DE7339FCF06325F21012AFF05A50D1FE6158865718

Function 0062CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0062CEB7
_free.LIBCMT ref: 0062CF22
_free.LIBCMT ref: 0062CF48
_free.LIBCMT ref: 0062CF71
_free.LIBCMT ref: 0062CFA9
_free.LIBCMT ref: 0062CFDA
_free.LIBCMT ref: 0062D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0062D09C
_free.LIBCMT ref: 0062D0B5

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 1d0ddb96c21d8669c255b8e3fc1c10dc50fde40bae6638cc306267732410133b
Instruction ID: fce50fbc092e7ee65d51158e222e394980cd20a925ba22692b471a72907c8dc8
Opcode Fuzzy Hash: 1d0ddb96c21d8669c255b8e3fc1c10dc50fde40bae6638cc306267732410133b
Instruction Fuzzy Hash: D0616971A04B71AFDB21AFB8BD51ABD7B97AF05320F04026EF84597381D6319D418F90

Function 006850D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00685186
ShowWindow.USER32(?,00000000), ref: 006851C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 006851CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 006851D1

Part of subcall function 00686FBA: DeleteObject.GDI32(00000000), ref: 00686FE6

GetWindowLongW.USER32(?,000000F0), ref: 0068520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0068521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0068524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00685287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00685296

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 3b782646bc34ad2098d901740922b7137c8851fbf7feaa1ec7f37e8284413df2
Instruction ID: 6cdb275196cbb3843f47021c91966fea3cba10469e54ebf19e68a81774bbb05c
Opcode Fuzzy Hash: 3b782646bc34ad2098d901740922b7137c8851fbf7feaa1ec7f37e8284413df2
Instruction Fuzzy Hash: DA51C130A50A08FEEF20AF24CC59BD93B67FB05321F144215F656963E1CB75AA90DB51

Function 00608B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00646890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 006468A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 006468B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 006468D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 006468F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00608874,00000000,00000000,00000000,000000FF,00000000), ref: 00646901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0064691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00608874,00000000,00000000,00000000,000000FF,00000000), ref: 0064692D

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: d57bb16a69daa45a75050226bb8e1179272422ff258c138f9384aad1d75a77c1
Instruction ID: b773e3d687379ca364626312a4ee5d4afde7e2dd5d1d21bd3dc91ecec989f982
Opcode Fuzzy Hash: d57bb16a69daa45a75050226bb8e1179272422ff258c138f9384aad1d75a77c1
Instruction Fuzzy Hash: 06516870640209EFDB24CF24CC55FAA7BB7EB99760F104618F946972E0DB70E991DB60

Function 0066C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0066C182
GetLastError.KERNEL32 ref: 0066C195
SetEvent.KERNEL32(?), ref: 0066C1A9

Part of subcall function 0066C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0066C272
Part of subcall function 0066C253: GetLastError.KERNEL32 ref: 0066C322
Part of subcall function 0066C253: SetEvent.KERNEL32(?), ref: 0066C336
Part of subcall function 0066C253: InternetCloseHandle.WININET(00000000), ref: 0066C341

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 8ecee84f90908c2092396d98b69feca106b4f1a5263c8d6f02baab0ad5f678bd
Instruction ID: 038a17deb9d8a02779ca115119cd2db9056a01f63600cc939f25890cd202da1a
Opcode Fuzzy Hash: 8ecee84f90908c2092396d98b69feca106b4f1a5263c8d6f02baab0ad5f678bd
Instruction Fuzzy Hash: 2C318F71200A05BFDB219FA5DC54AB7BBFEFF58320B00851DF99A82610D731E9159BA0

Function 006525A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00653A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00653A57
Part of subcall function 00653A3D: GetCurrentThreadId.KERNEL32 ref: 00653A5E
Part of subcall function 00653A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006525B3), ref: 00653A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 006525BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006525DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 006525DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 006525E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00652601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00652605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0065260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00652623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00652627

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 504aedbe7561b1e864c437937468c3527f6402972aad2f761956b549b76403ca
Instruction ID: e2ce753f8b89517438fcdbda3467535c69f72a3068ecf06e0ebd3f4566727e7c
Opcode Fuzzy Hash: 504aedbe7561b1e864c437937468c3527f6402972aad2f761956b549b76403ca
Instruction Fuzzy Hash: 7F01D431390220BBFB106768DCCEF593F6ADB4EB62F101115F758AE1D5C9F224889A79

Function 00651803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00651449,?,?,00000000), ref: 0065180C
HeapAlloc.KERNEL32(00000000,?,00651449,?,?,00000000), ref: 00651813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00651449,?,?,00000000), ref: 00651828
GetCurrentProcess.KERNEL32(?,00000000,?,00651449,?,?,00000000), ref: 00651830
DuplicateHandle.KERNEL32(00000000,?,00651449,?,?,00000000), ref: 00651833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00651449,?,?,00000000), ref: 00651843
GetCurrentProcess.KERNEL32(00651449,00000000,?,00651449,?,?,00000000), ref: 0065184B
DuplicateHandle.KERNEL32(00000000,?,00651449,?,?,00000000), ref: 0065184E
CreateThread.KERNEL32(00000000,00000000,00651874,00000000,00000000,00000000), ref: 00651868

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: b402058a4e38c9adc230ceed91a5b394151872cc7cd4599b0f512b50c22aa8d0
Instruction ID: 0da58575b4d03dafaa2e561014009239c89c2d145b100d48c0d1bbbb5dfa4d5c
Opcode Fuzzy Hash: b402058a4e38c9adc230ceed91a5b394151872cc7cd4599b0f512b50c22aa8d0
Instruction Fuzzy Hash: A701BBB5240308BFE710ABA5DC8DF6B3BADEB89B11F015511FA05DB2A1DA719800DB30

Function 0067A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0065D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0065D501
Part of subcall function 0065D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0065D50F
Part of subcall function 0065D4DC: CloseHandle.KERNEL32(00000000), ref: 0065D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0067A16D
GetLastError.KERNEL32 ref: 0067A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0067A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0067A268
GetLastError.KERNEL32(00000000), ref: 0067A273
CloseHandle.KERNEL32(00000000), ref: 0067A2C4

Strings

SeDebugPrivilege, xrefs: 0067A18F

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 22073feae19029693bb209f712c2027ff013b5094837e9c9fdb9c83a17cebdb5
Instruction ID: e066e18698d65ff68527f7cca1a11433f04372a062d72c6d48d0a556be7bbde6
Opcode Fuzzy Hash: 22073feae19029693bb209f712c2027ff013b5094837e9c9fdb9c83a17cebdb5
Instruction Fuzzy Hash: FB619131204242AFD710DF54C498F69BBE2AF84318F58C49CE56A4B7A3C776ED45CB92

Function 00683886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00683925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0068393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00683954
_wcslen.LIBCMT ref: 00683999
SendMessageW.USER32(?,00001057,00000000,?), ref: 006839C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 006839F4

Strings

SysListView32, xrefs: 006838F7

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: d35c1d30e87d8039febc823b981edba6f5c385eae8a758efcdcee307984a6f69
Instruction ID: 32ecee77efcf174865509b894e344dac2e5c6fa4d635ffc775576cc235222849
Opcode Fuzzy Hash: d35c1d30e87d8039febc823b981edba6f5c385eae8a758efcdcee307984a6f69
Instruction Fuzzy Hash: C941A671900219ABDF21AF64CC45FEA77AAEF08750F10062AF554E7381D7719A84CB94

Function 0065BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0065BCFD
IsMenu.USER32(00000000), ref: 0065BD1D
CreatePopupMenu.USER32 ref: 0065BD53
GetMenuItemCount.USER32(01805EB0), ref: 0065BDA4
InsertMenuItemW.USER32(01805EB0,?,00000001,00000030), ref: 0065BDCC

Strings

2, xrefs: 0065BD37
0, xrefs: 0065BCA8

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 24fa272e27db9faecf763601503b3eb58d75ec1ef4891369d9f7756173717bb7
Instruction ID: 0c5e5c97efc30cc74dabe8196f390be6e7e171e0423227df0bd04cb030c42677
Opcode Fuzzy Hash: 24fa272e27db9faecf763601503b3eb58d75ec1ef4891369d9f7756173717bb7
Instruction Fuzzy Hash: 7A519D70A00209ABDF10CFA8D888BEEBBF6BF45326F146359EC1197391D7709949CB61

Function 00612D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00612D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00612D53
_ValidateLocalCookies.LIBCMT ref: 00612DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00612E0C
_ValidateLocalCookies.LIBCMT ref: 00612E61

Strings

&Ha, xrefs: 00612DFE, 00612E07, 00612E18
csm, xrefs: 00612DF6

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Ha$csm
API String ID: 1170836740-1851598266
Opcode ID: 39e09437f4106ccdbe03d7f339f200f4d33b142746e0702cb43680d9a20494e7
Instruction ID: 1545675f3f75474cd297b5f9c004533ff9247adfd50cc37c8e3ebc0347e8684f
Opcode Fuzzy Hash: 39e09437f4106ccdbe03d7f339f200f4d33b142746e0702cb43680d9a20494e7
Instruction Fuzzy Hash: DF41E734E0021AAFCF10DF68D855ADEBBB7BF44324F188159E8156B392D7319AA1CBD0

Function 0065C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0065C913

Strings

stop, xrefs: 0065C8E4
blank, xrefs: 0065C895
question, xrefs: 0065C8CC
warning, xrefs: 0065C8FC
info, xrefs: 0065C8B4

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 943de1c1a347a802fb4ab2f7e381f0e46b084a5a4f338d75aae6c99b6164306b
Instruction ID: db644eee257d28e7bf5caa2f5a74ab7ac28f79a380ff234fa21d8bcb35899eb9
Opcode Fuzzy Hash: 943de1c1a347a802fb4ab2f7e381f0e46b084a5a4f338d75aae6c99b6164306b
Instruction Fuzzy Hash: C7112B32689306BEE7005B15DC82CEA679EDF15736F21003EF904A62C2DF745D845368

Function 0065ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0065ED2A
_wcslen.LIBCMT ref: 0065ED3B
_wcslen.LIBCMT ref: 0065ED79
_wcslen.LIBCMT ref: 0065EDAF
_wcslen.LIBCMT ref: 0065EDDF
_wcslen.LIBCMT ref: 0065EDEF
_wcslen.LIBCMT ref: 0065EE2B
_wcslen.LIBCMT ref: 0065EE5A

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: b53aff3f79f0e46df2a71ed619f45c39d98f43c48a50451e39506eff57d8d5bd
Instruction ID: f56a748d688f6c454ef55ebebc8783e3aa5381581a1a65a03a1c2897ab544daa
Opcode Fuzzy Hash: b53aff3f79f0e46df2a71ed619f45c39d98f43c48a50451e39506eff57d8d5bd
Instruction Fuzzy Hash: 5341A265C1021875CB51EBF4C88A9CFB7AAAF45710F54896AF914E3122FB34E385C3E9

Function 0060F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0064682C,00000004,00000000,00000000), ref: 0060F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0064682C,00000004,00000000,00000000), ref: 0064F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0064682C,00000004,00000000,00000000), ref: 0064F454

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 5ee6b25c4772284ad0c96b7faf099ef5b8b0c06ed9fbe6238793072255b84951
Instruction ID: 25dc70fc16f2513c680ef1875c0ca586aa4cc0daf96936715a95358efe6d3a7b
Opcode Fuzzy Hash: 5ee6b25c4772284ad0c96b7faf099ef5b8b0c06ed9fbe6238793072255b84951
Instruction Fuzzy Hash: BE413B31248680BEC73D8F28D888BAB7BD7AB86320F14553DF08756FE1D671A881C751

Function 00682D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00682D1B
GetDC.USER32(00000000), ref: 00682D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00682D2E
ReleaseDC.USER32(00000000,00000000), ref: 00682D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00682D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00682D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00685A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00682DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00682DE1

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 83db03147fecb2fedfe341d5595545e23702e27b831940c2d5bb9869f306c974
Instruction ID: 4cc2b1be4367de0b25009e12eb9bc06f92601b39176dfc7b911fad55bc3d9f5a
Opcode Fuzzy Hash: 83db03147fecb2fedfe341d5595545e23702e27b831940c2d5bb9869f306c974
Instruction Fuzzy Hash: 18319C72201214BFEB118F50CC8AFEB3FAAEF09761F044165FE089A291D6759C40CBB4

Function 00655622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00655637
_memcmp.LIBVCRUNTIME ref: 00655659
_memcmp.LIBVCRUNTIME ref: 00655671
_memcmp.LIBVCRUNTIME ref: 00655684
_memcmp.LIBVCRUNTIME ref: 0065569E
_memcmp.LIBVCRUNTIME ref: 006556B1
_memcmp.LIBVCRUNTIME ref: 006556C9
_memcmp.LIBVCRUNTIME ref: 006556E4

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b569d8da36d8288a80e085e2f8b70ac922bd9460fa604204d32d5eadd0b06417
Instruction ID: fe21ee7260f76b01986278f44ace48020d57d453e41beb8a30558a9b8dcc15aa
Opcode Fuzzy Hash: b569d8da36d8288a80e085e2f8b70ac922bd9460fa604204d32d5eadd0b06417
Instruction Fuzzy Hash: CD213E61740A0DB7D21467118DB6FFB335FAF11386F540024FE065E751FB21EE1982A9

Function 00674FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00675007
NULL Pointer assignment, xrefs: 0067502E, 00675383

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 855a49790bdee3c0f8062ebfa85c7085ad5dde2ca6a2a5d09409f4be7870f4a2
Instruction ID: d262cc5bb060198a255eaf3d1806e41972d5182b75c570391b9eb5ad651374a1
Opcode Fuzzy Hash: 855a49790bdee3c0f8062ebfa85c7085ad5dde2ca6a2a5d09409f4be7870f4a2
Instruction Fuzzy Hash: C5D1A271A0060A9FDB10CF58C881BEEB7B6BF48354F14C1A9E91AAB391E7B1DD45CB50

Function 00631522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,006317FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 006315CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00631651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,006317FB,?,006317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006316E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006316FB

Part of subcall function 00623820: RtlAllocateHeap.NTDLL(00000000,?,006C1444,?,0060FDF5,?,?,005FA976,00000010,006C1440,005F13FC,?,005F13C6,?,005F1129), ref: 00623852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,006317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00631777
__freea.LIBCMT ref: 006317A2
__freea.LIBCMT ref: 006317AE

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: a33dfa3795c2f3844d1974e7723ff18fa6bd925a0cf7f1d8540d3172a0962114
Instruction ID: 2443d64564c8093438d978f2f5e117567e81cc73c60530cdbd0e58d687551c3f
Opcode Fuzzy Hash: a33dfa3795c2f3844d1974e7723ff18fa6bd925a0cf7f1d8540d3172a0962114
Instruction Fuzzy Hash: 189170B1E102169ADF218FA4C891AEE7BB7DF4A720F184659E805EB241DB35DD418BE0

Function 00674523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00674648
VariantInit.OLEAUT32(?), ref: 00674749
VariantClear.OLEAUT32(?), ref: 00674753
VariantClear.OLEAUT32(?), ref: 006747B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0067472C
Null Object assignment in FOR..IN loop, xrefs: 006745D8, 00674706, 006747BE

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 1bb247b7db6c2731447a46a15328fafcd327293de361a327fbf5eb76231c0f36
Instruction ID: 84c740572820eab7a08f86ad9e09d6ac86212c9308dde84d549681251054c9bf
Opcode Fuzzy Hash: 1bb247b7db6c2731447a46a15328fafcd327293de361a327fbf5eb76231c0f36
Instruction Fuzzy Hash: 83917471A00219EBDF24CFA5C848FEE7BBAEF45714F108559F519AB280DB709941CFA0

Function 00661187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0066125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00661284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 006612A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006612D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0066135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006613C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00661430

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 777c594945ffca96908d8aac9da53994b9c6f6f2574ff7c77ebb9f4508cdbdb1
Instruction ID: 8ddd0b519530d0364420f0b17fc9d7c0c0977fa9d1f055fd9a0dd5ad40cc3941
Opcode Fuzzy Hash: 777c594945ffca96908d8aac9da53994b9c6f6f2574ff7c77ebb9f4508cdbdb1
Instruction Fuzzy Hash: 8D91B271900219AFDB00DFA4C895BBEB7BAFF46315F184029E501EB291D774A981CB94

Function 0060948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ed15910d6c2681e4f586aaa4705867aecd9f184eb1fa9546f640533824ebe1de
Instruction ID: f23d8c8083085d797c4a2847fe5fdc22ade1496c8ef0165e14d9f5eeaf45f0f0
Opcode Fuzzy Hash: ed15910d6c2681e4f586aaa4705867aecd9f184eb1fa9546f640533824ebe1de
Instruction Fuzzy Hash: 30914A71D40209EFCB15CFA9CC84AEEBBBAFF49320F144549E515B7291D375A942CB60

Function 00673947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0067396B
CharUpperBuffW.USER32(?,?), ref: 00673A7A
_wcslen.LIBCMT ref: 00673A8A
VariantClear.OLEAUT32(?), ref: 00673C1F

Part of subcall function 00660CDF: VariantInit.OLEAUT32(00000000), ref: 00660D1F
Part of subcall function 00660CDF: VariantCopy.OLEAUT32(?,?), ref: 00660D28
Part of subcall function 00660CDF: VariantClear.OLEAUT32(?), ref: 00660D34

Strings

Incorrect Parameter format, xrefs: 006739A6, 00673BA1
AUTOIT.ERROR, xrefs: 00673A80, 00673A85

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 69ef287518aa101b30b6dd692f98ef51d646000526880eebfbacb1bebab2b2ac
Instruction ID: 1b922eda22df45e6cbbb35bbe31c8d5d0660c1bec8d1f9a3ecb70e16269dfdac
Opcode Fuzzy Hash: 69ef287518aa101b30b6dd692f98ef51d646000526880eebfbacb1bebab2b2ac
Instruction Fuzzy Hash: FC919A756083059FC704EF24C48596ABBE6FF88714F14892DF98A9B351DB30EE45CB92

Function 00674BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0065000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0064FF41,80070057,?,?,?,0065035E), ref: 0065002B
Part of subcall function 0065000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0064FF41,80070057,?,?), ref: 00650046
Part of subcall function 0065000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0064FF41,80070057,?,?), ref: 00650054
Part of subcall function 0065000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0064FF41,80070057,?), ref: 00650064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00674C51
_wcslen.LIBCMT ref: 00674D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00674DCF
CoTaskMemFree.OLE32(?), ref: 00674DDA

Strings

NULL Pointer assignment, xrefs: 00674E23, 00674E52

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 292b17b18c3eba2e3df7de7bfa28ccef639311618dc8545a3d0ae08faf05bfe6
Instruction ID: 4f6462c1e584d6055f1f7e61e6a55398cec66246807d37ac91963d11c1cc02d0
Opcode Fuzzy Hash: 292b17b18c3eba2e3df7de7bfa28ccef639311618dc8545a3d0ae08faf05bfe6
Instruction Fuzzy Hash: 3F913871D0021DAFDF14DFA4C895AEEBBBAFF48310F108169E919A7241EB749A45CF60

Function 006820FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00682183
GetMenuItemCount.USER32(00000000), ref: 006821B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006821DD
_wcslen.LIBCMT ref: 00682213
GetMenuItemID.USER32(?,?), ref: 0068224D
GetSubMenu.USER32(?,?), ref: 0068225B

Part of subcall function 00653A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00653A57
Part of subcall function 00653A3D: GetCurrentThreadId.KERNEL32 ref: 00653A5E
Part of subcall function 00653A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006525B3), ref: 00653A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006822E3

Part of subcall function 0065E97B: Sleep.KERNEL32 ref: 0065E9F3

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: c9a82ce0b2002da3abd23702dff1221c6b7ffbf775c33093aea35e2e4d7f27aa
Instruction ID: 2da0f460280c56935febad6a48bda0f19febec8d501b25335836c9d8aeb32a2b
Opcode Fuzzy Hash: c9a82ce0b2002da3abd23702dff1221c6b7ffbf775c33093aea35e2e4d7f27aa
Instruction Fuzzy Hash: 1B719375E00206AFCB14EF64C855AAEBBF2FF88310F148569E956EB351D734EE418B90

Function 0065AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0065AEF9
GetKeyboardState.USER32(?), ref: 0065AF0E
SetKeyboardState.USER32(?), ref: 0065AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0065AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0065AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0065AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0065B020

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: fb03487fead02f0a76330f98beafd427d3e9191f0f2ead644bf3a4f1c6e64670
Instruction ID: f473469d74511230e052bb7c9b90d5ae0a6efdd5f2ce66ae3327c520415df8cb
Opcode Fuzzy Hash: fb03487fead02f0a76330f98beafd427d3e9191f0f2ead644bf3a4f1c6e64670
Instruction Fuzzy Hash: F15103B06047D53DFB364274CC45BFABEAA5B06305F088689E9D9455C2D3E8ACCCD761

Function 0065ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0065AD19
GetKeyboardState.USER32(?), ref: 0065AD2E
SetKeyboardState.USER32(?), ref: 0065AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0065ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0065ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0065AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0065AE38

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 26f816e0f617a20ec862a67aa4811d09ce6f513f1ccf70beb1e2ab5d7d5f3474
Instruction ID: 95f8e18518ca25ae5fe8d7c9cc170c243cd15b24cbd848f6599ca6cce77567e4
Opcode Fuzzy Hash: 26f816e0f617a20ec862a67aa4811d09ce6f513f1ccf70beb1e2ab5d7d5f3474
Instruction Fuzzy Hash: 3F5108B15047D53DFB3253B48C46BBABEAA6F05302F088788E5D5569C2D294EC8CE762

Function 0062542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00633CD6,?,?,?,?,?,?,?,?,00625BA3,?,?,00633CD6,?,?), ref: 00625470
__fassign.LIBCMT ref: 006254EB
__fassign.LIBCMT ref: 00625506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00633CD6,00000005,00000000,00000000), ref: 0062552C
WriteFile.KERNEL32(?,00633CD6,00000000,00625BA3,00000000,?,?,?,?,?,?,?,?,?,00625BA3,?), ref: 0062554B
WriteFile.KERNEL32(?,?,00000001,00625BA3,00000000,?,?,?,?,?,?,?,?,?,00625BA3,?), ref: 00625584

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 14c3ae0d0512691cda356c173d54bbe4b2961917801c180a27e41d40c4690f26
Instruction ID: 565eb28d119483b287aac890edcf443144284d4089b131115bfb8be8868001ff
Opcode Fuzzy Hash: 14c3ae0d0512691cda356c173d54bbe4b2961917801c180a27e41d40c4690f26
Instruction Fuzzy Hash: F051D870900A189FDB20CFA8E845AEEBBF6EF09310F14415AF556F7291D7309A41CF60

Function 006710B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0067304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0067307A
Part of subcall function 0067304E: _wcslen.LIBCMT ref: 0067309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00671112
WSAGetLastError.WSOCK32 ref: 00671121
WSAGetLastError.WSOCK32 ref: 006711C9
closesocket.WSOCK32(00000000), ref: 006711F9

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 18f3e54aef97198de10bc588e9d52e42948847dbd1d64edaff61c35c42b60c70
Instruction ID: 7c4f47f8a1b9b190cbd70248bb9c4705c5af7af2d019b5cafa4f679dc5c24eee
Opcode Fuzzy Hash: 18f3e54aef97198de10bc588e9d52e42948847dbd1d64edaff61c35c42b60c70
Instruction Fuzzy Hash: 8841E431600209AFDB109F58C844BE9BBEAFF46324F54C16AF9199F391D774AD41CBA0

Function 0065CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0065DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0065CF22,?), ref: 0065DDFD

Part of subcall function 0065DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0065CF22,?), ref: 0065DE16

lstrcmpiW.KERNEL32(?,?), ref: 0065CF45
MoveFileW.KERNEL32(?,?), ref: 0065CF7F
_wcslen.LIBCMT ref: 0065D005
_wcslen.LIBCMT ref: 0065D01B
SHFileOperationW.SHELL32(?), ref: 0065D061

Strings

\*.*, xrefs: 0065CFF3

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 186a01dd57aaf5afcb5fa413d1d2ad2ef0928e54c8a5ae78b59a13c0d79fdee9
Instruction ID: f16b1e137687527aeca86f2fc97a4e55446f12e2b75e2de07a2db530c3b83d98
Opcode Fuzzy Hash: 186a01dd57aaf5afcb5fa413d1d2ad2ef0928e54c8a5ae78b59a13c0d79fdee9
Instruction Fuzzy Hash: 404176718052195FDF62EFA4CD81ADEB7BAAF48381F0000EAE505EB141EB34A788CB54

Function 00682DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00682E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00682E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00682E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00682EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00682EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00682EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00682F0B

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 547e376a4893b3b95250bff734c928cbb2b49d7b35eb8bfa666d1bc8078c2658
Instruction ID: c216f75d1e6306bafe985b2859b0465605e289b2ce8542ea358018c6cfd384b8
Opcode Fuzzy Hash: 547e376a4893b3b95250bff734c928cbb2b49d7b35eb8bfa666d1bc8078c2658
Instruction Fuzzy Hash: 87313730644142AFDB21DF18DC98FA537E2FB4A720F141265FA008F2B2CB71AC80DB15

Function 00657726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00657769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0065778F
SysAllocString.OLEAUT32(00000000), ref: 00657792
SysAllocString.OLEAUT32(?), ref: 006577B0
SysFreeString.OLEAUT32(?), ref: 006577B9
StringFromGUID2.OLE32(?,?,00000028), ref: 006577DE
SysAllocString.OLEAUT32(?), ref: 006577EC

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: cbd0ccc88e9330a5430eb1ff740bcfc72b35f476d4c21f99cd631888aee9872c
Instruction ID: 58b98686f0fc26a27afcb0c24d5186e9902163da108948affb41de72a6244a6f
Opcode Fuzzy Hash: cbd0ccc88e9330a5430eb1ff740bcfc72b35f476d4c21f99cd631888aee9872c
Instruction Fuzzy Hash: F3219C76604219BFDB10DFA8EC88CFB77AEEB09364B008125FE04DB290D670DC858764

Function 006577FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00657842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00657868
SysAllocString.OLEAUT32(00000000), ref: 0065786B
SysAllocString.OLEAUT32 ref: 0065788C
SysFreeString.OLEAUT32 ref: 00657895
StringFromGUID2.OLE32(?,?,00000028), ref: 006578AF
SysAllocString.OLEAUT32(?), ref: 006578BD

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7c55b3107be0d8a8ea43f11c603a5fe3eba7320697ec51faeb75b96439848adc
Instruction ID: 154cbbedd877885a121925ebb4dfe0866c762fcc22b825a447734a35f37ce736
Opcode Fuzzy Hash: 7c55b3107be0d8a8ea43f11c603a5fe3eba7320697ec51faeb75b96439848adc
Instruction Fuzzy Hash: 1E217431604114BFDB109FA9EC8CDAA77EDEB09761B108235F915CB2A1D674DC45CB74

Function 006604D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 006604F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0066052E

Strings

nul, xrefs: 00660567

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: fd64bc2584360204da0c3a945f7bd70f486f7071dceb2d31af067b680961fac2
Instruction ID: c29fc16215a976612c95eb5f29844bb93e166c2276f6f874d82552951ec34978
Opcode Fuzzy Hash: fd64bc2584360204da0c3a945f7bd70f486f7071dceb2d31af067b680961fac2
Instruction Fuzzy Hash: FD217FB5500305AFEF209F29DD44A9B77B6AF44724F204A29F9A2E72E0E7709941CF20

Function 006605A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 006605C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00660601

Strings

nul, xrefs: 00660639

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: b5f1d7d3f0f864561a8f64fa4a43aa2e3fd4e76035c720eb33fd10e71e0f6794
Instruction ID: 3264934d0c00ccb18873ea6728dac6cca59f18c0cb0c2118bce4e2adac437ded
Opcode Fuzzy Hash: b5f1d7d3f0f864561a8f64fa4a43aa2e3fd4e76035c720eb33fd10e71e0f6794
Instruction Fuzzy Hash: F5218175500305ABEB209F69CC54A9B77E6AF95730F200B29F9A1E73E0D7B09961CB24

Function 006840AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 005F604C
Part of subcall function 005F600E: GetStockObject.GDI32(00000011), ref: 005F6060
Part of subcall function 005F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 005F606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00684112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0068411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0068412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00684139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00684145

Strings

Msctls_Progress32, xrefs: 006840E3

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 14c7c8a3adc7ebce9e89060f5d30e50335081a6141538c35dfeee87c36606da9
Instruction ID: dcd943302cfcbc2a622e2bef607669bc454277abc93f1925cdcaf2027b7c0fb5
Opcode Fuzzy Hash: 14c7c8a3adc7ebce9e89060f5d30e50335081a6141538c35dfeee87c36606da9
Instruction Fuzzy Hash: 3711D3B115021A7EEF109F64CC85EE77F5EEF09398F014210B618A2150CA769C61DBA4

Function 0062D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0062D7A3: _free.LIBCMT ref: 0062D7CC

_free.LIBCMT ref: 0062D82D

Part of subcall function 006229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0062D7D1,00000000,00000000,00000000,00000000,?,0062D7F8,00000000,00000007,00000000,?,0062DBF5,00000000), ref: 006229DE
Part of subcall function 006229C8: GetLastError.KERNEL32(00000000,?,0062D7D1,00000000,00000000,00000000,00000000,?,0062D7F8,00000000,00000007,00000000,?,0062DBF5,00000000,00000000), ref: 006229F0

_free.LIBCMT ref: 0062D838
_free.LIBCMT ref: 0062D843
_free.LIBCMT ref: 0062D897
_free.LIBCMT ref: 0062D8A2
_free.LIBCMT ref: 0062D8AD
_free.LIBCMT ref: 0062D8B8

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 2491efe933b7a0ea8b64cb6c32943772c77ec79fed4a0654c80777399500648d
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: DC117F71940F24BAD5A1BFB0EC07FCB7BDE6F04700F80082DB2D9A6092DA28F5454E55

Function 0065DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0065DA74
LoadStringW.USER32(00000000), ref: 0065DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0065DA91
LoadStringW.USER32(00000000), ref: 0065DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0065DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0065DAB9

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 2ee8d856d77f53db9c68c9fb9b34d6bbed59acd35dd12d0825c37768a7fecba4
Instruction ID: 65348a7059f188cbbeac0301bffd87719a91eb7a0680098fb015c06338749f25
Opcode Fuzzy Hash: 2ee8d856d77f53db9c68c9fb9b34d6bbed59acd35dd12d0825c37768a7fecba4
Instruction Fuzzy Hash: 8D0186F25002087FE710ABA4DD89EE7376DE708311F4055A6B746E2141E6749E844F74

Function 0066096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(017FE070,017FE070), ref: 0066097B
EnterCriticalSection.KERNEL32(017FE050,00000000), ref: 0066098D
TerminateThread.KERNEL32(00000004,000001F6), ref: 0066099B
WaitForSingleObject.KERNEL32(00000004,000003E8), ref: 006609A9
CloseHandle.KERNEL32(00000004), ref: 006609B8
InterlockedExchange.KERNEL32(017FE070,000001F6), ref: 006609C8
LeaveCriticalSection.KERNEL32(017FE050), ref: 006609CF

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 64eac82117e4698c057340aadba8f18db75b5809d96f922123b71f4cf2d2f9b4
Instruction ID: c899ab6dfb6c3459a4a2af2c457968d6b8088e849aca0345b437dff775558dd6
Opcode Fuzzy Hash: 64eac82117e4698c057340aadba8f18db75b5809d96f922123b71f4cf2d2f9b4
Instruction Fuzzy Hash: 35F0C932442A12BBE7515BA4EE8DAD6BB3ABF05722F403225F202908A1C7759565DFA0

Function 00671C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00671DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00671DE1
WSAGetLastError.WSOCK32 ref: 00671DF2
htons.WSOCK32(?,?,?,?,?), ref: 00671EDB
inet_ntoa.WSOCK32(?), ref: 00671E8C

Part of subcall function 006539E8: _strlen.LIBCMT ref: 006539F2

Part of subcall function 00673224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0066EC0C), ref: 00673240

_strlen.LIBCMT ref: 00671F35

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 830223788a69facfb4d5d4bb77ccc5fa665296068ff0b39adca8fbd695c5b522
Instruction ID: b46cb5282103e044762d2f4d994709ac7af1f3ab52dd802e87de952ced2dd2d2
Opcode Fuzzy Hash: 830223788a69facfb4d5d4bb77ccc5fa665296068ff0b39adca8fbd695c5b522
Instruction Fuzzy Hash: 2BB1CA70204301AFD324DF28C895E6A7BE6AF86318F54894DF55A4F3A2DB35ED42CB91

Function 006201B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 006200BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006200D6
__allrem.LIBCMT ref: 006200ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0062010B
__allrem.LIBCMT ref: 00620122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00620140

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 5165b028791b539ad022143883bf66c2a92d4b351bfe89647e2d07f55ce31574
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: BB81F572A00B169FE7209F68DC41BAA73EBAF41364F28452DF511DA392E7B0D9418B94

Function 006261FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006182D9,006182D9,?,?,?,0062644F,00000001,00000001,8BE85006), ref: 00626258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0062644F,00000001,00000001,8BE85006,?,?,?), ref: 006262DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006263D8
__freea.LIBCMT ref: 006263E5

Part of subcall function 00623820: RtlAllocateHeap.NTDLL(00000000,?,006C1444,?,0060FDF5,?,?,005FA976,00000010,006C1440,005F13FC,?,005F13C6,?,005F1129), ref: 00623852

__freea.LIBCMT ref: 006263EE
__freea.LIBCMT ref: 00626413

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: cce0ebefa67374a4f811c60f04297ee33b323887616d697afb34eb8898d965bc
Instruction ID: 748bbece390121b1d4161d14c35ab26ded63f68fa1bf69d525a344b155ad97f5
Opcode Fuzzy Hash: cce0ebefa67374a4f811c60f04297ee33b323887616d697afb34eb8898d965bc
Instruction Fuzzy Hash: CD51BE72600A26ABEB259F64EC81EEF76ABEF44750F154669F805D6280DB34DD40CBA0

Function 0067BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005F9CB3: _wcslen.LIBCMT ref: 005F9CBD

Part of subcall function 0067C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0067B6AE,?,?), ref: 0067C9B5
Part of subcall function 0067C998: _wcslen.LIBCMT ref: 0067C9F1
Part of subcall function 0067C998: _wcslen.LIBCMT ref: 0067CA68
Part of subcall function 0067C998: _wcslen.LIBCMT ref: 0067CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0067BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0067BD25
RegCloseKey.ADVAPI32(00000000), ref: 0067BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0067BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0067BDF3
RegCloseKey.ADVAPI32(?), ref: 0067BDFF

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 142cdfc8ee01b169a93ced4c7ebc772e3079e3cb95d1c5471de3f28077aae7bb
Instruction ID: f4abcbbce5a976463a4a37715eaff874ee4001bcad77e811922aaae799b7aeea
Opcode Fuzzy Hash: 142cdfc8ee01b169a93ced4c7ebc772e3079e3cb95d1c5471de3f28077aae7bb
Instruction Fuzzy Hash: 75819E70208241EFD714DF24C885E6ABBE6FF84348F14896CF5598B2A2DB31ED45CB92

Function 0064F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0064F7B9
SysAllocString.OLEAUT32(00000001), ref: 0064F860
VariantCopy.OLEAUT32(0064FA64,00000000), ref: 0064F889
VariantClear.OLEAUT32(0064FA64), ref: 0064F8AD
VariantCopy.OLEAUT32(0064FA64,00000000), ref: 0064F8B1
VariantClear.OLEAUT32(?), ref: 0064F8BB

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: bab1916f6ef16445afbce3417fbeafdf3c6d4418966f4b9c475e73957e561b65
Instruction ID: 94adaf7038f2f4b296edbd4fbb11e45abca5240fd50506601fb0f6c64f0a1510
Opcode Fuzzy Hash: bab1916f6ef16445afbce3417fbeafdf3c6d4418966f4b9c475e73957e561b65
Instruction Fuzzy Hash: FE51E631A00310FADF64AF65D895B79B3E6EF45310F24946BE905DF292DB708C41CBAA

Function 0066910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 005F7620: _wcslen.LIBCMT ref: 005F7625

Part of subcall function 005F6B57: _wcslen.LIBCMT ref: 005F6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 006694E5
_wcslen.LIBCMT ref: 00669506
_wcslen.LIBCMT ref: 0066952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00669585

Strings

X, xrefs: 00669412

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 86522d4f04c9573ac5e357c3a4b27ab6fe62f842da69e890d5dc814d4462cb10
Instruction ID: b0469372911b7cbf255ba90f3b00af14d56b2255702306db8268bf63f848d455
Opcode Fuzzy Hash: 86522d4f04c9573ac5e357c3a4b27ab6fe62f842da69e890d5dc814d4462cb10
Instruction Fuzzy Hash: 80E1B131504341DFD724DF24C885AAABBE6BF85310F04896DF9899B3A2DB35DD05CBA2

Function 0060920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00609BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00609BB2

BeginPaint.USER32(?,?,?), ref: 00609241
GetWindowRect.USER32(?,?), ref: 006092A5
ScreenToClient.USER32(?,?), ref: 006092C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 006092D3
EndPaint.USER32(?,?,?,?,?), ref: 00609321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 006471EA

Part of subcall function 00609339: BeginPath.GDI32(00000000), ref: 00609357

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 52c3a9a440ca577a101ab2898a1273350e5f61732ce442517762ec021925cdfc
Instruction ID: 1adcc530a69812faef78fd9caee057461e3b74b788b4e2d5405036b71ad7720a
Opcode Fuzzy Hash: 52c3a9a440ca577a101ab2898a1273350e5f61732ce442517762ec021925cdfc
Instruction Fuzzy Hash: DD419C70144200AFD721DF24CC88FBB7BABEB46320F140629F9A48B2E2C7719845DB71

Function 006607EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0066080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00660847
EnterCriticalSection.KERNEL32(?), ref: 00660863
LeaveCriticalSection.KERNEL32(?), ref: 006608DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 006608F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00660921

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 21f9181800dc4fae837feeb959b3c22b44bfe157a8ae4dd3eb3b8d7c3123662e
Instruction ID: 017c0fe922b7b72cef60b2cc73b382a47a50591af73b8db5a7a8e7ad5d4b6f48
Opcode Fuzzy Hash: 21f9181800dc4fae837feeb959b3c22b44bfe157a8ae4dd3eb3b8d7c3123662e
Instruction Fuzzy Hash: 82415771900205ABEF14EF54DC85AAB77BAFF44310F1441B9E9009B296DB70DEA4DBA4

Function 006881DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0064F3AB,00000000,?,?,00000000,?,0064682C,00000004,00000000,00000000), ref: 0068824C
EnableWindow.USER32(00000000,00000000), ref: 00688272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 006882D1
ShowWindow.USER32(00000000,00000004), ref: 006882E5
EnableWindow.USER32(00000000,00000001), ref: 0068830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0068832F

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 79a0ee708bed86a3e65d5c25183192ebdac29138dfc162540860ab028159886a
Instruction ID: db03a08a9cf65ce0f8a406d839e5e9750cd7f8b062040f343ee36b4fbd48ea83
Opcode Fuzzy Hash: 79a0ee708bed86a3e65d5c25183192ebdac29138dfc162540860ab028159886a
Instruction Fuzzy Hash: 45418334601644AFDB22EF55D8A9FE47BF2BB0A714F585369E5088F362CB31A941CB90

Function 00654C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00654C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00654CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00654CEA
_wcslen.LIBCMT ref: 00654D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00654D10
_wcsstr.LIBVCRUNTIME ref: 00654D1A

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 30d3aa3b201f0a92859caf951fee9e70ce9edd7fb283ab4cbf8bbe7e1a68fbe3
Instruction ID: 88d33f4f47a96f2f5ca001b246ada8fc33da655318d3163fc9c079047bb5e4f6
Opcode Fuzzy Hash: 30d3aa3b201f0a92859caf951fee9e70ce9edd7fb283ab4cbf8bbe7e1a68fbe3
Instruction Fuzzy Hash: 1F21D731204200BBEB255B25DC49EBB7BAADF45765F10417DFC05CA291EE61DC8597A0

Function 0066581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 005F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005F3A97,?,?,005F2E7F,?,?,?,00000000), ref: 005F3AC2

_wcslen.LIBCMT ref: 0066587B
CoInitialize.OLE32(00000000), ref: 00665995
CoCreateInstance.OLE32(0068FCF8,00000000,00000001,0068FB68,?), ref: 006659AE
CoUninitialize.OLE32 ref: 006659CC

Strings

.lnk, xrefs: 00665876, 006658C1, 00665985

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: bb680f52e1c81a3d7bf670240961686bc4761a8386ce20804cb1bbb51ab558ab
Instruction ID: add292f85503e66d406bc8a23d2305870cee814a33a0a62215aa9568ce4f35ef
Opcode Fuzzy Hash: bb680f52e1c81a3d7bf670240961686bc4761a8386ce20804cb1bbb51ab558ab
Instruction Fuzzy Hash: BED150706087069FC714DF24C495A6ABBE2FF89720F14895DF88A9B361DB31EC45CB92

Function 0065175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00650FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00650FCA
Part of subcall function 00650FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00650FD6
Part of subcall function 00650FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00650FE5
Part of subcall function 00650FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00650FEC
Part of subcall function 00650FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00651002

GetLengthSid.ADVAPI32(?,00000000,00651335), ref: 006517AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 006517BA
HeapAlloc.KERNEL32(00000000), ref: 006517C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 006517DA
GetProcessHeap.KERNEL32(00000000,00000000,00651335), ref: 006517EE
HeapFree.KERNEL32(00000000), ref: 006517F5

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 8a02e39bfe15697ba055ca002db127e55578c489b3c6f6485e6a8ea18089527f
Instruction ID: 11b0746e05c06c3ffc3972c8b2fdc288559f31edad40e19334970659046b8a00
Opcode Fuzzy Hash: 8a02e39bfe15697ba055ca002db127e55578c489b3c6f6485e6a8ea18089527f
Instruction Fuzzy Hash: CF119631500205FFDB109FA8DC89BEF77BAEF46366F104258F8819B210D7359948DB60

Function 006514CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006514FF
OpenProcessToken.ADVAPI32(00000000), ref: 00651506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00651515
CloseHandle.KERNEL32(00000004), ref: 00651520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0065154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00651563

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 2493f7033ae34c2342dd30572a4cb122d59df761ab8a03f68142616d43d758ee
Instruction ID: fd2bdd392b97b2f4610edf3aca8d688c547116c08385feee4bbe31d027cf3351
Opcode Fuzzy Hash: 2493f7033ae34c2342dd30572a4cb122d59df761ab8a03f68142616d43d758ee
Instruction Fuzzy Hash: 4611677210020ABBDB11CFA8ED09FDA3BAAEB49755F044124FE05A6160D3768E65EB60

Function 00613382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00613379,00612FE5), ref: 00613390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0061339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006133B7
SetLastError.KERNEL32(00000000,?,00613379,00612FE5), ref: 00613409

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6e7348904260c03be15b777ff3df9741fa63330bc96462f3643c3aebbef811cf
Instruction ID: 86d59fdff77520dcad216e33990cb6c0f37fe8a69f68242f6e0321f4d6a5748f
Opcode Fuzzy Hash: 6e7348904260c03be15b777ff3df9741fa63330bc96462f3643c3aebbef811cf
Instruction Fuzzy Hash: 4B01F532608331BEE7143B747C955D62A97DB15375328032DF422893F0EF124EC25598

Function 00622D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00625686,00633CD6,?,00000000,?,00625B6A,?,?,?,?,?,0061E6D1,?,006B8A48), ref: 00622D78
_free.LIBCMT ref: 00622DAB
_free.LIBCMT ref: 00622DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0061E6D1,?,006B8A48,00000010,005F4F4A,?,?,00000000,00633CD6), ref: 00622DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0061E6D1,?,006B8A48,00000010,005F4F4A,?,?,00000000,00633CD6), ref: 00622DEC
_abort.LIBCMT ref: 00622DF2

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 600a3075f90ec3c1d543a339ff1c7af60e023533d19f42fdf4a31f102e93856c
Instruction ID: 85b49386361ead8a966b8e82b6b62b4162ecd3689b8c49a31e8c9acb1c79af9a
Opcode Fuzzy Hash: 600a3075f90ec3c1d543a339ff1c7af60e023533d19f42fdf4a31f102e93856c
Instruction Fuzzy Hash: FEF0F436505E3277C3522738BC36E9A266BAFC1BB1B20091CF824922D2EF3489425E24

Function 00688A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00609639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00609693
Part of subcall function 00609639: SelectObject.GDI32(?,00000000), ref: 006096A2
Part of subcall function 00609639: BeginPath.GDI32(?), ref: 006096B9
Part of subcall function 00609639: SelectObject.GDI32(?,00000000), ref: 006096E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00688A4E
LineTo.GDI32(?,00000003,00000000), ref: 00688A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00688A70
LineTo.GDI32(?,00000000,00000003), ref: 00688A80
EndPath.GDI32(?), ref: 00688A90
StrokePath.GDI32(?), ref: 00688AA0

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: f765c96d2e31ae72dc3138b4a2e19b5eb5e6c6e7a1d58c1b5924062d742c8433
Instruction ID: c1fc485a590cd8a7702369bf2acf65579b143e09ea09a88cb9a3cb00a44ef14f
Opcode Fuzzy Hash: f765c96d2e31ae72dc3138b4a2e19b5eb5e6c6e7a1d58c1b5924062d742c8433
Instruction Fuzzy Hash: D111CC7604010DFFDB119F94DC88EAA7F6EEB053A4F048111BA159A1A1C7729D55DBB0

Function 006551FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00655218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00655229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00655230
ReleaseDC.USER32(00000000,00000000), ref: 00655238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0065524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00655261

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 7c63519444a80001962d661deee033b33bab506d62eb890589d888b54fe27e7c
Instruction ID: 3f5e5bd20d752ea3c9c20700424987ae8085b4fb9b1d4710931f76ba129f918e
Opcode Fuzzy Hash: 7c63519444a80001962d661deee033b33bab506d62eb890589d888b54fe27e7c
Instruction Fuzzy Hash: F3018F75A00708BBEB109BB59C49E4EBFB9EF48361F044165FA05E7280DA709904CBA0

Function 005F1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 005F1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 005F1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 005F1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 005F1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 005F1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 005F1C22

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 637331e5194e827eadbcb90887ce6dd5b78c3723d1687c75a6cbf3bb664f68a1
Instruction ID: d995a7a8b4f5861f4d8242df008c452c5559796697b438145abc2932ef1084ed
Opcode Fuzzy Hash: 637331e5194e827eadbcb90887ce6dd5b78c3723d1687c75a6cbf3bb664f68a1
Instruction Fuzzy Hash: D1016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 0065EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0065EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0065EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0065EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0065EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0065EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0065EB75

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 8b616f16f8992214029ca2539e0d3a4f97188152b44e341ef8d51cea336dc865
Instruction ID: 02e19d283201fac98fa0016c4e960d45faa7f1b1ce50dcac6c5c166a1da3f40f
Opcode Fuzzy Hash: 8b616f16f8992214029ca2539e0d3a4f97188152b44e341ef8d51cea336dc865
Instruction Fuzzy Hash: F3F05E72240558BBE7215B629C4EEEF3E7EEFCAB21F001268FA01D1191E7B05A41D7B5

Function 00647439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00647452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00647469
GetWindowDC.USER32(?), ref: 00647475
GetPixel.GDI32(00000000,?,?), ref: 00647484
ReleaseDC.USER32(?,00000000), ref: 00647496
GetSysColor.USER32(00000005), ref: 006474B0

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: f545a789288ec32cf587ae04f12faae1de179b7a8a7bb7124306e7c1f59bd3cb
Instruction ID: d6b7e5a2838b053d81223779ef32dfdbde4ff3ce972069c916d4b56722a612fa
Opcode Fuzzy Hash: f545a789288ec32cf587ae04f12faae1de179b7a8a7bb7124306e7c1f59bd3cb
Instruction Fuzzy Hash: 8C012831400215FFDB615FA4EC08BAA7BB7FB04321F515664F915A21A1CB312E51AB61

Function 00651874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0065187F
UnloadUserProfile.USERENV(?,?), ref: 0065188B
CloseHandle.KERNEL32(?), ref: 00651894
CloseHandle.KERNEL32(?), ref: 0065189C
GetProcessHeap.KERNEL32(00000000,?), ref: 006518A5
HeapFree.KERNEL32(00000000), ref: 006518AC

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 81840a0517914ff7599c1425712b67ab5a30ef57e382d68eb487ab5422b2dfcb
Instruction ID: a23ee9f59f671a508ca0b64b43e37f1b3ba872cec091c0220536238eff8c936b
Opcode Fuzzy Hash: 81840a0517914ff7599c1425712b67ab5a30ef57e382d68eb487ab5422b2dfcb
Instruction Fuzzy Hash: D7E0C236004901BBDB015BA1ED0CD0ABB3AFB49B32B109320F32581474CB329421EB60

Function 005FBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005FBEB3

Strings

D%lD%l, xrefs: 005FBCA5
D%l, xrefs: 005FBCA2
D%l, xrefs: 005FBDED, 005FBD91, 005FBD1B
D%l, xrefs: 005FBE9A

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%l$D%l$D%l$D%lD%l
API String ID: 1385522511-2840419919
Opcode ID: 6ba3c4c861848b384f7ce979b16fc5f1c9bc529cbb5d0d269558918e2c06ef71
Instruction ID: 7afb5a68d51d14179dc1c3d192d0548ffab352fcbde234ad1de1ed43dcd127a9
Opcode Fuzzy Hash: 6ba3c4c861848b384f7ce979b16fc5f1c9bc529cbb5d0d269558918e2c06ef71
Instruction Fuzzy Hash: C9913875A0020ACFDB18CF58C090ABABBF2FF58310B64856EDA45AB351D735ED81CB91

Function 00677B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00610242: EnterCriticalSection.KERNEL32(006C070C,006C1884,?,?,0060198B,006C2518,?,?,?,005F12F9,00000000), ref: 0061024D
Part of subcall function 00610242: LeaveCriticalSection.KERNEL32(006C070C,?,0060198B,006C2518,?,?,?,005F12F9,00000000), ref: 0061028A

Part of subcall function 005F9CB3: _wcslen.LIBCMT ref: 005F9CBD

Part of subcall function 006100A3: __onexit.LIBCMT ref: 006100A9

__Init_thread_footer.LIBCMT ref: 00677BFB

Part of subcall function 006101F8: EnterCriticalSection.KERNEL32(006C070C,?,?,00608747,006C2514), ref: 00610202
Part of subcall function 006101F8: LeaveCriticalSection.KERNEL32(006C070C,?,00608747,006C2514), ref: 00610235

Strings

Variable must be of type 'Object'., xrefs: 00677C3A
G, xrefs: 00677C7F
5, xrefs: 00677C78
+Td, xrefs: 00677E2E

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +Td$5$G$Variable must be of type 'Object'.
API String ID: 535116098-1213845825
Opcode ID: d86d6e9f2a19cd072dce7e5cd8ba4909153ba95d40fe6a8b7988c9f84c42e4fe
Instruction ID: 9e9f91a3323e6f281680e4d44819fa8a637281033ec4e6d7d3ccc7deeb12de04
Opcode Fuzzy Hash: d86d6e9f2a19cd072dce7e5cd8ba4909153ba95d40fe6a8b7988c9f84c42e4fe
Instruction Fuzzy Hash: A8914870A04209AFCB15EF94D9959BDBBB2FF48304F14805DF80A9B392DB71AE81CB51

Function 0065C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005F7620: _wcslen.LIBCMT ref: 005F7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0065C6EE
_wcslen.LIBCMT ref: 0065C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0065C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0065C7CA

Strings

0, xrefs: 0065C6AF

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 8c27aa73aa939682a8bcda09dd89b7dd3fd73a5dd19258071dbf29be3d6c2337
Instruction ID: a2aab11349ab3b1c4379704673c4d6d918dbc30aaa6813df7e90475c9c3f8cb7
Opcode Fuzzy Hash: 8c27aa73aa939682a8bcda09dd89b7dd3fd73a5dd19258071dbf29be3d6c2337
Instruction Fuzzy Hash: A751DE716043019FD7149F28C884BABBBE6EF8A321F040A2DFD95D36D1DB74D9088B92

Function 0067AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0067AEA3

Part of subcall function 005F7620: _wcslen.LIBCMT ref: 005F7625

GetProcessId.KERNEL32(00000000), ref: 0067AF38
CloseHandle.KERNEL32(00000000), ref: 0067AF67

Strings

<, xrefs: 0067AE6B
@, xrefs: 0067AE72

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 973392c04b5b91f4d357e6b5b2eeedd5bec91aa0e0102f3e15c8eb7a473a2847
Instruction ID: e7a1b5aef473575049e05a4b242f102d43995d84418797d892d5089b4181ed7a
Opcode Fuzzy Hash: 973392c04b5b91f4d357e6b5b2eeedd5bec91aa0e0102f3e15c8eb7a473a2847
Instruction Fuzzy Hash: 20717D70A00619DFCB14DFA4C484AAEBBF1FF88310F048499E85AAB352D778ED45CB91

Function 0065719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00657206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0065723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0065724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 006572CF

Strings

DllGetClassObject, xrefs: 00657242

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: b24c210501fd7cb0aa302ee3435aebbf0ed65f4018b7bf7f01c116b4a4f49a1f
Instruction ID: 0a4e71b35afd1cc3198c06055442dc6d2de6aa3dffff41b101dc83b605e954fe
Opcode Fuzzy Hash: b24c210501fd7cb0aa302ee3435aebbf0ed65f4018b7bf7f01c116b4a4f49a1f
Instruction Fuzzy Hash: 0F4152B1604204EFDB15CF54D884A9A7BBAEF44311F1581ADFD059F20AD7B1DE49CBA0

Function 00682F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00682F8D
LoadLibraryW.KERNEL32(?), ref: 00682F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00682FA9
DestroyWindow.USER32(?), ref: 00682FB1

Strings

SysAnimate32, xrefs: 00682F68

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: e7006c055064ff9b9b9e3f758b48261ffaabb2b7e57a7e183047d4356d08f724
Instruction ID: 06d8cab1f9f043620d185e4c77be0740e46fc3e2d051f9d39d28a6554151ec25
Opcode Fuzzy Hash: e7006c055064ff9b9b9e3f758b48261ffaabb2b7e57a7e183047d4356d08f724
Instruction Fuzzy Hash: 89219A7124420ABBEB206F64DCA4EBB37BAEF59764F100328FA50D6290D771DC91D760

Function 00614D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00614D1E,006228E9,?,00614CBE,006228E9,006B88B8,0000000C,00614E15,006228E9,00000002), ref: 00614D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00614DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00614D1E,006228E9,?,00614CBE,006228E9,006B88B8,0000000C,00614E15,006228E9,00000002,00000000), ref: 00614DC3

Strings

mscoree.dll, xrefs: 00614D86
CorExitProcess, xrefs: 00614D98

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 495a03414df29fea0fd912a157c16167ca5b1a1f01f382d1e5b224dcebb65782
Instruction ID: 8d2efb78300aa55e7820d1082834c37e40ef9bb674117e42af2e122fca621618
Opcode Fuzzy Hash: 495a03414df29fea0fd912a157c16167ca5b1a1f01f382d1e5b224dcebb65782
Instruction Fuzzy Hash: 9AF0A430940208BBDF105F90DC49BDDBFBAEF44722F040158F805A2650CF305984DB90

Function 005F4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,005F4EDD,?,006C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005F4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005F4EAE
FreeLibrary.KERNEL32(00000000,?,?,005F4EDD,?,006C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005F4EC0

Strings

kernel32.dll, xrefs: 005F4E94
Wow64DisableWow64FsRedirection, xrefs: 005F4EA8

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: ad6538b68e7fd1cf47d8ca0d1abf94b9fa16f6a7fea551461efb4474f628740b
Instruction ID: efac2ca06af037bd833d4fe6a29e3c97d87021df17e495b85cd5ff27499f9d71
Opcode Fuzzy Hash: ad6538b68e7fd1cf47d8ca0d1abf94b9fa16f6a7fea551461efb4474f628740b
Instruction Fuzzy Hash: 05E08636A015226BD3322B257C5CB6B6959BF81F727050215FF00E2200DB74CD0586B1

Function 005F4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00633CDE,?,006C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005F4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005F4E74
FreeLibrary.KERNEL32(00000000,?,?,00633CDE,?,006C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005F4E87

Strings

kernel32.dll, xrefs: 005F4E5B
Wow64RevertWow64FsRedirection, xrefs: 005F4E6E

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: d2eeb90f22e7650ec30ab5607b0bb7a38c0b1cbab05847532ad1d08bfe2c3199
Instruction ID: 1e93a041ad2c595f785704f6a26311a5737cd606003df7a8281957d844c4cf47
Opcode Fuzzy Hash: d2eeb90f22e7650ec30ab5607b0bb7a38c0b1cbab05847532ad1d08bfe2c3199
Instruction Fuzzy Hash: 30D0EC36602A216797221B257C1CE9B6A1EBF85B613460715AA45A2115CB78CD058BB1

Function 00662947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00662C05
DeleteFileW.KERNEL32(?), ref: 00662C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00662C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00662CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00662CC0

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 66c3712c82896bb68779b2e685d0f17f521db71153932800aa3e689c6f37d88c
Instruction ID: e29feb0ae956d4a4d307114b613d6a2d6a1b334afd31b816c443caec673ae515
Opcode Fuzzy Hash: 66c3712c82896bb68779b2e685d0f17f521db71153932800aa3e689c6f37d88c
Instruction Fuzzy Hash: 1EB17271D0051EABDF51DBA4CC99EDEBBBEEF48310F0040AAF609E6141EA319B448F65

Function 0067A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0067A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0067A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0067A468
CloseHandle.KERNEL32(?), ref: 0067A63D

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 35e65a866602cd6dfdcebb7704cdeb67e9a6d166067ba702a22843ddc1acaa54
Instruction ID: 95c25533bd3c307cdedfdc23103bbfa4f20ebd0f7fa712383d99ae064ae7ffb4
Opcode Fuzzy Hash: 35e65a866602cd6dfdcebb7704cdeb67e9a6d166067ba702a22843ddc1acaa54
Instruction Fuzzy Hash: 4BA18171604301AFE720DF24C886F2ABBE6AF84714F14895DF59A9B3D2D774EC418B92

Function 0062BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00693700), ref: 0062BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,006C121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0062BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,006C1270,000000FF,?,0000003F,00000000,?), ref: 0062BC36
_free.LIBCMT ref: 0062BB7F

Part of subcall function 006229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0062D7D1,00000000,00000000,00000000,00000000,?,0062D7F8,00000000,00000007,00000000,?,0062DBF5,00000000), ref: 006229DE
Part of subcall function 006229C8: GetLastError.KERNEL32(00000000,?,0062D7D1,00000000,00000000,00000000,00000000,?,0062D7F8,00000000,00000007,00000000,?,0062DBF5,00000000,00000000), ref: 006229F0

_free.LIBCMT ref: 0062BD4B

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 6bf69a32ff07495306ed09fb7597bfb103ecf8c37c9e849a8a23d8eeff0de6e3
Instruction ID: 5fc80c214cdca74fedc51b32c17273dbf03267cf2cace07a08899333a70ddbba
Opcode Fuzzy Hash: 6bf69a32ff07495306ed09fb7597bfb103ecf8c37c9e849a8a23d8eeff0de6e3
Instruction Fuzzy Hash: 0D51FB71900629AFCB10EF65AC819FEB7BFEF46320B10526EE554D7291DB309E818F54

Function 0065E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0065DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0065CF22,?), ref: 0065DDFD

Part of subcall function 0065DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0065CF22,?), ref: 0065DE16

Part of subcall function 0065E199: GetFileAttributesW.KERNEL32(?,0065CF95), ref: 0065E19A

lstrcmpiW.KERNEL32(?,?), ref: 0065E473
MoveFileW.KERNEL32(?,?), ref: 0065E4AC
_wcslen.LIBCMT ref: 0065E5EB
_wcslen.LIBCMT ref: 0065E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0065E650

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 197ae4b460f3b0ba19061de82d56bcf67832223a5656eb88057871c72439ae8f
Instruction ID: 85c7e229642336fcc7aa656601f61348455c2ff0d496ce90894667f4f84077fe
Opcode Fuzzy Hash: 197ae4b460f3b0ba19061de82d56bcf67832223a5656eb88057871c72439ae8f
Instruction Fuzzy Hash: F15193B24087455BCB68DB90CC819DFB3EDAF84341F00491EFA89D3191EF35A68C876A

Function 0067B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005F9CB3: _wcslen.LIBCMT ref: 005F9CBD

Part of subcall function 0067C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0067B6AE,?,?), ref: 0067C9B5
Part of subcall function 0067C998: _wcslen.LIBCMT ref: 0067C9F1
Part of subcall function 0067C998: _wcslen.LIBCMT ref: 0067CA68
Part of subcall function 0067C998: _wcslen.LIBCMT ref: 0067CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0067BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0067BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0067BB63
RegCloseKey.ADVAPI32(?,?), ref: 0067BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0067BBB3

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: ea64a14688267400218c472ad01628df4e00ca3f22781f5433a34026ae3e3edb
Instruction ID: a819c818203dd986cacea80d8e3e676019587539163b194c7fc4163bceac7a60
Opcode Fuzzy Hash: ea64a14688267400218c472ad01628df4e00ca3f22781f5433a34026ae3e3edb
Instruction Fuzzy Hash: 6661AD31208245AFD314DF24C494F6ABBE6FF84348F14996CF4998B2A2DB31ED45CB92

Function 00658BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00658BCD
VariantClear.OLEAUT32 ref: 00658C3E
VariantClear.OLEAUT32 ref: 00658C9D
VariantClear.OLEAUT32(?), ref: 00658D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00658D3B

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 9fa5b8061564cfe9ddab01f42e99a3b5e0447ee900169497bbf9d1777efdc333
Instruction ID: a4f147ca8c9cb3a87701fe43b67ef0c4f136e30cbfb81609bb6cc3d1cd4d162e
Opcode Fuzzy Hash: 9fa5b8061564cfe9ddab01f42e99a3b5e0447ee900169497bbf9d1777efdc333
Instruction Fuzzy Hash: DF5149B5A00619EFCB14CF68C894AAAB7F9FF89310F158559E905EB350E730E911CBA0

Function 00668AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00668BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00668BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00668C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00668C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00668C5F

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 3ab379cf1eb96e8e7a7505583916fe2a953875318de59f178948b83db92c15ff
Instruction ID: f68c00c4787a69c7bb2bbab7d19be0dfa18bd932ba587c6d469ccd0744449aca
Opcode Fuzzy Hash: 3ab379cf1eb96e8e7a7505583916fe2a953875318de59f178948b83db92c15ff
Instruction Fuzzy Hash: CB515035A00219AFCB14DF64C884E6DBBF6FF48314F048458E949AB3A2DB35ED45CB90

Function 00678EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00678F40
GetProcAddress.KERNEL32(00000000,?), ref: 00678FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00678FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00679032
FreeLibrary.KERNEL32(00000000), ref: 00679052

Part of subcall function 0060F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00661043,?,7735E610), ref: 0060F6E6
Part of subcall function 0060F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0064FA64,00000000,00000000,?,?,00661043,?,7735E610,?,0064FA64), ref: 0060F70D

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: eef14c8d36d29b4486d72c3197e7a1f2baf0f3e1e828143052738114dbc998b8
Instruction ID: 5ff91dff5cc1758e3d7d9241adf05343f49e71ff1810d8937a614d01a01aced8
Opcode Fuzzy Hash: eef14c8d36d29b4486d72c3197e7a1f2baf0f3e1e828143052738114dbc998b8
Instruction Fuzzy Hash: AF513A34600209DFCB15DF54C4989ADBBF2FF89364F048099E9099B362DB35ED86CB90

Function 00686B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00686C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00686C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00686C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0066AB79,00000000,00000000), ref: 00686C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00686CC7

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 55d22edc2fc5828775716deacfc9b206a21e01a85b55e0e3ff16fac950e75d98
Instruction ID: d1a7dc0722cbe1bc3d1699e6b9301c497f6ecacfb4427605575b3d038b7cd0d5
Opcode Fuzzy Hash: 55d22edc2fc5828775716deacfc9b206a21e01a85b55e0e3ff16fac950e75d98
Instruction Fuzzy Hash: 6041AD75A04104AFDB24EF28CC58FE97BA6EB0A360F140368F899A73A0C371AD51CB50

Function 00622051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006220C3
_free.LIBCMT ref: 006220E3

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3aedc582e6f573bb3c3e97ed0268c0a4274f5c053fdeb6ab50a231b5350657b3
Instruction ID: aec7cfd7f85987ab3d5a413b71057933766848bc213d815f1a06dcf67f4da2eb
Opcode Fuzzy Hash: 3aedc582e6f573bb3c3e97ed0268c0a4274f5c053fdeb6ab50a231b5350657b3
Instruction Fuzzy Hash: 3741E472A00611AFCB24DF78D890A9EB3A6EF88314F154568EA15EB391DB31AD01CB80

Function 0060912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00609141
ScreenToClient.USER32(00000000,?), ref: 0060915E
GetAsyncKeyState.USER32(00000001), ref: 00609183
GetAsyncKeyState.USER32(00000002), ref: 0060919D

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 74371194a75a80eb59bf03a23c873e73ae6e813d9db637c4a78346874d8b3f87
Instruction ID: 03e53515fab8e39fc9047057c568d497768aa7df97977b4af6082e2b6358d8c3
Opcode Fuzzy Hash: 74371194a75a80eb59bf03a23c873e73ae6e813d9db637c4a78346874d8b3f87
Instruction Fuzzy Hash: 1A415E71A0860AFBDF199F64C844BEEB776FF05324F248269E425A72D1C7306950CBA1

Function 00663874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 006638CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00663922
TranslateMessage.USER32(?), ref: 0066394B
DispatchMessageW.USER32(?), ref: 00663955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00663966

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 827585e7fdd9da7e10c5da6a16ee03470556e57fcbd0083df299586d7dd05e42
Instruction ID: b46c03c5cafadb50f5ca7af6bf42acccb6378aca367b359c392ac91c43b6df15
Opcode Fuzzy Hash: 827585e7fdd9da7e10c5da6a16ee03470556e57fcbd0083df299586d7dd05e42
Instruction Fuzzy Hash: EC31A670904366AEEB35CB34D848FF637AAEB06304F04166DE456C63A1F7B49A85CF21

Function 0066CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0066C21E,00000000), ref: 0066CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0066CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0066C21E,00000000), ref: 0066CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0066C21E,00000000), ref: 0066CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0066C21E,00000000), ref: 0066CFF2

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 2c792637ecdfc80f712f249fc843e9f9c41f48c775af1fc3f05c38037107cf62
Instruction ID: e212b07bb3cd99d55eef0ad1ac258f32d4db9e1a310340e9a08cb9be2fed0b88
Opcode Fuzzy Hash: 2c792637ecdfc80f712f249fc843e9f9c41f48c775af1fc3f05c38037107cf62
Instruction Fuzzy Hash: D4313A71600A05BFDB24DFA5D8849BBBBFBEF54360B10442EF556D2241DB30AE419B60

Function 00651901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00651915
PostMessageW.USER32(00000001,00000201,00000001), ref: 006519C1
Sleep.KERNEL32(00000000,?,?,?), ref: 006519C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 006519DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 006519E2

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 5b7fca7419993517ce830bd61a9b18444ed29d674b1cb11d43ee9f8d7ebe7a4a
Instruction ID: e2dc6e9f01e717f353a75a7639fdce931c79da3b75c593843612e2250215fed5
Opcode Fuzzy Hash: 5b7fca7419993517ce830bd61a9b18444ed29d674b1cb11d43ee9f8d7ebe7a4a
Instruction Fuzzy Hash: 9F31AF71900219EFCB00CFA8C999BDE7BB6EB45325F104229FD61AB2D1C7709948DB90

Function 00685706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00685745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0068579D
_wcslen.LIBCMT ref: 006857AF
_wcslen.LIBCMT ref: 006857BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00685816

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 6b5914aa7e1b3926dd555b0b90ff52442adbd01bc022624e354fe97384b4e794
Instruction ID: 0e984c62cba14f91b44358b24c43bd69026022965ba768d771cab8c76ca58c73
Opcode Fuzzy Hash: 6b5914aa7e1b3926dd555b0b90ff52442adbd01bc022624e354fe97384b4e794
Instruction Fuzzy Hash: 60218575904618AADF20AF60CC85AEDB7BAFF05724F108316E92AEB290D77089C5CF50

Function 00670930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00670951
GetForegroundWindow.USER32 ref: 00670968
GetDC.USER32(00000000), ref: 006709A4
GetPixel.GDI32(00000000,?,00000003), ref: 006709B0
ReleaseDC.USER32(00000000,00000003), ref: 006709E8

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: b0fc0ce7c6751b14ab7aa618d7a2d4bff759655a717b421177fcf8a39415b8e1
Instruction ID: 726bac268963b0400b2a269ad54681545acf3cda409d96c3aa179fdc9d08e42b
Opcode Fuzzy Hash: b0fc0ce7c6751b14ab7aa618d7a2d4bff759655a717b421177fcf8a39415b8e1
Instruction Fuzzy Hash: 16218135600204EFE714EF65D988AAEBBE6FF44710F04817CE94A97352DB34AC44CBA0

Function 0062CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0062CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0062CDE9

Part of subcall function 00623820: RtlAllocateHeap.NTDLL(00000000,?,006C1444,?,0060FDF5,?,?,005FA976,00000010,006C1440,005F13FC,?,005F13C6,?,005F1129), ref: 00623852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0062CE0F
_free.LIBCMT ref: 0062CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0062CE31

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 46c363187dac6da5fcbb4005506c35fd6d7e505dd29b19ab9c047e3e67eae937
Instruction ID: 4ce5326a85608920e40921468d7ffa3d1282a804604bed0cc15dad0e8a96ffbe
Opcode Fuzzy Hash: 46c363187dac6da5fcbb4005506c35fd6d7e505dd29b19ab9c047e3e67eae937
Instruction Fuzzy Hash: 4A01D872601A357FA321167A7C8CCBF696FDEC6BB1316022DF945D7200DA718D028AB1

Function 00609639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00609693
SelectObject.GDI32(?,00000000), ref: 006096A2
BeginPath.GDI32(?), ref: 006096B9
SelectObject.GDI32(?,00000000), ref: 006096E2

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c3d2058dad5b2eef63d3dea39de4c682d5e2977507448ff14a7d2cc248cadf31
Instruction ID: 19fd7934d02980b95a999ae6224aff642a72b8449b2031dfa515f4507bd41334
Opcode Fuzzy Hash: c3d2058dad5b2eef63d3dea39de4c682d5e2977507448ff14a7d2cc248cadf31
Instruction Fuzzy Hash: 48217170851305EBEB159F24EC18BFA3BA7BB43765F101216F4109B1E2D3719851CBE4

Function 00655711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00655726
_memcmp.LIBVCRUNTIME ref: 00655744
_memcmp.LIBVCRUNTIME ref: 00655757
_memcmp.LIBVCRUNTIME ref: 0065576F
_memcmp.LIBVCRUNTIME ref: 00655787

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 54f3d6d8e4108fef419025a2d2b5840163e52f9f3df198c6baff2084dad9a7dc
Instruction ID: c769eca1f221aa6625cd457714d813ccc167cd9a61bb486bb9827b4bc3c9e7cb
Opcode Fuzzy Hash: 54f3d6d8e4108fef419025a2d2b5840163e52f9f3df198c6baff2084dad9a7dc
Instruction Fuzzy Hash: 57012861341609BBD20862119DA6FFB735F9F25396F150024FE069F341FB20EE5583E4

Function 00622DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0061F2DE,00623863,006C1444,?,0060FDF5,?,?,005FA976,00000010,006C1440,005F13FC,?,005F13C6), ref: 00622DFD
_free.LIBCMT ref: 00622E32
_free.LIBCMT ref: 00622E59
SetLastError.KERNEL32(00000000,005F1129), ref: 00622E66
SetLastError.KERNEL32(00000000,005F1129), ref: 00622E6F

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 160c932188c76ddb5406cedb3d2236545579ef2b75a308ee54fe75c2ed7252bf
Instruction ID: 5e1b1fac4db73b3fcf163dab7aaf2bd093234ee4fa58a40a177462407f3e1918
Opcode Fuzzy Hash: 160c932188c76ddb5406cedb3d2236545579ef2b75a308ee54fe75c2ed7252bf
Instruction Fuzzy Hash: DC012632205E33B7C71223383C96DBB166FABD1771722012CF451A22D2EB348C026D20

Function 0065000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0064FF41,80070057,?,?,?,0065035E), ref: 0065002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0064FF41,80070057,?,?), ref: 00650046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0064FF41,80070057,?,?), ref: 00650054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0064FF41,80070057,?), ref: 00650064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0064FF41,80070057,?,?), ref: 00650070

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: dcc465858e3ddbfe7f2781398a265f69b570eee33beaf4e2f7311a68f909c6c1
Instruction ID: bb53a202007157526c5e4b4f4df72693317b1d3e86d819527d04e99289d478fc
Opcode Fuzzy Hash: dcc465858e3ddbfe7f2781398a265f69b570eee33beaf4e2f7311a68f909c6c1
Instruction Fuzzy Hash: 1701ADB2600204BFEB204F68DC04BAA7EEFEF487A2F145224FD05D2250E771DD448BA0

Function 0065E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0065E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0065E9A5
Sleep.KERNEL32(00000000), ref: 0065E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0065E9B7
Sleep.KERNEL32 ref: 0065E9F3

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 1e1b3beaac02916e4a407a4b85a5881fc7a8ccf8217761033555ee7a2545e707
Instruction ID: d0e9205fbe4a6a1997df85eb2200eac4a6b64f95c1476adaa80fcac85b781883
Opcode Fuzzy Hash: 1e1b3beaac02916e4a407a4b85a5881fc7a8ccf8217761033555ee7a2545e707
Instruction Fuzzy Hash: B1016D31C01529EBCF04AFE4DC996DDBB7AFF09312F000646E952B2240DB359659CBA1

Function 006510F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00651114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00650B9B,?,?,?), ref: 00651120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00650B9B,?,?,?), ref: 0065112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00650B9B,?,?,?), ref: 00651136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0065114D

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: ea3a94986d17d7dc5419c9646d186da87094cbec4a9c567afe0c09b4a3ae2514
Instruction ID: 90f6d175c2c03733d47a0d6970073ef8b83215fb0231489d1836e1b962b21468
Opcode Fuzzy Hash: ea3a94986d17d7dc5419c9646d186da87094cbec4a9c567afe0c09b4a3ae2514
Instruction Fuzzy Hash: F3014675200605BFDB114BA4EC89AAA3B6EEF8A3A1B210458FA41C6360DB31DC009B70

Function 00650FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00650FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00650FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00650FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00650FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00651002

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 42a546a151c95830797cb3a8a57a1e7984fc05381e1bdefc53ff51b7fded89a0
Instruction ID: 32e4a37677c8e68305099de6b142ec242506a46cb17088c3b98619fc6a65edac
Opcode Fuzzy Hash: 42a546a151c95830797cb3a8a57a1e7984fc05381e1bdefc53ff51b7fded89a0
Instruction Fuzzy Hash: E0F04935201311BBDB214FA4EC8DF963BAEEF8A762F504514FA45CA291CA71DC808B70

Function 00651014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0065102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00651036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00651045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0065104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00651062

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8bba0b8ea09e6666244d268eeb1d88665f8ffd6cff3a214345ff21fe3abd32af
Instruction ID: 9e9c08cef9356a139699a923f61988d306f5ed5f5920bf6149f743dfade6b387
Opcode Fuzzy Hash: 8bba0b8ea09e6666244d268eeb1d88665f8ffd6cff3a214345ff21fe3abd32af
Instruction Fuzzy Hash: C6F04935200315BBDB215FA4EC89F963BAEEF8A762F200514FA45CA290CA71D8808B70

Function 0066030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0066017D,?,006632FC,?,00000001,00632592,?), ref: 00660324
CloseHandle.KERNEL32(?,?,?,?,0066017D,?,006632FC,?,00000001,00632592,?), ref: 00660331
CloseHandle.KERNEL32(?,?,?,?,0066017D,?,006632FC,?,00000001,00632592,?), ref: 0066033E
CloseHandle.KERNEL32(?,?,?,?,0066017D,?,006632FC,?,00000001,00632592,?), ref: 0066034B
CloseHandle.KERNEL32(?,?,?,?,0066017D,?,006632FC,?,00000001,00632592,?), ref: 00660358
CloseHandle.KERNEL32(?,?,?,?,0066017D,?,006632FC,?,00000001,00632592,?), ref: 00660365

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 460d99040cb5833fd61e9eefbeb790867dd51fbef8a56d64adcf1442a4988c11
Instruction ID: 5ee2d19c3657a44ae8600374c933f1ff7583efbb50c4d8d86232adb716cd847b
Opcode Fuzzy Hash: 460d99040cb5833fd61e9eefbeb790867dd51fbef8a56d64adcf1442a4988c11
Instruction Fuzzy Hash: 50019076800B169FD7319F66D880853F7F6BE502163158A3ED19662A31C371A955DF80

Function 0062D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0062D752

Part of subcall function 006229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0062D7D1,00000000,00000000,00000000,00000000,?,0062D7F8,00000000,00000007,00000000,?,0062DBF5,00000000), ref: 006229DE
Part of subcall function 006229C8: GetLastError.KERNEL32(00000000,?,0062D7D1,00000000,00000000,00000000,00000000,?,0062D7F8,00000000,00000007,00000000,?,0062DBF5,00000000,00000000), ref: 006229F0

_free.LIBCMT ref: 0062D764
_free.LIBCMT ref: 0062D776
_free.LIBCMT ref: 0062D788
_free.LIBCMT ref: 0062D79A

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fdb39166b2d2dd50f3e135101986dd6133c545c9e3bfd6a93983eb03ebb8cc08
Instruction ID: 3230933b4adb32e577e6ce36cb6d7ba23a39a448f1292c6a356b78242ae8a9ef
Opcode Fuzzy Hash: fdb39166b2d2dd50f3e135101986dd6133c545c9e3bfd6a93983eb03ebb8cc08
Instruction Fuzzy Hash: 6BF04F72904A25BBC661EB65F9C1C5A7BDFBB087207E41C09F048D7641C724FCC08E64

Function 00655C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00655C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00655C6F
MessageBeep.USER32(00000000), ref: 00655C87
KillTimer.USER32(?,0000040A), ref: 00655CA3
EndDialog.USER32(?,00000001), ref: 00655CBD

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 63e9dc40e28e62315a0b511fd7d0fe0cd0969b37342f7d6904d041b706355e11
Instruction ID: 072ff09294e6e9521a0b8055f67d06ca2279cd7746f7488610f19850fb9e4c7e
Opcode Fuzzy Hash: 63e9dc40e28e62315a0b511fd7d0fe0cd0969b37342f7d6904d041b706355e11
Instruction Fuzzy Hash: 43018B30500704ABEB205B14DD5EFE577B9BF04706F00166DA553614E1D7F459888B51

Function 006222A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006222BE

Part of subcall function 006229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0062D7D1,00000000,00000000,00000000,00000000,?,0062D7F8,00000000,00000007,00000000,?,0062DBF5,00000000), ref: 006229DE
Part of subcall function 006229C8: GetLastError.KERNEL32(00000000,?,0062D7D1,00000000,00000000,00000000,00000000,?,0062D7F8,00000000,00000007,00000000,?,0062DBF5,00000000,00000000), ref: 006229F0

_free.LIBCMT ref: 006222D0
_free.LIBCMT ref: 006222E3
_free.LIBCMT ref: 006222F4
_free.LIBCMT ref: 00622305

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fb1f564580eb5ff8782c7bdac6c4f31eb97d714b23c4009ce844d41397b87393
Instruction ID: 50de4e35f0fb1021686f174af2b7e45820179d6c8d2dd64b4f820ad673f617c3
Opcode Fuzzy Hash: fb1f564580eb5ff8782c7bdac6c4f31eb97d714b23c4009ce844d41397b87393
Instruction Fuzzy Hash: 4FF01DB4811932ABC752AF65BC11C683F67F71AB61741260EF420D72B2C73546D19FE8

Function 006095C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006095D4
StrokeAndFillPath.GDI32(?,?,006471F7,00000000,?,?,?), ref: 006095F0
SelectObject.GDI32(?,00000000), ref: 00609603
DeleteObject.GDI32 ref: 00609616
StrokePath.GDI32(?), ref: 00609631

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: c0ec2520d2655e27a80dbaad4ff18f29c2f9e6f9b8aa280fb579756e97507937
Instruction ID: c7ee3ebfbf0ae3e4602b84540a0328ebc33ba8770294beb85da5e85345b9e421
Opcode Fuzzy Hash: c0ec2520d2655e27a80dbaad4ff18f29c2f9e6f9b8aa280fb579756e97507937
Instruction Fuzzy Hash: 73F0F630045608EBDB665F65ED1CBB53B63AB02376F04A314E465991F2C73289A1DFB0

Function 00620F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 006210F9
__freea.LIBCMT ref: 00621117

Part of subcall function 00621537: _free.LIBCMT ref: 0062154F

Strings

a/p, xrefs: 006211DE
am/pm, xrefs: 0062117A

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 586f6ad158bf7274b7f9f96245afce2f2c5ceba7d73194917033f8f1db2d5a91
Instruction ID: b6646b26c07a820af9df72fe219137fe4396334f45750db493f877807f97466a
Opcode Fuzzy Hash: 586f6ad158bf7274b7f9f96245afce2f2c5ceba7d73194917033f8f1db2d5a91
Instruction Fuzzy Hash: 83D1E131908A26DADB24CF68E8556FAB7B3EF27310F24411AE9019F750D7359E81CF91

Function 006761D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00610242: EnterCriticalSection.KERNEL32(006C070C,006C1884,?,?,0060198B,006C2518,?,?,?,005F12F9,00000000), ref: 0061024D
Part of subcall function 00610242: LeaveCriticalSection.KERNEL32(006C070C,?,0060198B,006C2518,?,?,?,005F12F9,00000000), ref: 0061028A

Part of subcall function 006100A3: __onexit.LIBCMT ref: 006100A9

__Init_thread_footer.LIBCMT ref: 00676238

Part of subcall function 006101F8: EnterCriticalSection.KERNEL32(006C070C,?,?,00608747,006C2514), ref: 00610202
Part of subcall function 006101F8: LeaveCriticalSection.KERNEL32(006C070C,?,00608747,006C2514), ref: 00610235

Part of subcall function 0066359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 006635E4
Part of subcall function 0066359C: LoadStringW.USER32(006C2390,?,00000FFF,?), ref: 0066360A

Strings

x#l, xrefs: 0067636F
x#l, xrefs: 0067633A
x#l, xrefs: 00676353

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#l$x#l$x#l
API String ID: 1072379062-3238366366
Opcode ID: 87a0973d2af057c2ef188472af274363c6c3f9787fd7e39c13a2c25df885ad69
Instruction ID: 1dccb525f72e055afb0ac397c25164724c8491b6264638407ef51aaa20adf91a
Opcode Fuzzy Hash: 87a0973d2af057c2ef188472af274363c6c3f9787fd7e39c13a2c25df885ad69
Instruction Fuzzy Hash: 93C15D71A0050AAFDB14DF58C895EBEB7BAFF48310F148069FA199B291DB70ED45CB90

Function 00625AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO_, xrefs: 00625BA8, 00625C6C

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID: JO_
API String ID: 0-242863787
Opcode ID: f32882757998f5dbb2623e89a9d675bd12c7e4235c174f194a643b9b56b09c4d
Instruction ID: b97863e15de940502fa06be6a2dd1efcc033f6b14e77b644d18f3117afb46cbf
Opcode Fuzzy Hash: f32882757998f5dbb2623e89a9d675bd12c7e4235c174f194a643b9b56b09c4d
Instruction Fuzzy Hash: 3351D171E00E2AAFDB319FA4E845EFE7BB6AF45310F14005DF406A7291D6319A41CF66

Function 00628A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00628B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00628B7A
__dosmaperr.LIBCMT ref: 00628B81

Strings

.a, xrefs: 00628A63

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .a
API String ID: 2434981716-2467499776
Opcode ID: 3d26fc975f23e1c96a06b492d519725989c73fbc056c3f626193d121e283e26f
Instruction ID: 4c4c96acae3abbbd8c0b267e707f545b2d596b4ee64c6ba27ef49e9d2ea3cbcf
Opcode Fuzzy Hash: 3d26fc975f23e1c96a06b492d519725989c73fbc056c3f626193d121e283e26f
Instruction Fuzzy Hash: 8E418CB0605565AFDB249F24EC80ABD7FA7DB85301F2841ADF89587642DE318D438F90

Function 00652716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0065B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006521D0,?,?,00000034,00000800,?,00000034), ref: 0065B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00652760

Part of subcall function 0065B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006521FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0065B3F8

Part of subcall function 0065B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0065B355
Part of subcall function 0065B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00652194,00000034,?,?,00001004,00000000,00000000), ref: 0065B365
Part of subcall function 0065B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00652194,00000034,?,?,00001004,00000000,00000000), ref: 0065B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006527CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0065281A

Strings

@, xrefs: 00652832

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: edc2c6d9164762374fa11f01a75739a1160ad22bf9eba0f759b46eb87123dc8e
Instruction ID: 6318e923e44b17df8ab6326c0c5020b0cc44d0373c5fd9ac54085ebd8e7a3fb3
Opcode Fuzzy Hash: edc2c6d9164762374fa11f01a75739a1160ad22bf9eba0f759b46eb87123dc8e
Instruction Fuzzy Hash: BD414E72900219BFDB10DFA4CD95AEEBBB9EF09300F005059FA55B7181DB706E49CBA0

Function 0062172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\MACHINE SPECIFICATION.exe,00000104), ref: 00621769
_free.LIBCMT ref: 00621834
_free.LIBCMT ref: 0062183E

Strings

C:\Users\user\Desktop\MACHINE SPECIFICATION.exe, xrefs: 00621760, 00621767, 00621796, 006217CE

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\MACHINE SPECIFICATION.exe
API String ID: 2506810119-840538360
Opcode ID: c7e96f6efd006002b8d0f563a52ad906584ca8e803af4a2ab4528ba21671f2fd
Instruction ID: 6cd7d98bee14150f7ae35606b6fb1730720cda7d040f237d4d40aed15a855308
Opcode Fuzzy Hash: c7e96f6efd006002b8d0f563a52ad906584ca8e803af4a2ab4528ba21671f2fd
Instruction Fuzzy Hash: 32318675A04628BBDB11DF99A885DDEBBFEEF96310B14416AF4049B211D6748E80CF90

Function 0065C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0065C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0065C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,006C1990,01805EB0), ref: 0065C395

Strings

0, xrefs: 0065C2DF

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: e75f09aa974e76ca0a5c3c1814a9cd8777c126a03051f4abd8457a726701fb93
Instruction ID: 6fbafe96b6e3d522accd7ab99d7b2ecc1474b8d8b4b1f893f34638cabc5dc143
Opcode Fuzzy Hash: e75f09aa974e76ca0a5c3c1814a9cd8777c126a03051f4abd8457a726701fb93
Instruction Fuzzy Hash: C241BF312043059FDB20DF24D884B6ABBE6AF85321F048A1DFDA5973D1D730E908CB66

Function 00684416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0068CC08,00000000,?,?,?,?), ref: 006844AA
GetWindowLongW.USER32 ref: 006844C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006844D7

Strings

SysTreeView32, xrefs: 0068447C

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: d9ab39211709656c4facd8f5c0299ce1b46a755ab3b59b5864ef31de1e3ef640
Instruction ID: da542508f7188a197a2f767eea8915a89ee90cee501972f56b4e0532bb74904b
Opcode Fuzzy Hash: d9ab39211709656c4facd8f5c0299ce1b46a755ab3b59b5864ef31de1e3ef640
Instruction Fuzzy Hash: D731B031210206AFDF20AE78DC45BEA7BAAEB09334F204725F975932D0DB74EC509760

Function 00656E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00656EED
VariantCopyInd.OLEAUT32(?,?), ref: 00656F08
VariantClear.OLEAUT32(?), ref: 00656F12

Strings

*je, xrefs: 00656E8B, 00656E90, 00656EF8

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *je
API String ID: 2173805711-1750142174
Opcode ID: 0cee2dc7e82c7f9ec27686c72ba7bf2c82628a46033cc2659546b68ade16e631
Instruction ID: 392ab029f9081ea20ef669fa846c47d1821cfee6617f5a97da0d8d5e4a39407f
Opcode Fuzzy Hash: 0cee2dc7e82c7f9ec27686c72ba7bf2c82628a46033cc2659546b68ade16e631
Instruction Fuzzy Hash: 8731B371A0420ADFDB04AFA5E8559BE3BB7FF84301F500498F9024B2B1C7349916DBA0

Function 0067304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0067335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00673077,?,?), ref: 00673378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0067307A
_wcslen.LIBCMT ref: 0067309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00673106

Strings

255.255.255.255, xrefs: 00673095, 0067309A

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 5b10713b39c67035a6159091b8111227f4fd7b3f4fd39129132e762d4c6bc738
Instruction ID: c78a81e226509c062b941d8239dff3a15fc0ae20dc0c5950f31d252603d76f7f
Opcode Fuzzy Hash: 5b10713b39c67035a6159091b8111227f4fd7b3f4fd39129132e762d4c6bc738
Instruction Fuzzy Hash: 2531D3392002159FCB20CF28C585EEA7BE2EF54318F64C159E9198B392DB32EE41D760

Function 00684653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00684705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00684713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0068471A

Strings

msctls_updown32, xrefs: 00684684

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 46789735d64460ba510bad5641e7c31e43f80d2fc11dcf48f118cbb1e66197fc
Instruction ID: 3123053855cc03d459ff0221afc9f07f1388359dffd3ad1c2ab14d210910e6d4
Opcode Fuzzy Hash: 46789735d64460ba510bad5641e7c31e43f80d2fc11dcf48f118cbb1e66197fc
Instruction Fuzzy Hash: F1213EB560020AAFDB10EF64DC95DB737AEEF9A3A8B140159FA009B351DB71EC51CB60

Function 006595AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0065961D

Strings

#OnAutoItStartRegister, xrefs: 006595F3
#notrayicon, xrefs: 006595B7
#requireadmin, xrefs: 006595D9

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 7243b24b53848269bb9bf0815420dc4582e854c009c2af0715f7fdc02f5ec1f9
Instruction ID: 06c4e564db99cffe46d766f942f06bcc3cbf5e53ffcf77f54fbaa6ee5b3b1af3
Opcode Fuzzy Hash: 7243b24b53848269bb9bf0815420dc4582e854c009c2af0715f7fdc02f5ec1f9
Instruction Fuzzy Hash: C1214632204211A6D731AB24D802FF7739AAF94311F44442AFD49D7282EB509D9EC2A5

Function 006837B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00683840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00683850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00683876

Strings

Listbox, xrefs: 0068380F

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 508b466ba08d704408a98ff19983d8916aee80040fd4481fabadb703d189fed3
Instruction ID: b65f02c85819b795632a32dd6c0b68402408fe48d29baeea5fcc48bd075aaa83
Opcode Fuzzy Hash: 508b466ba08d704408a98ff19983d8916aee80040fd4481fabadb703d189fed3
Instruction Fuzzy Hash: 582183726102287BEF119F54CC45EFB376FEF89B50F118214F9059B290D671DC5287A0

Function 006649F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00664A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00664A5C
SetErrorMode.KERNEL32(00000000,?,?,0068CC08), ref: 00664AD0

Strings

%lu, xrefs: 00664A6F

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: d97bcdfdf75b0843128d714b02e5546cb614046c839e4c254aa2e7f9592cb4be
Instruction ID: 28eacd2d05a654abbd2043909118b3b8fa07b08b7f42031f589b311b8cf07260
Opcode Fuzzy Hash: d97bcdfdf75b0843128d714b02e5546cb614046c839e4c254aa2e7f9592cb4be
Instruction Fuzzy Hash: 86318271A00109AFDB10DF54C885EAA7BF9EF48318F1480A9F909DB352DB75EE45CB61

Function 006841EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0068424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00684264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00684271

Strings

msctls_trackbar32, xrefs: 00684226

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 1d0139e1693d7f002d41fd3de10fb823b69caaf71d1477ac5fd74c052434e536
Instruction ID: 4de99544285cef32e25004d0c11325eb9ca7123a6d9c22fc76f6dc8aff1e2889
Opcode Fuzzy Hash: 1d0139e1693d7f002d41fd3de10fb823b69caaf71d1477ac5fd74c052434e536
Instruction Fuzzy Hash: 9E11E7312442097EEF206F24CC05FFB3BADEF95754F110214FA55E6190D671D8519710

Function 00652F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005F6B57: _wcslen.LIBCMT ref: 005F6B6A

Part of subcall function 00652DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00652DC5
Part of subcall function 00652DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00652DD6
Part of subcall function 00652DA7: GetCurrentThreadId.KERNEL32 ref: 00652DDD
Part of subcall function 00652DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00652DE4

GetFocus.USER32 ref: 00652F78

Part of subcall function 00652DEE: GetParent.USER32(00000000), ref: 00652DF9

GetClassNameW.USER32(?,?,00000100), ref: 00652FC3
EnumChildWindows.USER32(?,0065303B), ref: 00652FEB

Strings

%s%d, xrefs: 00652FFF

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 6ea5b193cca7004bd471a121bf2464357db2791ed174e432c93cf6d79f633dc6
Instruction ID: c275f94a8aa5301a18f9ce47a6bfdb8339f29b5d44dc8769aef4f031296a5688
Opcode Fuzzy Hash: 6ea5b193cca7004bd471a121bf2464357db2791ed174e432c93cf6d79f633dc6
Instruction Fuzzy Hash: C311AFB160021A6BCF947F648C99EEE376BAF85315F044179FD099B292EF3099498B70

Function 00685882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006858C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006858EE
DrawMenuBar.USER32(?), ref: 006858FD

Strings

0, xrefs: 0068588F

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: ca39899501b70f365879f070a5680e8e4a7194daf6452afa5a5867105867b0d0
Instruction ID: 2e3110231faf81acf9c2d95311012152f63b4411fcdf90d5bcb5c1b00a1bd5f5
Opcode Fuzzy Hash: ca39899501b70f365879f070a5680e8e4a7194daf6452afa5a5867105867b0d0
Instruction Fuzzy Hash: 9A016131500258EFDF61AF11DC44BAFBBB6FB45360F108199E849D6251DB308A94DF31

Function 0064D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0064D3BF
FreeLibrary.KERNEL32 ref: 0064D3E5

Strings

X64, xrefs: 0064D2A8
GetSystemWow64DirectoryW, xrefs: 0064D3B9

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: f722b74266bb3d628dd5036239e2298f5c7ba30cca98863daad27f9dc114df17
Instruction ID: 17b9331086a306e2810b51cfdf8e1c1bf6b747814dc63bdb6f3713391047dd5c
Opcode Fuzzy Hash: f722b74266bb3d628dd5036239e2298f5c7ba30cca98863daad27f9dc114df17
Instruction Fuzzy Hash: FCF05532D02B20EBC3362F108C48DAB3717AF12F00B948388F106F2298D7B0CA418792

Function 0065007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bab756972679a2057c7fee04a243c43c6da8581cbe0d6038c8eeb3560c524b7
Instruction ID: d0cfd88ae9a45f59af818d3aeee706c1a04dfb98c2e9b63651a5de6b13db7bb6
Opcode Fuzzy Hash: 6bab756972679a2057c7fee04a243c43c6da8581cbe0d6038c8eeb3560c524b7
Instruction Fuzzy Hash: FFC15E75A00216EFDB14CFA4C894EAEB7B6FF48705F208598E905EB251D731DE46CB90

Function 0067342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00673459
CoUninitialize.OLE32 ref: 00673463
VariantInit.OLEAUT32(?), ref: 0067346E
VariantClear.OLEAUT32(?), ref: 0067371B

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: d50996275794ed07c8b43627ea85b10d5194b1da910b221afad7395e722b7611
Instruction ID: 95b0c7cffa5612acbabdea7c4683dbfeda5d2b3909258f10dd5a9bb52cc7cf19
Opcode Fuzzy Hash: d50996275794ed07c8b43627ea85b10d5194b1da910b221afad7395e722b7611
Instruction Fuzzy Hash: C6A159752043159FD700DF28C485A2ABBE6FF88710F04885DF98A9B362EB74EE05DB91

Function 00650436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0068FC08,?), ref: 006505F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0068FC08,?), ref: 00650608
CLSIDFromProgID.OLE32(?,?,00000000,0068CC40,000000FF,?,00000000,00000800,00000000,?,0068FC08,?), ref: 0065062D
_memcmp.LIBVCRUNTIME ref: 0065064E

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 181a72d3b85d7849e25dcadc589bf4a4e34ca122d38feaa630eb45f3757adfcb
Instruction ID: 69c36c9e23216ace5a2074e6e65f87a8216d35bcf8ece8d7929edf1199c64579
Opcode Fuzzy Hash: 181a72d3b85d7849e25dcadc589bf4a4e34ca122d38feaa630eb45f3757adfcb
Instruction Fuzzy Hash: 50810F75A00109EFDB04DF94C984DEEB7BAFF89315F204558E916AB250DB71EE0ACB60

Function 00631391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006314C0

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4187950cd582a2b1211d1142e60f9a6b374b446f3a5d2fc95e77ae95a59311f2
Instruction ID: 1331a88847d739c7e62851f2dfd0dd2d6273e841ec9294147bb26663d3ca9dca
Opcode Fuzzy Hash: 4187950cd582a2b1211d1142e60f9a6b374b446f3a5d2fc95e77ae95a59311f2
Instruction Fuzzy Hash: D5412931A00510ABDB617FF99C466EE3AE7EF43370F184229F419DA293EA34894157E5

Function 00686278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0180EEC0,?), ref: 006862E2
ScreenToClient.USER32(?,?), ref: 00686315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00686382

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 3869d8501902dd321c38bf2a6de0c590493b1038e080d90d4e38da950c9266c5
Instruction ID: 51a65bda59095460c9fcb8b65dc652a19f3a261602d0fdb9947e878472ea8139
Opcode Fuzzy Hash: 3869d8501902dd321c38bf2a6de0c590493b1038e080d90d4e38da950c9266c5
Instruction Fuzzy Hash: 81510974A00209EFDB10EF68D884AAE7BB6FF45360F109269F9159B391D770EE81CB50

Function 00671AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00671AFD
WSAGetLastError.WSOCK32 ref: 00671B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00671B8A
WSAGetLastError.WSOCK32 ref: 00671B94

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 8cf75db8f0e4615b780093abec162cfe69517009192870969a1bc78e6f2609d6
Instruction ID: cea5583ff169a0b85503ac21e63192a66aeb8dab0a6ed416e82597e0ee0adb32
Opcode Fuzzy Hash: 8cf75db8f0e4615b780093abec162cfe69517009192870969a1bc78e6f2609d6
Instruction Fuzzy Hash: 8F41E334640201AFE720AF24C886F767BE6AB85718F54C448F6199F3D3D776DD418B90

Function 0062B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec8dcc7d301710c441e7136a82f7bad68c1394becd48d46766cff8878535816
Instruction ID: 6be6248b871e6e9d51115eb53aec1587908b1a54f502d968219fd7a99ed47353
Opcode Fuzzy Hash: 9ec8dcc7d301710c441e7136a82f7bad68c1394becd48d46766cff8878535816
Instruction Fuzzy Hash: 8F41F871A00B14BFD724AF78DC41BAA7BEBEB84710F10852EF541DB681D77199418B84

Function 006656D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00665783
GetLastError.KERNEL32(?,00000000), ref: 006657A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 006657CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 006657FA

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 3c8d2704b4ebcefa6b959d67d241492009f8bab2910bead00452cf156712c911
Instruction ID: 0b3c41cd23673fe7189ad3cc29204d31fe75fffae8321536eed77b4a6094a1d7
Opcode Fuzzy Hash: 3c8d2704b4ebcefa6b959d67d241492009f8bab2910bead00452cf156712c911
Instruction Fuzzy Hash: CA415E35200615DFCB10DF15C545A6EBBE2FF89320F188488E94AAB362DB78FD04CB91

Function 0062D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00616D71,00000000,00000000,006182D9,?,006182D9,?,00000001,00616D71,?,00000001,006182D9,006182D9), ref: 0062D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0062D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0062D9AB
__freea.LIBCMT ref: 0062D9B4

Part of subcall function 00623820: RtlAllocateHeap.NTDLL(00000000,?,006C1444,?,0060FDF5,?,?,005FA976,00000010,006C1440,005F13FC,?,005F13C6,?,005F1129), ref: 00623852

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 2c34dd433508422779f23334ef2220cdf0b928bf597a4c7c05a3079a00b65d5f
Instruction ID: 145b337dae551fb8ed0ad3c3b13fa7803afef6deef4003f1b7933d1d60a14bc9
Opcode Fuzzy Hash: 2c34dd433508422779f23334ef2220cdf0b928bf597a4c7c05a3079a00b65d5f
Instruction Fuzzy Hash: 8331A271A0062AABDF24DF64EC45EEE7BA6EB41310B154168FC04D7290D735CD91CB90

Function 006852C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00685352
GetWindowLongW.USER32(?,000000F0), ref: 00685375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00685382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006853A8

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 54ffcab6b0f6eb6aa0565be56e35fb2a0cf0cfd30c5a6d0a09bd38985e07f963
Instruction ID: 1b7e700581c956cce8ca6efb6d0834581e169d0e7823fbd90f9fb62f8ed4ef32
Opcode Fuzzy Hash: 54ffcab6b0f6eb6aa0565be56e35fb2a0cf0cfd30c5a6d0a09bd38985e07f963
Instruction Fuzzy Hash: 9131C234A55A08FFEF30AB14CC05FE93767AB05391F585301FA12963E1E7B49E809B92

Function 0065AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 0065ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0065AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0065AC74
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 0065ACC6

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 6eef0450358a7fce3b45c3d92e2982c8d63c494fb6ffd1ea66df7ee71c905d44
Instruction ID: 7126c4d346f75944813c4b9ee05e76f13e3d9efe4dd62e1633e644ba4f4282bd
Opcode Fuzzy Hash: 6eef0450358a7fce3b45c3d92e2982c8d63c494fb6ffd1ea66df7ee71c905d44
Instruction Fuzzy Hash: B5310930A00718AFEF35CBA58C057FA7BA7AB45322F04431EEC95563D1D37589898762

Function 00687674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0068769A
GetWindowRect.USER32(?,?), ref: 00687710
PtInRect.USER32(?,?,00688B89), ref: 00687720
MessageBeep.USER32(00000000), ref: 0068778C

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 46b2d35292877dadfcd02229fd5ad31c79eb0248ad461c0d1ed4bd495c5744ae
Instruction ID: f6827c7f25e6580474c6f6fdb264620041f9414733e3b68396d26f0924ed8163
Opcode Fuzzy Hash: 46b2d35292877dadfcd02229fd5ad31c79eb0248ad461c0d1ed4bd495c5744ae
Instruction Fuzzy Hash: D3418B34A05214EFCB01EF58D894EA9B7F6FB4A314F2942A8E9149F361D731E942CF90

Function 006816DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 006816EB

Part of subcall function 00653A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00653A57
Part of subcall function 00653A3D: GetCurrentThreadId.KERNEL32 ref: 00653A5E
Part of subcall function 00653A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006525B3), ref: 00653A65

GetCaretPos.USER32(?), ref: 006816FF
ClientToScreen.USER32(00000000,?), ref: 0068174C
GetForegroundWindow.USER32 ref: 00681752

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: c026d85affbeb4e06fa44c8a43c78780bb5baaa549fafbf9fe881d161752e61f
Instruction ID: 75b64de2bfa6dcb58ffe7fdd661565e4204f1c3b6aa6bb72761da78b680c4de9
Opcode Fuzzy Hash: c026d85affbeb4e06fa44c8a43c78780bb5baaa549fafbf9fe881d161752e61f
Instruction Fuzzy Hash: 91313E75D00149AFCB00EFA9C885CAEBBFEFF89304B5080A9E515E7311DA359E45CBA0

Function 0065D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0065D501
Process32FirstW.KERNEL32(00000000,?), ref: 0065D50F
Process32NextW.KERNEL32(00000000,?), ref: 0065D52F
CloseHandle.KERNEL32(00000000), ref: 0065D5DC

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 56f0f048b06588da1501750571efcbd6ab8a98a756e8128470fc8bacfe12a7de
Instruction ID: 0f0d0f3b1944fff37b587169d113f7f6940df3efdc25a89d1b2c81f8ba5abb03
Opcode Fuzzy Hash: 56f0f048b06588da1501750571efcbd6ab8a98a756e8128470fc8bacfe12a7de
Instruction Fuzzy Hash: 3131B3710083059FD310EF54C885ABFBBE9FFD9354F10092DF685822A1EB719A49CBA2

Function 00688FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00609BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00609BB2

GetCursorPos.USER32(?), ref: 00689001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00647711,?,?,?,?,?), ref: 00689016
GetCursorPos.USER32(?), ref: 0068905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00647711,?,?,?), ref: 00689094

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 6a8c40bfc3817dfe977443992a74a1b51dabc7e9cc25be208fbbab024aa1a13c
Instruction ID: eca7b118c6d9a07d75de80786b8b479f25dd1a5f4786132347bae0d1c5f24e6c
Opcode Fuzzy Hash: 6a8c40bfc3817dfe977443992a74a1b51dabc7e9cc25be208fbbab024aa1a13c
Instruction Fuzzy Hash: 0A217135600018FFDB199F94CC58EFA7BBBEB4A360F184259F5065B261C7359950DB70

Function 0065D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0068CB68), ref: 0065D2FB
GetLastError.KERNEL32 ref: 0065D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0065D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0068CB68), ref: 0065D376

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: c0f464a6f9a5a16d58523392326fc1a3e35495fa1ff0d1377c9ae72a32d7e81a
Instruction ID: ca37d32459f251930f4270b20f128e3a76c4c0546f6191603f41183015e58ce4
Opcode Fuzzy Hash: c0f464a6f9a5a16d58523392326fc1a3e35495fa1ff0d1377c9ae72a32d7e81a
Instruction Fuzzy Hash: 172186705056019FC710DF24C8858AA7BE5FF96365F104A1DF895C72E1DB31DA4ACB93

Function 00651571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00651014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0065102A
Part of subcall function 00651014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00651036
Part of subcall function 00651014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00651045
Part of subcall function 00651014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0065104C
Part of subcall function 00651014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00651062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006515BE
_memcmp.LIBVCRUNTIME ref: 006515E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00651617
HeapFree.KERNEL32(00000000), ref: 0065161E

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: b22b48fe7c2e1bd95ea12f77d91e77bdac536c00b461baa595305d96ce964673
Instruction ID: 5a2b04ee56e4a4d48b95da2ee4c947c2ea56a2c1cfcdd4a16c9f0f9f7f44aabb
Opcode Fuzzy Hash: b22b48fe7c2e1bd95ea12f77d91e77bdac536c00b461baa595305d96ce964673
Instruction Fuzzy Hash: DD21B071E40109EFDF00DFA4C949BEEB7BAEF45356F084459E851AB241E730AE09DBA0

Function 00682782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0068280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00682824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00682832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00682840

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 916b662cd377bbb18d8f5ee21f264c75d29022f52c160f30bd9744b318f601fc
Instruction ID: 5af7675cbe68294b963b9d7e207b22a9e833ac0417606dc60adb18c277791fa7
Opcode Fuzzy Hash: 916b662cd377bbb18d8f5ee21f264c75d29022f52c160f30bd9744b318f601fc
Instruction Fuzzy Hash: 9821C435204516AFDB14AB24C864FAA7B96EF85324F148258F4168B6D2C775FC42C790

Function 006578F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00658D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0065790A,?,000000FF,?,00658754,00000000,?,0000001C,?,?), ref: 00658D8C
Part of subcall function 00658D7D: lstrcpyW.KERNEL32(00000000,?,?,0065790A,?,000000FF,?,00658754,00000000,?,0000001C,?,?,00000000), ref: 00658DB2
Part of subcall function 00658D7D: lstrcmpiW.KERNEL32(00000000,?,0065790A,?,000000FF,?,00658754,00000000,?,0000001C,?,?), ref: 00658DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00658754,00000000,?,0000001C,?,?,00000000), ref: 00657923
lstrcpyW.KERNEL32(00000000,?,?,00658754,00000000,?,0000001C,?,?,00000000), ref: 00657949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00658754,00000000,?,0000001C,?,?,00000000), ref: 00657984

Strings

cdecl, xrefs: 0065797B

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: be0d7dbc700a88692bfd3b9c76cf71c7627a34afff9478830c11ca67f538bd2a
Instruction ID: 04d0a03d5a3b51a3c4b9f7b5595800f7a84b1f0aece7c1c5d7a7bfec1384c756
Opcode Fuzzy Hash: be0d7dbc700a88692bfd3b9c76cf71c7627a34afff9478830c11ca67f538bd2a
Instruction Fuzzy Hash: 1A11033A200242AFCB259F35E844EBB77AAFF85351F00412AFC42C73A4EB319805C7A1

Function 00685660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 006856BB
_wcslen.LIBCMT ref: 006856CD
_wcslen.LIBCMT ref: 006856D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00685816

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: a212607dcac43d36470e67a13b40f93667e243ffac16b2a8595445e5cda9168d
Instruction ID: 8bf7cfc7b6674030d8fa58480da336d11067a6575cbf8051d6aaf6e5074bddfc
Opcode Fuzzy Hash: a212607dcac43d36470e67a13b40f93667e243ffac16b2a8595445e5cda9168d
Instruction Fuzzy Hash: 1611D375600618A6DF20BF61CC85AEE77AEEF11760B10422AF916D6191EB70CAC4CBA4

Function 00651A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00651A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00651A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00651A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00651A8A

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 08f70a9d4d93168ee5c47b3879696a5c74acbb3ea23db3d2cbb7db633bd3ab02
Instruction ID: e5ba5db5ae553ca461cbcfce89131ee5aafe86aea5c5ff36966e71f86316e522
Opcode Fuzzy Hash: 08f70a9d4d93168ee5c47b3879696a5c74acbb3ea23db3d2cbb7db633bd3ab02
Instruction Fuzzy Hash: CB113C3AD01219FFEB11DBA4CD85FADBB79EB04750F200091EA00B7290D6716E50DB94

Function 0065E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0065E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0065E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0065E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0065E24D

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 925163ab3dfbd3063990713ce18660f3392fb2c41c205c4485ee19a30f7b5c73
Instruction ID: 0f138d6ef78261e473bac0f7c3d0d87fd2667076751b81b0286cf4111a66ae49
Opcode Fuzzy Hash: 925163ab3dfbd3063990713ce18660f3392fb2c41c205c4485ee19a30f7b5c73
Instruction Fuzzy Hash: 9211C876904254BBCB059FA8AC09EEE7FAEDB46325F044355F924D7291D6B18B0487B0

Function 0061D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0061CFF9,00000000,00000004,00000000), ref: 0061D218
GetLastError.KERNEL32 ref: 0061D224
__dosmaperr.LIBCMT ref: 0061D22B
ResumeThread.KERNEL32(00000000), ref: 0061D249

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 3fe0e720102c1346fd6d33597cf2a99e06fca0600f3821c56aeab33ee071912a
Instruction ID: 3c17a5fdc19b321d66f691880b27ef38acc24eff73aec814895cecd8d0feaeb1
Opcode Fuzzy Hash: 3fe0e720102c1346fd6d33597cf2a99e06fca0600f3821c56aeab33ee071912a
Instruction Fuzzy Hash: E401F536805204BBCB115BA5DC09BEE7B6BDF81331F280319FA35921E0DB71CA82C7A0

Function 005F600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 005F604C
GetStockObject.GDI32(00000011), ref: 005F6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 005F606A

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: c7e4a1984798bda6826dec10a3699b433c56b4c44789162508ffca707b40c5f6
Instruction ID: 259f51a3696532138a9a9a111da285e64481df789da3413b17b929b4b748798d
Opcode Fuzzy Hash: c7e4a1984798bda6826dec10a3699b433c56b4c44789162508ffca707b40c5f6
Instruction Fuzzy Hash: 80113972501548BFEB124FA49C58AFABF6EFF093A4F141215FA1552110DB369C609BA1

Function 00613B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00613B56

Part of subcall function 00613AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00613AD2
Part of subcall function 00613AA3: ___AdjustPointer.LIBCMT ref: 00613AED

_UnwindNestedFrames.LIBCMT ref: 00613B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00613B7C
CallCatchBlock.LIBVCRUNTIME ref: 00613BA4

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: e2973e7bcc1acf41160f796bb2194bd7d58e74869386b31bc7cf74a7c33775d6
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: F6014C72100148BBDF129E95CC42EEB3FBEEF58754F084018FE4956221D732E9A1DBA4

Function 00623073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,005F13C6,00000000,00000000,?,0062301A,005F13C6,00000000,00000000,00000000,?,0062328B,00000006,FlsSetValue), ref: 006230A5
GetLastError.KERNEL32(?,0062301A,005F13C6,00000000,00000000,00000000,?,0062328B,00000006,FlsSetValue,00692290,FlsSetValue,00000000,00000364,?,00622E46), ref: 006230B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0062301A,005F13C6,00000000,00000000,00000000,?,0062328B,00000006,FlsSetValue,00692290,FlsSetValue,00000000), ref: 006230BF

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: c515ba5baeacddc29a97924f2e4650be20501ab0b239c75e6c6792f2f07cf480
Instruction ID: 2bca53c9fd597df1860c21bf9c2e707e27a5eefda902bad53c7c03bd720fb5f7
Opcode Fuzzy Hash: c515ba5baeacddc29a97924f2e4650be20501ab0b239c75e6c6792f2f07cf480
Instruction Fuzzy Hash: 6101D832701A36ABC7214B78BC44997779A9F05B71B100720F915E7380C735D901CBF0

Function 00657464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0065747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00657497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 006574AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 006574CA

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: ea6ff80fe37a94e86dedb47d04fdecee68bd8d1a00f4a166621e61bef10a9cf2
Instruction ID: 5499b4f1fbbf6fcd58c440d9d58fbf198d67b4f74195f705f2b21fc4c0c05ba2
Opcode Fuzzy Hash: ea6ff80fe37a94e86dedb47d04fdecee68bd8d1a00f4a166621e61bef10a9cf2
Instruction Fuzzy Hash: 5B11ADB1205315ABE720CF24EC08F927BFEEB00B11F108569EE56D6191D7B0E948DB61

Function 0065B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0065ACD3,?,00008000), ref: 0065B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0065ACD3,?,00008000), ref: 0065B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0065ACD3,?,00008000), ref: 0065B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0065ACD3,?,00008000), ref: 0065B126

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: f172242ff822ae5aa61296d8146051e0565d78b2114009e441242bc257ba3191
Instruction ID: 17601c82f50a753863da2d304abab9367c0184ba7995f7cae7c18364c047d773
Opcode Fuzzy Hash: f172242ff822ae5aa61296d8146051e0565d78b2114009e441242bc257ba3191
Instruction Fuzzy Hash: F1118B30C0192DEBCF14AFE5ED986EEBB7AFF0A322F005185D981B2281CB3046548B61

Function 00652DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00652DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00652DD6
GetCurrentThreadId.KERNEL32 ref: 00652DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00652DE4

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 44a55d641bd411fecc66deb74c72d6ffe455117e21fda1710a892990b5758823
Instruction ID: ab26c033d59babf4df3644273386211710c6958579a25876a555da6ff346f6f3
Opcode Fuzzy Hash: 44a55d641bd411fecc66deb74c72d6ffe455117e21fda1710a892990b5758823
Instruction Fuzzy Hash: 57E06D711012257AD7201B62AC0DEEB7E7EEF43BB2F001325FA05D1080AAA48885D7B0

Function 00688863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00609639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00609693
Part of subcall function 00609639: SelectObject.GDI32(?,00000000), ref: 006096A2
Part of subcall function 00609639: BeginPath.GDI32(?), ref: 006096B9
Part of subcall function 00609639: SelectObject.GDI32(?,00000000), ref: 006096E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00688887
LineTo.GDI32(?,?,?), ref: 00688894
EndPath.GDI32(?), ref: 006888A4
StrokePath.GDI32(?), ref: 006888B2

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: a62aefdda7a1ab3fb5fcfd64f13349d0aa872b4dd7ab25b53308cec1fa95237a
Instruction ID: 801981e325437ecbf274f69451a6536ff95e9a385414b47f73a4b2926994a6ac
Opcode Fuzzy Hash: a62aefdda7a1ab3fb5fcfd64f13349d0aa872b4dd7ab25b53308cec1fa95237a
Instruction Fuzzy Hash: AEF03A36041258BAEB126F94AC09FDA3A5BAF06320F448200FA11A91E2C7B65511CBF9

Function 006098B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 006098CC
SetTextColor.GDI32(?,?), ref: 006098D6
SetBkMode.GDI32(?,00000001), ref: 006098E9
GetStockObject.GDI32(00000005), ref: 006098F1

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 16c9a93a63e28d1c07dca0c2aecabd25d068ff799a67b00365b091056d64c130
Instruction ID: 0f0cae82e88e0b0370dd9d8630c9735845ca0e5c217423027583275e5ccc405e
Opcode Fuzzy Hash: 16c9a93a63e28d1c07dca0c2aecabd25d068ff799a67b00365b091056d64c130
Instruction Fuzzy Hash: 87E06D31244280BEDB215B78BC1DBE93F63AB12336F04931AF6FA581E1C77156509B21

Function 0065162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00651634
OpenThreadToken.ADVAPI32(00000000,?,?,?,006511D9), ref: 0065163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006511D9), ref: 00651648
OpenProcessToken.ADVAPI32(00000000,?,?,?,006511D9), ref: 0065164F

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 41f1c30c93cb55c37b023d1b3ad23620c9e864dad2282931f569dc7ef5e8c61f
Instruction ID: 5285026fe25ceb438445d11e050f6a354e790d89dda95367c3d25a743645ceb8
Opcode Fuzzy Hash: 41f1c30c93cb55c37b023d1b3ad23620c9e864dad2282931f569dc7ef5e8c61f
Instruction Fuzzy Hash: 25E08C32602211FBD7201FB0AE0DF863B7EAF467E2F158908F645CD080E6348445CB70

Function 0064D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0064D858
GetDC.USER32(00000000), ref: 0064D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0064D882
ReleaseDC.USER32(?), ref: 0064D8A3

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b2d6315da79e303bc6c2551e97ae9aa6354b7735679ca62079d846beb616abef
Instruction ID: 2f48d407352cade947a29a9e48db730f6de02863a3e9b562e247de64d4c48286
Opcode Fuzzy Hash: b2d6315da79e303bc6c2551e97ae9aa6354b7735679ca62079d846beb616abef
Instruction Fuzzy Hash: A5E01AB4800205EFCB41AFB0D90C66DFFB3FB48320F109229E906E7250D7384942AF60

Function 0064D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0064D86C
GetDC.USER32(00000000), ref: 0064D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0064D882
ReleaseDC.USER32(?), ref: 0064D8A3

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 33a933d367d7330a3221f7023c696c21228de3a1c28faed05f5bc85c4168a1de
Instruction ID: 59b07c55cfeedb0dcf5a8c111c6c7d0c5d1731d86112bc81fd5ada1ea94af45d
Opcode Fuzzy Hash: 33a933d367d7330a3221f7023c696c21228de3a1c28faed05f5bc85c4168a1de
Instruction Fuzzy Hash: 79E01A74800205EFCB409FB0D80C66DBFB2BB48320B109218E90AE7250D7385941AF60

Function 00664D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 005F7620: _wcslen.LIBCMT ref: 005F7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00664ED4

Strings

LPT, xrefs: 00664DFB
*, xrefs: 00664E10

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 73500db2c7fc3145fad0583353b908578a836783d094baaa990f799cb017e778
Instruction ID: eeadf98d6a0abc9d71a25851b7b8d9f903bada2759791a97f1a6af122b4d0f01
Opcode Fuzzy Hash: 73500db2c7fc3145fad0583353b908578a836783d094baaa990f799cb017e778
Instruction Fuzzy Hash: 06915475A00249DFCB14DF54C484EAABBF6BF88304F158099E40A9F3A2DB75ED85CB51

Function 0061E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0061E30D

Strings

pow, xrefs: 0061E2E5, 0061E302

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: e87f47e25db235a26e5367b405786ee8caca8819fef2bf431fc7df87544a52c4
Instruction ID: 9485e374615bd382c49abb7acdaca13ff18e50be41a0a9c9151122623269523a
Opcode Fuzzy Hash: e87f47e25db235a26e5367b405786ee8caca8819fef2bf431fc7df87544a52c4
Instruction Fuzzy Hash: F5518E61A0C51396CB157B24E911BFA3BAB9F00740F384D99E8E5423E9DB36CCD19E4A

Function 00677771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0064569E,00000000,?,0068CC08,?,00000000,00000000), ref: 006778DD

Part of subcall function 005F6B57: _wcslen.LIBCMT ref: 005F6B6A

CharUpperBuffW.USER32(0064569E,00000000,?,0068CC08,00000000,?,00000000,00000000), ref: 0067783B

Strings

<sk, xrefs: 006777C8

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sk
API String ID: 3544283678-205674243
Opcode ID: 92a94f8fbe65754c4abf0efb31765ac461023fb95516d05d182bebd12f120f41
Instruction ID: 545abd98e87329beff3584718f77db7caabf2c7c794d26f69c727fc90447b856
Opcode Fuzzy Hash: 92a94f8fbe65754c4abf0efb31765ac461023fb95516d05d182bebd12f120f41
Instruction Fuzzy Hash: 04618D7291411EAACF04FBA4CC95DFEB7B9BF54300B448529F606A3191EF785A05CBA1

Function 0060E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0060E1B1

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: c1df71631652d21f9edac2767e6a8b374e47de7e5f221fb277a8a91a01dacb71
Instruction ID: bcb4f2257844b0238232bb9cf110c788d014c14c98de9af9877481b03c056725
Opcode Fuzzy Hash: c1df71631652d21f9edac2767e6a8b374e47de7e5f221fb277a8a91a01dacb71
Instruction Fuzzy Hash: B3514335540256DFDB18EF28C481AFA7BAAFF56320F244459E8919B3D0D6369E43CBA0

Function 0060F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0060F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0060F2BB

Strings

@, xrefs: 0060F2AF

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: acf7ad785c524af590baf8edd0aaf6610281bfdad832e96ab467322dfa734735
Instruction ID: 44e1c50415842c3b9eef9f66100a3538c9e02f593c5d2df1b75ebfc43f3e853a
Opcode Fuzzy Hash: acf7ad785c524af590baf8edd0aaf6610281bfdad832e96ab467322dfa734735
Instruction Fuzzy Hash: 3651297140874A9BD320AF14D88ABABBBF8FFC5300F81485DF2D941195EF749929CB66

Function 00675745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 006757E0
_wcslen.LIBCMT ref: 006757EC

Strings

CALLARGARRAY, xrefs: 006757E6, 006757EB

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: ccabc1bd841d89be1848153457f88986be552c58e0eb9c8de812be30e8834970
Instruction ID: f09ec0265ce1a8201b7bf0e65b1595f90c6271ed3fa3fabeb44a63641cb2a437
Opcode Fuzzy Hash: ccabc1bd841d89be1848153457f88986be552c58e0eb9c8de812be30e8834970
Instruction Fuzzy Hash: F241AF71A001199FCB04DFA9C8859FEBBB6FF59320F10806DE50AA7391E7709D81CB91

Function 0066D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0066D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0066D13A

Strings

|, xrefs: 0066D10B

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 7c6e0d496541c745d7cd75438c8f57cb0deb95e954edc2b98c7b2746efb92da1
Instruction ID: 64ca2669b8ec5e801d8d2dc6b4f6da82ec3fdf3ec4b9da1340de84f7bd763719
Opcode Fuzzy Hash: 7c6e0d496541c745d7cd75438c8f57cb0deb95e954edc2b98c7b2746efb92da1
Instruction Fuzzy Hash: F0313D71D0020AABCF15EFA5CC85AEFBFBAFF45340F000019F915A6261D775AA56CB60

Function 0068356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00683621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0068365C

Strings

static, xrefs: 006835BC

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: da816ca4f669dc712047bed6a13ba3f5565879c4ecb881623465d17b66e9097d
Instruction ID: 4e426544483b031e313cf56ba1c6734ea706da857c9405cdd22ef09178aa393f
Opcode Fuzzy Hash: da816ca4f669dc712047bed6a13ba3f5565879c4ecb881623465d17b66e9097d
Instruction Fuzzy Hash: CA319071110604AEDB10EF68DC40EFB73AAFF88B20F10961DF9A597280DA35AD91C760

Function 00684537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0068461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00684634

Strings

', xrefs: 0068458E

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: de9d700fd547e7771d13261972207812f9af2dc99f00b07b25f4a99d81ca9725
Instruction ID: 30f2118fff9539891573688e5c31d8ef392484e24bc61844ad67d61e68c0b9dc
Opcode Fuzzy Hash: de9d700fd547e7771d13261972207812f9af2dc99f00b07b25f4a99d81ca9725
Instruction Fuzzy Hash: D1313974A0130A9FDB14DF69C990BEE7BB6FF49300F10416AE904AB341EB70A941CF90

Function 006831EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0068327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00683287

Strings

Combobox, xrefs: 00683249

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: fc275356ec0690425f12565ba92d29f329c32a4f83b724dc09c9d67c3fda5dd0
Instruction ID: 5910c3b08485c530ace229943df1d29eed6f430228df555a486e38058cc9ba91
Opcode Fuzzy Hash: fc275356ec0690425f12565ba92d29f329c32a4f83b724dc09c9d67c3fda5dd0
Instruction Fuzzy Hash: 0811E2713002187FEF21AF54DC94EFB3B6BEB98764F100228F91897390D6319E518760

Function 00683710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 005F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 005F604C
Part of subcall function 005F600E: GetStockObject.GDI32(00000011), ref: 005F6060
Part of subcall function 005F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 005F606A

GetWindowRect.USER32(00000000,?), ref: 0068377A
GetSysColor.USER32(00000012), ref: 00683794

Strings

static, xrefs: 00683757

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 934100a1eff824cf26f352afa0c9da60a11478f41e9b156af92702df5135c194
Instruction ID: a6a96e741e612185766b329a4e07316902b1960e7affb93faf0314664773a243
Opcode Fuzzy Hash: 934100a1eff824cf26f352afa0c9da60a11478f41e9b156af92702df5135c194
Instruction Fuzzy Hash: 981159B261020AAFDF00EFA8CC45EFA7BB9FB09314F004614F955E3250E734E8619B60

Function 0066CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0066CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0066CDA6

Strings

<local>, xrefs: 0066CD66

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: deb30843188792fd31547ed34419daca12b6675185cfe42d9a3c65c3df34f740
Instruction ID: 50a6243daa86fcf4ce7fd5d7a797618d6586c33f6be4d6980bb1de92f3a5c000
Opcode Fuzzy Hash: deb30843188792fd31547ed34419daca12b6675185cfe42d9a3c65c3df34f740
Instruction Fuzzy Hash: 0511C271205A31BAD7385B66CC49EF7BEAEEF527B4F00422AB18983180D7749845D6F0

Function 00683429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 006834AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006834BA

Strings

edit, xrefs: 0068348F

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: b7f6116422b6db3b622919faa89712ea71a3f344068cb2320d736ef70f5490c0
Instruction ID: aca2619c8fe81ebfe0c95d35e2e192c984a9181f8942fa9c24df8681a4d725b6
Opcode Fuzzy Hash: b7f6116422b6db3b622919faa89712ea71a3f344068cb2320d736ef70f5490c0
Instruction Fuzzy Hash: 1F116D71100118AAEF21AE64DC44AFA37ABEF45B74F504724FA61973D0C775DC519760

Function 00656C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 005F9CB3: _wcslen.LIBCMT ref: 005F9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00656CB6
_wcslen.LIBCMT ref: 00656CC2

Strings

STOP, xrefs: 00656CBC, 00656CC1

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 09dca335dc74307cd07f1d854fb71a39f311f37615843a904cabc06adad7a38a
Instruction ID: e90ffefd2b7c77420b64809e60810e547ace97ff9fd33f0fe2e26c97f3d32102
Opcode Fuzzy Hash: 09dca335dc74307cd07f1d854fb71a39f311f37615843a904cabc06adad7a38a
Instruction Fuzzy Hash: 7901A5326005278ACB119EBDDC859FF77B6FE61721F900924FD5297290EA35D948C650

Function 00651BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005F9CB3: _wcslen.LIBCMT ref: 005F9CBD

Part of subcall function 00653CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00653CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00651C46

Strings

ListBox, xrefs: 00651C10
ComboBox, xrefs: 00651BE5

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6cfe9a0e9c1b748217ee9bdfb8ac75ab3872390f0cccc093a0a2e47e74c4c47e
Instruction ID: 53230214b005bf96604c79cbdc592147d09159e56cbaf5f3544e2595b0ef976a
Opcode Fuzzy Hash: 6cfe9a0e9c1b748217ee9bdfb8ac75ab3872390f0cccc093a0a2e47e74c4c47e
Instruction Fuzzy Hash: CB01A77568110966CB04EB90CA55BFF77AAAF52381F140029ED0667281EA299E0CC7B1

Function 00651C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005F9CB3: _wcslen.LIBCMT ref: 005F9CBD

Part of subcall function 00653CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00653CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00651CC8

Strings

ListBox, xrefs: 00651C94
ComboBox, xrefs: 00651C69

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 269ff8a97a221170505223b516c7be2b3f0228b1a35e51395063e391569df1a6
Instruction ID: 4cd5a94d7a96bc754370e37cc6725c62bcdd806c7ce5d82492fc16a0d3170e76
Opcode Fuzzy Hash: 269ff8a97a221170505223b516c7be2b3f0228b1a35e51395063e391569df1a6
Instruction Fuzzy Hash: CB01DBB168011967CB04EB90CA15BFF77AAAB12381F140015BD0277381EA299F0CC771

Function 0060A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0060A529

Part of subcall function 005F9CB3: _wcslen.LIBCMT ref: 005F9CBD

Strings

,%l, xrefs: 0060A509
3yd, xrefs: 0060A545, 0060A54D, 0060A552

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%l$3yd
API String ID: 2551934079-596477441
Opcode ID: ce7a76c464c0b169f98c4dc0064cedd9f1cf6b6821ceb48f31e6e7aac7333d46
Instruction ID: 6e8731c3d26fec9464c0991807d65f2605b62661021e3909d6984e87beb7fa32
Opcode Fuzzy Hash: ce7a76c464c0b169f98c4dc0064cedd9f1cf6b6821ceb48f31e6e7aac7333d46
Instruction Fuzzy Hash: 1201D43168071597DA09B7A89C1BFEE3757AB45790F54002CFA01572C2DE945D41869A

Function 00688172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,006C3018,006C305C), ref: 006881BF
CloseHandle.KERNEL32 ref: 006881D1

Strings

\0l, xrefs: 0068818A

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0l
API String ID: 3712363035-27596102
Opcode ID: 9b86676bd02000dc1c2f2f300e5872bfa8a050f4d56f13a035b41c4a67cdeb60
Instruction ID: a2c7630e1f040cc0b17eb560bf0c68c8da603f427f6139225ae6d307626f7d5b
Opcode Fuzzy Hash: 9b86676bd02000dc1c2f2f300e5872bfa8a050f4d56f13a035b41c4a67cdeb60
Instruction Fuzzy Hash: 48F082B2740320BFE3207B65AC45FF77A5EEB04754F009425BB08D62A2D6768E5093F8

Function 0067747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00677493
_wcslen.LIBCMT ref: 006774B9

Strings

3, 3, 16, 1, xrefs: 00677483

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 6c7861fa76b0cd1b35e6d073fa490fc15cbdbd4bff04f5025bdb795e77572e17
Instruction ID: ebb9f4fc03bc7dc3258f5d8e249e655cd793e44c42692b665418e65ecd01176b
Opcode Fuzzy Hash: 6c7861fa76b0cd1b35e6d073fa490fc15cbdbd4bff04f5025bdb795e77572e17
Instruction Fuzzy Hash: 98E0E502204260509271126A9CC19FF57CBDEC5750718182EF989C226AEA948DD193A4

Function 00650B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00650B23

Strings

Error allocating memory., xrefs: 00650B1C
AutoIt, xrefs: 00650B17

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 357bc1b0fcb6798962494b968b50c0916d603daf7ae26df4084ad440bd88e863
Instruction ID: 3102ee957cb67f0f09d7c6ab3f456e15555a488ea25657bc46d801e0eba206d5
Opcode Fuzzy Hash: 357bc1b0fcb6798962494b968b50c0916d603daf7ae26df4084ad440bd88e863
Instruction Fuzzy Hash: 4AE0483128531936D2643754BC47FC97A879F05B61F10046AFB58555C38AE2649047FD

Function 00610D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0060F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00610D71,?,?,?,005F100A), ref: 0060F7CE

IsDebuggerPresent.KERNEL32(?,?,?,005F100A), ref: 00610D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,005F100A), ref: 00610D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00610D7F

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 975c37617847affe3e38c3844e283f87161e5a0ae1daf3f4c9c9912c07c6a494
Instruction ID: befca780d69f1a01c55d27c5cac68e6313fe0da5e9a31adc16b352e67ceb7f42
Opcode Fuzzy Hash: 975c37617847affe3e38c3844e283f87161e5a0ae1daf3f4c9c9912c07c6a494
Instruction Fuzzy Hash: E5E06D706003419BE770AFB8E8187927BE6AF04754F044A2DE486C6692DBF5E4848BA1

Function 0060E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0060E3D5

Strings

0%l, xrefs: 0060E3B5
8%l, xrefs: 0060E3CA

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%l$8%l
API String ID: 1385522511-2540897584
Opcode ID: 2a95cc4876941181d913328e1ba542514cb85aeaa368aac8c663580b01891461
Instruction ID: 70f50b6e0aa7f03601f7839401d44e578da25534e52ce21bf949f28a1ef4b71f
Opcode Fuzzy Hash: 2a95cc4876941181d913328e1ba542514cb85aeaa368aac8c663580b01891461
Instruction Fuzzy Hash: 2CE02631484D31CBCB0C9B18B875EEB3B57FB05320B94256CE9128B2D19F7168818648

Function 00663017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0066302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00663044

Strings

aut, xrefs: 00663038

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: a1b1fa8a67b4177d2aa99a791f930acef54cc3b811074f923f6d2f61a3fe6959
Instruction ID: 3ec6321ebb58d36f8df8ae946927e7a34056f940fa50e8c5447a3995f4c66a16
Opcode Fuzzy Hash: a1b1fa8a67b4177d2aa99a791f930acef54cc3b811074f923f6d2f61a3fe6959
Instruction Fuzzy Hash: 83D05EB250032877DB30A7A4AC0EFCB3A6CDB04760F0002A1B655E20E1DAB49A84CBE0

Function 0064D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0064D220

Strings

%.3d, xrefs: 0064D22B
X64, xrefs: 0064D2A8

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: f4b5ddee8bcc03ce06d04ebff94b67c29aea7f135a9977d556359f2c5ea85624
Instruction ID: 57ae7575912ac7cce191840a21311636037eea07d1b499becc67820245ad52c0
Opcode Fuzzy Hash: f4b5ddee8bcc03ce06d04ebff94b67c29aea7f135a9977d556359f2c5ea85624
Instruction Fuzzy Hash: 65D012B1C48109FACB9097D0CC498BBB3BEBB18301F508452FA0791080D674C74A6B61

Function 00682356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0068236C
PostMessageW.USER32(00000000), ref: 00682373

Part of subcall function 0065E97B: Sleep.KERNEL32 ref: 0065E9F3

Strings

Shell_TrayWnd, xrefs: 00682365

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0b292cbd42a917674197e237b5d99681080a45b6ba6a8aaacfbe1a337017d4e6
Instruction ID: f1e46100db0ea03c268eb8756c125acc06083fc5e66e5a85e5b65f943312ef83
Opcode Fuzzy Hash: 0b292cbd42a917674197e237b5d99681080a45b6ba6a8aaacfbe1a337017d4e6
Instruction Fuzzy Hash: B6D0A9323803007AEAA8A330DC0FFC666069B00B20F000A267601AA0D0C8B0A8458B28

Function 00682322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0068232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0068233F

Part of subcall function 0065E97B: Sleep.KERNEL32 ref: 0065E9F3

Strings

Shell_TrayWnd, xrefs: 00682325

Memory Dump Source

Source File: 00000000.00000002.1413625048.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.1413523419.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.000000000068C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414063510.00000000006B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414613605.00000000006BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1414644932.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_MACHINE SPECIFICATION.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 889bbf1a79dd17f51acc835d5dafe484a6d84833eadea486447dfde33d968fb4
Instruction ID: f264c54f7b864baea3262283da27f75eff47b75de58847a92ca1d102266da1a0
Opcode Fuzzy Hash: 889bbf1a79dd17f51acc835d5dafe484a6d84833eadea486447dfde33d968fb4
Instruction Fuzzy Hash: B4D02232380300B7EBB8B330DC0FFC67A079B00B20F000A267705AA0D0C8F0A845CB24

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MACHINE SPECIFICATION.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Melber

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
MACHINE SPECIFICATION.exe

Function 005F42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 005F42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00632BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 005F2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0063065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 005F344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 005F2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 005F3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 01B1A270 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 005F2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01B1A020 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151
fileCOMMON

Function 005F3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Function 01B18F10 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Function 005F3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre