Edit tour

Windows Analysis Report
FAR.N_2430-240009934.exe

Overview

General Information

Sample name:	FAR.N_2430-240009934.exe
Analysis ID:	1428835
MD5:	fc9c091daa95c1cab2b0fe8f5d355a71
SHA1:	b8162cfcf19d65735dadc64a928e755de6515141
SHA256:	fc83bfec2d58dfb71be0fec0c02f69996c5349845dd39c8048b520696003e1fc
Tags:	agentteslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Binary is likely a compiled AutoIt script file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Found API chain indicative of sandbox detection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

FAR.N_2430-240009934.exe (PID: 1356 cmdline: "C:\Users\user\Desktop\FAR.N_2430-240009934.exe" MD5: FC9C091DAA95C1CAB2B0FE8F5D355A71)

RegSvcs.exe (PID: 6004 cmdline: "C:\Users\user\Desktop\FAR.N_2430-240009934.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

newfile.exe (PID: 6216 cmdline: "C:\Users\user\AppData\Roaming\newfile\newfile.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

newfile.exe (PID: 1196 cmdline: "C:\Users\user\AppData\Roaming\newfile\newfile.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.jmfresh.sg", "Username": "sales@jmfresh.sg", "Password": "rolandvirus66@gmail.com"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2456100583.000000000302E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2452750846.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2452750846.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1223698471.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1223698471.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.1223698471.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1223698471.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x345fc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3466e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x346f8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3478a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x347f4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34866:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x348fc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3498c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000002.00000002.2456100583.0000000003001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2456100583.0000000003001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2456100583.0000000003051000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: FAR.N_2430-240009934.exe PID: 1356	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: FAR.N_2430-240009934.exe PID: 1356	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: FAR.N_2430-240009934.exe PID: 1356	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 6004	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6004	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.FAR.N_2430-240009934.exe.3ee0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.FAR.N_2430-240009934.exe.3ee0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.FAR.N_2430-240009934.exe.3ee0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.FAR.N_2430-240009934.exe.3ee0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x345fc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3466e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x346f8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3478a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x347f4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34866:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x348fc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3498c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x345fc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3466e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x346f8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3478a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x347f4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34866:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x348fc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3498c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.FAR.N_2430-240009934.exe.3ee0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.FAR.N_2430-240009934.exe.3ee0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.FAR.N_2430-240009934.exe.3ee0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x327fc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3286e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x328f8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3298a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x329f4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32a66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32afc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32b8c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 6 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\newfile\newfile.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6004, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newfile

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.jmfresh.sg", "Username": "sales@jmfresh.sg", "Password": "rolandvirus66@gmail.com"}

Multi AV Scanner detection for submitted file

Source: FAR.N_2430-240009934.exe

ReversingLabs: Detection: 47%

Machine Learning detection for sample

Source: FAR.N_2430-240009934.exe

Joe Sandbox ML: detected

Source: FAR.N_2430-240009934.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: RegSvcs.pdb, source: newfile.exe, 0000000C.00000000.1312650801.0000000000EC2000.00000002.00000001.01000000.00000006.sdmp, newfile.exe.2.dr
Source:	Binary string: wntdll.pdbUGP source: FAR.N_2430-240009934.exe, 00000000.00000003.1217018320.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, FAR.N_2430-240009934.exe, 00000000.00000003.1220124309.0000000004110000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: FAR.N_2430-240009934.exe, 00000000.00000003.1217018320.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, FAR.N_2430-240009934.exe, 00000000.00000003.1220124309.0000000004110000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: newfile.exe, 0000000C.00000000.1312650801.0000000000EC2000.00000002.00000001.01000000.00000006.sdmp, newfile.exe.2.dr

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0087DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0087DBBE
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0084C2A2 FindFirstFileExW,	0_2_0084C2A2
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_008868EE FindFirstFileW,FindClose,	0_2_008868EE
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0088698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0088698F
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0087D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0087D076
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0087D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0087D3A9
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00889642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00889642
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0088979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0088979D
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00889B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00889B2B
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00885C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00885C97

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.FAR.N_2430-240009934.exe.3ee0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1223698471.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.7:49701 -> 101.100.239.36:26

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 101.100.239.36 101.100.239.36

Source: Joe Sandbox View

ASN Name: VODIEN-AS-AP-LOC2VodienInternetSolutionsPteLtdSG VODIEN-AS-AP-LOC2VodienInternetSolutionsPteLtdSG

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_0088CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0088CE44

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: RegSvcs.exe, 00000002.00000002.2456100583.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: RegSvcs.exe, 00000002.00000002.2454399735.0000000001382000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000002.00000002.2456100583.0000000003034000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.jmfresh.sg
Source: RegSvcs.exe, 00000002.00000002.2458826782.0000000006524000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org
Source: RegSvcs.exe, 00000002.00000002.2458826782.0000000006524000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2453690028.00000000012B0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2454399735.0000000001382000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2456100583.0000000003034000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2454399735.0000000001370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0#
Source: RegSvcs.exe, 00000002.00000002.2458826782.0000000006524000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2453690028.00000000012B0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2454399735.0000000001382000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2456100583.0000000003034000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: RegSvcs.exe, 00000002.00000002.2456100583.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.2458826782.0000000006524000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2454399735.0000000001382000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2456100583.0000000003034000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2454399735.0000000001370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.2454399735.0000000001370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.
Source: RegSvcs.exe, 00000002.00000002.2458826782.0000000006524000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2454399735.0000000001382000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2456100583.0000000003034000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: FAR.N_2430-240009934.exe, 00000000.00000002.1223698471.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2452750846.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.FAR.N_2430-240009934.exe.3ee0000.1.raw.unpack, 0V85.cs

.Net Code: ILlL223bNC

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_0088EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0088EAFF

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_0088ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0088ED6A

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

0_2_0088EAFF

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_0087AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0087AA57

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_008A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_008A9576

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.FAR.N_2430-240009934.exe.3ee0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.FAR.N_2430-240009934.exe.3ee0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1223698471.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: FAR.N_2430-240009934.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: FAR.N_2430-240009934.exe, 00000000.00000000.1207734611.00000000008D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_08b564ee-3
Source: FAR.N_2430-240009934.exe, 00000000.00000000.1207734611.00000000008D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_deffd0a2-7
Source: FAR.N_2430-240009934.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_339d99e9-b
Source: FAR.N_2430-240009934.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_2d931a7c-8

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_0087D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0087D5EB

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_00871201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00871201

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_0087E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0087E8F6

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00882046	0_2_00882046
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00818060	0_2_00818060
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00878298	0_2_00878298
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0084E4FF	0_2_0084E4FF
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0084676B	0_2_0084676B
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_008A4873	0_2_008A4873
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0083CAA0	0_2_0083CAA0
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0081CAF0	0_2_0081CAF0
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0082CC39	0_2_0082CC39
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00846DD9	0_2_00846DD9
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_008191C0	0_2_008191C0
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0082B119	0_2_0082B119
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00831394	0_2_00831394
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00831706	0_2_00831706
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0083781B	0_2_0083781B
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_008319B0	0_2_008319B0
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00817920	0_2_00817920
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0082997D	0_2_0082997D
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00837A4A	0_2_00837A4A
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00837CA7	0_2_00837CA7
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00831C77	0_2_00831C77
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00849EEE	0_2_00849EEE
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0089BE44	0_2_0089BE44
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00831F32	0_2_00831F32
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_03ED3640	0_2_03ED3640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E34AD0	2_2_02E34AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E3D230	2_2_02E3D230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E33EB8	2_2_02E33EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E34200	2_2_02E34200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E3F858	2_2_02E3F858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E3DE00	2_2_02E3DE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06B4E780	2_2_06B4E780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06B48700	2_2_06B48700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06B4B2D8	2_2_06B4B2D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06B43200	2_2_06B43200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06B40040	2_2_06B40040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06B49B50	2_2_06B49B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06B458C8	2_2_06B458C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06B48E50	2_2_06B48E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06B4ABF8	2_2_06B4ABF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_071134D0	2_2_071134D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06B40006	2_2_06B40006

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: String function: 00830A30 appears 46 times
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: String function: 00819CB3 appears 31 times
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: String function: 0082F9F2 appears 40 times

Source: FAR.N_2430-240009934.exe, 00000000.00000003.1216783499.00000000041ED000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs FAR.N_2430-240009934.exe
Source: FAR.N_2430-240009934.exe, 00000000.00000003.1217443290.0000000004093000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs FAR.N_2430-240009934.exe
Source: FAR.N_2430-240009934.exe, 00000000.00000002.1223698471.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename218b2b83-c0ff-4b45-8f5b-484ff827509e.exe4 vs FAR.N_2430-240009934.exe

Source: FAR.N_2430-240009934.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.FAR.N_2430-240009934.exe.3ee0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.FAR.N_2430-240009934.exe.3ee0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1223698471.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.FAR.N_2430-240009934.exe.3ee0000.1.raw.unpack, 4Cl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FAR.N_2430-240009934.exe.3ee0000.1.raw.unpack, 4Cl.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.FAR.N_2430-240009934.exe.3ee0000.1.raw.unpack, 5jodGRGeKF.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FAR.N_2430-240009934.exe.3ee0000.1.raw.unpack, 5jodGRGeKF.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FAR.N_2430-240009934.exe.3ee0000.1.raw.unpack, 33JmeoXaqT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FAR.N_2430-240009934.exe.3ee0000.1.raw.unpack, 33JmeoXaqT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FAR.N_2430-240009934.exe.3ee0000.1.raw.unpack, 33JmeoXaqT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FAR.N_2430-240009934.exe.3ee0000.1.raw.unpack, 33JmeoXaqT.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: FAR.N_2430-240009934.exe, 00000000.00000002.1223028620.0000000001668000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBp;g

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/8@2/2

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_008837B5 GetLastError,FormatMessageW,

0_2_008837B5

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_008710BF AdjustTokenPrivileges,CloseHandle,		0_2_008710BF
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_008716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008716C3

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_008851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008851CD

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_0089A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0089A67C

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_0088648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0088648E

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_008142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008142A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\newfile

Jump to behavior

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_03

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

File created: C:\Users\user~1\AppData\Local\Temp\autFBB.tmp

Jump to behavior

Source: FAR.N_2430-240009934.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: FAR.N_2430-240009934.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\FAR.N_2430-240009934.exe "C:\Users\user\Desktop\FAR.N_2430-240009934.exe"
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\FAR.N_2430-240009934.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\FAR.N_2430-240009934.exe"	Jump to behavior

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: FAR.N_2430-240009934.exe

Static file information: File size 1104896 > 1048576

Source: FAR.N_2430-240009934.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: FAR.N_2430-240009934.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: FAR.N_2430-240009934.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: FAR.N_2430-240009934.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: FAR.N_2430-240009934.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: FAR.N_2430-240009934.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: FAR.N_2430-240009934.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RegSvcs.pdb, source: newfile.exe, 0000000C.00000000.1312650801.0000000000EC2000.00000002.00000001.01000000.00000006.sdmp, newfile.exe.2.dr
Source:	Binary string: wntdll.pdbUGP source: FAR.N_2430-240009934.exe, 00000000.00000003.1217018320.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, FAR.N_2430-240009934.exe, 00000000.00000003.1220124309.0000000004110000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: FAR.N_2430-240009934.exe, 00000000.00000003.1217018320.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, FAR.N_2430-240009934.exe, 00000000.00000003.1220124309.0000000004110000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: newfile.exe, 0000000C.00000000.1312650801.0000000000EC2000.00000002.00000001.01000000.00000006.sdmp, newfile.exe.2.dr

Source: FAR.N_2430-240009934.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: FAR.N_2430-240009934.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: FAR.N_2430-240009934.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: FAR.N_2430-240009934.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: FAR.N_2430-240009934.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_008142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008142DE

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00830A76 push ecx; ret	0_2_00830A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_07113350 push cs; ret	2_2_07113352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_071133E9 push cs; ret	2_2_071133EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_07112A33 push es; ret	2_2_07112A36
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_07113259 push cs; ret	2_2_0711325A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_071132B0 push cs; ret	2_2_071132B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_071111B3 push es; ret	2_2_071111C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_07113418 push cs; ret	2_2_0711341A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\newfile\newfile.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Users\user\AppData\Roaming\newfile\newfile.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0082F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0082F98E
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_008A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_008A1C41

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: FAR.N_2430-240009934.exe PID: 1356, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97423

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: FAR.N_2430-240009934.exe, 00000000.00000002.1223698471.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2452750846.0000000000402000.00000040.80000000.00040000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 1630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 3330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 3140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 17C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 3270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 3110000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2455			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7397			Jump to behavior

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

API coverage: 3.9 %

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe TID: 6220	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe TID: 3964	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0087DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0087DBBE
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0084C2A2 FindFirstFileExW,	0_2_0084C2A2
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_008868EE FindFirstFileW,FindClose,	0_2_008868EE
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0088698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0088698F
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0087D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0087D076
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0087D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0087D3A9
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00889642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00889642
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0088979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0088979D
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00889B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00889B2B
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00885C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00885C97

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_008142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008142DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99647	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98325	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97216	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96996	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96780	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96508	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96267	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95811	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95698	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95589	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.2452750846.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000002.00000002.2452750846.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegSvcs.exe, 00000002.00000002.2458826782.0000000006524000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_02E370B8 CheckRemoteDebuggerPresent,

2_2_02E370B8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_0088EAA2 BlockInput,

0_2_0088EAA2

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_00842622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00842622

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_008142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008142DE

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00834CE8 mov eax, dword ptr fs:[00000030h]	0_2_00834CE8
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_03ED3530 mov eax, dword ptr fs:[00000030h]	0_2_03ED3530
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_03ED34D0 mov eax, dword ptr fs:[00000030h]	0_2_03ED34D0
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_03ED1ED0 mov eax, dword ptr fs:[00000030h]	0_2_03ED1ED0

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_00870B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00870B62

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00842622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00842622
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_0083083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0083083F
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_008309D5 SetUnhandledExceptionFilter,	0_2_008309D5
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00830C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00830C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 107A008

Jump to behavior

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

0_2_00871201

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_00852BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00852BA5

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_0087B226 SendInput,keybd_event,

0_2_0087B226

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_008922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_008922DA

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\FAR.N_2430-240009934.exe"

Jump to behavior

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

0_2_00870B62

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_00871663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00871663

Source: FAR.N_2430-240009934.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: FAR.N_2430-240009934.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_00830698 cpuid

0_2_00830698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Users\user\AppData\Roaming\newfile\newfile.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Users\user\AppData\Roaming\newfile\newfile.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_00888195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00888195

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_0086D27A GetUserNameW,

0_2_0086D27A

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_0084B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0084B952

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe

Code function: 0_2_008142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008142DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.FAR.N_2430-240009934.exe.3ee0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FAR.N_2430-240009934.exe.3ee0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2456100583.000000000302E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2452750846.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1223698471.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2456100583.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2456100583.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FAR.N_2430-240009934.exe PID: 1356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6004, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: FAR.N_2430-240009934.exe	Binary or memory string: WIN_81
Source: FAR.N_2430-240009934.exe	Binary or memory string: WIN_XP
Source: FAR.N_2430-240009934.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: FAR.N_2430-240009934.exe	Binary or memory string: WIN_XPe
Source: FAR.N_2430-240009934.exe	Binary or memory string: WIN_VISTA
Source: FAR.N_2430-240009934.exe	Binary or memory string: WIN_7
Source: FAR.N_2430-240009934.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 0.2.FAR.N_2430-240009934.exe.3ee0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FAR.N_2430-240009934.exe.3ee0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2452750846.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1223698471.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2456100583.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FAR.N_2430-240009934.exe PID: 1356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6004, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.FAR.N_2430-240009934.exe.3ee0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FAR.N_2430-240009934.exe.3ee0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2456100583.000000000302E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2452750846.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1223698471.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2456100583.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2456100583.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FAR.N_2430-240009934.exe PID: 1356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6004, type: MEMORYSTR

Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00891204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00891204
Source: C:\Users\user\Desktop\FAR.N_2430-240009934.exe	Code function: 0_2_00891806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00891806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	38 System Information Discovery	Distributed Component Object Model	121 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	541 Security Software Discovery	SSH	3 Clipboard Data	2 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	251 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FAR.N_2430-240009934.exe	47%	ReversingLabs	Win32.Ransomware.Strab
FAR.N_2430-240009934.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\newfile\newfile.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high
mail.jmfresh.sg	101.100.239.36	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://r3.o.lencr.org0	RegSvcs.exe, 00000002.00000002.2458826782.0000000006524000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2453690028.00000000012B0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2454399735.0000000001382000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2456100583.0000000003034000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.jmfresh.sg	RegSvcs.exe, 00000002.00000002.2456100583.0000000003034000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.dyn.com/	FAR.N_2430-240009934.exe, 00000000.00000002.1223698471.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2452750846.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.2456100583.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	RegSvcs.exe, 00000002.00000002.2458826782.0000000006524000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2454399735.0000000001382000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2456100583.0000000003034000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2454399735.0000000001370000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.	RegSvcs.exe, 00000002.00000002.2454399735.0000000001370000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://x1.i.lencr.org/0	RegSvcs.exe, 00000002.00000002.2458826782.0000000006524000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2454399735.0000000001382000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2456100583.0000000003034000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r3.i.lencr.org/0#	RegSvcs.exe, 00000002.00000002.2458826782.0000000006524000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2453690028.00000000012B0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2454399735.0000000001382000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2456100583.0000000003034000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2454399735.0000000001370000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ip-api.com	RegSvcs.exe, 00000002.00000002.2456100583.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r3.i.lencr.org	RegSvcs.exe, 00000002.00000002.2458826782.0000000006524000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
101.100.239.36	mail.jmfresh.sg	Singapore		58621	VODIEN-AS-AP-LOC2VodienInternetSolutionsPteLtdSG	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428835
Start date and time:	2024-04-19 17:22:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FAR.N_2430-240009934.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/8@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 50 Number of non-executed functions: 297
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target newfile.exe, PID 1196 because it is empty
Execution Graph export aborted for target newfile.exe, PID 6216 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: FAR.N_2430-240009934.exe

Simulations

Behavior and APIs

Time	Type	Description
17:23:03	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run newfile C:\Users\user\AppData\Roaming\newfile\newfile.exe
17:23:04	API Interceptor	51x Sleep call for process: RegSvcs.exe modified
17:23:11	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run newfile C:\Users\user\AppData\Roaming\newfile\newfile.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	tems.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	00_datos de la transacci#U00f3n rechazada y n#U00famero de cuenta incorrecto.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	PO-095325.scr.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	UPDATED SSTATEMENT OF ACCOUNT.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	REMITTANCE COPY.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	New Voicemail_Daiichi-Sankyo.html	Get hash	malicious	HTMLPhisher	Browse	ip-api.com/json/?fields=status,country,regionName,city,query
	DHL.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	KjCBSM7Ukv.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	ip-api.com/line/?fields=hosting
	eO2bqORIJb.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
101.100.239.36	Documentos adjuntos.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Cintillo 2024.pdf.exe	Get hash	malicious	AgentTesla	Browse
	Documentos adjuntos.exe	Get hash	malicious	AgentTesla	Browse
	Ejecuci#U00f3n de t#U00edtulos judiciales.exe	Get hash	malicious	AgentTesla	Browse
	Ziraat_Bankas#U0131_Swift.exe	Get hash	malicious	AgentTesla, zgRAT	Browse
	Invoice.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.jmfresh.sg	Documentos adjuntos.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	101.100.239.36
	Cintillo 2024.pdf.exe	Get hash	malicious	AgentTesla	Browse	101.100.239.36
	Documentos adjuntos.exe	Get hash	malicious	AgentTesla	Browse	101.100.239.36
	Ejecuci#U00f3n de t#U00edtulos judiciales.exe	Get hash	malicious	AgentTesla	Browse	101.100.239.36
	Ziraat_Bankas#U0131_Swift.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	101.100.239.36
	Invoice.exe	Get hash	malicious	AgentTesla	Browse	101.100.239.36
ip-api.com	tems.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	00_datos de la transacci#U00f3n rechazada y n#U00famero de cuenta incorrecto.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PO-095325.scr.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	UPDATED SSTATEMENT OF ACCOUNT.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	REMITTANCE COPY.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	New Voicemail_Daiichi-Sankyo.html	Get hash	malicious	HTMLPhisher	Browse	208.95.112.1
	DHL.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	KjCBSM7Ukv.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	208.95.112.1
	eO2bqORIJb.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VODIEN-AS-AP-LOC2VodienInternetSolutionsPteLtdSG	Documentos adjuntos.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	101.100.239.36
	Cintillo 2024.pdf.exe	Get hash	malicious	AgentTesla	Browse	101.100.239.36
	Documentos adjuntos.exe	Get hash	malicious	AgentTesla	Browse	101.100.239.36
	Ejecuci#U00f3n de t#U00edtulos judiciales.exe	Get hash	malicious	AgentTesla	Browse	101.100.239.36
	SPe0uXr3N3.elf	Get hash	malicious	Gafgyt, Mirai	Browse	43.245.97.85
	wg2vKIF0SU.elf	Get hash	malicious	Gafgyt	Browse	43.245.97.36
	SO8J3K15us.elf	Get hash	malicious	Gafgyt	Browse	43.245.97.67
	dVbrHqaCf1.elf	Get hash	malicious	Gafgyt	Browse	43.245.97.44
	hOBk4rf0Jm.elf	Get hash	malicious	Gafgyt	Browse	43.245.97.68
	21whXUKd06.elf	Get hash	malicious	Gafgyt, Mirai	Browse	43.245.97.31
TUT-ASUS	tems.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	00_datos de la transacci#U00f3n rechazada y n#U00famero de cuenta incorrecto.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PO-095325.scr.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	UPDATED SSTATEMENT OF ACCOUNT.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	REMITTANCE COPY.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	New Voicemail_Daiichi-Sankyo.html	Get hash	malicious	HTMLPhisher	Browse	208.95.112.1
	DHL.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	KjCBSM7Ukv.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	208.95.112.1
	eO2bqORIJb.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\newfile\newfile.exe	tems.exe	Get hash	malicious	AgentTesla	Browse
	HBL.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Heur.15333.25205.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.FileRepMalware.7644.21541.exe	Get hash	malicious	AgentTesla	Browse
	Cintillo 2024.pdf.exe	Get hash	malicious	AgentTesla	Browse
	SHIPMENT ADVICE FOR CLEARTEX.exe	Get hash	malicious	AgentTesla	Browse
	REQUEST FOR QUOTATION.exe	Get hash	malicious	Unknown	Browse
	67002314579XX.exe	Get hash	malicious	AgentTesla	Browse
	Quotation 22001625_REV001.exe	Get hash	malicious	AgentTesla	Browse
	justificante - 2024-04-16T133815.900.exe	Get hash	malicious	AgentTesla	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newfile.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\Idonna

Download File

Process:	C:\Users\user\Desktop\FAR.N_2430-240009934.exe
File Type:	data
Category:	dropped
Size (bytes):	244736
Entropy (8bit):	6.560452042035801
Encrypted:	false
SSDEEP:	3072:ioC/cubecqgR03DhBKtLQpEWLcjyh2XnWTnj5ILCFOXH35+EffQZZrAJy:iow63LWcNiyh2XnW6WFkkvZryy
MD5:	B48DF5AC21C91F9118DC30F27A71EF2D
SHA1:	E87560FD201295615F1EE7F5B897E7418318CD5B
SHA-256:	70FF330D3D6482F9A4B2C062B837A2E303276C48B326EE86746C4BF59F8AD8E4
SHA-512:	4332635C59CC86A8595498C327E3C46C773E448DD10B64009F137A38C447FA9ED1EAEB63F4EB4427BA05D65D91E747E7953053E809F17ECBCEE328D2755E264A
Malicious:	false
Reputation:	low
Preview:	.m.7RKDGV0FY..E7.7QKDGR0.Y37E7A7QKDGR0FY37E7A7QKDGR0FY37E7A7.KDG\/.W3.L.`.P..f.X/.G7X&E0&d$3^(6G.'RaE$%d.<...`.(X%R.FIMv0FY37E7.rQK.FQ0%s.RE7A7QKDG.0DX86N7A.RKDOR0FY37..B7QkDGR.EY37.7A.QKDER0BY37E7A7UKDGR0FY3.A7A5QKDGR0DYs.E7Q7Q[DGR0VY3'E7A7QKTGR0FY37E7A7=.GG.0FY3.F7.2QKDGR0FY37E7A7QKDGR0BY?7E7A7QKDGR0FY37E7A7QKDGR0FY37E7A7QKDGR0FY37E7A7QKDGR.FY;7E7A7QKDGR0Ny37.7A7QKDGR0FY.C O57QK..Q0Fy37E.B7QIDGR0FY37E7A7QKdGRPh+@E&7A7.NDGR.EY31E7A.RKDGR0FY37E7A7.KD.\|B#5\TE7M7QKDGV0F[37E.B7QKDGR0FY37E7.7Q.DGR0FY37E7A7QKDG..EY37E7.7QKFGW0N.17!.@7RKDGS0F_37E7A7QKDGR0FY37E7A7QKDGR0FY37E7A7QKDGR0FY37E7A7L....g{J{=#0.m. .3.. ..N.x^.Q.)$.xqH....c2T..Y.8u...X...E.Q6ND.....\|'YAH1`@j8 .L.....g-s\|.1/.+...,..75.....mg....VGi...C..'(?.')C[ ..V76..2.X37E7....../!xmh4N)eY<......%=a..:GR0"Y3777A70KDG.0FY\7E7/7QK:GR08Y37.7A7.KDGe0FY.7E7,7QK`GR08Y37.JN8....!..Y37E7t..{.*........ .:.0....S.\|.mT..H:.1..p..O.. ..Eb-_.y.0@1UNF@V3Jd=\|...SO@BP7BZ?.K\|..j.a.....4....1.;R0FY37.7A.QKD..0.Y37.7.7..DGR..Y.7.7...K

C:\Users\user\AppData\Local\Temp\aut100A.tmp

Download File

Process:	C:\Users\user\Desktop\FAR.N_2430-240009934.exe
File Type:	data
Category:	dropped
Size (bytes):	9924
Entropy (8bit):	7.697209947807859
Encrypted:	false
SSDEEP:	192:25L1fjxqLCHVkDJtj/wsLwtO8/C7TGC5z3nyy9iCSfHdxnN03Yy:25LVELCHVE7wHGz3nJ9iCSf9Q
MD5:	BFAA5A194EB485C2C59FD45D48662F90
SHA1:	BBF7D8FA6A5E1492481540EE27655840B36DB094
SHA-256:	8CCEF98A8D1756594ED5B98212C0D818CFE910BD0A827F16ED2DBC299838CAF3
SHA-512:	E8AD17510DE6755CF14C468ECF9E75BC358B951D1F4DDCB9A03235CC20F8D9B2258F15AD4FF717AF89E96025EF3BBFB74BD0D10B82F2EB79D26BC838CC77CD69
Malicious:	false
Reputation:	low
Preview:	EA06..p.._....i.M....U8.M.Si\|._=.O.....U6.O&S.t.e:.O......S..c8....A>.6-`........,..H...k.O....oL......k..T.q\...../...@........6...o.\|........t..V....S.+T.u`... ....fs.t..c ._..w....d....H,.......Ai.H..g...X.F..=j...>.\|..C`.....02..O....u.<......zm\.L@]>......N.x>:.....O.j.:.....Z@j.:......j.:......'.n.5.....^..../Z.Lg.#^...h.#..z.c6.H....S...#....O.B=2.L@.......x....g.>_L.....@\|........`.R...K.u...a>...np.....{.........x.....I..l...$..6- ._...k...e...g.\..l\|2..rt......K.O.4.:.#G.\.h.+...o..6...e........./..<.....%v....Z@4.]..g.).u`...2.....xZfV...Z.)..F.>....ei....?..........,....Z..5...b]8..4....`....n....v.......h.O....F\...FV...X...."U?... ....,vV.....Wj.Z%...F`.Y.T..c.....-R..y...B3......;,.X.n._.X'..........c........l.d.h.?.....,vZ....._j..%`.........c.....'...q/...@......8.a..~.`.W@B)h.'e......j.[..'U...g;..Bv^...x..r...}2...@B...,v`.!..>.[..mS .M..@...X...\.K..@.D.a.Q...s...ZeS...c;..f.!...,vb...U..j........#. ....3*.L,.........;2.X...c

C:\Users\user\AppData\Local\Temp\autFBB.tmp

Download File

Process:	C:\Users\user\Desktop\FAR.N_2430-240009934.exe
File Type:	data
Category:	dropped
Size (bytes):	143114
Entropy (8bit):	7.8911786111220295
Encrypted:	false
SSDEEP:	3072:qoTved4v9RkGEzFWYmG/sW6JD8kSBkQowBh5G4N++BHmOvE0cS8:VxmzYYPl6JD8k7Gv++BdvE0cS8
MD5:	25CF481F73C6442D59C55FB557212598
SHA1:	8643B1F0204F84BEB0C7B06A46C81561384073F7
SHA-256:	02AF1891C9F1F9314EDAE479F9188425E45E1853BD06DB9E2E3A0BF08F397A85
SHA-512:	F12A20AD6F9575CB150F457495C4707EBEE855DB6789495B33A48F73CF04F57C1B783D337028411594DAE68281E4B5ECD2A0155322084D3B3F433F3BDD86BE43
Malicious:	false
Reputation:	low
Preview:	EA06.....[z3z...G.L(.g".7... ..Ja.....Y...;4`....W%....L.X1..>&...K.Q:<.&..$.I$.(.Q..z...$..%...-`..+.Z...I......Tip.5Fa%...@.Z.L(....7..@&.x..?~z..k.~:.P...7.....-JaB...T.kQz..5.....s.Qf...F....398.........x..s.M.. ..Y...~...4B.Y...v.y....].......q...f.`.....) .....R.Z%t.,..8..?31..0u ...#K.A.)..T....P.q[..1. ....7..@>?...A... ....W.S.s....@...s.5~f.....<.........W..a....9... .}i...z.Q.Jd.....H.s.8}e.eT...>.../..V9.\.....N.[....$..."c`.Z....3...!.ym......?.,.rf.X.r=..{.}....Q.1.gB...I.....SC..#1..U6.z.[......>..WM/..-...:Se.."?...)...l>.>..:..$@.......i.P."..pK.8...p.8@.[1G....`..X.8X..3.S....]!..@B.._.{.J.y>.....y....Vu..B2z/EO.\|.[j..."u......z....!..-.[_.^c....N.P.:U.{\|..j.>.B.M.U...\|...........Y.S..Lz3...n.....A..L...,.7...e.....8;~..#)..S..U...RID.o..Cl.{-.gX...b.1.Pf4...sL.[.S9.>;.B.tJ..J.tMgV.6Bk........J.M.4.wV.N..fs..D.p...).2.1......^q......oA........V.....3..m......M...}......$.=...H...G..f...Q...x.C..U.5

C:\Users\user\AppData\Local\Temp\preconform

Download File

Process:	C:\Users\user\Desktop\FAR.N_2430-240009934.exe
File Type:	ASCII text, with very long lines (28674), with no line terminators
Category:	modified
Size (bytes):	28674
Entropy (8bit):	4.528031056072201
Encrypted:	false
SSDEEP:	768:QmlIc4RZ8fcM4GiNgu1ISfUcNxmaWzPFk:dac4RZ8fcM4ZDmaWzPO
MD5:	EF9B87C28C7AF14F4D1B4C333F64DA9A
SHA1:	7F82097E12D1945D4BB4477EFCF1F91AC64D4758
SHA-256:	6DA4D902B1EE4379F9F57F28A6CB6CA7B33EBF845F219A8DEE36FEC30CA009FA
SHA-512:	BCF5A8F1EF8FF2A38233BAC021E517917856F4D6F0599D2599A80595C4A04D1EE253F153F1D7FB371DB6F806BF798394FFFDD9F2C57FF5CE275677A948BD7F1B
Malicious:	false
Reputation:	low
Preview:	~/;2h_i27_i]i866/</=\>0h6660<2?.;2:\?0;6660<2?.j2<\g186660<2?/;2>\>0k6660<2?.;2g\?0;6660<2?.j2i\g0i6660<2?/;2k\>-96660<2?.;36\?-86660<2?.j38\g,k6660<2?/;3:\>0:6660<2?.;3<\?0i6660<2?.j3>\g0i6660<2?/;3g-9]60<2?.;3i\?0k6660<2?2j.:`l`l`l\g1:6660<2?3;.<`l`l`l\>0:6660<2?2;.>`l`l`l\?0i6660<2?2j.g`l`l`l\g0i6660<2?3;.i`l`l`l\>,k6660<2?2;.k`l`l`l\?0:6660<2?2j/6`l`l`l\g0i6660<2?3;/8`l`l`l\>0i6660<2?2;/:`l`l`l-9]?0<2?2j/<`l`l`l\g1;6660<2?/;^6\>196660<2?.;^8\?0;6660<2?.j^:\g186660<2?/;^<\>-96660<2?.;^>\?-86660<2?.j^g\g,k6660<2?/;^i\>0:6660<2?.;^k\?0i6660<2?.j_6\g0i6660<2?/;_8-9]60<2?.;_:\?076660<2?2j0>`l`l`l\g0:6660<2?3;0g`l`l`l\>1<6660<2?2;0i`l`l`l\?076660<2?2j0k`l`l`l\g166660<2?3;16`l`l`l\>0?6660<2?2;18`l`l`l\?-96660<2?2j1:`l`l`l\g-86660<2?3;1<`l`l`l\>,k6660<2?2;1>`l`l`l\?0:6660<2?2j1g`l`l`l\g0i6660<2?3;1i`l`l`l\>0i6660<2?2;1k`l`l`l-9]?0<2?.j26\g196660<2?/;[6\>0>

C:\Users\user\AppData\Roaming\newfile\newfile.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45984
Entropy (8bit):	6.16795797263964
Encrypted:	false
SSDEEP:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
MD5:	9D352BC46709F0CB5EC974633A0C3C94
SHA1:	1969771B2F022F9A86D77AC4D4D239BECDF08D07
SHA-256:	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
SHA-512:	13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: tems.exe, Detection: malicious, Browse Filename: HBL.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Heur.15333.25205.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.7644.21541.exe, Detection: malicious, Browse Filename: Cintillo 2024.pdf.exe, Detection: malicious, Browse Filename: SHIPMENT ADVICE FOR CLEARTEX.exe, Detection: malicious, Browse Filename: REQUEST FOR QUOTATION.exe, Detection: malicious, Browse Filename: 67002314579XX.exe, Detection: malicious, Browse Filename: Quotation 22001625_REV001.exe, Detection: malicious, Browse Filename: justificante - 2024-04-16T133815.900.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.442398121585593
Encrypted:	false
SSDEEP:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
MD5:	6FB4D27A716A8851BC0505666E7C7A10
SHA1:	AD2A232C6E709223532C4D1AB892303273D8C814
SHA-256:	1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
SHA-512:	3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.948433903107132
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FAR.N_2430-240009934.exe
File size:	1'104'896 bytes
MD5:	fc9c091daa95c1cab2b0fe8f5d355a71
SHA1:	b8162cfcf19d65735dadc64a928e755de6515141
SHA256:	fc83bfec2d58dfb71be0fec0c02f69996c5349845dd39c8048b520696003e1fc
SHA512:	692bc80b2f5c444d451a87c7c4f56945c15f8ab693ccb074d415d17d89001c333ae0b4f76f1829be60643c826e54ad0613b08fa561b824f6cfa8fef77b0f8d82
SSDEEP:	24576:GqDEvCTbMWu7rQYlBQcBiT6rprG8a9sRjvV:GTvC/MTQYxsWR7a98jv
TLSH:	4935AE0273D1C062FFAB92334B5AF6515BBC69260123E62F13981D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6621D335 [Fri Apr 19 02:13:09 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FB40D2303A3h
jmp 00007FB40D22FCAFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB40D22FE8Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB40D22FE5Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FB40D232A4Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FB40D232A98h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FB40D232A81h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x371fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10c000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x371fc	0x37200	4e88ccf742828c380947198abd4bd9d8	False	0.8815414186507936	data	7.776527875397024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10c000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x2e492	data			1.0003481269714007
RT_GROUP_ICON	0x10ac4c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x10acc4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x10acd8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x10acec	0x14	data	English	Great Britain	1.25
RT_VERSION	0x10ad00	0x10c	data	English	Great Britain	0.585820895522388
RT_MANIFEST	0x10ae0c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 17:23:04.100807905 CEST	49700	80	192.168.2.7	208.95.112.1
Apr 19, 2024 17:23:04.217031002 CEST	80	49700	208.95.112.1	192.168.2.7
Apr 19, 2024 17:23:04.217228889 CEST	49700	80	192.168.2.7	208.95.112.1
Apr 19, 2024 17:23:04.218420982 CEST	49700	80	192.168.2.7	208.95.112.1
Apr 19, 2024 17:23:04.399208069 CEST	80	49700	208.95.112.1	192.168.2.7
Apr 19, 2024 17:23:04.448205948 CEST	49700	80	192.168.2.7	208.95.112.1
Apr 19, 2024 17:23:06.265100956 CEST	49701	26	192.168.2.7	101.100.239.36
Apr 19, 2024 17:23:06.604753017 CEST	26	49701	101.100.239.36	192.168.2.7
Apr 19, 2024 17:23:06.605010033 CEST	49701	26	192.168.2.7	101.100.239.36
Apr 19, 2024 17:23:07.284648895 CEST	26	49701	101.100.239.36	192.168.2.7
Apr 19, 2024 17:23:07.284919024 CEST	49701	26	192.168.2.7	101.100.239.36
Apr 19, 2024 17:23:07.624583960 CEST	26	49701	101.100.239.36	192.168.2.7
Apr 19, 2024 17:23:07.624908924 CEST	49701	26	192.168.2.7	101.100.239.36
Apr 19, 2024 17:23:07.966763973 CEST	26	49701	101.100.239.36	192.168.2.7
Apr 19, 2024 17:23:07.979166985 CEST	49701	26	192.168.2.7	101.100.239.36
Apr 19, 2024 17:23:08.329705954 CEST	26	49701	101.100.239.36	192.168.2.7
Apr 19, 2024 17:23:08.329771042 CEST	26	49701	101.100.239.36	192.168.2.7
Apr 19, 2024 17:23:08.329812050 CEST	26	49701	101.100.239.36	192.168.2.7
Apr 19, 2024 17:23:08.329847097 CEST	49701	26	192.168.2.7	101.100.239.36
Apr 19, 2024 17:23:08.370088100 CEST	49701	26	192.168.2.7	101.100.239.36
Apr 19, 2024 17:23:08.374058962 CEST	49701	26	192.168.2.7	101.100.239.36
Apr 19, 2024 17:23:08.713522911 CEST	26	49701	101.100.239.36	192.168.2.7
Apr 19, 2024 17:23:08.744704008 CEST	49701	26	192.168.2.7	101.100.239.36
Apr 19, 2024 17:23:09.085148096 CEST	26	49701	101.100.239.36	192.168.2.7
Apr 19, 2024 17:23:09.086910009 CEST	49701	26	192.168.2.7	101.100.239.36
Apr 19, 2024 17:23:09.426502943 CEST	26	49701	101.100.239.36	192.168.2.7
Apr 19, 2024 17:23:09.426948071 CEST	49701	26	192.168.2.7	101.100.239.36
Apr 19, 2024 17:23:09.805407047 CEST	26	49701	101.100.239.36	192.168.2.7
Apr 19, 2024 17:23:09.962063074 CEST	26	49701	101.100.239.36	192.168.2.7
Apr 19, 2024 17:23:09.962419987 CEST	49701	26	192.168.2.7	101.100.239.36
Apr 19, 2024 17:23:10.301827908 CEST	26	49701	101.100.239.36	192.168.2.7
Apr 19, 2024 17:23:10.301892996 CEST	26	49701	101.100.239.36	192.168.2.7
Apr 19, 2024 17:23:10.302135944 CEST	49701	26	192.168.2.7	101.100.239.36
Apr 19, 2024 17:23:10.664828062 CEST	26	49701	101.100.239.36	192.168.2.7
Apr 19, 2024 17:23:10.665070057 CEST	49701	26	192.168.2.7	101.100.239.36
Apr 19, 2024 17:23:11.004391909 CEST	26	49701	101.100.239.36	192.168.2.7
Apr 19, 2024 17:23:11.005110025 CEST	49701	26	192.168.2.7	101.100.239.36
Apr 19, 2024 17:23:11.005232096 CEST	49701	26	192.168.2.7	101.100.239.36
Apr 19, 2024 17:23:11.005276918 CEST	49701	26	192.168.2.7	101.100.239.36
Apr 19, 2024 17:23:11.005300045 CEST	49701	26	192.168.2.7	101.100.239.36
Apr 19, 2024 17:23:11.344302893 CEST	26	49701	101.100.239.36	192.168.2.7
Apr 19, 2024 17:23:11.344429970 CEST	26	49701	101.100.239.36	192.168.2.7
Apr 19, 2024 17:23:11.344469070 CEST	26	49701	101.100.239.36	192.168.2.7
Apr 19, 2024 17:23:11.344506025 CEST	26	49701	101.100.239.36	192.168.2.7
Apr 19, 2024 17:23:11.353245974 CEST	26	49701	101.100.239.36	192.168.2.7
Apr 19, 2024 17:23:11.395013094 CEST	49701	26	192.168.2.7	101.100.239.36
Apr 19, 2024 17:23:55.698307991 CEST	49700	80	192.168.2.7	208.95.112.1
Apr 19, 2024 17:23:55.815113068 CEST	80	49700	208.95.112.1	192.168.2.7
Apr 19, 2024 17:23:55.815236092 CEST	49700	80	192.168.2.7	208.95.112.1
Apr 19, 2024 17:24:45.713793039 CEST	49701	26	192.168.2.7	101.100.239.36
Apr 19, 2024 17:24:46.053067923 CEST	26	49701	101.100.239.36	192.168.2.7
Apr 19, 2024 17:24:46.056844950 CEST	49701	26	192.168.2.7	101.100.239.36

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 17:23:03.987452030 CEST	62470	53	192.168.2.7	1.1.1.1
Apr 19, 2024 17:23:04.093100071 CEST	53	62470	1.1.1.1	192.168.2.7
Apr 19, 2024 17:23:05.685163975 CEST	52644	53	192.168.2.7	1.1.1.1
Apr 19, 2024 17:23:06.264067888 CEST	53	52644	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 19, 2024 17:23:03.987452030 CEST	192.168.2.7	1.1.1.1	0x6eba	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Apr 19, 2024 17:23:05.685163975 CEST	192.168.2.7	1.1.1.1	0x202c	Standard query (0)	mail.jmfresh.sg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 19, 2024 17:23:04.093100071 CEST	1.1.1.1	192.168.2.7	0x6eba	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Apr 19, 2024 17:23:06.264067888 CEST	1.1.1.1	192.168.2.7	0x202c	No error (0)	mail.jmfresh.sg		101.100.239.36	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49700	208.95.112.1	80	6004	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 17:23:04.218420982 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Apr 19, 2024 17:23:04.399208069 CEST	174	IN	HTTP/1.1 200 OK Date: Fri, 19 Apr 2024 15:23:03 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

Target ID:	0
Start time:	17:23:01
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\FAR.N_2430-240009934.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FAR.N_2430-240009934.exe"
Imagebase:	0x810000
File size:	1'104'896 bytes
MD5 hash:	FC9C091DAA95C1CAB2B0FE8F5D355A71
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1223698471.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1223698471.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1223698471.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1223698471.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:23:02
Start date:	19/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FAR.N_2430-240009934.exe"
Imagebase:	0xe30000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2456100583.000000000302E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2452750846.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2452750846.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2456100583.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2456100583.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2456100583.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	17:23:11
Start date:	19/04/2024
Path:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Imagebase:	0xec0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	17:23:11
Start date:	19/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	17:23:20
Start date:	19/04/2024
Path:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Imagebase:	0xe40000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	17:23:20
Start date:	19/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	46

Executed Functions

Function 008142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0081430D

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

GetCurrentProcess.KERNEL32(?,008ACB64,00000000,?,?), ref: 00814422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00814429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00814454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00814466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00814474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0081447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008144A0

Strings

GetNativeSystemInfo, xrefs: 00814460
|O, xrefs: 008536F8
kernel32.dll, xrefs: 0081444F

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 9faee72a2a55bbe90d7303b3da3e735a3651f48f8e7c83d054a1454f8bb3573a
Instruction ID: 83609f7703a0f45fb60c0adcb8e95cb608e57befc78751362fbb09c8a3d61a69
Opcode Fuzzy Hash: 9faee72a2a55bbe90d7303b3da3e735a3651f48f8e7c83d054a1454f8bb3573a
Instruction Fuzzy Hash: EEA1C37290A2C4EFCF11C7697CC85DA7FE8FB26745B0858A9D481DBB22D6384948CB35

Uniqueness

Uniqueness Score: -1.00%

Function 008142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,008150AA,?,?,00000000,00000000), ref: 008142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008150AA,?,?,00000000,00000000), ref: 008142C9
LoadResource.KERNEL32(?,00000000,?,?,008150AA,?,?,00000000,00000000,?,?,?,?,?,?,00814F20), ref: 008535BE
SizeofResource.KERNEL32(?,00000000,?,?,008150AA,?,?,00000000,00000000,?,?,?,?,?,?,00814F20), ref: 008535D3
LockResource.KERNEL32(008150AA,?,?,008150AA,?,?,00000000,00000000,?,?,?,?,?,?,00814F20,?), ref: 008535E6

Strings

SCRIPT, xrefs: 008142BF

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 4420bf8b017cd4477b433d04a7f6e9f39d6b510a0ed5a9b8fa21bfcde4889206
Instruction ID: 69d716e3ada662d585f3211412857fb945031fe3a45963813708d1a083984510
Opcode Fuzzy Hash: 4420bf8b017cd4477b433d04a7f6e9f39d6b510a0ed5a9b8fa21bfcde4889206
Instruction Fuzzy Hash: FD117C70200701BFE7218B65DC48F677BBEFFC6B51F104169B412D6650DBB2D8408620

Uniqueness

Uniqueness Score: -1.00%

Function 00852BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00812B6B

Part of subcall function 00813A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008E1418,?,00812E7F,?,?,?,00000000), ref: 00813A78

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,008D2224), ref: 00852C10
ShellExecuteW.SHELL32(00000000,?,?,008D2224), ref: 00852C17

Strings

runas, xrefs: 00852C0B

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 933c54ed15f222ddf3065b96b36526942dddaf70f20610d20fa0de24e62cfe7e
Instruction ID: 66f61813ab1327c40b520d8b595b8889a53824e410f03777f951900cf97477be
Opcode Fuzzy Hash: 933c54ed15f222ddf3065b96b36526942dddaf70f20610d20fa0de24e62cfe7e
Instruction Fuzzy Hash: 0A11D531108345AACB04FF68E8559EEB7ADFF96310F44042EF192C22A2CF318AC98753

Uniqueness

Uniqueness Score: -1.00%

Function 0087DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00855222), ref: 0087DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0087DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0087DBEE
FindClose.KERNEL32(00000000), ref: 0087DBFA

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 79a831e996f4b30caced9c8f08668536dbe092cf4ce4f53e7358f5e694f794f9
Instruction ID: a5513b44b347b5da32322c2e019c3d4919a364a96d2411595eb2213206444bc7
Opcode Fuzzy Hash: 79a831e996f4b30caced9c8f08668536dbe092cf4ce4f53e7358f5e694f794f9
Instruction Fuzzy Hash: 7BF0E530810A145792216B7CAC0D8AA37BCFF82334B108702F83AC26F0EBB49D54C6D5

Uniqueness

Uniqueness Score: -1.00%

Function 0081D730 Relevance: 21.6, APIs: 14, Instructions: 623windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0081D807
timeGetTime.WINMM ref: 0081DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0081DB28
TranslateMessage.USER32(?), ref: 0081DB7B
DispatchMessageW.USER32(?), ref: 0081DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0081DB9F
Sleep.KERNEL32(0000000A), ref: 0081DBB1

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 6deafa1ff4d2fbc9335f6dcb81cbf89c5b62b6c029106fd1b38ea1b2b2512d63
Instruction ID: d87a02332ad2e66c82f2d7ae1ea759e4c9b6a081758c75e86d1e8f0a20b231cd
Opcode Fuzzy Hash: 6deafa1ff4d2fbc9335f6dcb81cbf89c5b62b6c029106fd1b38ea1b2b2512d63
Instruction Fuzzy Hash: 66421430608745DFDB29CF28C884BAABBE8FF46314F15456DE456CB291D774E884CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00812CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00812D07
RegisterClassExW.USER32(00000030), ref: 00812D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00812D42
InitCommonControlsEx.COMCTL32(?), ref: 00812D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00812D6F
LoadIconW.USER32(000000A9), ref: 00812D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00812D94

Strings

0, xrefs: 00812CE9
AutoIt v3 GUI, xrefs: 00812D23
+, xrefs: 00812CF0
TaskbarCreated, xrefs: 00812D37

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 682686a0f6687b36f11884cf974afd1c46cd5898393dfc308a56ce5c5cbced41
Instruction ID: 628822a5554d6cb8edb4362ea3450451fe2105f5ac1dc94147edf4f15b93f7f0
Opcode Fuzzy Hash: 682686a0f6687b36f11884cf974afd1c46cd5898393dfc308a56ce5c5cbced41
Instruction Fuzzy Hash: 9F21C3B5901258AFEF00EFA8E889BDDBFB4FB09700F00811AF611AA6A0D7B55544CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0085065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0085039A: CreateFileW.KERNELBASE(00000000,00000000,?,00850704,?,?,00000000,?,00850704,00000000,0000000C), ref: 008503B7

GetLastError.KERNEL32 ref: 0085076F
__dosmaperr.LIBCMT ref: 00850776
GetFileType.KERNELBASE(00000000), ref: 00850782
GetLastError.KERNEL32 ref: 0085078C
__dosmaperr.LIBCMT ref: 00850795
CloseHandle.KERNEL32(00000000), ref: 008507B5
CloseHandle.KERNEL32(?), ref: 008508FF
GetLastError.KERNEL32 ref: 00850931
__dosmaperr.LIBCMT ref: 00850938

Strings

H, xrefs: 008508BD

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 3b8ccc0a1b299a2f75b48142b519e28bd13b8578578e8cfc0dc729c3b3d19f08
Instruction ID: 47fc44fd7cfb72e10186c9529a0974024ee4aa2580bce8a5832cd7e1a42ffff3
Opcode Fuzzy Hash: 3b8ccc0a1b299a2f75b48142b519e28bd13b8578578e8cfc0dc729c3b3d19f08
Instruction Fuzzy Hash: E0A10332A001488FDF19AF68D891BAE7BA0FB46325F140159FC11DF392DA71981ACF92

Uniqueness

Uniqueness Score: -1.00%

Function 0081344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00813A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008E1418,?,00812E7F,?,?,?,00000000), ref: 00813A78

Part of subcall function 00813357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00813379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0081356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0085318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008531CE
RegCloseKey.ADVAPI32(?), ref: 00853210
_wcslen.LIBCMT ref: 00853277
_wcslen.LIBCMT ref: 00853286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00813560
\, xrefs: 0085328C
Include, xrefs: 00853184, 008531C5
\Include\, xrefs: 00813527

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 9b0990fd5344e3510bc9a62867b2323077eba82c2d4d18075ef04d44b6c6ae79
Instruction ID: f5a8d1759333075e14b3b029efbc512ade884b2e4a35cdfcecd61951b6ce5cc8
Opcode Fuzzy Hash: 9b0990fd5344e3510bc9a62867b2323077eba82c2d4d18075ef04d44b6c6ae79
Instruction Fuzzy Hash: 697149714043419EC314EF69EC829ABBBECFF85750F40052EF595D6271EB749A88CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00812B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00812B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00812B9D
LoadIconW.USER32(00000063), ref: 00812BB3
LoadIconW.USER32(000000A4), ref: 00812BC5
LoadIconW.USER32(000000A2), ref: 00812BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00812BEF
RegisterClassExW.USER32(?), ref: 00812C40

Part of subcall function 00812CD4: GetSysColorBrush.USER32(0000000F), ref: 00812D07
Part of subcall function 00812CD4: RegisterClassExW.USER32(00000030), ref: 00812D31
Part of subcall function 00812CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00812D42
Part of subcall function 00812CD4: InitCommonControlsEx.COMCTL32(?), ref: 00812D5F
Part of subcall function 00812CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00812D6F
Part of subcall function 00812CD4: LoadIconW.USER32(000000A9), ref: 00812D85
Part of subcall function 00812CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00812D94

Strings

0, xrefs: 00812C0F
AutoIt v3, xrefs: 00812C2F
#, xrefs: 00812C16

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 841ce70046bb376a8f7a34d3b337825a25546d0dcf586d5a8153c974930ca005
Instruction ID: 566497f35cd73b0777b6a1893f9670088470f49acf367bad21f69e2654847f03
Opcode Fuzzy Hash: 841ce70046bb376a8f7a34d3b337825a25546d0dcf586d5a8153c974930ca005
Instruction Fuzzy Hash: 8F211A74E00358AFDF109FA9EC99AAD7FB4FB48B50F04401AF600AABA0D7B91540CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00813170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0081316A,?,?), ref: 008131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0081316A,?,?), ref: 00813204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00813227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0081316A,?,?), ref: 00813232
CreatePopupMenu.USER32 ref: 00813246
PostQuitMessage.USER32(00000000), ref: 00813267

Strings

TaskbarCreated, xrefs: 0081322D

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c032a49f4d6a3bbb6d8b05cb31ef993f42502d18908bbce722400976e20d3638
Instruction ID: e8f68c7162b920a4dcbb59bf89ff49f55794255c27d25def45f7c6c9e18b1f70
Opcode Fuzzy Hash: c032a49f4d6a3bbb6d8b05cb31ef993f42502d18908bbce722400976e20d3638
Instruction Fuzzy Hash: 0A411531240248ABEF156B7C9D4EBFD3A5DFF06345F040125F912CA6A2CB759AC497A2

Uniqueness

Uniqueness Score: -1.00%

Function 00848D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ca2a283f43fcf816b3fd5933dccb176b5d82d72a68527a9a564bebf7fc9ab8
Instruction ID: d2a2706be8c83b768b2bfb3ae96e9dd842ac08a2677cd3568d566c629d5b9065
Opcode Fuzzy Hash: 39ca2a283f43fcf816b3fd5933dccb176b5d82d72a68527a9a564bebf7fc9ab8
Instruction Fuzzy Hash: CDC1AD74E0424DEFDB21DFA8D841BAEBBB4FF49310F144199E954EB292CB709941CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03ED2620 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03ED26F1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03ED2917

Memory Dump Source

Source File: 00000000.00000002.1223683931.0000000003ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ed0000_FAR.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction ID: f1279a4ba3b6a243193e0f6689d898cc1365b877f3e6ef70de1ba11c90aeb23f
Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction Fuzzy Hash: 9FA12A74E00209EBDB14CFA4C894BEEB7B5FF48305F249699E611BB280D7759A42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00812C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00812C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00812CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00811CAD,?), ref: 00812CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00811CAD,?), ref: 00812CCF

Strings

edit, xrefs: 00812CAC
AutoIt v3, xrefs: 00812C89, 00812C8E, 00812C8F

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ad81e5eb9d52156ebea3113c01fd9f0ac2ad7f11d57f8bf1234f731d13d37831
Instruction ID: 447cfe78fe1fbf10c62469f5e124a9c3062d706b740986cf57ab7e71c8df0eaa
Opcode Fuzzy Hash: ad81e5eb9d52156ebea3113c01fd9f0ac2ad7f11d57f8bf1234f731d13d37831
Instruction Fuzzy Hash: D4F0DA755402D07AEB311717AC8CE772EBDF7C7F50B04005AFA00AAAA0C6791851DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 03ED2410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03ED2300: Sleep.KERNELBASE(000001F4), ref: 03ED2311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03ED250E

Strings

E7A7QKDGR0FY37, xrefs: 03ED2571, 03ED2574

Memory Dump Source

Source File: 00000000.00000002.1223683931.0000000003ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ed0000_FAR.jbxd

Similarity

API ID: CreateFileSleep
String ID: E7A7QKDGR0FY37
API String ID: 2694422964-2482346747
Opcode ID: 687fbd0832360862341ccd07561833d2445037e4e35919ac4e5e4d3429ea0603
Instruction ID: 30f3727b86134780c47500e3a1752bd31bd5f03aa84dab0020ec63c6fc251475
Opcode Fuzzy Hash: 687fbd0832360862341ccd07561833d2445037e4e35919ac4e5e4d3429ea0603
Instruction Fuzzy Hash: 52519370D04249DAEF11DBE4C814BEEBBB9AF44304F004699E709BB2C0D7791B45CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00882947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00882C05
DeleteFileW.KERNEL32(?), ref: 00882C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00882C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00882CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00882CC0

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 28686ff7a69c92397f297111eb005b7de97c7c12c7eeccbf9ccc8a1484cf8cf9
Instruction ID: d0ec38892414321d62ae7b0a1830bb7ac355c170860e7114373a24bcd1b96136
Opcode Fuzzy Hash: 28686ff7a69c92397f297111eb005b7de97c7c12c7eeccbf9ccc8a1484cf8cf9
Instruction Fuzzy Hash: ECB14F71D01129ABDF15EBA8CC85EEEB7BDFF49350F1040A6F509E6141EA319A448FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00813B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00813B0F,SwapMouseButtons,00000004,?), ref: 00813B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00813B0F,SwapMouseButtons,00000004,?), ref: 00813B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00813B0F,SwapMouseButtons,00000004,?), ref: 00813B83

Strings

Control Panel\Mouse, xrefs: 00813B3E

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 555d6b3fcd49969f67b2f031193bb0affcdf75a59aa527396e03a057a4bc27dd
Instruction ID: e4202eb08fc690a025dcae76af8a2a199f1c21b9492d0237cb49944bb0a52f58
Opcode Fuzzy Hash: 555d6b3fcd49969f67b2f031193bb0affcdf75a59aa527396e03a057a4bc27dd
Instruction Fuzzy Hash: 4A112AB5514208FFDB208FA5DC44AEFB7BCFF05754B104459A805D7110E2319E809760

Uniqueness

Uniqueness Score: -1.00%

Function 03ED1300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03ED1B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03ED1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03ED1B73

Memory Dump Source

Source File: 00000000.00000002.1223683931.0000000003ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ed0000_FAR.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction ID: 7fc4a702825a533318c066a858ecbc5e98772019eb9c122c5471afcaf7026e8d
Opcode Fuzzy Hash: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction Fuzzy Hash: 94621B34A14258DBEB24CFA4C840BEEB376EF58304F1095A9D10DEB394E7769E81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0081DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 008632B7

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 1b8b054af2c2968e139ea1ac24bd2d09000bae1ad491e3e0350f33dc2e7814c0
Instruction ID: 4592eadd0ac73b6ca2aa409e1ab54e7e6c9543c23afa4b504255d20140d78115
Opcode Fuzzy Hash: 1b8b054af2c2968e139ea1ac24bd2d09000bae1ad491e3e0350f33dc2e7814c0
Instruction Fuzzy Hash: DDC27871A00218CFCB24CF58D880AAEB7B9FF18314F258569ED56EB391D375AD81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00813923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008533A2

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00813A04

Strings

Line: , xrefs: 008533EB

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 96c2d523f2fb36ed11278af0ee52ba2eeeb0d24bb5f0a7f200246635f6cd9073
Instruction ID: f7ad172ad9bc62a971c3ad22bb4163d1ca81f594d342531531b8b6e67d2663e2
Opcode Fuzzy Hash: 96c2d523f2fb36ed11278af0ee52ba2eeeb0d24bb5f0a7f200246635f6cd9073
Instruction Fuzzy Hash: 0C31C071408344AAD721EB24DC49BEBB7ECFF45710F00452AF5A9D2291EB749A88C7C3

Uniqueness

Uniqueness Score: -1.00%

Function 0082FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00830668

Part of subcall function 008332A4: RaiseException.KERNEL32(?,?,?,0083068A,?,008E1444,?,?,?,?,?,?,0083068A,00811129,008D8738,00811129), ref: 00833304

__CxxThrowException@8.LIBVCRUNTIME ref: 00830685

Strings

Unknown exception, xrefs: 00830692

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 70f450372d2046d87ad7cb74f63b505c2541e4a74c343f62fd6fb0a99d3df6ff
Instruction ID: 1f9b1c075e757b0c57d5e5ec75beab75df3d570fc0cbec9dc52cbe26caf9fadc
Opcode Fuzzy Hash: 70f450372d2046d87ad7cb74f63b505c2541e4a74c343f62fd6fb0a99d3df6ff
Instruction Fuzzy Hash: A9F04F2490030DA78B00B6A8E856D9E776CFE90354FA04531BA24D6696EF71EAA5C9C2

Uniqueness

Uniqueness Score: -1.00%

Function 00883017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0088302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00883044

Strings

aut, xrefs: 00883038

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: a952069d7203b2fc5545cb149153b4abcbc31a347afea88ba88cad3c8140f0c1
Instruction ID: f138cb5a82abec90377433de8f33b86f40ed7874e53840673b3f74f947d3e15f
Opcode Fuzzy Hash: a952069d7203b2fc5545cb149153b4abcbc31a347afea88ba88cad3c8140f0c1
Instruction Fuzzy Hash: 21D05B7150032867DA209794AD0DFC73B6CE705750F0002527655D2191DAB49544CAD0

Uniqueness

Uniqueness Score: -1.00%

Function 00897F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 008982F5
TerminateProcess.KERNEL32(00000000), ref: 008982FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 008984DD

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 25818f7ff90d621d2e3b071e5801e4b84ac644b1960943acc41ac035efb0a4c2
Instruction ID: fc728ab48081ec8caff71a07e61676510e0e4bcd891129968d3492562147a6fc
Opcode Fuzzy Hash: 25818f7ff90d621d2e3b071e5801e4b84ac644b1960943acc41ac035efb0a4c2
Instruction Fuzzy Hash: D4125B71A08301DFDB14DF28C484B6ABBE5FF85318F18895DE899CB252DB31E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00845AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb3bef8ea2eccb84ed400354898a3f899cedda942c0ae2b07a1a5e61aacc2b2
Instruction ID: 57b70261d34c014633a8a4f72a0887ad4ca5e6189f994813a495025260dd9fe8
Opcode Fuzzy Hash: 1fb3bef8ea2eccb84ed400354898a3f899cedda942c0ae2b07a1a5e61aacc2b2
Instruction Fuzzy Hash: D2519E71D0060DDBDB219FA8C885FAE7BB8FF45324F14005AF405E7293D7759A018BA2

Uniqueness

Uniqueness Score: -1.00%

Function 008110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00811BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00811BF4
Part of subcall function 00811BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00811BFC
Part of subcall function 00811BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00811C07
Part of subcall function 00811BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00811C12
Part of subcall function 00811BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00811C1A
Part of subcall function 00811BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00811C22

Part of subcall function 00811B4A: RegisterWindowMessageW.USER32(00000004,?,008112C4), ref: 00811BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0081136A
OleInitialize.OLE32 ref: 00811388
CloseHandle.KERNEL32(00000000,00000000), ref: 008524AB

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: abdc362582c34a31939f49e048d1b5392abb1676fe61ac7541ee8e677d5f19ae
Instruction ID: 66d4253fc68642f6b399582e29ff7a58a7c123836cabdb7bf200b394822f1d9c
Opcode Fuzzy Hash: abdc362582c34a31939f49e048d1b5392abb1676fe61ac7541ee8e677d5f19ae
Instruction Fuzzy Hash: 9071AFB49113908ECF84DFBAADCD6993AE5FB8A344754823AD51ACF361EB304485CF45

Uniqueness

Uniqueness Score: -1.00%

Function 008154C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 0081556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 0081557D

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 47b303ab372dc230e7d46a68fce2d3e1d925d9e7a6db553e618520de4bcbec8d
Instruction ID: e5c121cb99906069b3440e7c924eb9e0965c0d53793e68293442d7152c008d89
Opcode Fuzzy Hash: 47b303ab372dc230e7d46a68fce2d3e1d925d9e7a6db553e618520de4bcbec8d
Instruction Fuzzy Hash: 32310A71A00609EFDB14CF68C880BD9B7BAFF88754F148629E915D7240D771FA94CB90

Uniqueness

Uniqueness Score: -1.00%

Function 008486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,008485CC,?,008D8CC8,0000000C), ref: 00848704
GetLastError.KERNEL32(?,008485CC,?,008D8CC8,0000000C), ref: 0084870E
__dosmaperr.LIBCMT ref: 00848739

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: db788b946ae34a1d4d492087b42fa33999ba9d5eb0589ff29ed1a6bd95a1e252
Instruction ID: abc4768bce2ce1454c727ceb15ec90634cc95136e9de1e95ad79b4375931a4f1
Opcode Fuzzy Hash: db788b946ae34a1d4d492087b42fa33999ba9d5eb0589ff29ed1a6bd95a1e252
Instruction Fuzzy Hash: 45016B33A04268A7D6A166386889B7F6749FB93778F3A0119F804CB2D3DEA08C818191

Uniqueness

Uniqueness Score: -1.00%

Function 00882FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00882CD4,?,?,?,00000004,00000001), ref: 00882FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00882CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00883006
CloseHandle.KERNEL32(00000000,?,00882CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0088300D

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 1cfe715912da6e84522ea4c517d3d3ce67849dd013637af19ab4e4393efda863
Instruction ID: 756557c1b47806af85408f6b740df675350a79a5c54ff4c24747ca88b57a462d
Opcode Fuzzy Hash: 1cfe715912da6e84522ea4c517d3d3ce67849dd013637af19ab4e4393efda863
Instruction Fuzzy Hash: 35E0863238021077E6312755BC0DF8B3A1CE787F71F104210F719B51D08AA0550143A8

Uniqueness

Uniqueness Score: -1.00%

Function 00821310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008217F6

Strings

CALL, xrefs: 008217C6

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: c32875571d1d0e4f02385da053db9856411d26635a1c8e7cdbe403442548b8aa
Instruction ID: 3965bec3a115e1f5181c90ba785362d21301c1595a8de88dc52a889709fe5612
Opcode Fuzzy Hash: c32875571d1d0e4f02385da053db9856411d26635a1c8e7cdbe403442548b8aa
Instruction Fuzzy Hash: AC229B706082519FCB14DF18D488A2ABBF1FF95314F25896DF496CB3A2D731E991CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00886EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00886F6B

Part of subcall function 00814ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00886F5A, 00886F63

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 724e2b41895f279f7e86363bac829ee3502059d7e94920311cdfbca77f32a409
Instruction ID: 3fc8a6d4a14825508e8850515d85cdde2e7af6623252271c6e09228d724b3775
Opcode Fuzzy Hash: 724e2b41895f279f7e86363bac829ee3502059d7e94920311cdfbca77f32a409
Instruction Fuzzy Hash: BCB13F311086019FCB14EF28C4919AEB7E9FF94314F14896DF596D7262EB30ED89CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00812DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00852C8C

Part of subcall function 00813AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00813A97,?,?,00812E7F,?,?,?,00000000), ref: 00813AC2

Part of subcall function 00812DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00812DC4

Strings

X, xrefs: 00852C5A

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: c33de775d40a1e81797858fc4f541fcfa36956f51300283f8c6e20e2e4851625
Instruction ID: cee250f2fc234b8a31a18dd40ecb46e42e8a670ddd24d012f84a5adff0af0816
Opcode Fuzzy Hash: c33de775d40a1e81797858fc4f541fcfa36956f51300283f8c6e20e2e4851625
Instruction Fuzzy Hash: 9E21A170A0025C9ADB01DF98C845BEE7BBDFF49315F00405AE505E7241EBB45A9D8FA2

Uniqueness

Uniqueness Score: -1.00%

Function 00882557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00882587

Strings

EA06, xrefs: 008825B9

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 17ca4fd43c0777e2ae1dbaa72f6845d2c2ed359e277edae09146396578cd17ce
Instruction ID: 5dcf2d7c7697d3a410bebaf2d7c414b154254094b9bf94a7e6d9183fc03b2af9
Opcode Fuzzy Hash: 17ca4fd43c0777e2ae1dbaa72f6845d2c2ed359e277edae09146396578cd17ce
Instruction Fuzzy Hash: C101B5729442587EDF28D7A8C856FAEBBF8EB05315F00455AE592D21C1E5B4E6088BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00813837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00813908

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: fc746222cd93613b1398cff3baab47f162969943ed3f19d473e04b2b939a3c7c
Instruction ID: d399aed171162f956e8d2645737aa476e3207b86ef8833c0e647f1d65b97f09c
Opcode Fuzzy Hash: fc746222cd93613b1398cff3baab47f162969943ed3f19d473e04b2b939a3c7c
Instruction Fuzzy Hash: D9315AB05043019FD721DF24D8847D6BBE8FF49708F00092EE99AD7250E775AA84CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00815745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0081949C,?,00008000), ref: 00815773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0081949C,?,00008000), ref: 00854052

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3b940065c7532620ca97195463ce2b4250e4b3baec68b49dbbb375d4dad3108c
Instruction ID: 79ff646c2aedf1032437b16e01f7d40c7844981aa6a31c4e47d582870b62115a
Opcode Fuzzy Hash: 3b940065c7532620ca97195463ce2b4250e4b3baec68b49dbbb375d4dad3108c
Instruction Fuzzy Hash: AE014031245625F6E3714A2ADC0EF977F98FF42BB5F148610BA9C9A1E0CBB45894CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03ED12FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03ED1B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03ED1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03ED1B73

Memory Dump Source

Source File: 00000000.00000002.1223683931.0000000003ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ed0000_FAR.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction ID: d7a84c0bc8df507f26ec46c611adbba6333a4f00427ac32722f7d616b0f493ac
Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction Fuzzy Hash: 6E12D024E14658C6EB24DF64D8507DEB232EF68300F10A5E9910DEB7A4E77A4F81CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00814ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00814E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00814EDD,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E9C
Part of subcall function 00814E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00814EAE
Part of subcall function 00814E90: FreeLibrary.KERNEL32(00000000,?,?,00814EDD,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814EFD

Part of subcall function 00814E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00853CDE,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E62
Part of subcall function 00814E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00814E74
Part of subcall function 00814E59: FreeLibrary.KERNEL32(00000000,?,?,00853CDE,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E87

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 26342c15ae11269c69e64432e2b34b1a9ce9eccf5e8dd8e96054e73cfe959217
Instruction ID: de8c78b55d79c401d95d3b0d969eb9d37a8086281f29e238dc9b3a85e129710c
Opcode Fuzzy Hash: 26342c15ae11269c69e64432e2b34b1a9ce9eccf5e8dd8e96054e73cfe959217
Instruction Fuzzy Hash: A011C132600205AADB14AB68D802FED77A9FF80711F108429F542EA2C1EE719E869791

Uniqueness

Uniqueness Score: -1.00%

Function 00848402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00848440

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 301b2e9b5e4937eb5470090748ea86564ee219f8e5ff6613f8bb63f9146963dd
Instruction ID: 3df8fb578c682be63db6571dabd516916779af875029ff88f4314e761c1aa171
Opcode Fuzzy Hash: 301b2e9b5e4937eb5470090748ea86564ee219f8e5ff6613f8bb63f9146963dd
Instruction Fuzzy Hash: A311067590410AEFCB05DF58E94199E7BF9FF48314F144059FC08EB312DA31DA118BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00819A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,0081543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00819A9C

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 4905063d0950fb75e32b3cf692a99a6b765188fed4f4fd3deff8eb557ee85bc4
Instruction ID: 9c31b7a2235b1fcc6fdb9c912ddfaa122509c8a9d3d7077ad46469d3c381bd2a
Opcode Fuzzy Hash: 4905063d0950fb75e32b3cf692a99a6b765188fed4f4fd3deff8eb557ee85bc4
Instruction Fuzzy Hash: 3F116631204B149FD7248E0AD890BA2B7F8FF44364F10C42EE9DBCAA50C771A889CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00845000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00844C7D: RtlAllocateHeap.NTDLL(00000008,00811129,00000000,?,00842E29,00000001,00000364,?,?,?,0083F2DE,00843863,008E1444,?,0082FDF5,?), ref: 00844CBE

_free.LIBCMT ref: 0084506C

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 0f18758eb191b3cdfaa40fd28130323f51691c15115ef54cae43d8614235fd88
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 51012676204B096BE321CE699881A9AFBE9FB89370F65051DE184C3281EA30A805C6B5

Uniqueness

Uniqueness Score: -1.00%

Function 0083E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 231308ad2812756c43b4de4a09d60189baed25adaaa97ff5c1b904fd74793ae9
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 73F08132511A1896D6313A6E9C06B5A3798FFE2335F100719F925D22D2EB749802C6E6

Uniqueness

Uniqueness Score: -1.00%

Function 00844C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00811129,00000000,?,00842E29,00000001,00000364,?,?,?,0083F2DE,00843863,008E1444,?,0082FDF5,?), ref: 00844CBE

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2aa3fb47fc82ce14220a2e99dc35e70d7a60c4c21aab380af832c93df6e09bea
Instruction ID: 94c889459cec5f5a962521b63eb299cc8657cd2311343df98edb4e018141c636
Opcode Fuzzy Hash: 2aa3fb47fc82ce14220a2e99dc35e70d7a60c4c21aab380af832c93df6e09bea
Instruction Fuzzy Hash: 8CF0E93160222CA7DB215F66AC89B5B3788FF917B1F1C6111BC15EA281CAB0D80046E1

Uniqueness

Uniqueness Score: -1.00%

Function 00843820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6,?,00811129), ref: 00843852

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f436b4e79232ff988de3d4124e44c151ad51eacaa6d03ce959f0a8c741c685a3
Instruction ID: 1635e25d69729158aaa133496c9858856be944a5e75864bc188577a8e58dce99
Opcode Fuzzy Hash: f436b4e79232ff988de3d4124e44c151ad51eacaa6d03ce959f0a8c741c685a3
Instruction Fuzzy Hash: 8BE09B3150122C97E73126BB9C05B9BF749FF827B0F150131BD15D6591DB61EE0185E1

Uniqueness

Uniqueness Score: -1.00%

Function 00814F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814F6D

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 40b2843ac1195c173d6cd8994b4e788b561e0e38220e006fa64e655db55608c3
Instruction ID: d82a193909895d7bf16177c18fb4c43477346477f9cb1f2229289b40fb69b5cf
Opcode Fuzzy Hash: 40b2843ac1195c173d6cd8994b4e788b561e0e38220e006fa64e655db55608c3
Instruction Fuzzy Hash: ABF03971105752CFDB349F64E4908A2BBE8FF15329324A97EE1EBC6621CB319889DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00812DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00812DC4

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 0cb7537c54c74fe5393e9ba6933332054868f47ce6068f06fef42d026c313739
Instruction ID: c43fcfa17eca432eccbf0dbdf9c709b0a5d82f0b5126f965a4c81c94f7c8b133
Opcode Fuzzy Hash: 0cb7537c54c74fe5393e9ba6933332054868f47ce6068f06fef42d026c313739
Instruction Fuzzy Hash: B5E0CD726041245BCB10925C9C05FEA77DDFFC8791F050071FD09D7248DA64AD848551

Uniqueness

Uniqueness Score: -1.00%

Function 00882693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 008826B5

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 46fba4bd44375b8223ab31a618c4e8208c8cdea4b88631e9805413b9be442b4c
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 70E048B06097005FDF39AA28A9517B777D4EF59300F00046EF59BC2252E5726845874D

Uniqueness

Uniqueness Score: -1.00%

Function 00812B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00813837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00813908

Part of subcall function 0081D730: GetInputState.USER32 ref: 0081D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00812B6B

Part of subcall function 008130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0081314E

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 5765930578b5c9f213feafd2567b11ff8c91f57cb2957814a7d9ad6b23a0c9f6
Instruction ID: 4a7389af0b92bb7c5eb8460d1d1269ddab480630e630ae231457812781227bb5
Opcode Fuzzy Hash: 5765930578b5c9f213feafd2567b11ff8c91f57cb2957814a7d9ad6b23a0c9f6
Instruction Fuzzy Hash: 6CE0863130424407CA05BB7DA8565EDA79EFFD6355F40153EF142C72A2CE6589C94353

Uniqueness

Uniqueness Score: -1.00%

Function 0085039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00850704,?,?,00000000,?,00850704,00000000,0000000C), ref: 008503B7

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a4c07dba16edf7d013aa759931aaca0d44724cdb8d41a43f900b2fdf6d208d51
Instruction ID: 5a7243399ac559722f235d3d9a048c0b017f5e78b1abd75efbfd3fa447b9b2cc
Opcode Fuzzy Hash: a4c07dba16edf7d013aa759931aaca0d44724cdb8d41a43f900b2fdf6d208d51
Instruction Fuzzy Hash: BBD06C3214010DBBDF028F84DD06EDA3BAAFB48714F014000BE1856020C736E821AB90

Uniqueness

Uniqueness Score: -1.00%

Function 00811CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00811CBC

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 36e0f665b0f343dea0151516d2602ccdcb003ac4a4492c705c2d2defc406de31
Instruction ID: 9bec22163f6cb7edad410d8b1d945d7d683fcd6417c717fc0a24f9ff700c7abb
Opcode Fuzzy Hash: 36e0f665b0f343dea0151516d2602ccdcb003ac4a4492c705c2d2defc406de31
Instruction Fuzzy Hash: CEC09B352803449FF6144780BD8EF107754B348B00F444001F6095D5E3C7F11810D650

Uniqueness

Uniqueness Score: -1.00%

Function 0088744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00815745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0081949C,?,00008000), ref: 00815773

GetLastError.KERNEL32(00000002,00000000), ref: 008876DE

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 4fcffc9dc692b83f18418788c6e563545aaaf6d25d08c08eeb693c77fa017706
Instruction ID: 84712a34e3ce55a7a8374c4f7c9f6b6c70b338728bdca09a1dee2686e2f53636
Opcode Fuzzy Hash: 4fcffc9dc692b83f18418788c6e563545aaaf6d25d08c08eeb693c77fa017706
Instruction Fuzzy Hash: 6C817C306087019FC714EF28C491AA9B7F5FF99314F14452DF89A9B2A2DB30ED85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0082FC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0082FD1F

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 9483155d13b19cec2705f982529cead8b54638cbbf094dd17448211daa32e295
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 9E31E2B4A001299BD718CF59E490969FBB1FF49304B2486B5E90ACB656D731EEC1CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 03ED2300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 03ED2311

Memory Dump Source

Source File: 00000000.00000002.1223683931.0000000003ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ed0000_FAR.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 5d9bb5eaec7cbda5490b0dd4488c06b5b00794f19172ad846cfdf477b8199ecd
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 2AE0E67494010EDFDB00EFB8D64969E7FB4EF04301F1006A1FD01D2280D6309D508A72

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 008A9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 008A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 008A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008A96C9
SendMessageW.USER32 ref: 008A96F2
GetKeyState.USER32(00000011), ref: 008A978B
GetKeyState.USER32(00000009), ref: 008A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008A97AE
GetKeyState.USER32(00000010), ref: 008A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008A97E9
SendMessageW.USER32 ref: 008A9810
SendMessageW.USER32(?,00001030,?,008A7E95), ref: 008A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 008A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 008A9941
SetCapture.USER32(?), ref: 008A994A
ClientToScreen.USER32(?,?), ref: 008A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008A99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008A99D6
ReleaseCapture.USER32 ref: 008A99E1
GetCursorPos.USER32(?), ref: 008A9A19
ScreenToClient.USER32(?,?), ref: 008A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 008A9A80
SendMessageW.USER32 ref: 008A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 008A9AEB
SendMessageW.USER32 ref: 008A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 008A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 008A9B4A
GetCursorPos.USER32(?), ref: 008A9B68
ScreenToClient.USER32(?,?), ref: 008A9B75
GetParent.USER32(?), ref: 008A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 008A9BFA
SendMessageW.USER32 ref: 008A9C2B
ClientToScreen.USER32(?,?), ref: 008A9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 008A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 008A9CDE
SendMessageW.USER32 ref: 008A9D01
ClientToScreen.USER32(?,?), ref: 008A9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 008A9D82

Part of subcall function 00829944: GetWindowLongW.USER32(?,000000EB), ref: 00829952

GetWindowLongW.USER32(?,000000F0), ref: 008A9E05

Strings

@GUI_DRAGID, xrefs: 008A997D
F, xrefs: 008A9D07

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 114c9b5c97d1d478b2fe9d471ab539c1930d4557228f4f80bec8a9ae76b047e2
Instruction ID: 430649a502f0b29e1ab9254312345104bff9884b75d4cc7afbe856634beeb5b0
Opcode Fuzzy Hash: 114c9b5c97d1d478b2fe9d471ab539c1930d4557228f4f80bec8a9ae76b047e2
Instruction Fuzzy Hash: 4B428034608241AFEB24CF68CC84AAABBE5FF5A314F14051DF695C7AA1D771E850CF51

Uniqueness

Uniqueness Score: -1.00%

Function 008A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 008A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 008A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 008A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 008A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 008A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 008A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 008A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 008A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 008A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 008A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 008A4A7E
IsMenu.USER32(?), ref: 008A4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008A4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008A4B20
GetWindowLongW.USER32(?,000000F0), ref: 008A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 008A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 008A4C82
wsprintfW.USER32 ref: 008A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008A4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 008A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 008A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008A4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 008A4D5A

Strings

%d/%02d/%02d, xrefs: 008A4CA8

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 8a76f60202272848e1e3d06f86de192e04547b9d063472c428c3b2785fd3c240
Instruction ID: c69cd272b3f94ee06a02a7452982dd2c03e07ef2f1cdd81b08f44c9dbfb3dbcc
Opcode Fuzzy Hash: 8a76f60202272848e1e3d06f86de192e04547b9d063472c428c3b2785fd3c240
Instruction Fuzzy Hash: BB12DC71600218ABFF258F28DC49FAE7BF8FF86314F105129F516EA6A1DBB49941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0082F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0082F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0086F474
IsIconic.USER32(00000000), ref: 0086F47D
ShowWindow.USER32(00000000,00000009), ref: 0086F48A
SetForegroundWindow.USER32(00000000), ref: 0086F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0086F4AA
GetCurrentThreadId.KERNEL32 ref: 0086F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0086F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0086F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0086F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0086F4DE
SetForegroundWindow.USER32(00000000), ref: 0086F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0086F4F6
keybd_event.USER32(00000012,00000000), ref: 0086F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0086F50B
keybd_event.USER32(00000012,00000000), ref: 0086F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0086F519
keybd_event.USER32(00000012,00000000), ref: 0086F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0086F528
keybd_event.USER32(00000012,00000000), ref: 0086F52D
SetForegroundWindow.USER32(00000000), ref: 0086F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0086F557

Strings

Shell_TrayWnd, xrefs: 0086F46F

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: c43e5eba7bb8bbcb483dfec13e3bccce5a3bfdf53653402f16b03b691b518a63
Instruction ID: bbba0c5f667ea7f8af060f3decbadbff585188750c6d6a9de9f4381c163a062e
Opcode Fuzzy Hash: c43e5eba7bb8bbcb483dfec13e3bccce5a3bfdf53653402f16b03b691b518a63
Instruction Fuzzy Hash: 39311071A40218BFFB216BB55C4AFBF7E6CFB45B50F110065FB01E61D1DAB19D00AA60

Uniqueness

Uniqueness Score: -1.00%

Function 00871201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0087170D
Part of subcall function 008716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0087173A
Part of subcall function 008716C3: GetLastError.KERNEL32 ref: 0087174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00871286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008712A8
CloseHandle.KERNEL32(?), ref: 008712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008712D1
GetProcessWindowStation.USER32 ref: 008712EA
SetProcessWindowStation.USER32(00000000), ref: 008712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00871310

Part of subcall function 008710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008711FC), ref: 008710D4
Part of subcall function 008710BF: CloseHandle.KERNEL32(?,?,008711FC), ref: 008710E9

Strings

winsta0, xrefs: 008712CC
, xrefs: 0087125A
default, xrefs: 0087130B

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 9f83cb8c866142aa59bf40fe354f48d25251e54d776f11ed51ee437a812530d9
Instruction ID: fcda87ccc518b7deea5e1c8b655cf97664884e83f2236db6e13b48e44acd96d3
Opcode Fuzzy Hash: 9f83cb8c866142aa59bf40fe354f48d25251e54d776f11ed51ee437a812530d9
Instruction Fuzzy Hash: 42819D71900208AFEF219FA8DC49BEE7BBAFF05704F148129F914E66A4D774C944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00870B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00871114
Part of subcall function 008710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871120
Part of subcall function 008710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 0087112F
Part of subcall function 008710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871136
Part of subcall function 008710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0087114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00870BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00870C00
GetLengthSid.ADVAPI32(?), ref: 00870C17
GetAce.ADVAPI32(?,00000000,?), ref: 00870C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00870C6D
GetLengthSid.ADVAPI32(?), ref: 00870C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00870C8C
HeapAlloc.KERNEL32(00000000), ref: 00870C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00870CB4
CopySid.ADVAPI32(00000000), ref: 00870CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00870CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00870D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00870D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870D45
HeapFree.KERNEL32(00000000), ref: 00870D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870D55
HeapFree.KERNEL32(00000000), ref: 00870D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870D65
HeapFree.KERNEL32(00000000), ref: 00870D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00870D78
HeapFree.KERNEL32(00000000), ref: 00870D7F

Part of subcall function 00871193: GetProcessHeap.KERNEL32(00000008,00870BB1,?,00000000,?,00870BB1,?), ref: 008711A1
Part of subcall function 00871193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00870BB1,?), ref: 008711A8
Part of subcall function 00871193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00870BB1,?), ref: 008711B7

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 45878661e8de86a8c88a90153f60b12486fc92120f7f742692ab7d5295d99260
Instruction ID: f04aa307d036dc1ea4e2f0ad3ba18c60c1f70765eab9db2d73ac6bf8261845d2
Opcode Fuzzy Hash: 45878661e8de86a8c88a90153f60b12486fc92120f7f742692ab7d5295d99260
Instruction Fuzzy Hash: 4B713C71A0020AEBEF10DFA4DC48BAEBBB8FF05310F148615E919E6295D775E905CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0088EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(008ACC08), ref: 0088EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0088EB37
GetClipboardData.USER32(0000000D), ref: 0088EB43
CloseClipboard.USER32 ref: 0088EB4F
GlobalLock.KERNEL32(00000000), ref: 0088EB87
CloseClipboard.USER32 ref: 0088EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 0088EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0088EBC9
GetClipboardData.USER32(00000001), ref: 0088EBD1
GlobalLock.KERNEL32(00000000), ref: 0088EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 0088EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0088EC38
GetClipboardData.USER32(0000000F), ref: 0088EC44
GlobalLock.KERNEL32(00000000), ref: 0088EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0088EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0088EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0088ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 0088ECF3
CountClipboardFormats.USER32 ref: 0088ED14
CloseClipboard.USER32 ref: 0088ED59

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: fa8686ccae8fbf92d66e8915baa6c68b9aa7a0ef90c70232ae1281defb1ff015
Instruction ID: 633a7cf0669e7108942ce50a8ff17b37dc466ab25bdbd8524c71ce7e867e3be0
Opcode Fuzzy Hash: fa8686ccae8fbf92d66e8915baa6c68b9aa7a0ef90c70232ae1281defb1ff015
Instruction Fuzzy Hash: 2061BD342042059FE310EF28D894F6ABBA8FF85714F18451DF496D76A2DB31ED49CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0088698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008869BE
FindClose.KERNEL32(00000000), ref: 00886A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00886A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00886A75

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00886AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00886ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00886B32
%4d%02d%02d%02d%02d%02d, xrefs: 00886B6A
%02d, xrefs: 00886C00, 00886C0A, 00886C5A, 00886CAA, 00886CFA, 00886D4A
%03d, xrefs: 00886DA2
%4d, xrefs: 00886BB1

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: cd539a2e872fbe50a9895a9c2ec7c0868bd1f2da7e3fbb00d0ca3de5d8ba32de
Instruction ID: 6d44530155ac059c145f82fe8597139afeab526d3e926450768e5ef87e6d4f5e
Opcode Fuzzy Hash: cd539a2e872fbe50a9895a9c2ec7c0868bd1f2da7e3fbb00d0ca3de5d8ba32de
Instruction Fuzzy Hash: 06D12C72508300AAC714EBA8D891EABB7ECFF88704F44491EF585D7291EB74DA44CB63

Uniqueness

Uniqueness Score: -1.00%

Function 00889642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00889663
GetFileAttributesW.KERNEL32(?), ref: 008896A1
SetFileAttributesW.KERNEL32(?,?), ref: 008896BB
FindNextFileW.KERNEL32(00000000,?), ref: 008896D3
FindClose.KERNEL32(00000000), ref: 008896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 008896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0088974A
SetCurrentDirectoryW.KERNEL32(008D6B7C), ref: 00889768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00889772
FindClose.KERNEL32(00000000), ref: 0088977F
FindClose.KERNEL32(00000000), ref: 0088978F

Strings

*.*, xrefs: 008896F5

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: e81c4f1c5a21108f7ba14b21a741e3574d5e5cefa170ce81816fa471f7bcca4b
Instruction ID: 7a6813a68ac68ac39c4800058b60ea3f36b32e74ab9a25e210a598cb9248e469
Opcode Fuzzy Hash: e81c4f1c5a21108f7ba14b21a741e3574d5e5cefa170ce81816fa471f7bcca4b
Instruction Fuzzy Hash: 6331C0325412196AEF20FFB4DC08AEE77ACFF4A320F184156F855E22A0EB74DE408B54

Uniqueness

Uniqueness Score: -1.00%

Function 0088979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 008897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00889819
FindClose.KERNEL32(00000000), ref: 00889824
FindFirstFileW.KERNEL32(*.*,?), ref: 00889840
SetCurrentDirectoryW.KERNEL32(?), ref: 00889890
SetCurrentDirectoryW.KERNEL32(008D6B7C), ref: 008898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 008898B8
FindClose.KERNEL32(00000000), ref: 008898C5
FindClose.KERNEL32(00000000), ref: 008898D5

Part of subcall function 0087DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0087DB00

Strings

*.*, xrefs: 0088983B

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: b950f0f06f11aabe836724549331d907aacce1ba4713af246605aa39aef6f8ef
Instruction ID: 1421da529393fbbd0d4d7643d9c05ea0bba676cb1f48f1c7ec1583597b05a411
Opcode Fuzzy Hash: b950f0f06f11aabe836724549331d907aacce1ba4713af246605aa39aef6f8ef
Instruction Fuzzy Hash: 9831A33150061E6EEF10BFB4DC48AEE77ACFF46324F184166E894E2691EB75DE448B60

Uniqueness

Uniqueness Score: -1.00%

Function 00888195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00888257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00888267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00888273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00888310
SetCurrentDirectoryW.KERNEL32(?), ref: 00888324
SetCurrentDirectoryW.KERNEL32(?), ref: 00888356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0088838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00888395

Strings

*.*, xrefs: 0088839B

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 02424f832d2ea5e739f452a789d861a90500819fd43231abc464ee0ce0fbc055
Instruction ID: 9bd259eb8d3483169038e16cfc408bb5c9460502cf9d5699998f62ff1459170f
Opcode Fuzzy Hash: 02424f832d2ea5e739f452a789d861a90500819fd43231abc464ee0ce0fbc055
Instruction Fuzzy Hash: C06169725043059FDB10EF68C8849AEB3E9FF89314F44892EF999C7251EB31E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0087D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00813AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00813A97,?,?,00812E7F,?,?,?,00000000), ref: 00813AC2

Part of subcall function 0087E199: GetFileAttributesW.KERNEL32(?,0087CF95), ref: 0087E19A

FindFirstFileW.KERNEL32(?,?), ref: 0087D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0087D1DD
MoveFileW.KERNEL32(?,?), ref: 0087D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0087D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0087D237

Part of subcall function 0087D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0087D21C,?,?), ref: 0087D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0087D253
FindClose.KERNEL32(00000000), ref: 0087D264

Strings

\*.*, xrefs: 0087D0CD, 0087D0D6, 0087D0EB

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: fd514b4674f4aac4d4b316e8301e7aa8b3d05f16c33a1b13279e32909bf078a7
Instruction ID: f9880ab141660cc5a7733c83ab855e5758e04019233b317e66a701f521562e6b
Opcode Fuzzy Hash: fd514b4674f4aac4d4b316e8301e7aa8b3d05f16c33a1b13279e32909bf078a7
Instruction Fuzzy Hash: D7617E3180120D9ACF05EBE4D9529EDB7B9FF15300F248165E44AF7196EB31AF4ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0088ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0088ED91
EmptyClipboard.USER32 ref: 0088ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0088EDAC
CloseClipboard.USER32 ref: 0088EEA3

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 6afddd7c7075babbe31b5cbc6f32a2cdfa88d4217213d86a0fa81f974bba9bef
Instruction ID: c4769590371508fabd6540fcd51cdcc31d9222d27240fd0e199f47267cdcc307
Opcode Fuzzy Hash: 6afddd7c7075babbe31b5cbc6f32a2cdfa88d4217213d86a0fa81f974bba9bef
Instruction Fuzzy Hash: 16418D35208611AFE720EF19D888B59BBE5FF55318F14C09DE419CBAA2CB75EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0087E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0087170D
Part of subcall function 008716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0087173A
Part of subcall function 008716C3: GetLastError.KERNEL32 ref: 0087174A

ExitWindowsEx.USER32(?,00000000), ref: 0087E932

Strings

, xrefs: 0087E95C
@, xrefs: 0087E925
SeShutdownPrivilege, xrefs: 0087E902
, xrefs: 0087E920

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 7b513760314a0fb0039a20554f8adc4fc582eb44f8b45c22ccbff6819fe44eb1
Instruction ID: ed33613e9fe8b1d7641eaaf207c1f2b2daa2998334ea485910f841f1d088ddc5
Opcode Fuzzy Hash: 7b513760314a0fb0039a20554f8adc4fc582eb44f8b45c22ccbff6819fe44eb1
Instruction Fuzzy Hash: 92014933610214AFFB6466B89C8AFBF769CF719744F148462FE1BE31D5D6A0DC408290

Uniqueness

Uniqueness Score: -1.00%

Function 00891204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00891276
WSAGetLastError.WSOCK32 ref: 00891283
bind.WSOCK32(00000000,?,00000010), ref: 008912BA
WSAGetLastError.WSOCK32 ref: 008912C5
closesocket.WSOCK32(00000000), ref: 008912F4
listen.WSOCK32(00000000,00000005), ref: 00891303
WSAGetLastError.WSOCK32 ref: 0089130D
closesocket.WSOCK32(00000000), ref: 0089133C

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 70e39943a1120b97cb07078d6d3d50993a70432b3c8a748ac07b8d39e546fbdf
Instruction ID: 7c4c5c9326b48492d8c47b1bbcdd4b147839af500790e0f5eda8c3aac92c5c08
Opcode Fuzzy Hash: 70e39943a1120b97cb07078d6d3d50993a70432b3c8a748ac07b8d39e546fbdf
Instruction Fuzzy Hash: 62416E316041019FEB10EF68C488B69BBE6FF46318F188198E856DF296C775ED81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0084B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0084B9D4
_free.LIBCMT ref: 0084B9F8
_free.LIBCMT ref: 0084BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,008B3700), ref: 0084BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,008E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0084BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,008E1270,000000FF,?,0000003F,00000000,?), ref: 0084BC36
_free.LIBCMT ref: 0084BD4B

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 40a38ee8f6d7a55357793d99281e7e6599b9e852517b6fe9c076b5698861247b
Instruction ID: e012613f99d11bcb8e35dfcd96409cc75711302868efc520d45d63d06523ed38
Opcode Fuzzy Hash: 40a38ee8f6d7a55357793d99281e7e6599b9e852517b6fe9c076b5698861247b
Instruction Fuzzy Hash: 55C12571A0425DAFDB20DF698C81BAEBBB9FF41360F1441AAE590DB251EB30CE41C791

Uniqueness

Uniqueness Score: -1.00%

Function 0087D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00813AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00813A97,?,?,00812E7F,?,?,?,00000000), ref: 00813AC2

Part of subcall function 0087E199: GetFileAttributesW.KERNEL32(?,0087CF95), ref: 0087E19A

FindFirstFileW.KERNEL32(?,?), ref: 0087D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0087D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0087D481
FindClose.KERNEL32(00000000), ref: 0087D498
FindClose.KERNEL32(00000000), ref: 0087D4A1

Strings

\*.*, xrefs: 0087D3F2

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: f3aba032a001121fec3a2bcfc450615a6cd835cd209c716461bb8fb3b1987fa1
Instruction ID: 5fbcaa0f860aee7ad12e3d7cec2409ef96ea4cc83973e0b340ad352761a3718e
Opcode Fuzzy Hash: f3aba032a001121fec3a2bcfc450615a6cd835cd209c716461bb8fb3b1987fa1
Instruction Fuzzy Hash: 13316F710083459BC204EF68D8559EFB7ACFE92314F448A2DF4E5D2191EB20EA49D767

Uniqueness

Uniqueness Score: -1.00%

Function 0084E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0084E645

Strings

1#SNAN, xrefs: 0084F844
1#QNAN, xrefs: 0084F84B
1#INF, xrefs: 0084F852
1#IND, xrefs: 0084F83D

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ef0ef7d62c2f6b6ab658af321834053647aad31f405d5ae8be2bcd182bb32946
Instruction ID: 90275f9f6f5757bdbecf5443cf373a04b143d6c6901470a5804ff7d31f321b81
Opcode Fuzzy Hash: ef0ef7d62c2f6b6ab658af321834053647aad31f405d5ae8be2bcd182bb32946
Instruction Fuzzy Hash: CDC22872E0462C8FDB25CE289D407EAB7B5FB88305F1541EAD94DE7241E778AE818F41

Uniqueness

Uniqueness Score: -1.00%

Function 0088648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008864DC
CoInitialize.OLE32(00000000), ref: 00886639
CoCreateInstance.OLE32(008AFCF8,00000000,00000001,008AFB68,?), ref: 00886650
CoUninitialize.OLE32 ref: 008868D4

Strings

.lnk, xrefs: 008864BA, 00886524, 008865E0

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 0996ca7053b17458bc0514cf94edb80bd99039ae1450c8b4188c986315c2d89b
Instruction ID: 3622fa213303c409e7b35e917ac7eb2557190a82d691d3d4a28ee2f28f676cb7
Opcode Fuzzy Hash: 0996ca7053b17458bc0514cf94edb80bd99039ae1450c8b4188c986315c2d89b
Instruction Fuzzy Hash: 3AD139715083019FD304EF28C891AABB7E9FF99704F10496DF595CB291EB70E946CB92

Uniqueness

Uniqueness Score: -1.00%

Function 008922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 008922E8

Part of subcall function 0088E4EC: GetWindowRect.USER32(?,?), ref: 0088E504

GetDesktopWindow.USER32 ref: 00892312
GetWindowRect.USER32(00000000), ref: 00892319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00892355
GetCursorPos.USER32(?), ref: 00892381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008923DF

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 3dc77ebf6d51a9f89fdea5b2214a86963387fe7439ee58600a8ec578b88dce82
Instruction ID: 915fcaadd45099f62c482e08fac491cd9e0f5a7f26ce41c3a69a42d30a1d1078
Opcode Fuzzy Hash: 3dc77ebf6d51a9f89fdea5b2214a86963387fe7439ee58600a8ec578b88dce82
Instruction Fuzzy Hash: 6331E072504315AFDB20EF58C849B5BBBA9FF89314F04091DF989D7291DB34EA08CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00889B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00889B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00889C8B

Part of subcall function 00883874: GetInputState.USER32 ref: 008838CB
Part of subcall function 00883874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00883966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00889BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00889C75

Strings

*.*, xrefs: 00889B5D

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 27cf78bc38f546f64c611b8fe2113f537d14cad389adb091e0e419d7d5a89252
Instruction ID: 269e4de35f460f0a87444b13994afe44448478b9613ac4ae010d66618f43f646
Opcode Fuzzy Hash: 27cf78bc38f546f64c611b8fe2113f537d14cad389adb091e0e419d7d5a89252
Instruction Fuzzy Hash: A341827190020AAFDF15EFA8C845AEE7BB9FF45310F144156E855E2291EB31AE84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0082997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00829A4E
GetSysColor.USER32(0000000F), ref: 00829B23
SetBkColor.GDI32(?,00000000), ref: 00829B36

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 71918c04e86930b879b2dd05fbe4d7a575905b780092bff031dec608c10d27aa
Instruction ID: a81398d775928f81ac40f502fd09bb19fbe4c064f8d9963ffe30b5e33fe9d730
Opcode Fuzzy Hash: 71918c04e86930b879b2dd05fbe4d7a575905b780092bff031dec608c10d27aa
Instruction Fuzzy Hash: 05A12D70108578AEE724AA3CAC9CE7B3A9DFF43318F164119F583D69D1CA259D81D3B2

Uniqueness

Uniqueness Score: -1.00%

Function 00891806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0089304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0089307A
Part of subcall function 0089304E: _wcslen.LIBCMT ref: 0089309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0089185D
WSAGetLastError.WSOCK32 ref: 00891884
bind.WSOCK32(00000000,?,00000010), ref: 008918DB
WSAGetLastError.WSOCK32 ref: 008918E6
closesocket.WSOCK32(00000000), ref: 00891915

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 40d40812e043913b0a58d31b627adee32580e5832a1f7f853bdfa2ee28034b90
Instruction ID: 5877d5369995596257fc4caa8b3cffc95542356e7760dae39aba2230e68c09aa
Opcode Fuzzy Hash: 40d40812e043913b0a58d31b627adee32580e5832a1f7f853bdfa2ee28034b90
Instruction Fuzzy Hash: 70519671A002105FEB10AF28D88AF6A77E5FF45718F088058F955AF3D3DB71AD818B92

Uniqueness

Uniqueness Score: -1.00%

Function 008A1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 008A1CC0
IsWindowEnabled.USER32 ref: 008A1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 008A1CDB
IsIconic.USER32 ref: 008A1CE9
IsZoomed.USER32 ref: 008A1CF7

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: e0ddde5982e175b01c31130dc27ed41b7884818cbe680aa16bd236ab9b8ab957
Instruction ID: 4eb90dddcd8b453d1d5717e66cdff3021b6b0b672833f54202957d932f8a96cc
Opcode Fuzzy Hash: e0ddde5982e175b01c31130dc27ed41b7884818cbe680aa16bd236ab9b8ab957
Instruction Fuzzy Hash: C02191317406119FFB208F2AC848B6A7BE5FF96324F198058E846CBA51DB71EC42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00818060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 008183FA
ERCP, xrefs: 0081813C
VUUU, xrefs: 008183E8
VUUU, xrefs: 00855DF0
VUUU, xrefs: 0081843C

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 1a235cdec599ea831806ade56c68dcfc8ad3bb9819cefae649d12799d7f074b4
Instruction ID: f6ed3510bce12d766c6cdd333771aeedf7427cf30019443d3fedab949d82875c
Opcode Fuzzy Hash: 1a235cdec599ea831806ade56c68dcfc8ad3bb9819cefae649d12799d7f074b4
Instruction Fuzzy Hash: 6DA25770A0061ACBDF248F58C8957EEB7B6FF54315F6481AAEC15E7280EB309DD58B90

Uniqueness

Uniqueness Score: -1.00%

Function 0089A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0089A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0089A6BA

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Process32NextW.KERNEL32(00000000,?), ref: 0089A79C
CloseHandle.KERNEL32(00000000), ref: 0089A7AB

Part of subcall function 0082CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00853303,?), ref: 0082CE8A

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 2c7d3308ff909bb0c43b48cc1f7a2c1728c56a4ce044343ccbd00f6fc547900e
Instruction ID: 0f08d981f3fe2be853bd64791ea702b4db2d24db2ba27e6c9137a4145dd5b283
Opcode Fuzzy Hash: 2c7d3308ff909bb0c43b48cc1f7a2c1728c56a4ce044343ccbd00f6fc547900e
Instruction Fuzzy Hash: 0B515B71508310AFD714EF28D886AABBBE8FF89754F00492DF595D7252EB30D944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0087AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0087AAAC
SetKeyboardState.USER32(00000080), ref: 0087AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0087AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0087AB88

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 280e5ea90575dffde57b4b8e4e6c4a69fe3620f89f59212378426c982db2c3b6
Instruction ID: e4d89d304964572152231b3674b480ef13043c721d7f85924c2283f983d4e755
Opcode Fuzzy Hash: 280e5ea90575dffde57b4b8e4e6c4a69fe3620f89f59212378426c982db2c3b6
Instruction Fuzzy Hash: FD31F730A40208AEFB29CA64C845BFE77A6FBC5320F04C21AF199D61D9D375D985C752

Uniqueness

Uniqueness Score: -1.00%

Function 0088CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0088CE89
GetLastError.KERNEL32(?,00000000), ref: 0088CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0088CEFE

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: e557f2235430c3907184245a3e6c5ed0cd4f2913eea6809591099a3178e7606c
Instruction ID: b422cac32ce97d7bfca0a75494c64fafe71adddba90f3cd6573f66735f01e109
Opcode Fuzzy Hash: e557f2235430c3907184245a3e6c5ed0cd4f2913eea6809591099a3178e7606c
Instruction Fuzzy Hash: 2B219DB1500305ABEB30EF65D949BA6B7F8FB50358F10441EE646D2151EBB4EE048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00878298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008782AA

Strings

(, xrefs: 008782F0
|, xrefs: 008782DA

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 254f10312cbea614e3bbd8c24a1929a076576ae71771c63be96ae7bf7b040572
Instruction ID: 3e4315dace8ae9acd4099724091ef9217bdbc8a5c60c4521efc749b1b1417eac
Opcode Fuzzy Hash: 254f10312cbea614e3bbd8c24a1929a076576ae71771c63be96ae7bf7b040572
Instruction Fuzzy Hash: C3324474A00605DFCB28CF69C084A6AB7F0FF48710B15C56EE59ADB7A5EB70E981CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00885C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00885CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00885D17
FindClose.KERNEL32(?), ref: 00885D5F

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 069d966acf489c9466264e4593c8c5a18d9a5fd3cc49b8216fa21329287ed0a6
Instruction ID: bfa16de0fd5c0a47a935b305604b2fef47f2168c5a6dc33c218eb7ab6be4f3b9
Opcode Fuzzy Hash: 069d966acf489c9466264e4593c8c5a18d9a5fd3cc49b8216fa21329287ed0a6
Instruction Fuzzy Hash: 0C519A346046019FC714DF28C494A96B7E4FF49324F14856EE96ACB3A2DB30ED45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00842622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0084271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00842724
UnhandledExceptionFilter.KERNEL32(?), ref: 00842731

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 103fa85694bd72516340e633bdd5b210db18f47ea86ac3f5f0dc8958976afcae
Instruction ID: a0ae00a625feae205408cdc14a079cac187cab6c32ae06a0e1ce871dd22fdaa0
Opcode Fuzzy Hash: 103fa85694bd72516340e633bdd5b210db18f47ea86ac3f5f0dc8958976afcae
Instruction Fuzzy Hash: 0E31B47491122C9BCB21DF68DD897D9BBB8FF48310F5041EAE41CA6261E7709F818F85

Uniqueness

Uniqueness Score: -1.00%

Function 008851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00885238
SetErrorMode.KERNEL32(00000000), ref: 008852A1

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 2fe51de855f3dbccc717290ded37f22176f4346a376850aa26a566f18cf970d8
Instruction ID: 7585707be00c5a8b2584deec7bc277720e4d3f5f659d68fb85b20328f20c49a1
Opcode Fuzzy Hash: 2fe51de855f3dbccc717290ded37f22176f4346a376850aa26a566f18cf970d8
Instruction Fuzzy Hash: 02312C75A00518DFDB00EF54D884EADBBB5FF49314F048099E805EB362DB31E856CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0082FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00830668
Part of subcall function 0082FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00830685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0087170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0087173A
GetLastError.KERNEL32 ref: 0087174A

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 571c02eff0b4ee3319e88fa2bb56aca4bf823a323f8f7b7bb4b3c1799c59ea2a
Instruction ID: e4078a1d435ab052e038c9126f45bf5b16a499d4bed637ab125a941e1186aa11
Opcode Fuzzy Hash: 571c02eff0b4ee3319e88fa2bb56aca4bf823a323f8f7b7bb4b3c1799c59ea2a
Instruction Fuzzy Hash: E41194B2414304AFE7189F58EC86D6AB7FDFB44754B20C52EE45697645EB70FC81CA20

Uniqueness

Uniqueness Score: -1.00%

Function 0087D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0087D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0087D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0087D650

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 9ad26a22901c90ecb58950b11e34daeca8fa1ba67a7f94928a92ab273f135e8d
Instruction ID: a0da2529d917954f9e4f02ee1a0bd0d96d93c8aa645376bdb232864b3f8e7822
Opcode Fuzzy Hash: 9ad26a22901c90ecb58950b11e34daeca8fa1ba67a7f94928a92ab273f135e8d
Instruction Fuzzy Hash: 9A113C75E05228BBEB108F959C45FAFBBBCFB46B50F108115F908E7294D6704A058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00871663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0087168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008716A1
FreeSid.ADVAPI32(?), ref: 008716B1

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b2854324620d84566f6a67ff1ab0393319830a64b2d3ce7f5be490a297d300a7
Instruction ID: 14f975cc50021222f181a54d3cae474063be1a0995d89ef05a3f1a12e43fa8df
Opcode Fuzzy Hash: b2854324620d84566f6a67ff1ab0393319830a64b2d3ce7f5be490a297d300a7
Instruction Fuzzy Hash: E3F0F47195030DFBEF00DFE49C89AAEBBBCFB08604F508565E501E2181E774AA448A50

Uniqueness

Uniqueness Score: -1.00%

Function 00834CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008428E9,?,00834CBE,008428E9,008D88B8,0000000C,00834E15,008428E9,00000002,00000000,?,008428E9), ref: 00834D09
TerminateProcess.KERNEL32(00000000,?,00834CBE,008428E9,008D88B8,0000000C,00834E15,008428E9,00000002,00000000,?,008428E9), ref: 00834D10
ExitProcess.KERNEL32 ref: 00834D22

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8ef01821f8f036cae25588a51b705d70280ff6fac22d2747f3c7e099c1b7a0f5
Instruction ID: 7af196af8871434e553504a1213941ad50d3e31595d4d9ee324f94e6eafbbe51
Opcode Fuzzy Hash: 8ef01821f8f036cae25588a51b705d70280ff6fac22d2747f3c7e099c1b7a0f5
Instruction Fuzzy Hash: AEE0B631000548ABDF51AF54DD09A593B69FB82781F104414FC05DA632DB39ED42DA80

Uniqueness

Uniqueness Score: -1.00%

Function 0084C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0084C36C

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 0004a7fd71e7457474b4a656aae6d14e9e391c29b3db51e9e2794112c0923266
Instruction ID: 08cb46e46966d8ae9608b4682f3ff13189d3990d58538a36b181e94c5411aa49
Opcode Fuzzy Hash: 0004a7fd71e7457474b4a656aae6d14e9e391c29b3db51e9e2794112c0923266
Instruction Fuzzy Hash: CD41267690121DABCB209FB9CC89EBB77BCFB84314F504269F905D7280E6709D81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0086D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0086D28C

Strings

X64, xrefs: 0086D2A8

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: e0b270b6208a189c136f63fb34611c9d2dcd6390d35d155ccea51b54b2b2a23b
Instruction ID: 6e2c9c45aca7a1fd45289ba0722db5f21f1a33143aa9525a0e74249bd8353c5d
Opcode Fuzzy Hash: e0b270b6208a189c136f63fb34611c9d2dcd6390d35d155ccea51b54b2b2a23b
Instruction Fuzzy Hash: EBD0C9B580166DEACB90CB90EC88DD9B77CFB14309F100151F106E2100DB3095488F10

Uniqueness

Uniqueness Score: -1.00%

Function 0083CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: c7ae74d5d22689fed4a7c95cebbc19c7bd414f0fb8af528d0a07f731c6078236
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 3E020D72E012199BDF14CFA9D8806ADFBF1FF88314F258169E919F7384D731AA418B94

Uniqueness

Uniqueness Score: -1.00%

Function 008868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00886918
FindClose.KERNEL32(00000000), ref: 00886961

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d367d2b83307971664c84a3a53e29c01c8e3d1d7063b31b51c89d007407b45ca
Instruction ID: fd57118e21a5d73800ea0b5f37bd52bfdaf92c5d90442436a58cd6d74e35f3a2
Opcode Fuzzy Hash: d367d2b83307971664c84a3a53e29c01c8e3d1d7063b31b51c89d007407b45ca
Instruction Fuzzy Hash: E2119D316042009FD710DF29D888A16BBE5FF89328F14C6A9E469CF7A2DB34EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00894891,?,?,00000035,?), ref: 008837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00894891,?,?,00000035,?), ref: 008837F4

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 1e4ae83ecc798407095051d9e96dacc85f234675a326f2d8f3f65fdb0174206a
Instruction ID: a66c83bad438ab707e690397428537efb982b10e193aeac3b4626188b74d48df
Opcode Fuzzy Hash: 1e4ae83ecc798407095051d9e96dacc85f234675a326f2d8f3f65fdb0174206a
Instruction Fuzzy Hash: FDF0E5B06042282AEB20276A8C4DFEB3AAEFFC5B61F000175F509D2281D9609944C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0087B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0087B25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 0087B270

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 524051892c3e4d217c366adbda91792be568011263a177677af199572bb8bb55
Instruction ID: 56517607f4ed18f5ec4bb18be493a894ea84a9584e88959372fc318eca270a43
Opcode Fuzzy Hash: 524051892c3e4d217c366adbda91792be568011263a177677af199572bb8bb55
Instruction Fuzzy Hash: 25F01D7181424DABEB059FA4C805BBE7BB5FF05309F048009F955E6192C379C6119F94

Uniqueness

Uniqueness Score: -1.00%

Function 008710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008711FC), ref: 008710D4
CloseHandle.KERNEL32(?,?,008711FC), ref: 008710E9

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: ba024cf3b59636e1b60abc89ab23d9b838f89029e1a769683311aa55b6873d28
Instruction ID: 159ef090f17797ad386ea1fd1ec5875bef9ec8d238261c917be51bd0882b5e4d
Opcode Fuzzy Hash: ba024cf3b59636e1b60abc89ab23d9b838f89029e1a769683311aa55b6873d28
Instruction Fuzzy Hash: 9BE04F32004610AEFB252B15FC09E7377A9FF04310B10882DF5A6C08B1DB62ACD0DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0081CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00860C40

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: f09c6cecbfed5b4f710a58b9b378a71d20a592384142ac53e20dec2e2af59451
Instruction ID: b774454dddc28c2762a82b47238c4f3cf5f0ae51ef3b2919cd4d3d47a5c8a9b0
Opcode Fuzzy Hash: f09c6cecbfed5b4f710a58b9b378a71d20a592384142ac53e20dec2e2af59451
Instruction Fuzzy Hash: BC328D70940218DBCF14DF94D881AEEB7B9FF05308F148159E806EB292DB75AE86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0084676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00846766,?,?,00000008,?,?,0084FEFE,00000000), ref: 00846998

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: cea1b9150f361c659902684389e7058cd1410a48798386b4049c0cef99ba48e3
Instruction ID: a642d05dabaa7eb16fe400253d06f9fa970551e5c75dc5a04351955ebeed5247
Opcode Fuzzy Hash: cea1b9150f361c659902684389e7058cd1410a48798386b4049c0cef99ba48e3
Instruction Fuzzy Hash: 8AB13B3161060D9FD715CF28C486B657FE0FF46368F298658E899CF2A2D335E9A1CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0082B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0086851F

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b212818d0b91b5ed7220222ddd69c2db6764735fc6f747ef757894932280415e
Instruction ID: 216920d801b8118a1d463272249d7e407a4e92af7020281f7621547972a460bb
Opcode Fuzzy Hash: b212818d0b91b5ed7220222ddd69c2db6764735fc6f747ef757894932280415e
Instruction Fuzzy Hash: CC125D71900229DBDB24DF58D880AEEB7F5FF48710F15819AE849EB355DB309E81CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0088EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0088EABD

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: ce588ee29a22f8555bbf39b71dd1544767d069b9a1f00d930e07580c95f61921
Instruction ID: 4c512078564a12f03963e9a6c230394c3ca346c48f19accb7df23dd2d3d3de31
Opcode Fuzzy Hash: ce588ee29a22f8555bbf39b71dd1544767d069b9a1f00d930e07580c95f61921
Instruction Fuzzy Hash: F8E01A312002149FD710EF59D804E9AB7EDFFA8760F00841AFC49C7251DAB0E8818B91

Uniqueness

Uniqueness Score: -1.00%

Function 008309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008303EE), ref: 008309DA

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bc919a8e2cf1ceac08001761b7f7edd08c4a54187c05fa91ea0ebd217892c5ff
Instruction ID: 20df7bdd77c022cd690da5cce05f22b331c7ac8e80e7d5dd8941b7f5ca93258c
Opcode Fuzzy Hash: bc919a8e2cf1ceac08001761b7f7edd08c4a54187c05fa91ea0ebd217892c5ff
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0083781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0083798B

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 1b49fa875631ea889c9f200ae6ab626512ab636b6a6e1c4dc23dc3387ca48c4d
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 4D516AE160C749ABDB38552C845E7BE67C5FBD2304F180A39ED82D7682C619DE01D3DA

Uniqueness

Uniqueness Score: -1.00%

Function 00846DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e1d9d38be0a9137e8619b6063ed8a4132fdc80d7ecd34337e1c466149c9185
Instruction ID: fb81b05b4a5898cfc4bd33b73685602ab858eaa4dee5a6eccf17f0bd3b4e6417
Opcode Fuzzy Hash: f8e1d9d38be0a9137e8619b6063ed8a4132fdc80d7ecd34337e1c466149c9185
Instruction Fuzzy Hash: 6B320222D29F454DDB239635C822336A749FFB73C5F15D737E81AB5AA6EB29C4834100

Uniqueness

Uniqueness Score: -1.00%

Function 0082CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b262e182013ceb25a29c1af994b5f9018ca2059bb18a7ebe52985b5d463533fa
Instruction ID: e906d5ca14522cfc8a7d248986f17f46b357e028a35781b065360528bcd43354
Opcode Fuzzy Hash: b262e182013ceb25a29c1af994b5f9018ca2059bb18a7ebe52985b5d463533fa
Instruction Fuzzy Hash: 10323572A001698BCF28CF69D89467D7BA1FB45314F2A816BD8CACB391D734DE81DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00817920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a4727e7d5e0bac7e128cb5c19dad79d5b5415bdf1d57893fc09834bc0c88f0d
Instruction ID: 5a218a5b98cbf5a3f3e2b22221fd1c0603517c14f7f049625c065a6a9635e500
Opcode Fuzzy Hash: 1a4727e7d5e0bac7e128cb5c19dad79d5b5415bdf1d57893fc09834bc0c88f0d
Instruction Fuzzy Hash: 5222BFB0A04609DFDF14CF68D891AEEB7F9FF44314F204229E816E7291EB369994CB51

Uniqueness

Uniqueness Score: -1.00%

Function 008191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff875f13fc79133e5fa6efe8ffd3413968a9d949c625373f2b0fec02b7820eab
Instruction ID: f2290b465aeb1debf81ef7d1a53a3e6021522a065d55491f560358989eb0f6d7
Opcode Fuzzy Hash: ff875f13fc79133e5fa6efe8ffd3413968a9d949c625373f2b0fec02b7820eab
Instruction Fuzzy Hash: 9802D6B0E00119EBDB09DF68D981AAEB7B5FF44304F118169E856DB391EB31EE54CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00831C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 7233a08605e71bea38fa3afce6ea0a94e46470858d457775c56973dc14477149
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 5F9178722090A349DF69463A857C03DFFE1FAD2BA1B1A079DD8F2CA1C1EE14C554D660

Uniqueness

Uniqueness Score: -1.00%

Function 008319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 5bd3cfd7bc3e020fdd26fb9e58f3014ff24f0365b232043a65fa3e5129125459
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 7D9153722090A34ADF69427A857C03DFFE1EAD2BB6B1A079DD4F2CA1C1FE1485649660

Uniqueness

Uniqueness Score: -1.00%

Function 00837A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf8993e98e8b2801585ff3f3187af8f14567d2554357156b8ec6b6aaecf81f46
Instruction ID: 4fbabdcf2a005b60049a13f9edfb7f1fe59e270673dbdfca2964a3941707b248
Opcode Fuzzy Hash: cf8993e98e8b2801585ff3f3187af8f14567d2554357156b8ec6b6aaecf81f46
Instruction Fuzzy Hash: B16179F1208719A6DE349A2C8CA5BBEA3A4FFC1764F140D1AF943DB281D651DE42C3D6

Uniqueness

Uniqueness Score: -1.00%

Function 00837CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9559d90bb9049eccd817f4316904b2ed2e513dd0ade78bf26166ee9bc437f90
Instruction ID: d3cf7b5636e3d43d6c2b852d1beb03d554085a51f0154096a168c26123895f35
Opcode Fuzzy Hash: f9559d90bb9049eccd817f4316904b2ed2e513dd0ade78bf26166ee9bc437f90
Instruction Fuzzy Hash: A6616AF160C709A6DE389A2C9895BBF2398FFC1B04F100959F943DB285EA52DD4287D6

Uniqueness

Uniqueness Score: -1.00%

Function 00831706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 3d51ebd215d6352ae5dd3ae154b35713014a6449aa6e73c61c95f9234e349808
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: BF8184326090A309DF6D423A857C03EFFE1FAD2BA1B1A07ADD4F2CA1C5EE148554D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 03ED3640 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1223683931.0000000003ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ed0000_FAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: cc6213f32ba4b6984c61a8f272bdf2cc83a67176f94783659b342d30378f6271
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 9C41A271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00882046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c8e22dd85afc12a18eb60b4e5f0048fc0c44146c458c4b43d3fbc42cbf757af
Instruction ID: a67522e40ed37fcac2a56266aa90503e2a321e6c27a394e4c52d64206fd4cf85
Opcode Fuzzy Hash: 2c8e22dd85afc12a18eb60b4e5f0048fc0c44146c458c4b43d3fbc42cbf757af
Instruction Fuzzy Hash: B021A8326206518BDB28CE79C85267A73E9F7A4310F15862EE4A7C77D0DE75A904CB80

Uniqueness

Uniqueness Score: -1.00%

Function 03ED34D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1223683931.0000000003ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ed0000_FAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: c4f6e27678953c6bc14955ffa8bf6268d092913a25a824893a08030db25e20ae
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: B6019278A01209EFCB44DF98C6909AEF7B5FB48310F2496D9D819A7741D730EE42DB81

Uniqueness

Uniqueness Score: -1.00%

Function 03ED3530 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1223683931.0000000003ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ed0000_FAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: d7e1884e01dcef78622792cf058c31226cdf91c5964587ad42a49eb17f22645d
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: DE019278A00209EFCB45DF98C5909AEF7B5FB48310F248699D819A7741D731AE42DB81

Uniqueness

Uniqueness Score: -1.00%

Function 03ED1ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1223683931.0000000003ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ed0000_FAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Uniqueness

Uniqueness Score: -1.00%

Function 00892ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00892B30
DeleteObject.GDI32(00000000), ref: 00892B43
DestroyWindow.USER32 ref: 00892B52
GetDesktopWindow.USER32 ref: 00892B6D
GetWindowRect.USER32(00000000), ref: 00892B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00892CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00892CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892CF8
GetClientRect.USER32(00000000,?), ref: 00892D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00892D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892DA8
GlobalFree.KERNEL32(00000000), ref: 00892DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,008AFC38,00000000), ref: 00892DDB
GlobalFree.KERNEL32(00000000), ref: 00892DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00892E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00892E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0089303F

Strings

, xrefs: 00892FC5
AutoIt v3, xrefs: 00892CF2
DISPLAY, xrefs: 00892EA2
static, xrefs: 00892D3A, 00892E91

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: fb38228d3c29fa54fdc59c342f3c8957a2f56fe094ee84cab5c3e5862b1c95e9
Instruction ID: 97de340f9f6b83ed04b2b2090e0cfc9363d2345b27cc8e2e4d2abfcd90d07a1e
Opcode Fuzzy Hash: fb38228d3c29fa54fdc59c342f3c8957a2f56fe094ee84cab5c3e5862b1c95e9
Instruction Fuzzy Hash: 04025B71A00209AFDB14DF68CC89EAE7BB9FF49714F048158F915EB2A1DB74AD41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 008A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 008A712F
GetSysColorBrush.USER32(0000000F), ref: 008A7160
GetSysColor.USER32(0000000F), ref: 008A716C
SetBkColor.GDI32(?,000000FF), ref: 008A7186
SelectObject.GDI32(?,?), ref: 008A7195
InflateRect.USER32(?,000000FF,000000FF), ref: 008A71C0
GetSysColor.USER32(00000010), ref: 008A71C8
CreateSolidBrush.GDI32(00000000), ref: 008A71CF
FrameRect.USER32(?,?,00000000), ref: 008A71DE
DeleteObject.GDI32(00000000), ref: 008A71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 008A7230
FillRect.USER32(?,?,?), ref: 008A7262
GetWindowLongW.USER32(?,000000F0), ref: 008A7284

Part of subcall function 008A73E8: GetSysColor.USER32(00000012), ref: 008A7421
Part of subcall function 008A73E8: SetTextColor.GDI32(?,?), ref: 008A7425
Part of subcall function 008A73E8: GetSysColorBrush.USER32(0000000F), ref: 008A743B
Part of subcall function 008A73E8: GetSysColor.USER32(0000000F), ref: 008A7446
Part of subcall function 008A73E8: GetSysColor.USER32(00000011), ref: 008A7463
Part of subcall function 008A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 008A7471
Part of subcall function 008A73E8: SelectObject.GDI32(?,00000000), ref: 008A7482
Part of subcall function 008A73E8: SetBkColor.GDI32(?,00000000), ref: 008A748B
Part of subcall function 008A73E8: SelectObject.GDI32(?,?), ref: 008A7498
Part of subcall function 008A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 008A74B7
Part of subcall function 008A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008A74CE
Part of subcall function 008A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 008A74DB

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: b2cdc9ba459a903853dd9889b6d32d4bc5ad2eab49fe3ff32109645377c8390b
Instruction ID: b3bb462dd0ce0a7ae6662ff588936cfd1ad9fdde6cffd59e1b205db197554190
Opcode Fuzzy Hash: b2cdc9ba459a903853dd9889b6d32d4bc5ad2eab49fe3ff32109645377c8390b
Instruction Fuzzy Hash: E5A1B172508301AFEB009F64DC48E6B7BE9FF4A320F100A19FA62D65E1D771E944DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00828D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00828E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00866AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00866AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00866F43

Part of subcall function 00828F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00828BE8,?,00000000,?,?,?,?,00828BBA,00000000,?), ref: 00828FC5

SendMessageW.USER32(?,00001053), ref: 00866F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00866F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00866FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00866FB7

Strings

0, xrefs: 00866DCF

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 0dd8709217487b3a66ea32c62c09df53a7ab02f650b81c5a8a3a299a4e8895ff
Instruction ID: b70db125fb125cf0974ab0f53f6bc23a8959cc2a06a46a60c42d7903aff38419
Opcode Fuzzy Hash: 0dd8709217487b3a66ea32c62c09df53a7ab02f650b81c5a8a3a299a4e8895ff
Instruction Fuzzy Hash: 9112CD34201291DFDB25DF28D888BA9BBE1FB45310F564069F485CB662DB32ECA1CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00892711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0089273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0089286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00892900
GetClientRect.USER32(00000000,?), ref: 0089290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00892955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00892964
GetStockObject.GDI32(00000011), ref: 00892974
SelectObject.GDI32(00000000,00000000), ref: 00892978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00892988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00892991
DeleteDC.GDI32(00000000), ref: 0089299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 008929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00892A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00892A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00892A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00892A77
GetStockObject.GDI32(00000011), ref: 00892A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00892A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00892A97

Strings

msctls_progress32, xrefs: 00892A13
AutoIt v3, xrefs: 008928F8
static, xrefs: 0089294F, 00892A71
DISPLAY, xrefs: 0089295A

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: a7aaa96719b2a324a7588a1fd887a4c2d5ca43b47152070c99545d26249f346d
Instruction ID: b82ab0379efe228cf936f22c1adff8984c37dd5cce674eb522ec3d48bd23b061
Opcode Fuzzy Hash: a7aaa96719b2a324a7588a1fd887a4c2d5ca43b47152070c99545d26249f346d
Instruction Fuzzy Hash: F1B13B71A00219BFEB14DFA8DC89EAE7BA9FB09714F044115F915EB690D774AD40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00884ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00884AED
GetDriveTypeW.KERNEL32(?,008ACB68,?,\\.\,008ACC08), ref: 00884BCA
SetErrorMode.KERNEL32(00000000,008ACB68,?,\\.\,008ACC08), ref: 00884D36

Strings

RAID, xrefs: 00884CBB
FileBackedVirtual, xrefs: 00884CEC
SSD, xrefs: 00884C4A
RAMDisk, xrefs: 00884BF4
1394, xrefs: 00884C9F
Removable, xrefs: 00884C10, 00884C15
Virtual, xrefs: 00884CE5
\\.\, xrefs: 00884B3F
SAS, xrefs: 00884CC9
iSCSI, xrefs: 00884CC2
Unknown, xrefs: 00884BED, 00884C83
MMC, xrefs: 00884CDE
SCSI, xrefs: 00884C8A
Fixed, xrefs: 00884C09
Fibre, xrefs: 00884CAD
CDROM, xrefs: 00884BFB
SSA, xrefs: 00884CA6
USB, xrefs: 00884CB4
Network, xrefs: 00884C02
SATA, xrefs: 00884CD0
ATAPI, xrefs: 00884C91
ATA, xrefs: 00884C98
PhysicalDrive, xrefs: 00884B76

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 4eba367b0bfe7ec1364a72479e4abfcb7f0aaee5c5d953821929e435b7f594e4
Instruction ID: 3b938c1218e075d32656273d48aea033e0317bb83a3a611492774d76d5b181e8
Opcode Fuzzy Hash: 4eba367b0bfe7ec1364a72479e4abfcb7f0aaee5c5d953821929e435b7f594e4
Instruction Fuzzy Hash: 7761B23260120F9BCB04EF58D9819A8B7BAFF04304B249116F816EB751EB7AED51DB42

Uniqueness

Uniqueness Score: -1.00%

Function 008A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 008A7421
SetTextColor.GDI32(?,?), ref: 008A7425
GetSysColorBrush.USER32(0000000F), ref: 008A743B
GetSysColor.USER32(0000000F), ref: 008A7446
CreateSolidBrush.GDI32(?), ref: 008A744B
GetSysColor.USER32(00000011), ref: 008A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 008A7471
SelectObject.GDI32(?,00000000), ref: 008A7482
SetBkColor.GDI32(?,00000000), ref: 008A748B
SelectObject.GDI32(?,?), ref: 008A7498
InflateRect.USER32(?,000000FF,000000FF), ref: 008A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 008A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008A752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 008A7554
InflateRect.USER32(?,000000FD,000000FD), ref: 008A7572
DrawFocusRect.USER32(?,?), ref: 008A757D
GetSysColor.USER32(00000011), ref: 008A758E
SetTextColor.GDI32(?,00000000), ref: 008A7596
DrawTextW.USER32(?,008A70F5,000000FF,?,00000000), ref: 008A75A8
SelectObject.GDI32(?,?), ref: 008A75BF
DeleteObject.GDI32(?), ref: 008A75CA
SelectObject.GDI32(?,?), ref: 008A75D0
DeleteObject.GDI32(?), ref: 008A75D5
SetTextColor.GDI32(?,?), ref: 008A75DB
SetBkColor.GDI32(?,?), ref: 008A75E5

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: ca3ba9a5e8ecc364d5d4f05be615c2e55525a7061207d741c951671e14970d54
Instruction ID: d812d1d982f2d7ba4756ad21e3d3513c687a419f784319ecacbfbd3f006acec0
Opcode Fuzzy Hash: ca3ba9a5e8ecc364d5d4f05be615c2e55525a7061207d741c951671e14970d54
Instruction Fuzzy Hash: 7D615C72D04218AFEF019FA4DC49EAEBFB9FF0A320F114125F915AB6A1D7749940DB90

Uniqueness

Uniqueness Score: -1.00%

Function 008A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 008A1128
GetDesktopWindow.USER32 ref: 008A113D
GetWindowRect.USER32(00000000), ref: 008A1144
GetWindowLongW.USER32(?,000000F0), ref: 008A1199
DestroyWindow.USER32(?), ref: 008A11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 008A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 008A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 008A1245
IsWindowVisible.USER32(00000000), ref: 008A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008A12D0
GetWindowRect.USER32(00000000,?), ref: 008A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 008A130E
GetMonitorInfoW.USER32(00000000,?), ref: 008A1328
CopyRect.USER32(?,?), ref: 008A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 008A13AA

Strings

tooltips_class32, xrefs: 008A11E6
0, xrefs: 008A10D3
(, xrefs: 008A131B

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6078defceadd444b0d5eac0661c077c7b7f743519df4ea511750deaef69ae3f7
Instruction ID: f32fd2b9dbf027f38fc0329020a0550b3bec858c9ad43adfe1e9bf9026f1051b
Opcode Fuzzy Hash: 6078defceadd444b0d5eac0661c077c7b7f743519df4ea511750deaef69ae3f7
Instruction Fuzzy Hash: EBB18F71608341AFEB04DF64C888BAABBE5FF85354F00891CF999DB661D771D844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 008A0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008A02E5
_wcslen.LIBCMT ref: 008A031F
_wcslen.LIBCMT ref: 008A0389
_wcslen.LIBCMT ref: 008A03F1
_wcslen.LIBCMT ref: 008A0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 008A04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008A0504

Part of subcall function 0082F9F2: _wcslen.LIBCMT ref: 0082F9FD

Part of subcall function 0087223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00872258
Part of subcall function 0087223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0087228A

Strings

VIEWCHANGE, xrefs: 008A0675
ISSELECTED, xrefs: 008A04DD
SELECTALL, xrefs: 008A0515
DESELECT, xrefs: 008A059C
SELECTINVERT, xrefs: 008A057E
GETSELECTED, xrefs: 008A05E1
SELECT, xrefs: 008A0548
GETTEXT, xrefs: 008A03EC, 008A0407
SELECTCLEAR, xrefs: 008A052D
GETSELECTEDCOUNT, xrefs: 008A0470, 008A048B
GETITEMCOUNT, xrefs: 008A0316, 008A0337
FINDITEM, xrefs: 008A0627
GETSUBITEMCOUNT, xrefs: 008A0384, 008A039F

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 059743ab9ed1b50006e8a614eee8847cdb8970ab74a10ed7ef37dd45c48fa458
Instruction ID: f33c497cf582ca8cd97deacdc8d61a415176e0587becb6d26c055dbf7b783994
Opcode Fuzzy Hash: 059743ab9ed1b50006e8a614eee8847cdb8970ab74a10ed7ef37dd45c48fa458
Instruction Fuzzy Hash: DEE19F312083018FD714DF28C45096AB7E6FF99318B544A6DF896DB7A6DB30ED85CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00828891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00828968
GetSystemMetrics.USER32(00000007), ref: 00828970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0082899B
GetSystemMetrics.USER32(00000008), ref: 008289A3
GetSystemMetrics.USER32(00000004), ref: 008289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00828A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00828A3C
GetClientRect.USER32(00000000,000000FF), ref: 00828A5A
GetStockObject.GDI32(00000011), ref: 00828A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00828A81

Part of subcall function 0082912D: GetCursorPos.USER32(?), ref: 00829141
Part of subcall function 0082912D: ScreenToClient.USER32(00000000,?), ref: 0082915E
Part of subcall function 0082912D: GetAsyncKeyState.USER32(00000001), ref: 00829183
Part of subcall function 0082912D: GetAsyncKeyState.USER32(00000002), ref: 0082919D

SetTimer.USER32(00000000,00000000,00000028,008290FC), ref: 00828AA8

Strings

AutoIt v3 GUI, xrefs: 00828A20

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 65b2f7bdff100b5bc4fc3a0e4062aaaaf0a2b20773765d00c56758588aaec976
Instruction ID: 1e7d297346fd8879c6207814d3185916310917603fdfc47effda89773e7b3b84
Opcode Fuzzy Hash: 65b2f7bdff100b5bc4fc3a0e4062aaaaf0a2b20773765d00c56758588aaec976
Instruction Fuzzy Hash: 6DB18B31A00259DFDF14DFA8DC89BAE7BB5FB49314F114229FA15EB290DB34A880CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00870D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00871114
Part of subcall function 008710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871120
Part of subcall function 008710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 0087112F
Part of subcall function 008710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871136
Part of subcall function 008710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0087114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00870DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00870E29
GetLengthSid.ADVAPI32(?), ref: 00870E40
GetAce.ADVAPI32(?,00000000,?), ref: 00870E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00870E96
GetLengthSid.ADVAPI32(?), ref: 00870EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00870EB5
HeapAlloc.KERNEL32(00000000), ref: 00870EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00870EDD
CopySid.ADVAPI32(00000000), ref: 00870EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00870F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00870F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00870F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870F6E
HeapFree.KERNEL32(00000000), ref: 00870F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870F7E
HeapFree.KERNEL32(00000000), ref: 00870F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870F8E
HeapFree.KERNEL32(00000000), ref: 00870F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00870FA1
HeapFree.KERNEL32(00000000), ref: 00870FA8

Part of subcall function 00871193: GetProcessHeap.KERNEL32(00000008,00870BB1,?,00000000,?,00870BB1,?), ref: 008711A1
Part of subcall function 00871193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00870BB1,?), ref: 008711A8
Part of subcall function 00871193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00870BB1,?), ref: 008711B7

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 8a70958244e7b9b1ea89b5fb30c31362f84d88e68bfe1bde3e9cc2b40f376da3
Instruction ID: b14e1bf5757deb1027f0da04fe830cea0fb39076fccd182a9704b252bed59697
Opcode Fuzzy Hash: 8a70958244e7b9b1ea89b5fb30c31362f84d88e68bfe1bde3e9cc2b40f376da3
Instruction Fuzzy Hash: BB712A7290020AEBEF20DFA4DC49BAEBBB8FF05310F148115E959E6195DB71D905CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0089C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0089C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,008ACC08,00000000,?,00000000,?,?), ref: 0089C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0089C5A4
_wcslen.LIBCMT ref: 0089C5F4
_wcslen.LIBCMT ref: 0089C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0089C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0089C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0089C84D
RegCloseKey.ADVAPI32(?), ref: 0089C881
RegCloseKey.ADVAPI32(00000000), ref: 0089C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0089C960

Strings

REG_EXPAND_SZ, xrefs: 0089C5CD
REG_BINARY, xrefs: 0089C913
REG_MULTI_SZ, xrefs: 0089C6F5
REG_QWORD, xrefs: 0089C8C3
REG_SZ, xrefs: 0089C644
REG_DWORD, xrefs: 0089C804

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 96bbe73798391dc34873c890e4bda2b20b004192f5259752bab187b98ab55362
Instruction ID: 3592cf677bd1fdb2f3707b7949aa76978518516d903c92e6b052dafad841fb20
Opcode Fuzzy Hash: 96bbe73798391dc34873c890e4bda2b20b004192f5259752bab187b98ab55362
Instruction Fuzzy Hash: 39124C356042019FDB14EF18C891A6AB7E5FF88714F09885DF85ADB3A2DB31ED41CB82

Uniqueness

Uniqueness Score: -1.00%

Function 008A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008A09C6
_wcslen.LIBCMT ref: 008A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008A0A54
_wcslen.LIBCMT ref: 008A0A8A
_wcslen.LIBCMT ref: 008A0B06
_wcslen.LIBCMT ref: 008A0B81

Part of subcall function 0082F9F2: _wcslen.LIBCMT ref: 0082F9FD

Part of subcall function 00872BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00872BFA

Strings

UNCHECK, xrefs: 008A0D3E
GETTEXT, xrefs: 008A0C97
GETITEMCOUNT, xrefs: 008A0C1E
GETTOTALCOUNT, xrefs: 008A09F2, 008A0A17
EXISTS, xrefs: 008A0B7C, 008A0B97
ISCHECKED, xrefs: 008A0CE1
COLLAPSE, xrefs: 008A0B01, 008A0B1C
GETSELECTED, xrefs: 008A0C4E
SELECT, xrefs: 008A0D11
EXPAND, xrefs: 008A0BF8
CHECK, xrefs: 008A0A85, 008A0AA0

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 6584a830a749209678cd23b3b535bdbd039d127dd57fb5673bf0a975f0dffde9
Instruction ID: d2534ad2d83b0b296e046ab743acea7ecfaecec67bae64dd29afc931086d326d
Opcode Fuzzy Hash: 6584a830a749209678cd23b3b535bdbd039d127dd57fb5673bf0a975f0dffde9
Instruction Fuzzy Hash: C2E16A312083118FD714DF28C45096AB7E2FF99314B148A5DF896DB7A2D731ED86CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0089C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0089B6AE,?,?), ref: 0089C9B5
_wcslen.LIBCMT ref: 0089C9F1
_wcslen.LIBCMT ref: 0089CA68
_wcslen.LIBCMT ref: 0089CA9E
_wcslen.LIBCMT ref: 0089CAF9
_wcslen.LIBCMT ref: 0089CB2F
_wcslen.LIBCMT ref: 0089CB7F

Strings

HKCU, xrefs: 0089CBCE
HKEY_LOCAL_MACHINE, xrefs: 0089CA62, 0089CA67
HKCR, xrefs: 0089CB29, 0089CB2E
HKCC, xrefs: 0089CBAC
HKU, xrefs: 0089CBF0
HKLM, xrefs: 0089CA98, 0089CA9D
HKEY_USERS, xrefs: 0089CBDF
HKEY_CURRENT_CONFIG, xrefs: 0089CB79, 0089CB7E
HKEY_CLASSES_ROOT, xrefs: 0089CAF3, 0089CAF8
HKEY_CURRENT_USER, xrefs: 0089CBBD

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: a3bd66c0332dd3843bc65499351af19d5925b0f863c407315e2162c468fa2866
Instruction ID: e2dcc496cbc453e223f1c7aac6548b2724d889f6aeb33e00598e37133f5a0db2
Opcode Fuzzy Hash: a3bd66c0332dd3843bc65499351af19d5925b0f863c407315e2162c468fa2866
Instruction Fuzzy Hash: D371F27260016A8BCF20EE6CCD515BE3795FFA0764F590629F856D7284F636CD84C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 008A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008A835A
_wcslen.LIBCMT ref: 008A836E
_wcslen.LIBCMT ref: 008A8391
_wcslen.LIBCMT ref: 008A83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,008A5BF2), ref: 008A844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008A8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008A84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008A8501
FreeLibrary.KERNEL32(?), ref: 008A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 008A851D
DestroyIcon.USER32(?,?,?,?,?,008A5BF2), ref: 008A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 008A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 008A8555

Strings

.icl, xrefs: 008A8368
.exe, xrefs: 008A8388
.dll, xrefs: 008A83AB

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 8d802d9fe56fe3c04bd826e91ae5089fb377b311fc1d91e6e1ec46e38be62a71
Instruction ID: 4b2ebc5ca45f76d45d4bc894b703365abf446d762a3b20b491cd2aba7895bf4b
Opcode Fuzzy Hash: 8d802d9fe56fe3c04bd826e91ae5089fb377b311fc1d91e6e1ec46e38be62a71
Instruction Fuzzy Hash: 7461BD71900219FEFB14DF68CC45BBE77A8FB09B21F104609F815D65D1EBB4A990CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00817778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

", xrefs: 00855153
#comments-end, xrefs: 008178D9
Unterminated group of comments, xrefs: 0085528C
#ce, xrefs: 008178ED
#include-once, xrefs: 0081782F
#cs, xrefs: 00817873, 008178C5
#include, xrefs: 00817847
#pragma compile, xrefs: 008177D3
#requireadmin, xrefs: 008177FF
#comments-start, xrefs: 0081785F, 008178B1
#OnAutoItStartRegister, xrefs: 00817817
Bad directive syntax error, xrefs: 0085519A
Cannot parse #include, xrefs: 00855279
', xrefs: 00855169
#notrayicon, xrefs: 008177E7

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 57f8d6d3b3a0fc3e57d215c1822eafff4ffbe7627e1c77041374647bce9f5232
Instruction ID: 921aab522a8fcdf0d3e9c881b381441dd966d4d0b9977d0fc1bf432ed46209bd
Opcode Fuzzy Hash: 57f8d6d3b3a0fc3e57d215c1822eafff4ffbe7627e1c77041374647bce9f5232
Instruction Fuzzy Hash: CF81F471644605ABDB20AF64DC52FEE3BB8FF55300F044428FD05EA292EB74D985C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00875A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00875A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00875A40
SetWindowTextW.USER32(?,?), ref: 00875A57
GetDlgItem.USER32(?,000003EA), ref: 00875A6C
SetWindowTextW.USER32(00000000,?), ref: 00875A72
GetDlgItem.USER32(?,000003E9), ref: 00875A82
SetWindowTextW.USER32(00000000,?), ref: 00875A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00875AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00875AC3
GetWindowRect.USER32(?,?), ref: 00875ACC
_wcslen.LIBCMT ref: 00875B33
SetWindowTextW.USER32(?,?), ref: 00875B6F
GetDesktopWindow.USER32 ref: 00875B75
GetWindowRect.USER32(00000000), ref: 00875B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00875BD3
GetClientRect.USER32(?,?), ref: 00875BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00875C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00875C2F

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 5ec44f65475793e90bbb4036ddc8eaa5710ffb147dcc64e457d2cec6093d6857
Instruction ID: decb5fe27f74074c58b1c895b8db9e27d5c8acc989b14fc29134acc17d1be862
Opcode Fuzzy Hash: 5ec44f65475793e90bbb4036ddc8eaa5710ffb147dcc64e457d2cec6093d6857
Instruction Fuzzy Hash: F9715E31900B09AFDB20DFA8CE85BAEBBF5FF48714F108918E546E25A4D7B5E944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 008300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008300C6

Part of subcall function 008300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(008E070C,00000FA0,D453D105,?,?,?,?,008523B3,000000FF), ref: 0083011C
Part of subcall function 008300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008523B3,000000FF), ref: 00830127
Part of subcall function 008300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008523B3,000000FF), ref: 00830138
Part of subcall function 008300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0083014E
Part of subcall function 008300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0083015C
Part of subcall function 008300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0083016A
Part of subcall function 008300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00830195
Part of subcall function 008300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008301A0

___scrt_fastfail.LIBCMT ref: 008300E7

Part of subcall function 008300A3: __onexit.LIBCMT ref: 008300A9

Strings

WakeAllConditionVariable, xrefs: 00830162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00830122
InitializeConditionVariable, xrefs: 00830148
SleepConditionVariableCS, xrefs: 00830154
kernel32.dll, xrefs: 00830133

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: c3c251404636fc06099979f8c8149035b012c3da4daf9f894b0b6eea584d1319
Instruction ID: 17f7e1443fda2fa0ec677dcbb0946c34fabf2283feb8192e018bf8bff7dc3f86
Opcode Fuzzy Hash: c3c251404636fc06099979f8c8149035b012c3da4daf9f894b0b6eea584d1319
Instruction Fuzzy Hash: C1212932A44710ABF7216BA4AC55B2E37E4FB86B51F000539F911E6B92DFB89C40CED1

Uniqueness

Uniqueness Score: -1.00%

Function 008730F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0087318D
_wcslen.LIBCMT ref: 008731F8

Strings

CLASS, xrefs: 00873188, 008731A5
REGEXPCLASS, xrefs: 00873255, 00873266
INSTANCE, xrefs: 00873453
TEXT, xrefs: 0087347C
CLASSNN, xrefs: 008731F3, 00873204
NAME, xrefs: 00873335, 00873346

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 0ed896c72390fa0fc930f5b29bc42b9ec460607a9789861cfcf932ff8ec88e02
Instruction ID: a8903310516f2ce972266f22efa0093a4803da8f92431e932c1f5783b1840bc8
Opcode Fuzzy Hash: 0ed896c72390fa0fc930f5b29bc42b9ec460607a9789861cfcf932ff8ec88e02
Instruction Fuzzy Hash: 97E1F632A00516ABCB18DFB8C4516EDBBB4FF54710F54C22AE45AF7244DB30EE85A792

Uniqueness

Uniqueness Score: -1.00%

Function 008844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,008ACC08), ref: 00884527
_wcslen.LIBCMT ref: 0088453B
_wcslen.LIBCMT ref: 00884599
_wcslen.LIBCMT ref: 008845F4
_wcslen.LIBCMT ref: 0088463F
_wcslen.LIBCMT ref: 008846A7

Part of subcall function 0082F9F2: _wcslen.LIBCMT ref: 0082F9FD

GetDriveTypeW.KERNEL32(?,008D6BF0,00000061), ref: 00884743

Strings

cdrom, xrefs: 0088458F, 00884594
network, xrefs: 0088469D, 008846A2
all, xrefs: 00884531, 00884536
ramdisk, xrefs: 008846F1
unknown, xrefs: 00884708
fixed, xrefs: 00884635, 0088463A
removable, xrefs: 008845EA, 008845EF

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: ddb1a8cfdf1ff1b73d642f25a702947543775e649d05ffc1256f84b69294f9c4
Instruction ID: 1795809cc986bef12928970d469b6e2a3ffc1338b9a9737f148706994aad65aa
Opcode Fuzzy Hash: ddb1a8cfdf1ff1b73d642f25a702947543775e649d05ffc1256f84b69294f9c4
Instruction Fuzzy Hash: D6B1D2326083029FC710EF28C890A6EB7E5FFA5764F505A1DF596C7291E730D985CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0089AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0089B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0089B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0089B1D4
_wcslen.LIBCMT ref: 0089B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0089B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0089B236
_wcslen.LIBCMT ref: 0089B332

Part of subcall function 008805A7: GetStdHandle.KERNEL32(000000F6), ref: 008805C6

_wcslen.LIBCMT ref: 0089B34B
_wcslen.LIBCMT ref: 0089B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0089B3B6
GetLastError.KERNEL32(00000000), ref: 0089B407
CloseHandle.KERNEL32(?), ref: 0089B439
CloseHandle.KERNEL32(00000000), ref: 0089B44A
CloseHandle.KERNEL32(00000000), ref: 0089B45C
CloseHandle.KERNEL32(00000000), ref: 0089B46E
CloseHandle.KERNEL32(?), ref: 0089B4E3

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 6fcfda66ecbe6528406686b55fef4702b1909e8297b6ff2aa6a898571e666890
Instruction ID: 4dd3e8505f845647dc21546c79113bc06b0acd2c3450e187c81829c775ef6119
Opcode Fuzzy Hash: 6fcfda66ecbe6528406686b55fef4702b1909e8297b6ff2aa6a898571e666890
Instruction Fuzzy Hash: 31F17A316083409FCB14EF28D991B6ABBE5FF85314F18855DF8999B2A2DB31EC44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0081326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(008E1990), ref: 00852F8D
GetMenuItemCount.USER32(008E1990), ref: 0085303D
GetCursorPos.USER32(?), ref: 00853081
SetForegroundWindow.USER32(00000000), ref: 0085308A
TrackPopupMenuEx.USER32(008E1990,00000000,?,00000000,00000000,00000000), ref: 0085309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008530A9

Strings

0, xrefs: 0081327D

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 94fd71e83c60b53b4478d7d16a7b60905e8bf602a07e86fe71312472c1b49cdd
Instruction ID: cb3b0390b68c57d7d2da324077aaf78a8969b7e641042054a35b57374cabceee
Opcode Fuzzy Hash: 94fd71e83c60b53b4478d7d16a7b60905e8bf602a07e86fe71312472c1b49cdd
Instruction Fuzzy Hash: 20712A30640205BEFB319F68DC49F9ABF69FF06365F204216F925EA1E0CBB1A954C791

Uniqueness

Uniqueness Score: -1.00%

Function 008A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 008A6DEB

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 008A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 008A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008A6E94
DestroyWindow.USER32(?), ref: 008A6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00810000,00000000), ref: 008A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008A6EFD
GetDesktopWindow.USER32 ref: 008A6F16
GetWindowRect.USER32(00000000), ref: 008A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 008A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 008A6F4D

Part of subcall function 00829944: GetWindowLongW.USER32(?,000000EB), ref: 00829952

Strings

tooltips_class32, xrefs: 008A6E58, 008A6EDD
0, xrefs: 008A6D98

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 36bf41e064833c3b7152ed2fe760692d05b8d6530907f194ed238bf39f391d69
Instruction ID: 289da819b61a33a9371dd613b6a62aa1bd4a654517839610801de84502fa31fe
Opcode Fuzzy Hash: 36bf41e064833c3b7152ed2fe760692d05b8d6530907f194ed238bf39f391d69
Instruction Fuzzy Hash: 88718A70144244AFEB21DF18DC48FAABBE9FB8A304F58041DF999C76A1EB70A915CB11

Uniqueness

Uniqueness Score: -1.00%

Function 008A911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

DragQueryPoint.SHELL32(?,?), ref: 008A9147

Part of subcall function 008A7674: ClientToScreen.USER32(?,?), ref: 008A769A
Part of subcall function 008A7674: GetWindowRect.USER32(?,?), ref: 008A7710
Part of subcall function 008A7674: PtInRect.USER32(?,?,008A8B89), ref: 008A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 008A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 008A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 008A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 008A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 008A9277
DragFinish.SHELL32(?), ref: 008A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 008A9371

Strings

@GUI_DROPID, xrefs: 008A929E
@GUI_DRAGID, xrefs: 008A92E9
@GUI_DRAGFILE, xrefs: 008A9320

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 24e99e23780710362b93303f704f44db71e22c4d8ab15237ccd7d12bf6b0d407
Instruction ID: 624af73d54d10553c33b979f34ffd718429212ee75017b73eda29cbdc8acb0c7
Opcode Fuzzy Hash: 24e99e23780710362b93303f704f44db71e22c4d8ab15237ccd7d12bf6b0d407
Instruction Fuzzy Hash: DF613971108301AFD701DF64DC85DAFBBE8FF99750F40092EF5A5922A1DB709A49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0088C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0088C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0088C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0088C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0088C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0088C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0088C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0088C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0088C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0088C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0088C5F0
InternetCloseHandle.WININET(00000000), ref: 0088C5FB

Strings

, xrefs: 0088C575

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: a4c70165717a8d843d91bad01e50f1d55076c0ac3c6bd6432236d323a1ceb987
Instruction ID: 63184e77b05627782cbb38657380b85fa893aee37ffb19a45f32875927373fd9
Opcode Fuzzy Hash: a4c70165717a8d843d91bad01e50f1d55076c0ac3c6bd6432236d323a1ceb987
Instruction Fuzzy Hash: 64516BB1500608BFEB21AF64C988AAB7BFCFF09754F00442AF945D6614DB34E944DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 008A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 008A8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008A85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008A85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008A85BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008A85D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008A85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008A85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,008AFC38,?), ref: 008A8611
GlobalFree.KERNEL32(00000000), ref: 008A8621
GetObjectW.GDI32(?,00000018,?), ref: 008A8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 008A8671
DeleteObject.GDI32(?), ref: 008A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008A86AF

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: c2679540819a2cbe7381f3f1319e5b9ef488523b99e211982f8c49ef104f507c
Instruction ID: 42cd6b5193a319e3d9b5356e900d7d437a3778a5596c26dd4d6cf6c2285dafca
Opcode Fuzzy Hash: c2679540819a2cbe7381f3f1319e5b9ef488523b99e211982f8c49ef104f507c
Instruction Fuzzy Hash: 84410975600208EFEB119FA5CC48EAABBB8FF9AB15F104058F909E7660DB309901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 008814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00881502
VariantCopy.OLEAUT32(?,?), ref: 0088150B
VariantClear.OLEAUT32(?), ref: 00881517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00881657
VariantInit.OLEAUT32(?), ref: 00881708
SysFreeString.OLEAUT32(?), ref: 0088178C
VariantClear.OLEAUT32(?), ref: 008817D8
VariantClear.OLEAUT32(?), ref: 008817E7
VariantInit.OLEAUT32(00000000), ref: 00881823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00881625
Default, xrefs: 008816AF

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 07d3e9454b5c4bfa62fa1c69f1aed7214f6ff02f1fe32ec1ba02cd63467d577f
Instruction ID: c44098da40c5ee549eeaed36d892344f334570db31ed73c0a1cb95376cc85004
Opcode Fuzzy Hash: 07d3e9454b5c4bfa62fa1c69f1aed7214f6ff02f1fe32ec1ba02cd63467d577f
Instruction Fuzzy Hash: 8CD1D071A0011ADBDF10AF69E889B79B7B9FF46704F10805AE446EB581DF30DD82DB52

Uniqueness

Uniqueness Score: -1.00%

Function 0089B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 0089C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0089B6AE,?,?), ref: 0089C9B5
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089C9F1
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA68
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0089B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0089B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0089B80A
RegCloseKey.ADVAPI32(?), ref: 0089B87E
RegCloseKey.ADVAPI32(?), ref: 0089B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0089B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0089B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0089B922
FreeLibrary.KERNEL32(00000000), ref: 0089B983
RegCloseKey.ADVAPI32(00000000), ref: 0089B994

Strings

advapi32.dll, xrefs: 0089B8ED
RegDeleteKeyExW, xrefs: 0089B8FE

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 99bb3aaf4456d66643bad439a067f862bdf7280824aa3b3cea5d75b62e115a58
Instruction ID: d4457c2886bc2d03499b830249e796574ffac36c1c4d1abf59f7af4defd28225
Opcode Fuzzy Hash: 99bb3aaf4456d66643bad439a067f862bdf7280824aa3b3cea5d75b62e115a58
Instruction Fuzzy Hash: 20C18F30204201AFDB14EF18D594F6ABBE5FF84308F18855CE5998B7A2DB71ED85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0089255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008925E8
CreateCompatibleDC.GDI32(?), ref: 008925F4
SelectObject.GDI32(00000000,?), ref: 00892601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0089266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008926D0
SelectObject.GDI32(?,?), ref: 008926D8
DeleteObject.GDI32(?), ref: 008926E1
DeleteDC.GDI32(?), ref: 008926E8
ReleaseDC.USER32(00000000,?), ref: 008926F3

Strings

(, xrefs: 0089268D

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 62ab7892a59ea7ea57a1ebcadd044061cfd78438badb4e078a67e7450766f9cd
Instruction ID: b6a258bdb6412bef341cd0ce997569fce399049b330e00f44595e6631db6f39b
Opcode Fuzzy Hash: 62ab7892a59ea7ea57a1ebcadd044061cfd78438badb4e078a67e7450766f9cd
Instruction Fuzzy Hash: D961F1B5E00219EFDF05DFA8D884AAEBBB5FF48310F248529E955A7250E770A941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0084DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0084DAA1

Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D659
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D66B
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D67D
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D68F
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6A1
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6B3
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6C5
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6D7
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6E9
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6FB
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D70D
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D71F
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D731

_free.LIBCMT ref: 0084DA96

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 0084DAB8
_free.LIBCMT ref: 0084DACD
_free.LIBCMT ref: 0084DAD8
_free.LIBCMT ref: 0084DAFA
_free.LIBCMT ref: 0084DB0D
_free.LIBCMT ref: 0084DB1B
_free.LIBCMT ref: 0084DB26
_free.LIBCMT ref: 0084DB5E
_free.LIBCMT ref: 0084DB65
_free.LIBCMT ref: 0084DB82
_free.LIBCMT ref: 0084DB9A

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 90dc60f91b231da797b2585f22d2533c472785bd85c4fd343504c9affc5f7828
Instruction ID: 065df8293dfc6e980e3349f81f4a4b17013db8badef4f2b824c51254c4d96de0
Opcode Fuzzy Hash: 90dc60f91b231da797b2585f22d2533c472785bd85c4fd343504c9affc5f7828
Instruction Fuzzy Hash: AA313B3260870D9FEB22AA79E845F5A7BE9FF10360F55452AF449D7291DF31AC40C721

Uniqueness

Uniqueness Score: -1.00%

Function 0087365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0087369C
_wcslen.LIBCMT ref: 008736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00873797
GetClassNameW.USER32(?,?,00000400), ref: 0087380C
GetDlgCtrlID.USER32(?), ref: 0087385D
GetWindowRect.USER32(?,?), ref: 00873882
GetParent.USER32(?), ref: 008738A0
ScreenToClient.USER32(00000000), ref: 008738A7
GetClassNameW.USER32(?,?,00000100), ref: 00873921
GetWindowTextW.USER32(?,?,00000400), ref: 0087395D

Strings

%s%u, xrefs: 00873734

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 3142e38d9b8da3ed7d1b50593d5dcfd4945c5376cd3b4095264845922eeddec0
Instruction ID: 84290beeadb343992b1a3b4e59e0f3d6cba3b2de0966efec7c8a26648a4af316
Opcode Fuzzy Hash: 3142e38d9b8da3ed7d1b50593d5dcfd4945c5376cd3b4095264845922eeddec0
Instruction Fuzzy Hash: 5F91C171204606AFDB18DF24C885BAAF7A8FF45354F00C629FA9DD2194DB30EA45DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00874954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00874994
GetWindowTextW.USER32(?,?,00000400), ref: 008749DA
_wcslen.LIBCMT ref: 008749EB
CharUpperBuffW.USER32(?,00000000), ref: 008749F7
_wcsstr.LIBVCRUNTIME ref: 00874A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00874A64
GetWindowTextW.USER32(?,?,00000400), ref: 00874A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00874AE6
GetClassNameW.USER32(?,?,00000400), ref: 00874B20
GetWindowRect.USER32(?,?), ref: 00874B8B

Strings

ThumbnailClass, xrefs: 00874A6F, 00874AF1

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 6fd376aca80e392e2d3137d3a3d9af205bdf3d877f81b5b08249003ee000ba30
Instruction ID: d7f1c1073af4a0c1d91380801deca315945975c6d2b9c34a78c2c73dd2fe213c
Opcode Fuzzy Hash: 6fd376aca80e392e2d3137d3a3d9af205bdf3d877f81b5b08249003ee000ba30
Instruction Fuzzy Hash: B491BE711042059FDB05DF58C981BAAB7E8FF84314F04946AFD89DA19AEB30ED45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 008A8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008A8D5A
GetFocus.USER32 ref: 008A8D6A
GetDlgCtrlID.USER32(00000000), ref: 008A8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 008A8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 008A8ECF
GetMenuItemCount.USER32(?), ref: 008A8EEC
GetMenuItemID.USER32(?,00000000), ref: 008A8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 008A8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 008A8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008A8FA1

Strings

0, xrefs: 008A8E9F

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: d244da0eb181af41a66e853d1c4191046ad4b0c60052d1ea9145fae6121d71c0
Instruction ID: bddb8c5a0cfb35b8868a32459d08fc0cd7debd65b52fbc7171ee6034c32213ba
Opcode Fuzzy Hash: d244da0eb181af41a66e853d1c4191046ad4b0c60052d1ea9145fae6121d71c0
Instruction Fuzzy Hash: DF819C71508315EFEB10CF24D884AABBBE9FB8A754F140929F985D7691DF70D900CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0087DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0087DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0087DC46
_wcslen.LIBCMT ref: 0087DC50
_wcsstr.LIBVCRUNTIME ref: 0087DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0087DCBC

Strings

DefaultLangCodepage, xrefs: 0087DD1F
04090000, xrefs: 0087DCF2
\VarFileInfo\Translation, xrefs: 0087DCB4
%u.%u.%u.%u, xrefs: 0087DD9A
StringFileInfo\, xrefs: 0087DC8F

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 48692ddbb449eccca31d3e440ef5ad817a9d05ed211d182c6f6606afbde957fe
Instruction ID: ff702ee6a6b43354c9c1f3b902c1d81b072679c897b367b06bab0b3b78aa9028
Opcode Fuzzy Hash: 48692ddbb449eccca31d3e440ef5ad817a9d05ed211d182c6f6606afbde957fe
Instruction Fuzzy Hash: D44117329403147BEB15A7699C43EBF3BBCFF86710F10406AF904E6282EB75D90197A6

Uniqueness

Uniqueness Score: -1.00%

Function 0089CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0089CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0089CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0089CD48

Part of subcall function 0089CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0089CCAA
Part of subcall function 0089CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0089CCBD
Part of subcall function 0089CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0089CCCF
Part of subcall function 0089CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0089CD05
Part of subcall function 0089CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0089CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0089CCF3

Strings

advapi32.dll, xrefs: 0089CCB8
RegDeleteKeyExW, xrefs: 0089CCC9

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 8ae14009db217c4f2ff72329295b6bd0c06f498c74afe8329945b18180aa5157
Instruction ID: a471f42764baec8893905b9946a81dca487d3ece20d9c649573841940229c156
Opcode Fuzzy Hash: 8ae14009db217c4f2ff72329295b6bd0c06f498c74afe8329945b18180aa5157
Instruction Fuzzy Hash: AC316C71A01129BBEB20AB54DC88EFFBB7CFF46754F040165E906E2240DA349E45EAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0087E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0087E6B4

Part of subcall function 0082E551: timeGetTime.WINMM(?,?,0087E6D4), ref: 0082E555

Sleep.KERNEL32(0000000A), ref: 0087E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0087E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0087E727
SetActiveWindow.USER32 ref: 0087E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0087E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0087E773
Sleep.KERNEL32(000000FA), ref: 0087E77E
IsWindow.USER32 ref: 0087E78A
EndDialog.USER32(00000000), ref: 0087E79B

Strings

BUTTON, xrefs: 0087E719

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 85a31b00e925d5eda0c37ad9d827bb753618fa9639d0da775776f4f0ab559b76
Instruction ID: 60658990388f472e86f1355df645c65a07fd17521ecb21dd0f60498a1fc73aae
Opcode Fuzzy Hash: 85a31b00e925d5eda0c37ad9d827bb753618fa9639d0da775776f4f0ab559b76
Instruction Fuzzy Hash: 4C218170200245AFFF109F64ECC9A253B6DF76A349B108565F51DC66B5DBB1EC00DB25

Uniqueness

Uniqueness Score: -1.00%

Function 0087E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0087EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0087EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0087EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0087EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0087EAA7

Strings

play PlayMe wait, xrefs: 0087EA91
alias PlayMe, xrefs: 0087EA36
close PlayMe, xrefs: 0087EA6E, 0087EA9B
play PlayMe, xrefs: 0087EAA2
status PlayMe mode, xrefs: 0087EA58
open , xrefs: 0087EA0C

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 8e41f01833e5c85471e922fa0b0c691af75738d81ce46ad6c51469cb14328fa8
Instruction ID: 3c4a6acec5c4bbb9dc6932541cebd508d0a775376675805fe8c74c7ac1055641
Opcode Fuzzy Hash: 8e41f01833e5c85471e922fa0b0c691af75738d81ce46ad6c51469cb14328fa8
Instruction Fuzzy Hash: 3C118F21A5022D79D720A7A5DC5ADFBAF7CFFD5B40F00052AB821E22D0EE705955C5B1

Uniqueness

Uniqueness Score: -1.00%

Function 00875CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00875CE2
GetWindowRect.USER32(00000000,?), ref: 00875CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00875D59
GetDlgItem.USER32(?,00000002), ref: 00875D69
GetWindowRect.USER32(00000000,?), ref: 00875D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00875DCF
GetDlgItem.USER32(?,000003E9), ref: 00875DDD
GetWindowRect.USER32(00000000,?), ref: 00875DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00875E31
GetDlgItem.USER32(?,000003EA), ref: 00875E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00875E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00875E67

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 4c1cddc95296cddcd61f20cbcd622382d024a6cbaad865d49484ff8f9184f230
Instruction ID: 43c3972705daa46087ad1ec786ea8b2b3e825b3ce24efbe477a806d7aebee1f4
Opcode Fuzzy Hash: 4c1cddc95296cddcd61f20cbcd622382d024a6cbaad865d49484ff8f9184f230
Instruction Fuzzy Hash: C551FD71A00609AFDB18CF68DD89AAEBBB5FB59300F148129F519E6694D770EE04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00828BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00828F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00828BE8,?,00000000,?,?,?,?,00828BBA,00000000,?), ref: 00828FC5

DestroyWindow.USER32(?), ref: 00828C81
KillTimer.USER32(00000000,?,?,?,?,00828BBA,00000000,?), ref: 00828D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00866973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00828BBA,00000000,?), ref: 008669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00828BBA,00000000,?), ref: 008669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00828BBA,00000000), ref: 008669D4
DeleteObject.GDI32(00000000), ref: 008669E6

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: fedc2389f49be907e8669b4665f57a19fa38448a7be915d56d162daecf961d5c
Instruction ID: 107366fb3f20fa379bf482bd8d57e02c242d2d5bd8cf062578303534e3877024
Opcode Fuzzy Hash: fedc2389f49be907e8669b4665f57a19fa38448a7be915d56d162daecf961d5c
Instruction Fuzzy Hash: 8161AA30502664DFDF21AF28EA88B29BBF1FB51316F554518E042DBA60CB35A8E0CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00829838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00829944: GetWindowLongW.USER32(?,000000EB), ref: 00829952

GetSysColor.USER32(0000000F), ref: 00829862

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: e0c6ee776396087ca89e5d8a777ec8227cc28250f0e7204297f69749a81a7348
Instruction ID: b934076efa5552902271ab929a3d13388fe2ea178d5081ae6e183c328b45d052
Opcode Fuzzy Hash: e0c6ee776396087ca89e5d8a777ec8227cc28250f0e7204297f69749a81a7348
Instruction Fuzzy Hash: 58419031504654AFEB245F38AC88BB93BA5FB17334F194669F9E2C72E1D7319882DB10

Uniqueness

Uniqueness Score: -1.00%

Function 008796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0085F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00879717
LoadStringW.USER32(00000000,?,0085F7F8,00000001), ref: 00879720

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0085F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00879742
LoadStringW.USER32(00000000,?,0085F7F8,00000001), ref: 00879745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00879866

Strings

Line %d:, xrefs: 008797A0
Error: , xrefs: 0087981D
Line %d (File "%s"):, xrefs: 0087978F
%s (%d) : ==> %s: %s %s, xrefs: 0087984A
^ ERROR, xrefs: 008797FB

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: bd1e34f43a376bd025650091bc937e67191c38c85fcdfa32beb282c0c3547e65
Instruction ID: e76d5fb62028e7c509f38640da4b6aecedf1fa50ac367957124cc2c0c9e0b1e4
Opcode Fuzzy Hash: bd1e34f43a376bd025650091bc937e67191c38c85fcdfa32beb282c0c3547e65
Instruction Fuzzy Hash: 09414D72800219AADB04EBE8DD96DEEB77CFF15350F104025F645F2192EA356F88CB62

Uniqueness

Uniqueness Score: -1.00%

Function 008706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00870804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0087082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00870837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0087083C

Strings

SOFTWARE\Classes\, xrefs: 0087070E
\IPC$, xrefs: 00870784
\CLSID, xrefs: 00870724

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 62b44ecefb145b421bc95a263513684a5b72fbb686368aa6a8ba13e7ea262216
Instruction ID: 06b48684e2932b48cd275e172a384aad5f79c24f921fcfff9b24997d56e6e921
Opcode Fuzzy Hash: 62b44ecefb145b421bc95a263513684a5b72fbb686368aa6a8ba13e7ea262216
Instruction Fuzzy Hash: B441D672C10229EBDB15EBA4DC958EEB778FF04350F05412AE915E3261EB30AE44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00893C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00893C5C
CoInitialize.OLE32(00000000), ref: 00893C8A
CoUninitialize.OLE32 ref: 00893C94
_wcslen.LIBCMT ref: 00893D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00893DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00893ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00893F0E
CoGetObject.OLE32(?,00000000,008AFB98,?), ref: 00893F2D
SetErrorMode.KERNEL32(00000000), ref: 00893F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00893FC4
VariantClear.OLEAUT32(?), ref: 00893FD8

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 560ac5782b6b194425a613bbb4a1ff12b2fad6d10adefcfa81c44212004845e8
Instruction ID: 211a34ea043c4215c0ed0806dd89c7d28c97fc62c2e837b74cb3087254424920
Opcode Fuzzy Hash: 560ac5782b6b194425a613bbb4a1ff12b2fad6d10adefcfa81c44212004845e8
Instruction Fuzzy Hash: 9DC12571608205AFDB00EF68C88496BB7E9FF89748F14491DF98ADB211DB31EE45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00887A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00887AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00887B8F
SHGetDesktopFolder.SHELL32(?), ref: 00887BA3
CoCreateInstance.OLE32(008AFD08,00000000,00000001,008D6E6C,?), ref: 00887BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00887C74
CoTaskMemFree.OLE32(?,?), ref: 00887CCC
SHBrowseForFolderW.SHELL32(?), ref: 00887D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00887D7A
CoTaskMemFree.OLE32(00000000), ref: 00887D81
CoTaskMemFree.OLE32(00000000), ref: 00887DD6
CoUninitialize.OLE32 ref: 00887DDC

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: fa191ec3a4699e0f8372ef048a2cef83f7f1c7b77e0f85b4dea21981b85238db
Instruction ID: a330f53fe3de4bc1803b27aba4dd33442d5dbc29d4f30680b1da193e3296db80
Opcode Fuzzy Hash: fa191ec3a4699e0f8372ef048a2cef83f7f1c7b77e0f85b4dea21981b85238db
Instruction Fuzzy Hash: C3C12C75A04109AFDB14DFA4C884DAEBBF9FF48314B1484A9E819DB761D730ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 008A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 008A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008A5515
CharNextW.USER32(00000158), ref: 008A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 008A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 008A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008A55AC

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 42798054cd3c043234fc8232e33f53841524dbbf2b11a79c04b76518f568d986
Instruction ID: b7b3f8d02d75b75127416e6791c2ad16cfcc81d21fd79cd6dd9473ef03b28e71
Opcode Fuzzy Hash: 42798054cd3c043234fc8232e33f53841524dbbf2b11a79c04b76518f568d986
Instruction Fuzzy Hash: CF619B71901A08EBEF10CF54DC849FE7BB9FB0B724F144149F925EAA90D7748A80DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0086FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0086FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0086FB08
VariantInit.OLEAUT32(?), ref: 0086FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0086FB3A
VariantCopy.OLEAUT32(?,?), ref: 0086FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0086FBA1
VariantClear.OLEAUT32(?), ref: 0086FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0086FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0086FBCC
VariantClear.OLEAUT32(?), ref: 0086FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0086FBE9

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a61c353833d0b558378ce8a91857c16507bc675921c93a94b2ba1169f6728a87
Instruction ID: 38057d97637906d8355e2026385f6da75c283806a9f443059983249868d020cd
Opcode Fuzzy Hash: a61c353833d0b558378ce8a91857c16507bc675921c93a94b2ba1169f6728a87
Instruction Fuzzy Hash: C2416235A002199FDB00DF68E8549EDBBB9FF09354F018069E945E7261CB30E945CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00879C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00879CA1
GetAsyncKeyState.USER32(000000A0), ref: 00879D22
GetKeyState.USER32(000000A0), ref: 00879D3D
GetAsyncKeyState.USER32(000000A1), ref: 00879D57
GetKeyState.USER32(000000A1), ref: 00879D6C
GetAsyncKeyState.USER32(00000011), ref: 00879D84
GetKeyState.USER32(00000011), ref: 00879D96
GetAsyncKeyState.USER32(00000012), ref: 00879DAE
GetKeyState.USER32(00000012), ref: 00879DC0
GetAsyncKeyState.USER32(0000005B), ref: 00879DD8
GetKeyState.USER32(0000005B), ref: 00879DEA

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d8af4398b7451e722584167fd4583567d07a8da7bfb6139d9ddc7c4f5d014763
Instruction ID: 72417bd45de4559bfcc7fde1a7383339d83a1ecdcd336b5b3b8f3888b975bf28
Opcode Fuzzy Hash: d8af4398b7451e722584167fd4583567d07a8da7bfb6139d9ddc7c4f5d014763
Instruction Fuzzy Hash: 2B41A834504BC96DFF31966488043B5BEA1FF52344F08C09ADACAD65C6EBE5D9C8C792

Uniqueness

Uniqueness Score: -1.00%

Function 0089055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008905BC
inet_addr.WSOCK32(?), ref: 0089061C
gethostbyname.WSOCK32(?), ref: 00890628
IcmpCreateFile.IPHLPAPI ref: 00890636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 008907B9
WSACleanup.WSOCK32 ref: 008907BF

Strings

Ping, xrefs: 00890676

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 993ae3ff44ac4740380d066985e897c9f56652e107866cd64d3ec90c7c5acdb9
Instruction ID: 5e10986b997a712b75b5f7ba118d1f46583b4a79149294c810b8d7481ed8e8d7
Opcode Fuzzy Hash: 993ae3ff44ac4740380d066985e897c9f56652e107866cd64d3ec90c7c5acdb9
Instruction Fuzzy Hash: F9917F35604201AFD710DF19D488B16BBE4FF44328F1985A9F469DB6A2C731ED85CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00898CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00898CF3

Part of subcall function 00878E54: _wcslen.LIBCMT ref: 00878E77

_wcslen.LIBCMT ref: 00898D4E
_wcslen.LIBCMT ref: 00898D9C
_wcslen.LIBCMT ref: 00898DDC
_wcslen.LIBCMT ref: 00898E6E

Strings

none, xrefs: 00898E65, 00898E6A
winapi, xrefs: 00898D96, 00898D9B
stdcall, xrefs: 00898DD6, 00898DDB
cdecl, xrefs: 00898D48, 00898D4D

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: f1d6fcc52421c3cb5bc9d9e893564319bce66e1d20c90bc123e0c4f3daf80aef
Instruction ID: 8cacf5986f209b7782412fa18878f91d9053fdb37cd4985cfc456a7184b058d7
Opcode Fuzzy Hash: f1d6fcc52421c3cb5bc9d9e893564319bce66e1d20c90bc123e0c4f3daf80aef
Instruction Fuzzy Hash: C1519E31A00117DBCF14EFACC9509BEB7A5FF66324B294229E966E7284EB35DD40C790

Uniqueness

Uniqueness Score: -1.00%

Function 0089372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00893774
CoUninitialize.OLE32 ref: 0089377F
CoCreateInstance.OLE32(?,00000000,00000017,008AFB78,?), ref: 008937D9
IIDFromString.OLE32(?,?), ref: 0089384C
VariantInit.OLEAUT32(?), ref: 008938E4
VariantClear.OLEAUT32(?), ref: 00893936

Strings

Invalid parameter, xrefs: 00893865
Failed to create object, xrefs: 008937E4, 0089389A
NULL Pointer assignment, xrefs: 0089381E

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: c5ef98ed1b89a6a20d99599e79157279a1e44ae1fc3cf067a455f989953243e0
Instruction ID: 5679e8fc4665ab9fdfc9ef35c66806b5cc48315b1f081cda2849229d6e8106ba
Opcode Fuzzy Hash: c5ef98ed1b89a6a20d99599e79157279a1e44ae1fc3cf067a455f989953243e0
Instruction Fuzzy Hash: C9619F70608311AFD710EF54C848B6ABBE8FF49714F144929F995EB291D770EE48CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00883388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008833CF

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008833F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00883504
Error: , xrefs: 008834D1
Line %d (File "%s"):, xrefs: 00883443, 0088345C
"%s" (%d) : ==> %s:, xrefs: 00883522
^ ERROR , xrefs: 0088349E
Incorrect parameters to object property !, xrefs: 008834AB

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 330c55b9e32d5e5048da3a6d5e3133145bb3eba82c8e81b655c03c362314d539
Instruction ID: 74bb861e58a51ac85ed075dd4147617eb390274967bb702c0b95d26f2365a1f4
Opcode Fuzzy Hash: 330c55b9e32d5e5048da3a6d5e3133145bb3eba82c8e81b655c03c362314d539
Instruction Fuzzy Hash: A9518A71800209AADF14EBA4DD46EEEB778FF04740F104166F515F22A2EB356F98DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0087B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0087B5FC
_wcslen.LIBCMT ref: 0087B608
_wcslen.LIBCMT ref: 0087B64D
_wcslen.LIBCMT ref: 0087B68C
_wcslen.LIBCMT ref: 0087B6C7

Strings

APPEND, xrefs: 0087B6C1, 0087B6C6
EXISTS, xrefs: 0087B686, 0087B68B
KEYS, xrefs: 0087B647, 0087B64C
REMOVE, xrefs: 0087B602, 0087B607

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: faf38e021d33cfd6919ab23b0586c707a4909ec878e04c0edf65e44f4043f589
Instruction ID: 6181028bc26b588207e668c775808f23624601e8eda098095a5e8b8d979c6e9a
Opcode Fuzzy Hash: faf38e021d33cfd6919ab23b0586c707a4909ec878e04c0edf65e44f4043f589
Instruction Fuzzy Hash: 9441DE32A000269BCB105F7DC8906BE77A6FFB1754B248229E629D7288F735CD81C790

Uniqueness

Uniqueness Score: -1.00%

Function 00885393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00885416
GetLastError.KERNEL32 ref: 00885420
SetErrorMode.KERNEL32(00000000,READY), ref: 008854A7

Strings

NOTREADY, xrefs: 0088544B
UNKNOWN, xrefs: 00885444
READY, xrefs: 00885460, 00885468
READONLY, xrefs: 00885452
INVALID, xrefs: 00885459

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 720a9dee1ebf921fef32b93c2194d14f7ee4d28d522eece762b3afc70c6812fd
Instruction ID: ae3b272595fb2339e9dab5c83b74453055f6126cf19bed5986d7382cee417099
Opcode Fuzzy Hash: 720a9dee1ebf921fef32b93c2194d14f7ee4d28d522eece762b3afc70c6812fd
Instruction Fuzzy Hash: 5431A3B5A006089FD710EF68C484AAA7BF4FF45305F148069E505DB392EB71ED86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008A3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 008A3C79
SetMenu.USER32(?,00000000), ref: 008A3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008A3D10
IsMenu.USER32(?), ref: 008A3D24
CreatePopupMenu.USER32 ref: 008A3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008A3D5B
DrawMenuBar.USER32 ref: 008A3D63

Strings

F, xrefs: 008A3D4E
0, xrefs: 008A3C54

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 9748f50de1885d48193ac8de7a6b876db4018e24046bde072cb8886e12420386
Instruction ID: 8934534bb893224dbcd9a5716ee9b96ec8a4780c5d42d307bd3566f62f6a9625
Opcode Fuzzy Hash: 9748f50de1885d48193ac8de7a6b876db4018e24046bde072cb8886e12420386
Instruction Fuzzy Hash: BF413875A01209EFEB14DF64D884BAABBB5FF4A350F140029F946E7760D770AA10CB94

Uniqueness

Uniqueness Score: -1.00%

Function 008A3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 008A3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 008A3AA0
GetWindowLongW.USER32(?,000000F0), ref: 008A3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008A3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 008A3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 008A3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 008A3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 008A3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 008A3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 008A3C13

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: e87a7c5dc48afd9c1b2ea62dd430c42132247719934b456ab602517a539b56d6
Instruction ID: 49961f6a216c592fbf1d2016c2e659c77397034f04155e69615c5b85a574a6c8
Opcode Fuzzy Hash: e87a7c5dc48afd9c1b2ea62dd430c42132247719934b456ab602517a539b56d6
Instruction Fuzzy Hash: 45617D75900248AFEB11DF68CC85EEE77B8FB0A710F100059FA15E7291C774AE41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0087B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0087B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B165
GetWindowThreadProcessId.USER32(00000000), ref: 0087B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0087B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B21D

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 5bd7c2ca15d11edb4ee946de560ef9a0ef3a7681d843fbd7f006f13342c300cf
Instruction ID: 3938c800c6f57659c36ff11748ea7c8fe60fa675735c36fd04b2ad935c79143f
Opcode Fuzzy Hash: 5bd7c2ca15d11edb4ee946de560ef9a0ef3a7681d843fbd7f006f13342c300cf
Instruction Fuzzy Hash: 0C3191B5510608BFEB10DF64DC88B6D7BAAFB62325F108419FA09DB191D7B4DE408F64

Uniqueness

Uniqueness Score: -1.00%

Function 00842C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00842C94

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 00842CA0
_free.LIBCMT ref: 00842CAB
_free.LIBCMT ref: 00842CB6
_free.LIBCMT ref: 00842CC1
_free.LIBCMT ref: 00842CCC
_free.LIBCMT ref: 00842CD7
_free.LIBCMT ref: 00842CE2
_free.LIBCMT ref: 00842CED
_free.LIBCMT ref: 00842CFB

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e091495acf67c7c18493d1ae598793bc3d8629afc1a9fc49b670b672c78346a0
Instruction ID: 6df76ff7bd89801dea2a454fba054351cc33ae4fe019166598b3a23d4eae4b4d
Opcode Fuzzy Hash: e091495acf67c7c18493d1ae598793bc3d8629afc1a9fc49b670b672c78346a0
Instruction Fuzzy Hash: BB11A27610410CAFDB02EF99D882DDD3FA9FF05350F9144A5FA489F222DA31EE509B92

Uniqueness

Uniqueness Score: -1.00%

Function 00811410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00811459
OleUninitialize.OLE32(?,00000000), ref: 008114F8
UnregisterHotKey.USER32(?), ref: 008116DD
DestroyWindow.USER32(?), ref: 008524B9
FreeLibrary.KERNEL32(?), ref: 0085251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0085254B

Strings

close all, xrefs: 00811454

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: f481df172f2fafa365fa5342c4cd4cc2a44cf64ce40ad7bbf390bf857a83f80c
Instruction ID: 0121e52e40d1733420a2c099579fc18a332a37a9ad72994867a2798ca664cecb
Opcode Fuzzy Hash: f481df172f2fafa365fa5342c4cd4cc2a44cf64ce40ad7bbf390bf857a83f80c
Instruction Fuzzy Hash: 75D16B317012228FDB19EF18C499A69F7A9FF06701F1441ADEA4AEB252DF30AC56CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00887DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00887FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00887FC1
GetFileAttributesW.KERNEL32(?), ref: 00887FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00888005
SetCurrentDirectoryW.KERNEL32(?), ref: 00888017
SetCurrentDirectoryW.KERNEL32(?), ref: 00888060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008880B0

Strings

*.*, xrefs: 00888066

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: dd4d67bfd980c753a1bff5728a7a9fbeddd5b2c82c6c8ddaf416f726df79cec5
Instruction ID: 99e6bf4b6351ff897d900aca5d4ced6d8951c2f8fe054373cbfb45a8029c9fd7
Opcode Fuzzy Hash: dd4d67bfd980c753a1bff5728a7a9fbeddd5b2c82c6c8ddaf416f726df79cec5
Instruction Fuzzy Hash: 4F81B1725082459BCB20FF18C4849AAB3E8FF89714F644C6EF889C7251EB75ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00815BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00815C7A

Part of subcall function 00815D0A: GetClientRect.USER32(?,?), ref: 00815D30
Part of subcall function 00815D0A: GetWindowRect.USER32(?,?), ref: 00815D71
Part of subcall function 00815D0A: ScreenToClient.USER32(?,?), ref: 00815D99

GetDC.USER32 ref: 008546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00854708
SelectObject.GDI32(00000000,00000000), ref: 00854716
SelectObject.GDI32(00000000,00000000), ref: 0085472B
ReleaseDC.USER32(?,00000000), ref: 00854733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008547C4

Strings

U, xrefs: 00854693

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: ce6811eb7fe0ad6dbb7e38da6f7ca7b13c742e86d9c61d9aa8efbd5f14bb9690
Instruction ID: 4137a0626c53febc464dc85a216585e7c5a77c3c538d68d66eb0a771974b94f7
Opcode Fuzzy Hash: ce6811eb7fe0ad6dbb7e38da6f7ca7b13c742e86d9c61d9aa8efbd5f14bb9690
Instruction Fuzzy Hash: DC71F134500209DFDF218F64C984AFA3BB5FF8A32AF145269ED55DA266C73098C9DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0088359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008835E4

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

LoadStringW.USER32(008E2390,?,00000FFF,?), ref: 0088360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00883724
Error: , xrefs: 008836EF
Line %d (File "%s"):, xrefs: 0088366B
"%s" (%d) : ==> %s:, xrefs: 00883742
^ ERROR, xrefs: 008836C9

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: dc22ef90b2a8e0c8eaff051e8755a34989948c3eb0f7dbb26cc2d90b87111529
Instruction ID: 0f5de109b6aee3f7c28e196da00b03782dbaa0bf05cc94a92d06263959965015
Opcode Fuzzy Hash: dc22ef90b2a8e0c8eaff051e8755a34989948c3eb0f7dbb26cc2d90b87111529
Instruction Fuzzy Hash: 87516D71800219AADF14EBA4DC52EEEBB39FF14710F144125F515B22A1EB346BD8DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 008A8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

Part of subcall function 0082912D: GetCursorPos.USER32(?), ref: 00829141
Part of subcall function 0082912D: ScreenToClient.USER32(00000000,?), ref: 0082915E
Part of subcall function 0082912D: GetAsyncKeyState.USER32(00000001), ref: 00829183
Part of subcall function 0082912D: GetAsyncKeyState.USER32(00000002), ref: 0082919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 008A8B6B
ImageList_EndDrag.COMCTL32 ref: 008A8B71
ReleaseCapture.USER32 ref: 008A8B77
SetWindowTextW.USER32(?,00000000), ref: 008A8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 008A8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 008A8CFF

Strings

@GUI_DROPID, xrefs: 008A8C51
@GUI_DRAGFILE, xrefs: 008A8C9A

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: a23d63b8c12615049e138b6c3545d78c8d36160892a0a3559a973cbe7dee946d
Instruction ID: be01ba573d3be391db96bffb16c152f7270b0145cc20a0938f51a47449e618c6
Opcode Fuzzy Hash: a23d63b8c12615049e138b6c3545d78c8d36160892a0a3559a973cbe7dee946d
Instruction Fuzzy Hash: DE518C70104344AFEB04EF14DC99FAA77E4FF89714F40062DF992972A2DB709944CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0088C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0088C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0088C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0088C2CA
GetLastError.KERNEL32 ref: 0088C322
SetEvent.KERNEL32(?), ref: 0088C336
InternetCloseHandle.WININET(00000000), ref: 0088C341

Strings

, xrefs: 0088C2BB

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 57cfda2516c468bb56fbc5fcc9fb543c32ae49d95b3317c9d0867f8e00151854
Instruction ID: 1a0653a032fd854d698666d7ba1758ee2ba5de86d6c5a34708329432db1888ac
Opcode Fuzzy Hash: 57cfda2516c468bb56fbc5fcc9fb543c32ae49d95b3317c9d0867f8e00151854
Instruction Fuzzy Hash: 31317AB1600608AFE721AFA99C88ABB7BFCFB4A744F10851EF446D2644DB34DD059B71

Uniqueness

Uniqueness Score: -1.00%

Function 0087989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00853AAF,?,?,Bad directive syntax error,008ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008798BC
LoadStringW.USER32(00000000,?,00853AAF,?), ref: 008798C3

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00879987

Strings

Line %d:, xrefs: 00879912
Error: , xrefs: 00879955
Line %d (File "%s"):, xrefs: 0087992D
%s (%d) : ==> %s.: %s %s, xrefs: 008798F1
., xrefs: 0087996D

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: da922e27c4a666eb8d97a06f38c860113e1db76a82c814b15dd09d01dd87879a
Instruction ID: ccaa9893f79439ecd07958b490e1ceb94e27209c439c66ac3d31d449154c991a
Opcode Fuzzy Hash: da922e27c4a666eb8d97a06f38c860113e1db76a82c814b15dd09d01dd87879a
Instruction Fuzzy Hash: BF21943180021EABDF15AF94CC06EEE7779FF14300F044466F629A21A2EB75A668DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0087209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0087214D

Strings

SHELLDLL_DefView, xrefs: 008720CC
list, xrefs: 0087212F
largeicons, xrefs: 008720E1
smallicons, xrefs: 00872115
details, xrefs: 008720FB

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: c8cc2bcbbd6122309f33db6f031275068684d22569dc1dd94fdecc8b70995829
Instruction ID: 455a3bcfd63462d7f9828b0d3bd4cb32b8f51ba3cbb41299efa2c97e663841e1
Opcode Fuzzy Hash: c8cc2bcbbd6122309f33db6f031275068684d22569dc1dd94fdecc8b70995829
Instruction Fuzzy Hash: 35115976288706B9FA01A228DC07CA6339CFB15324F20411BFB08E41D5FF65F8015664

Uniqueness

Uniqueness Score: -1.00%

Function 0084CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0084CEB7
_free.LIBCMT ref: 0084CF22
_free.LIBCMT ref: 0084CF48
_free.LIBCMT ref: 0084CF71
_free.LIBCMT ref: 0084CFA9
_free.LIBCMT ref: 0084CFDA
_free.LIBCMT ref: 0084D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0084D09C
_free.LIBCMT ref: 0084D0B5

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 104fbd1e3db9e59f7d787d9822dfccaaede7c161e6fac741825a7d1b9afd429d
Instruction ID: 6c13c3b7d788813796ffe2df883a7b09285bd27e6b3c63a7d1c5d020a54e88ab
Opcode Fuzzy Hash: 104fbd1e3db9e59f7d787d9822dfccaaede7c161e6fac741825a7d1b9afd429d
Instruction Fuzzy Hash: 9D614771A0534CAFDB21AFB89C81A6E7BA9FF01310F04416DF940DB242DFB59D4587A1

Uniqueness

Uniqueness Score: -1.00%

Function 008A50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 008A5186
ShowWindow.USER32(?,00000000), ref: 008A51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 008A51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 008A51D1

Part of subcall function 008A6FBA: DeleteObject.GDI32(00000000), ref: 008A6FE6

GetWindowLongW.USER32(?,000000F0), ref: 008A520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008A521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 008A524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 008A5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 008A5296

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 40e58569590ef448322b2ea44f27cabb24cb1ce60d6fdeee4ce7d30785d2bca4
Instruction ID: 2861fad47e6c3b1e08ca80a80d1d6b60ebe12fd2e9ea240c8cda918353108ac3
Opcode Fuzzy Hash: 40e58569590ef448322b2ea44f27cabb24cb1ce60d6fdeee4ce7d30785d2bca4
Instruction Fuzzy Hash: BB518D30A40A08BEFF209F28DC4ABE93BA5FB06325F144011F625DAAE1C775A9D0DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00828B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00866890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00828874,00000000,00000000,00000000,000000FF,00000000), ref: 00866901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0086691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00828874,00000000,00000000,00000000,000000FF,00000000), ref: 0086692D

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: f5d7cf573d1d2068c26b4063f15759f02af10a8a70db96d3bfb28e69db321341
Instruction ID: ed26b91fcfb24290af97a71a90fe5027698f401c8a4435e4157e7dfb315b129a
Opcode Fuzzy Hash: f5d7cf573d1d2068c26b4063f15759f02af10a8a70db96d3bfb28e69db321341
Instruction Fuzzy Hash: FC516970600249EFEF20CF24DC95BAA7BB5FB58764F104528F956D72A0EB70A9A0DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0088C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0088C182
GetLastError.KERNEL32 ref: 0088C195
SetEvent.KERNEL32(?), ref: 0088C1A9

Part of subcall function 0088C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0088C272
Part of subcall function 0088C253: GetLastError.KERNEL32 ref: 0088C322
Part of subcall function 0088C253: SetEvent.KERNEL32(?), ref: 0088C336
Part of subcall function 0088C253: InternetCloseHandle.WININET(00000000), ref: 0088C341

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 70dafde0cbd10a6896cc8c70410a1176a16e93a1b4687c2da6be17dadabdb606
Instruction ID: e0b192aa8881b0a8b3483124d3fe2fb4f9690ae3600b3a10c2af74b3adfa76cb
Opcode Fuzzy Hash: 70dafde0cbd10a6896cc8c70410a1176a16e93a1b4687c2da6be17dadabdb606
Instruction Fuzzy Hash: A5318D71200605AFEB21AFB9DC48A76BBF8FF19300B00841DF956C2A64DB31E814DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 008725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00873A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00873A57
Part of subcall function 00873A3D: GetCurrentThreadId.KERNEL32 ref: 00873A5E
Part of subcall function 00873A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008725B3), ref: 00873A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00872601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00872605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0087260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00872623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00872627

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: b4529ef30112c3ab66f49999aaf6ede03c4530d37cfc7264c8e9015c4722e221
Instruction ID: 4a6d797f6641b250759e5e3db7d788cc37c6f5edcb23b30a7f3db93aa274b435
Opcode Fuzzy Hash: b4529ef30112c3ab66f49999aaf6ede03c4530d37cfc7264c8e9015c4722e221
Instruction Fuzzy Hash: 9C01D431390624BBFB1067689C8AF597F59FB5EB12F104005F318EE0D5C9E264459A6A

Uniqueness

Uniqueness Score: -1.00%

Function 00871803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00871449,?,?,00000000), ref: 0087180C
HeapAlloc.KERNEL32(00000000,?,00871449,?,?,00000000), ref: 00871813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00871449,?,?,00000000), ref: 00871828
GetCurrentProcess.KERNEL32(?,00000000,?,00871449,?,?,00000000), ref: 00871830
DuplicateHandle.KERNEL32(00000000,?,00871449,?,?,00000000), ref: 00871833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00871449,?,?,00000000), ref: 00871843
GetCurrentProcess.KERNEL32(00871449,00000000,?,00871449,?,?,00000000), ref: 0087184B
DuplicateHandle.KERNEL32(00000000,?,00871449,?,?,00000000), ref: 0087184E
CreateThread.KERNEL32(00000000,00000000,00871874,00000000,00000000,00000000), ref: 00871868

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 6c3d7da245e2f464ee413e4d9053f81122bf09f9f4576019d307936b5a776a68
Instruction ID: 61cc98bf464bdc736debd4142b79081080866b709bbacb125a84cc2bfce83dc1
Opcode Fuzzy Hash: 6c3d7da245e2f464ee413e4d9053f81122bf09f9f4576019d307936b5a776a68
Instruction Fuzzy Hash: B701AC75340304BFF610ABA5DC4DF577BACFB8AB11F004411FA05DB691DA7498008B20

Uniqueness

Uniqueness Score: -1.00%

Function 0089A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0087D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0087D501
Part of subcall function 0087D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0087D50F
Part of subcall function 0087D4DC: CloseHandle.KERNEL32(00000000), ref: 0087D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0089A16D
GetLastError.KERNEL32 ref: 0089A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0089A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0089A268
GetLastError.KERNEL32(00000000), ref: 0089A273
CloseHandle.KERNEL32(00000000), ref: 0089A2C4

Strings

SeDebugPrivilege, xrefs: 0089A18F

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 7505a96c4070c4a3148eecf8d6a56e14c8bfedfc6c7ea06b052bb83a01509aa1
Instruction ID: 08cb46f75aea1b22f8bcc2a309b9038d8c5d74c89f5f57d3858440274de9e85e
Opcode Fuzzy Hash: 7505a96c4070c4a3148eecf8d6a56e14c8bfedfc6c7ea06b052bb83a01509aa1
Instruction Fuzzy Hash: 9A616D302082419FDB14EF58C494F55BBA5FF44318F18849CE4668BBA2DB76EC85CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 008A3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 008A3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 008A393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 008A3954
_wcslen.LIBCMT ref: 008A3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 008A39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008A39F4

Strings

SysListView32, xrefs: 008A38F7

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: eeddeae30ff6ca45753255523ff733c8d5d02c686135e600cb5835a739c84e32
Instruction ID: 28afd0388d90b9077ee7e575a6f4532230397ca660be7c27eb2415825037a7e9
Opcode Fuzzy Hash: eeddeae30ff6ca45753255523ff733c8d5d02c686135e600cb5835a739c84e32
Instruction Fuzzy Hash: 0C41A371A00218ABEF219F64CC49FEA7BA9FF09350F14052AF958E7281D7759E84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0087BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0087BCFD
IsMenu.USER32(00000000), ref: 0087BD1D
CreatePopupMenu.USER32 ref: 0087BD53
GetMenuItemCount.USER32(01676048), ref: 0087BDA4
InsertMenuItemW.USER32(01676048,?,00000001,00000030), ref: 0087BDCC

Strings

0, xrefs: 0087BCA8
2, xrefs: 0087BD37

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 7fcb4b6ff169c6930faf8c1b83f4c6f3c3d8a31c4fed07a8e90d57659d36918e
Instruction ID: 7e1ef10cd941ea462f11a9221d5126847a1949881041c06cf12d6a1b9dff72fc
Opcode Fuzzy Hash: 7fcb4b6ff169c6930faf8c1b83f4c6f3c3d8a31c4fed07a8e90d57659d36918e
Instruction Fuzzy Hash: FB518A70A002099FDB21CFA8D888BAEBFF6FF45354F148119E419D72A9E770D940CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0087C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0087C913

Strings

info, xrefs: 0087C8B4
warning, xrefs: 0087C8FC
question, xrefs: 0087C8CC
stop, xrefs: 0087C8E4
blank, xrefs: 0087C895

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 94a0e475e052044b9b400fadb81e1b97a251e345c6d479989429738ba82c533b
Instruction ID: e08ec870101569f42e0a1d90f3364c7b9a6b0cceee7c14282695c1bc4a4394d2
Opcode Fuzzy Hash: 94a0e475e052044b9b400fadb81e1b97a251e345c6d479989429738ba82c533b
Instruction Fuzzy Hash: F911EB3168930EBAA7015B549C82DEA6B9CFF15358B10812FF608E7382E774ED0052A9

Uniqueness

Uniqueness Score: -1.00%

Function 0087ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0087ED2A
_wcslen.LIBCMT ref: 0087ED3B
_wcslen.LIBCMT ref: 0087ED79
_wcslen.LIBCMT ref: 0087EDAF
_wcslen.LIBCMT ref: 0087EDDF
_wcslen.LIBCMT ref: 0087EDEF
_wcslen.LIBCMT ref: 0087EE2B
_wcslen.LIBCMT ref: 0087EE5A

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: d7e823e0a352177ea7fb8e52f2f0821e93ccd48b3f2b51670c5d57575da96d3c
Instruction ID: 568ae74cbb5cd9623901e65381b256e1a13c550e2424bedb79479c7d247e9c15
Opcode Fuzzy Hash: d7e823e0a352177ea7fb8e52f2f0821e93ccd48b3f2b51670c5d57575da96d3c
Instruction Fuzzy Hash: 22417765C1121875CB11EBF8888AACF77A8FF89710F509562F518E3121FB78E255C3E6

Uniqueness

Uniqueness Score: -1.00%

Function 0082F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0086682C,00000004,00000000,00000000), ref: 0082F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0086682C,00000004,00000000,00000000), ref: 0086F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0086682C,00000004,00000000,00000000), ref: 0086F454

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: d5c024785e872efe6fc2489c99e5c343838902a7d9272dfc290cbdd7a5725d18
Instruction ID: 814dca7f420cf453302ae3ac921ec0a8168c0c1d6202635777317416e501c05f
Opcode Fuzzy Hash: d5c024785e872efe6fc2489c99e5c343838902a7d9272dfc290cbdd7a5725d18
Instruction Fuzzy Hash: 5141F831608690BAD7399B2DB98872A7FB1FB56314F15443CE387D6A63DA31E8C0CB51

Uniqueness

Uniqueness Score: -1.00%

Function 008A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 008A2D1B
GetDC.USER32(00000000), ref: 008A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 008A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 008A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 008A2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,008A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 008A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 008A2DE1

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 67cf69fcbba1203ac2095740e8fea1ce7b5347bd8543cee83f4421e2d358601c
Instruction ID: fcd55419ade65b0d4fd0528473ffd8d2b6b393c899f6f1d94f6893c616f64b7d
Opcode Fuzzy Hash: 67cf69fcbba1203ac2095740e8fea1ce7b5347bd8543cee83f4421e2d358601c
Instruction Fuzzy Hash: 02318772201614BBFB218F548C8AFEB3BA9FB1A711F044065FE08DA292D6759C50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00875622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00875637
_memcmp.LIBVCRUNTIME ref: 00875659
_memcmp.LIBVCRUNTIME ref: 00875671
_memcmp.LIBVCRUNTIME ref: 00875684
_memcmp.LIBVCRUNTIME ref: 0087569E
_memcmp.LIBVCRUNTIME ref: 008756B1
_memcmp.LIBVCRUNTIME ref: 008756C9
_memcmp.LIBVCRUNTIME ref: 008756E4

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7fa0abfc0038d76296524c9c9935b57e2bfbcd262ccc88ec3c19b680662efa72
Instruction ID: d9bab49044317d0e0708d2eb11a20bb2f3d575470c7c5ed6f9dc181dd60aaf00
Opcode Fuzzy Hash: 7fa0abfc0038d76296524c9c9935b57e2bfbcd262ccc88ec3c19b680662efa72
Instruction Fuzzy Hash: 11212961640A1977E71855258D82FFA335CFF71794F448020FE0CDAB8AFBA8EE1081E6

Uniqueness

Uniqueness Score: -1.00%

Function 00894FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00895007
NULL Pointer assignment, xrefs: 0089502E, 00895383

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 4d76a9c310b60f332152c4ec4276d8aa2c2152255ab6a27ded2017e4ecfb7ed8
Instruction ID: 4ccb9fba8269456a5fbd169046b832ff2142e097b8530085a088dc16854debd8
Opcode Fuzzy Hash: 4d76a9c310b60f332152c4ec4276d8aa2c2152255ab6a27ded2017e4ecfb7ed8
Instruction Fuzzy Hash: 2AD1B171A0060A9FDF11DFA8C881BAEB7B5FF48344F188169E915EB281E770DD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00851522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,008517FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 008515CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00851651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,008517FB,?,008517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008516E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008516FB

Part of subcall function 00843820: RtlAllocateHeap.NTDLL(00000000,?,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6,?,00811129), ref: 00843852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,008517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00851777
__freea.LIBCMT ref: 008517A2
__freea.LIBCMT ref: 008517AE

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 2b64ed26ba92d56ac26c70cc0c4a1052f7e818ee97f26f867dd9f414a46a678d
Instruction ID: 0eb7534d8dd2865860226dc7c2b1176b0eca33e14278e692d10de0e38226fffc
Opcode Fuzzy Hash: 2b64ed26ba92d56ac26c70cc0c4a1052f7e818ee97f26f867dd9f414a46a678d
Instruction Fuzzy Hash: 58919171F0021A9ADF208E78C889BEE7BA5FF49715F184659EC02E7141EB35DC48CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00894523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00894648
VariantInit.OLEAUT32(?), ref: 00894749
VariantClear.OLEAUT32(?), ref: 00894753
VariantClear.OLEAUT32(?), ref: 008947B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0089472C
Null Object assignment in FOR..IN loop, xrefs: 008945D8, 00894706, 008947BE

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 8548da7946653b19f209831021333620fa68035e7d08eae6e83c93a0eb173495
Instruction ID: 2cf3272162f9900fb3b131bbc59ccefdb942ca4339f006ec513029bccae6df33
Opcode Fuzzy Hash: 8548da7946653b19f209831021333620fa68035e7d08eae6e83c93a0eb173495
Instruction Fuzzy Hash: FC918C71A0021DABDF20EFA4C884FAEBBB8FF46714F148559F515EB281D7709946CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00881187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0088125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00881284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0088135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00881430

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 32203969a9772fe2cfc062d1d9de0c2bc7e668231931efc105f5993ff82e633f
Instruction ID: 3ed429001a582b237cf0342330dfd755c018ad874d96f6485f5fc4725532994f
Opcode Fuzzy Hash: 32203969a9772fe2cfc062d1d9de0c2bc7e668231931efc105f5993ff82e633f
Instruction Fuzzy Hash: 2691E271A002199FDF10EF98C888BBEB7BDFF45315F104029E941EB292DB74A946CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0082948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 42778a37a00f072ce297ec0e2cd5bdcb6d43f7d76c2b1d848df533da3e3df41f
Instruction ID: 70aa0cde7efb53b33d3d951b937f9bf7f22083b807600b74ed20d4e71c1f1faa
Opcode Fuzzy Hash: 42778a37a00f072ce297ec0e2cd5bdcb6d43f7d76c2b1d848df533da3e3df41f
Instruction Fuzzy Hash: 85912571E00219EFCB10CFA9D984AEEBBB8FF49324F144059E955F7251D378A981CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00893947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0089396B
CharUpperBuffW.USER32(?,?), ref: 00893A7A
_wcslen.LIBCMT ref: 00893A8A
VariantClear.OLEAUT32(?), ref: 00893C1F

Part of subcall function 00880CDF: VariantInit.OLEAUT32(00000000), ref: 00880D1F
Part of subcall function 00880CDF: VariantCopy.OLEAUT32(?,?), ref: 00880D28
Part of subcall function 00880CDF: VariantClear.OLEAUT32(?), ref: 00880D34

Strings

AUTOIT.ERROR, xrefs: 00893A80, 00893A85
Incorrect Parameter format, xrefs: 008939A6, 00893BA1

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 03bda8ccfe21a11436cdefd07eaa0d72a699949673bc4b343bfca45752942a74
Instruction ID: 381817fc9963af4f2d62900d3276e7142e4b1ac082b170aca5b3be2db9fa4e66
Opcode Fuzzy Hash: 03bda8ccfe21a11436cdefd07eaa0d72a699949673bc4b343bfca45752942a74
Instruction Fuzzy Hash: 319113756083059FCB04EF68C48096ABBE5FF89314F18892DF88AD7351DB31EA45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00894BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0087000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?,?,0087035E), ref: 0087002B
Part of subcall function 0087000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?), ref: 00870046
Part of subcall function 0087000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?), ref: 00870054
Part of subcall function 0087000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?), ref: 00870064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00894C51
_wcslen.LIBCMT ref: 00894D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00894DCF
CoTaskMemFree.OLE32(?), ref: 00894DDA

Strings

NULL Pointer assignment, xrefs: 00894E23, 00894E52

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: c71f88829547987c1fe3c44cd59218580f09e12ffae8c9979ed25c7d8a395bbe
Instruction ID: 62f7abec79aafd9fde36be978ef3050fe8d0fd8c15df8f5800bf46ceebee47ab
Opcode Fuzzy Hash: c71f88829547987c1fe3c44cd59218580f09e12ffae8c9979ed25c7d8a395bbe
Instruction Fuzzy Hash: 70911571D0021DAFDF14EFA4D890EEEB7B8FF08314F108169E919A7251EB349A458F61

Uniqueness

Uniqueness Score: -1.00%

Function 008A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 008A2183
GetMenuItemCount.USER32(00000000), ref: 008A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008A21DD
_wcslen.LIBCMT ref: 008A2213
GetMenuItemID.USER32(?,?), ref: 008A224D
GetSubMenu.USER32(?,?), ref: 008A225B

Part of subcall function 00873A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00873A57
Part of subcall function 00873A3D: GetCurrentThreadId.KERNEL32 ref: 00873A5E
Part of subcall function 00873A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008725B3), ref: 00873A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008A22E3

Part of subcall function 0087E97B: Sleep.KERNEL32 ref: 0087E9F3

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 64d402faa57ec0490f737f916a8210c91149bfea7eaf67a10959207cb2a562c8
Instruction ID: 8a665e8f97eafc110c55f2ce08cbe742bc94e7c0f6cd2496bdc6fc3316b541a3
Opcode Fuzzy Hash: 64d402faa57ec0490f737f916a8210c91149bfea7eaf67a10959207cb2a562c8
Instruction Fuzzy Hash: F1718E35A00215AFDB20DF68C841AAEB7F5FF49310F148459E916EB751DB34ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0087AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0087AEF9
GetKeyboardState.USER32(?), ref: 0087AF0E
SetKeyboardState.USER32(?), ref: 0087AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0087AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0087AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0087AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0087B020

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 89d4621985484a7c39ce2cc21f846ff8886d4a9fc1b968fdcc90cf8352c851ba
Instruction ID: 33a99dbde33afc1968d0a7607c3268fadad898fdfb594c4f7267fe47cb68ab15
Opcode Fuzzy Hash: 89d4621985484a7c39ce2cc21f846ff8886d4a9fc1b968fdcc90cf8352c851ba
Instruction Fuzzy Hash: 195104A16047D53DFB3A82348845BBE7EAABB46304F08C589E1DDC58D3C798E8C4D352

Uniqueness

Uniqueness Score: -1.00%

Function 0087ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0087AD19
GetKeyboardState.USER32(?), ref: 0087AD2E
SetKeyboardState.USER32(?), ref: 0087AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0087ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0087ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0087AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0087AE38

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: aaeca2b9031f2608062bc0cca36f1ecb2f8fb1eabaa1d5f627f996af86b3e25c
Instruction ID: 4b3781c652a2dcb32c86ab328c312986c2f4e6072bad7ba9b6d92dad0a857095
Opcode Fuzzy Hash: aaeca2b9031f2608062bc0cca36f1ecb2f8fb1eabaa1d5f627f996af86b3e25c
Instruction Fuzzy Hash: C251C5A15047D53DFB3A83648C95BBE7EA9FB86300F08C489E1DDD68C6D294EC84D752

Uniqueness

Uniqueness Score: -1.00%

Function 0084542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00853CD6,?,?,?,?,?,?,?,?,00845BA3,?,?,00853CD6,?,?), ref: 00845470
__fassign.LIBCMT ref: 008454EB
__fassign.LIBCMT ref: 00845506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00853CD6,00000005,00000000,00000000), ref: 0084552C
WriteFile.KERNEL32(?,00853CD6,00000000,00845BA3,00000000,?,?,?,?,?,?,?,?,?,00845BA3,?), ref: 0084554B
WriteFile.KERNEL32(?,?,00000001,00845BA3,00000000,?,?,?,?,?,?,?,?,?,00845BA3,?), ref: 00845584

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 80da4c42a1db080242869f9ab43e5be0e77f7c4561ca4bdb59109225137c5702
Instruction ID: 3f6f4d0fb785ecb971c9fc8c5e336b151066d841016747b135c1fa74180a337b
Opcode Fuzzy Hash: 80da4c42a1db080242869f9ab43e5be0e77f7c4561ca4bdb59109225137c5702
Instruction Fuzzy Hash: DF51E3B0A0064DAFDB11CFA8D895AEEBBF9FF09300F15451AF555E7292E7309A41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00832D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00832D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00832D53
_ValidateLocalCookies.LIBCMT ref: 00832DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00832E0C
_ValidateLocalCookies.LIBCMT ref: 00832E61

Strings

csm, xrefs: 00832DF6

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 44aa3e4b4c5d8ef22457d68293bfcf152aaaa9ae8b8a55b4c982e41a14b1f631
Instruction ID: 2519ebbb97768f8adae416334e7c17beba880da7f06dcbb522b5608686b1f228
Opcode Fuzzy Hash: 44aa3e4b4c5d8ef22457d68293bfcf152aaaa9ae8b8a55b4c982e41a14b1f631
Instruction Fuzzy Hash: 5A418C34A0020DEBCF10DF68C845A9EBBA5FF85328F148165E915EB392DB35AA15CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 008910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0089304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0089307A
Part of subcall function 0089304E: _wcslen.LIBCMT ref: 0089309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00891112
WSAGetLastError.WSOCK32 ref: 00891121
WSAGetLastError.WSOCK32 ref: 008911C9
closesocket.WSOCK32(00000000), ref: 008911F9

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: d6eb21cdfded9dd29f68995d0a6e8e8df0233cd922102bf092b32e98da8195f5
Instruction ID: f2717c2f1d67d344b12423ea05b33808d4ff7d31b1eb2ae6e14478b846b77dfd
Opcode Fuzzy Hash: d6eb21cdfded9dd29f68995d0a6e8e8df0233cd922102bf092b32e98da8195f5
Instruction Fuzzy Hash: 8B41D431600205AFEF10AF18C888BA9BBE9FF45364F188059F915DB291DB74ED81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0087CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0087DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0087CF22,?), ref: 0087DDFD

Part of subcall function 0087DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0087CF22,?), ref: 0087DE16

lstrcmpiW.KERNEL32(?,?), ref: 0087CF45
MoveFileW.KERNEL32(?,?), ref: 0087CF7F
_wcslen.LIBCMT ref: 0087D005
_wcslen.LIBCMT ref: 0087D01B
SHFileOperationW.SHELL32(?), ref: 0087D061

Strings

\*.*, xrefs: 0087CFF3

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 6335745657ca6298711d7ff16851cfec12b392945d9dba8a4cfe80ff2ea9b2a7
Instruction ID: 789d712bffeef1b8987f604361bd2070f4ff653fc27aaaf4a2a35338963cda82
Opcode Fuzzy Hash: 6335745657ca6298711d7ff16851cfec12b392945d9dba8a4cfe80ff2ea9b2a7
Instruction Fuzzy Hash: E74142719052185FDF12EFA4C981ADEB7B8FF49380F0040EAE549EB145EE74E688CB51

Uniqueness

Uniqueness Score: -1.00%

Function 008A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 008A2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 008A2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 008A2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 008A2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 008A2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 008A2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 008A2F0B

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 3ccfd5d6c443ae5e36e4406cd436f4c9f23036e2d97b853e9b6ece2944c2e02c
Instruction ID: fbab4a08932be16223c4ca9284c096d919ba355cbc0d4d3b47250a2e22a91273
Opcode Fuzzy Hash: 3ccfd5d6c443ae5e36e4406cd436f4c9f23036e2d97b853e9b6ece2944c2e02c
Instruction Fuzzy Hash: C531E130604294AFEB21DF5CDC88F657BE1FB9A710F1501A4F901CF6A2CB71A8A0DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00877726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00877769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0087778F
SysAllocString.OLEAUT32(00000000), ref: 00877792
SysAllocString.OLEAUT32(?), ref: 008777B0
SysFreeString.OLEAUT32(?), ref: 008777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 008777DE
SysAllocString.OLEAUT32(?), ref: 008777EC

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 540bfd9bd7efc935032c34d7852b32ddf350fad98e6470743c369472aa45f9af
Instruction ID: ab802792089b92afd14a04dfbe79168e1a0022f43fb7669558252f410c735ddf
Opcode Fuzzy Hash: 540bfd9bd7efc935032c34d7852b32ddf350fad98e6470743c369472aa45f9af
Instruction Fuzzy Hash: 6721B076604219AFEB14DFA8DC88CBB77ECFB093A47008025FA18DB165D670DC41C764

Uniqueness

Uniqueness Score: -1.00%

Function 008777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00877842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00877868
SysAllocString.OLEAUT32(00000000), ref: 0087786B
SysAllocString.OLEAUT32 ref: 0087788C
SysFreeString.OLEAUT32 ref: 00877895
StringFromGUID2.OLE32(?,?,00000028), ref: 008778AF
SysAllocString.OLEAUT32(?), ref: 008778BD

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2e261f4fa029a4924d858920116e7a837c795218a1c3e4f2cffc87c49b96b306
Instruction ID: 3f68255f2af33869cb9c6c2befebca7033dc2362b1e79d7de22e2b5fb7837ccd
Opcode Fuzzy Hash: 2e261f4fa029a4924d858920116e7a837c795218a1c3e4f2cffc87c49b96b306
Instruction Fuzzy Hash: 20216035608218AFEB109FA8DC88DBA77ECFB097607108135F919CB2A5DA74DC41CB69

Uniqueness

Uniqueness Score: -1.00%

Function 008804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0088052E

Strings

nul, xrefs: 00880567

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 849e4582fb02f90544b8a9064625d9e63365d36ea2c31d60a35bfc260d5750a3
Instruction ID: a59fdfc204b9c09e468b5dedc28c98ccf9fd81d57bd119762be09233a451cc7b
Opcode Fuzzy Hash: 849e4582fb02f90544b8a9064625d9e63365d36ea2c31d60a35bfc260d5750a3
Instruction Fuzzy Hash: 80213D75600305AFDB60AF69DC44A9A77E4FF45724F204A19F8A1E62E1E7709958CF30

Uniqueness

Uniqueness Score: -1.00%

Function 008805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00880601

Strings

nul, xrefs: 00880639

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3c009bd4d5fd66a703a80190741526ff815129618392a5a7689c29842787e738
Instruction ID: 6c613343cd4feeecbb2e8785d80594f6a9a4e313ec38543aa5d1de3ee7448fa5
Opcode Fuzzy Hash: 3c009bd4d5fd66a703a80190741526ff815129618392a5a7689c29842787e738
Instruction Fuzzy Hash: A62181755003059FDB60AF698C04A9A77E4FFA5724F200B19F8A1E72E0E7709864CF20

Uniqueness

Uniqueness Score: -1.00%

Function 008A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0081600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0081604C
Part of subcall function 0081600E: GetStockObject.GDI32(00000011), ref: 00816060
Part of subcall function 0081600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0081606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 008A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 008A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 008A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 008A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 008A4145

Strings

Msctls_Progress32, xrefs: 008A40E3

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c13d5487db977a2465090fb125f6867dc59cad3f08ca6375ba56f24fd5fd489b
Instruction ID: add745b5157f803081b7b7a03e1085df5723cafcec251d3c06a172c7475b2c9b
Opcode Fuzzy Hash: c13d5487db977a2465090fb125f6867dc59cad3f08ca6375ba56f24fd5fd489b
Instruction Fuzzy Hash: 2B1190B214021DBEFF118E64CC85EE77F9DFF09798F005121BA18E6150CAB29C619BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0084D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0084D7A3: _free.LIBCMT ref: 0084D7CC

_free.LIBCMT ref: 0084D82D

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 0084D838
_free.LIBCMT ref: 0084D843
_free.LIBCMT ref: 0084D897
_free.LIBCMT ref: 0084D8A2
_free.LIBCMT ref: 0084D8AD
_free.LIBCMT ref: 0084D8B8

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: e0b3f7f2c545c1e874a6e9a482f29263a3d30fe51ad632c298dc8fa4746682b6
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 5111F971544B08AAEA21BFB5CC46FCB7F9CFF04700F804825B299E6692DA75A5058662

Uniqueness

Uniqueness Score: -1.00%

Function 0087DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0087DA74
LoadStringW.USER32(00000000), ref: 0087DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0087DA91
LoadStringW.USER32(00000000), ref: 0087DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0087DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0087DAB9

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 3dcfab05ada66b28a97f6226d29d3d78676af7620619d97e22045be82d88521c
Instruction ID: 60c190476077b3002e2db3fe689c9b5251df8dda362ed7277b3f3b1538591e29
Opcode Fuzzy Hash: 3dcfab05ada66b28a97f6226d29d3d78676af7620619d97e22045be82d88521c
Instruction Fuzzy Hash: 87014BF29002187FF710ABA49D89EEA776CFB09301F404496B74AE2441EA749E848B74

Uniqueness

Uniqueness Score: -1.00%

Function 0088096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0166EB78,0166EB78), ref: 0088097B
EnterCriticalSection.KERNEL32(0166EB58,00000000), ref: 0088098D
TerminateThread.KERNEL32(56495244,000001F6), ref: 0088099B
WaitForSingleObject.KERNEL32(56495244,000003E8), ref: 008809A9
CloseHandle.KERNEL32(56495244), ref: 008809B8
InterlockedExchange.KERNEL32(0166EB78,000001F6), ref: 008809C8
LeaveCriticalSection.KERNEL32(0166EB58), ref: 008809CF

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e3243154a9b06686e0c69d3d9972d9a1cb8d6024d72a9c7632837aace24021c9
Instruction ID: 38f1ce82c4f2279c02f0eaafe1077900a83071f5287d0b5114491f2e753c0b0a
Opcode Fuzzy Hash: e3243154a9b06686e0c69d3d9972d9a1cb8d6024d72a9c7632837aace24021c9
Instruction Fuzzy Hash: 9DF0EC32542A12BBE7515FA4EE8DBD6BB39FF06702F402025F20290CA1DB759465CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00891C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00891DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00891DE1
WSAGetLastError.WSOCK32 ref: 00891DF2
htons.WSOCK32(?,?,?,?,?), ref: 00891EDB
inet_ntoa.WSOCK32(?), ref: 00891E8C

Part of subcall function 008739E8: _strlen.LIBCMT ref: 008739F2

Part of subcall function 00893224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0088EC0C), ref: 00893240

_strlen.LIBCMT ref: 00891F35

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: e8ef4fdad5482de7b270dff440fa829b0ec61e3a346049a04bd566053ae5ff61
Instruction ID: 47c55770b48cfa7a4974fbed12bfdd48e4bbd44adee96f3dd12098c5b2f5c87e
Opcode Fuzzy Hash: e8ef4fdad5482de7b270dff440fa829b0ec61e3a346049a04bd566053ae5ff61
Instruction Fuzzy Hash: F2B1C4312083019FDB14EF28C899E6A77A5FF85318F58855CF4569B2E2DB31ED81CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00815D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00815D30
GetWindowRect.USER32(?,?), ref: 00815D71
ScreenToClient.USER32(?,?), ref: 00815D99
GetClientRect.USER32(?,?), ref: 00815ED7
GetWindowRect.USER32(?,?), ref: 00815EF8

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 397b78bf4389a16cc47f188510b19a22630dddd77b7bd53c62b592a4973f12a6
Instruction ID: 6c706b80d444f2cb20546e42c52c33f82323fa42eb8d5571213a644157420d2c
Opcode Fuzzy Hash: 397b78bf4389a16cc47f188510b19a22630dddd77b7bd53c62b592a4973f12a6
Instruction Fuzzy Hash: 71B17974A0074ADBDB10CFA8C4807EEB7F5FF58314F14941AE8AAD7250DB30AA95DB50

Uniqueness

Uniqueness Score: -1.00%

Function 008401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008400D6
__allrem.LIBCMT ref: 008400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0084010B
__allrem.LIBCMT ref: 00840122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00840140

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 908df50457970ae771974849dae04a3d1b467e7238ba4de22139128350ee8ac1
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 8481C771A00B0A9BD720AE6DCC41B6B73E9FF91324F244539F651D7282EB70D9008F91

Uniqueness

Uniqueness Score: -1.00%

Function 008461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008382D9,008382D9,?,?,?,0084644F,00000001,00000001,8BE85006), ref: 00846258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0084644F,00000001,00000001,8BE85006,?,?,?), ref: 008462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008463D8
__freea.LIBCMT ref: 008463E5

Part of subcall function 00843820: RtlAllocateHeap.NTDLL(00000000,?,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6,?,00811129), ref: 00843852

__freea.LIBCMT ref: 008463EE
__freea.LIBCMT ref: 00846413

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 890c7553ec466c3754c397b2123071da2fd3365960fa4f25ca406f767ef50a4a
Instruction ID: fabab229cc223bcd0b8a1159b4dbe838b1c9c8d6b71b1c5b5638f133313e49f0
Opcode Fuzzy Hash: 890c7553ec466c3754c397b2123071da2fd3365960fa4f25ca406f767ef50a4a
Instruction Fuzzy Hash: BB51F572A0025EABEF258F64CC81EAF77A9FF46710F154229FC05D6240EB34DC60C662

Uniqueness

Uniqueness Score: -1.00%

Function 0089BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 0089C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0089B6AE,?,?), ref: 0089C9B5
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089C9F1
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA68
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0089BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0089BD25
RegCloseKey.ADVAPI32(00000000), ref: 0089BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0089BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0089BDF3
RegCloseKey.ADVAPI32(?), ref: 0089BDFF

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 125ba82b6cfeef24204cd18289419578fa82d229e63dc97a77a145463ecc771e
Instruction ID: 9c124fa964434d0f9a6328c093096905e6e895f4974f32505acc0263516bcbe3
Opcode Fuzzy Hash: 125ba82b6cfeef24204cd18289419578fa82d229e63dc97a77a145463ecc771e
Instruction Fuzzy Hash: A281D430108241EFD714EF24D981E6ABBE9FF84308F18445CF5598B2A2DB31ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0086F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0086F7B9
SysAllocString.OLEAUT32(00000001), ref: 0086F860
VariantCopy.OLEAUT32(0086FA64,00000000), ref: 0086F889
VariantClear.OLEAUT32(0086FA64), ref: 0086F8AD
VariantCopy.OLEAUT32(0086FA64,00000000), ref: 0086F8B1
VariantClear.OLEAUT32(?), ref: 0086F8BB

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 0bc9ae4d46329d172454d139c963c64200631012274b4a782696fb6f26f69dd3
Instruction ID: 0ce2c24d0044c96843db78e00cd9a449fc8b149da65f9bd335bf0d8337d5c40e
Opcode Fuzzy Hash: 0bc9ae4d46329d172454d139c963c64200631012274b4a782696fb6f26f69dd3
Instruction Fuzzy Hash: F151D531600314BADF10AB69E895B69B7A8FF45314F215476EA05DF293DB70CC40C757

Uniqueness

Uniqueness Score: -1.00%

Function 0088910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00817620: _wcslen.LIBCMT ref: 00817625

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 008894E5
_wcslen.LIBCMT ref: 00889506
_wcslen.LIBCMT ref: 0088952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00889585

Strings

X, xrefs: 00889412

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: fe7a125836032646c77dfb3447cda86c911ee7c2e2fc375a507d0e8f24cf8319
Instruction ID: 4986c21e5784752fc18fdb8511fb96dbd5dd982fc3364144687bd7a91d50aa11
Opcode Fuzzy Hash: fe7a125836032646c77dfb3447cda86c911ee7c2e2fc375a507d0e8f24cf8319
Instruction Fuzzy Hash: E1E170315043009FD724EF28D881AAAB7E5FF85314F08856DE999DB3A2DB31ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0082920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

BeginPaint.USER32(?,?,?), ref: 00829241
GetWindowRect.USER32(?,?), ref: 008292A5
ScreenToClient.USER32(?,?), ref: 008292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008292D3
EndPaint.USER32(?,?,?,?,?), ref: 00829321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008671EA

Part of subcall function 00829339: BeginPath.GDI32(00000000), ref: 00829357

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 8b941adba3d4da861d5ff253420de8927611d9750ed5cb86be8b4a6835078c28
Instruction ID: 4953935d01614026069910bf2cf886655a2ac5403b61a3b25af6e88502b22371
Opcode Fuzzy Hash: 8b941adba3d4da861d5ff253420de8927611d9750ed5cb86be8b4a6835078c28
Instruction Fuzzy Hash: 48419230104255AFDB11DF24DC88FBA7BF8FB56724F140269F9A4CB2A2C7319885DB62

Uniqueness

Uniqueness Score: -1.00%

Function 008807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0088080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00880847
EnterCriticalSection.KERNEL32(?), ref: 00880863
LeaveCriticalSection.KERNEL32(?), ref: 008808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00880921

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 9daf73b89a8e635db6e8bbb00cc3da89eeca7bf2130240852a1593aad8c9fb25
Instruction ID: 97c1c09b8b0bb1b37da1e2528bcb4fd6910d61e205d9ce07195dcc1bd9c1ebe0
Opcode Fuzzy Hash: 9daf73b89a8e635db6e8bbb00cc3da89eeca7bf2130240852a1593aad8c9fb25
Instruction Fuzzy Hash: 07415871A00205EBEF15AF58DC85AAA77B8FF04310F1440B9E900EA297DB30DE64DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 008A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0086F3AB,00000000,?,?,00000000,?,0086682C,00000004,00000000,00000000), ref: 008A824C
EnableWindow.USER32(00000000,00000000), ref: 008A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 008A82D1
ShowWindow.USER32(00000000,00000004), ref: 008A82E5
EnableWindow.USER32(00000000,00000001), ref: 008A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 008A832F

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 8cf9a876dc7c5bb911b91e42a30a2989fec43bed5230ad46e8978703e54ff130
Instruction ID: 54bf42c32fabe735bb12fa964f3e29d472ad1df16a1202422e8cbcc8552709fe
Opcode Fuzzy Hash: 8cf9a876dc7c5bb911b91e42a30a2989fec43bed5230ad46e8978703e54ff130
Instruction Fuzzy Hash: 92418234601644EFEF25CF25D8D9BE47BE1FB0B714F1841A9E6488F6A2CB31A851CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00874C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00874C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00874CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00874CEA
_wcslen.LIBCMT ref: 00874D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00874D10
_wcsstr.LIBVCRUNTIME ref: 00874D1A

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: ba841b3d12a6c1e2e385bdc164de57f55087f22ef3b93f1417f13d74f93344f4
Instruction ID: 03cb17eb58e13c9116c321fb2313c496dc40858aa84b12aa3cf2721857143011
Opcode Fuzzy Hash: ba841b3d12a6c1e2e385bdc164de57f55087f22ef3b93f1417f13d74f93344f4
Instruction Fuzzy Hash: 13210731204214BBFB669B39AC49E7B7FACFF46750F10903DF809CA196EB65DC4092A1

Uniqueness

Uniqueness Score: -1.00%

Function 0088581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00813AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00813A97,?,?,00812E7F,?,?,?,00000000), ref: 00813AC2

_wcslen.LIBCMT ref: 0088587B
CoInitialize.OLE32(00000000), ref: 00885995
CoCreateInstance.OLE32(008AFCF8,00000000,00000001,008AFB68,?), ref: 008859AE
CoUninitialize.OLE32 ref: 008859CC

Strings

.lnk, xrefs: 00885876, 008858C1, 00885985

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: b4c498229136260778ff0d98862d059759023bcf8c53e4aef6d52f6547bbd3db
Instruction ID: dc0a413d1caf724311832d4f66e59fd7a8b9ff61121baa062f935c6cdf3b351d
Opcode Fuzzy Hash: b4c498229136260778ff0d98862d059759023bcf8c53e4aef6d52f6547bbd3db
Instruction Fuzzy Hash: A4D143716086019FC714EF28C480A6ABBE6FF89724F14885DF889DB361DB31ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0087175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00870FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00870FCA
Part of subcall function 00870FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00870FD6
Part of subcall function 00870FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00870FE5
Part of subcall function 00870FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00870FEC
Part of subcall function 00870FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00871002

GetLengthSid.ADVAPI32(?,00000000,00871335), ref: 008717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008717BA
HeapAlloc.KERNEL32(00000000), ref: 008717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008717DA
GetProcessHeap.KERNEL32(00000000,00000000,00871335), ref: 008717EE
HeapFree.KERNEL32(00000000), ref: 008717F5

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 71c549b2d0fc57d8c3dea8781ffb7a4afb97f7d97a3489986b0a796f3d623837
Instruction ID: c287dc3669ad41d6d8603cdef7af3be79336bb2fb987844643bd9ce41e70d399
Opcode Fuzzy Hash: 71c549b2d0fc57d8c3dea8781ffb7a4afb97f7d97a3489986b0a796f3d623837
Instruction Fuzzy Hash: D3118E71610605FFEF189FA8CC49BAE7BA9FB46399F108018F445D7628D735E944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 008714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00871506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00871515
CloseHandle.KERNEL32(00000004), ref: 00871520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0087154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00871563

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 55d4f103e32fe1d50eb19279ab4f58b3bc79fab52348ad51fa6d594dc2f698b5
Instruction ID: 1cb463768898732bdc4af13678b8ca6cd40078eeab98da4c54d6185bd3a41d23
Opcode Fuzzy Hash: 55d4f103e32fe1d50eb19279ab4f58b3bc79fab52348ad51fa6d594dc2f698b5
Instruction Fuzzy Hash: 4B11267250020DABEF118FA8DD49BDE7BAAFF49748F048025FA09A2560C375CE64DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00833382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00833379,00832FE5), ref: 00833390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0083339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008333B7
SetLastError.KERNEL32(00000000,?,00833379,00832FE5), ref: 00833409

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 35a9f1d85ea93826fac31a80b8fb719792632652addbd0106dd292d6ce013c85
Instruction ID: c73dfd7fad4422cf9083f8d83e5c15a589bcff93cf0a8af1320c2af897f5c5ed
Opcode Fuzzy Hash: 35a9f1d85ea93826fac31a80b8fb719792632652addbd0106dd292d6ce013c85
Instruction Fuzzy Hash: E901D43364E712BEAA2527797C86A676F94FBA5379F20832AF410C53F0EF114D01A5C5

Uniqueness

Uniqueness Score: -1.00%

Function 00842D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00845686,00853CD6,?,00000000,?,00845B6A,?,?,?,?,?,0083E6D1,?,008D8A48), ref: 00842D78
_free.LIBCMT ref: 00842DAB
_free.LIBCMT ref: 00842DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0083E6D1,?,008D8A48,00000010,00814F4A,?,?,00000000,00853CD6), ref: 00842DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0083E6D1,?,008D8A48,00000010,00814F4A,?,?,00000000,00853CD6), ref: 00842DEC
_abort.LIBCMT ref: 00842DF2

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: f852c100371b8bcd9737db8233ef09cec7ca2e8db67c725e29f274cfdecbad28
Instruction ID: 989a69dba07be89eafd82ea3462224152ec7ba480fc23ccbc736140142a10aa8
Opcode Fuzzy Hash: f852c100371b8bcd9737db8233ef09cec7ca2e8db67c725e29f274cfdecbad28
Instruction Fuzzy Hash: F7F0C83190DA1D67D612773DBC0AF1E3A59FFC27A5F640519F824D22D2EF7488014162

Uniqueness

Uniqueness Score: -1.00%

Function 008A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00829639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00829693
Part of subcall function 00829639: SelectObject.GDI32(?,00000000), ref: 008296A2
Part of subcall function 00829639: BeginPath.GDI32(?), ref: 008296B9
Part of subcall function 00829639: SelectObject.GDI32(?,00000000), ref: 008296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 008A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 008A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 008A8A70
LineTo.GDI32(?,00000000,00000003), ref: 008A8A80
EndPath.GDI32(?), ref: 008A8A90
StrokePath.GDI32(?), ref: 008A8AA0

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: a4262048931d3c8a7ad926f1740df1e1acc08e8f8b500f545a99e1268d739167
Instruction ID: aa9fc65547969822506b436fc71b37a789f94fe6ab7fe01a9b68fc4c60a886bc
Opcode Fuzzy Hash: a4262048931d3c8a7ad926f1740df1e1acc08e8f8b500f545a99e1268d739167
Instruction Fuzzy Hash: 14110976000158FFEF129F94DC88EAA7F6CFB09350F008012FA199A5A1D771AD55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 008751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00875218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00875229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00875230
ReleaseDC.USER32(00000000,00000000), ref: 00875238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0087524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00875261

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: fbc241248d2aaa85f51b2a6497c70e47d628fa17918573f3394e813a365c5340
Instruction ID: 8062e9420107747b4ee0e9d07450c381f45b5647a8f7713fa3afd342f8ac26e2
Opcode Fuzzy Hash: fbc241248d2aaa85f51b2a6497c70e47d628fa17918573f3394e813a365c5340
Instruction Fuzzy Hash: 8C014F75A00718BBEB109BA69C49A5EBFB8FB49751F044065FA04E7681DA70DC00CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00811BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00811BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00811BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00811C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00811C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00811C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00811C22

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 9793ae4ce71b431f56d3d3ef4fec3d52770578dfa0b0fe19880e06f701a98c7c
Instruction ID: 2337703464a6f9ee212430fa96ea39a66334e7a06e6b9de92bce74c1d70a8111
Opcode Fuzzy Hash: 9793ae4ce71b431f56d3d3ef4fec3d52770578dfa0b0fe19880e06f701a98c7c
Instruction Fuzzy Hash: 4A0167B0902B5ABDE3008F6A8C85B52FFE8FF19354F04411BA15C4BA42C7F5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0087EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0087EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0087EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0087EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0087EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0087EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0087EB75

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 7e759b3454cc717106e17f0b44f214ae25b8739cb0f419d8951b409b43e62612
Instruction ID: 40168818099cb8d42b4809b61048450c53e67157d579d0993def229f72e36206
Opcode Fuzzy Hash: 7e759b3454cc717106e17f0b44f214ae25b8739cb0f419d8951b409b43e62612
Instruction Fuzzy Hash: 1BF01772240558BBE6219B629C0EEAB7A7CFBDBB11F004159F601E1591EBA05A0186B5

Uniqueness

Uniqueness Score: -1.00%

Function 00867439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00867452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00867469
GetWindowDC.USER32(?), ref: 00867475
GetPixel.GDI32(00000000,?,?), ref: 00867484
ReleaseDC.USER32(?,00000000), ref: 00867496
GetSysColor.USER32(00000005), ref: 008674B0

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 437e8727d222653393daad84f1a23778484038ea3146e693da763592178d0442
Instruction ID: a7d42d0348540ced15115b729965fc4cb1676fc43b31d000ef18ab4dde283bf8
Opcode Fuzzy Hash: 437e8727d222653393daad84f1a23778484038ea3146e693da763592178d0442
Instruction Fuzzy Hash: B501A931400219EFEB509FA4DD08BAE7BB6FF05325F210064FA26E25A0CF311E41EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00871874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0087187F
UnloadUserProfile.USERENV(?,?), ref: 0087188B
CloseHandle.KERNEL32(?), ref: 00871894
CloseHandle.KERNEL32(?), ref: 0087189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008718A5
HeapFree.KERNEL32(00000000), ref: 008718AC

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 23863f7181cddd2d4649a1fba116ba666bc512aef1ccacc7ea64a9e59b9ce47b
Instruction ID: 7ffbc852af878ce1165dcd9bd31d78e644538c451e1beffe6e0c94e4b1b5982e
Opcode Fuzzy Hash: 23863f7181cddd2d4649a1fba116ba666bc512aef1ccacc7ea64a9e59b9ce47b
Instruction Fuzzy Hash: DBE0E536204101BBEB015FA5ED0C90AFF79FF4AB22B108220F22581970CB329421DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0087C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00817620: _wcslen.LIBCMT ref: 00817625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0087C6EE
_wcslen.LIBCMT ref: 0087C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0087C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0087C7CA

Strings

0, xrefs: 0087C6AF

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 3bfd0d89c623f4d1ee87c533ba1128aefdc0f71a03239e9e10835545583dd274
Instruction ID: df52c7669c8f35e50a65e9584c483644c6d0f36b49f666fd1b5ce552c23db30c
Opcode Fuzzy Hash: 3bfd0d89c623f4d1ee87c533ba1128aefdc0f71a03239e9e10835545583dd274
Instruction Fuzzy Hash: CF51DE716083009BD7189F2CC885A6B77E8FF9A394F048A2DF999E31A5DF70D944CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0089AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0089AEA3

Part of subcall function 00817620: _wcslen.LIBCMT ref: 00817625

GetProcessId.KERNEL32(00000000), ref: 0089AF38
CloseHandle.KERNEL32(00000000), ref: 0089AF67

Strings

<, xrefs: 0089AE6B
@, xrefs: 0089AE72

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 5bb1260f2e7a2e40e84a0dc200343debf602c35d6ab042bbd732445a45c046db
Instruction ID: 6f9ac9b25f206e60ff7a7a1de2099239b1ec9536349287a352b8b34d46d2ab24
Opcode Fuzzy Hash: 5bb1260f2e7a2e40e84a0dc200343debf602c35d6ab042bbd732445a45c046db
Instruction Fuzzy Hash: A8713774A00219DFCF14EF58C484A9EBBB5FF08314F088499E816AB752CB75ED85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0087719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00877206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0087723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0087724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008772CF

Strings

DllGetClassObject, xrefs: 00877242

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 7bfb60997defd8b72c9d193725d9e0be4d906f8995dfc64fd58d260ac79e23cd
Instruction ID: 9706590ac4e62610e0a26b6e601e8dea8fd3b091979dad5de2e81a96f9597e95
Opcode Fuzzy Hash: 7bfb60997defd8b72c9d193725d9e0be4d906f8995dfc64fd58d260ac79e23cd
Instruction Fuzzy Hash: BF416B71A04204EFDB15CF94C884A9A7BA9FF45314F1480A9BD1ADF20ED7B0D944DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00871DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 00873CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00873CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00871E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00871E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00871EA9

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

Strings

ListBox, xrefs: 00871E25
ComboBox, xrefs: 00871DF0

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: fe4b643ba8cb5d467a4f7e725c06abb46651b0b569e17d1790a4356a3d44c775
Instruction ID: 80961461524de38f45ceebbae78f23e308295c6a18afe0443c3b62b4ba9fb5a1
Opcode Fuzzy Hash: fe4b643ba8cb5d467a4f7e725c06abb46651b0b569e17d1790a4356a3d44c775
Instruction Fuzzy Hash: 61210A72900104BADB149B68DC5ACFF77BCFF46360B108129F869E76D1DB3489459661

Uniqueness

Uniqueness Score: -1.00%

Function 008A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 008A2F8D
LoadLibraryW.KERNEL32(?), ref: 008A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 008A2FA9
DestroyWindow.USER32(?), ref: 008A2FB1

Strings

SysAnimate32, xrefs: 008A2F68

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 9543f169b7774eecaa10b553932183d36a731e9a8f38fe63d273cc53ccabd882
Instruction ID: c882540c39c35ab9049b35d48d41c067a3c808a0b7730cc251328533ef558ce6
Opcode Fuzzy Hash: 9543f169b7774eecaa10b553932183d36a731e9a8f38fe63d273cc53ccabd882
Instruction Fuzzy Hash: 5E219A71200209AFFB309F68DC80EBB37B9FB5A368F104229FA50D6990DB71DC919760

Uniqueness

Uniqueness Score: -1.00%

Function 00834D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00834D1E,008428E9,?,00834CBE,008428E9,008D88B8,0000000C,00834E15,008428E9,00000002), ref: 00834D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00834DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00834D1E,008428E9,?,00834CBE,008428E9,008D88B8,0000000C,00834E15,008428E9,00000002,00000000), ref: 00834DC3

Strings

CorExitProcess, xrefs: 00834D98
mscoree.dll, xrefs: 00834D86

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f77f4c2ffce647d5ad94eaf6419dd4a3cc7556c05df5bb551fbfb036eef90fee
Instruction ID: 8c62049ae16b9ebb502ac6ff77886f4bc86747e8bbb9df099f01eee671bbac78
Opcode Fuzzy Hash: f77f4c2ffce647d5ad94eaf6419dd4a3cc7556c05df5bb551fbfb036eef90fee
Instruction Fuzzy Hash: E0F03C34A41618ABEB119B94DC49BAEBFE5FB44751F0001A4E806E2660CF75AD40DED5

Uniqueness

Uniqueness Score: -1.00%

Function 0086D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0086D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0086D3BF
FreeLibrary.KERNEL32(00000000), ref: 0086D3E5

Strings

X64, xrefs: 0086D2A8
GetSystemWow64DirectoryW, xrefs: 0086D3B9

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 82be257e039231f774a07d78f4730894c6e6dcc0400ca8b0e17cc42f7bcbbda2
Instruction ID: a297cb63ff226854e3e6a3e452b5bee0d5f1d73fb74125c5e2883a26af56a864
Opcode Fuzzy Hash: 82be257e039231f774a07d78f4730894c6e6dcc0400ca8b0e17cc42f7bcbbda2
Instruction Fuzzy Hash: 78F05571F05B208BE77117118C28A6E3720FF12709B568155F602EA321EB20CC84C792

Uniqueness

Uniqueness Score: -1.00%

Function 00814E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00814EDD,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00814EAE
FreeLibrary.KERNEL32(00000000,?,?,00814EDD,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814EC0

Strings

kernel32.dll, xrefs: 00814E94
Wow64DisableWow64FsRedirection, xrefs: 00814EA8

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 6f25a49518c044b1e8791cfb561095a280105b1cc8d5af3a04ae76d5e7ba2fee
Instruction ID: b85881fec64011d4c9bc059d0e947e72b2f4df5f0c9d5441b20d4c3893854add
Opcode Fuzzy Hash: 6f25a49518c044b1e8791cfb561095a280105b1cc8d5af3a04ae76d5e7ba2fee
Instruction Fuzzy Hash: 3BE08635B019225BA2311B256C18B9B7658FF82B727050115FC04D2600DB64CD4284A1

Uniqueness

Uniqueness Score: -1.00%

Function 00814E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00853CDE,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00814E74
FreeLibrary.KERNEL32(00000000,?,?,00853CDE,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E87

Strings

kernel32.dll, xrefs: 00814E5B
Wow64RevertWow64FsRedirection, xrefs: 00814E6E

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 9585ab067d2a81acf6942d2c3e693e25ca69607aad54d4b13fd926b13867de53
Instruction ID: 3df3d790f6dff00018e60566ed398687ca9ef9fe4181d8eff4372c10332cfbdd
Opcode Fuzzy Hash: 9585ab067d2a81acf6942d2c3e693e25ca69607aad54d4b13fd926b13867de53
Instruction Fuzzy Hash: 5ED01235602A225766221B257C18DCB7A1CFF86B713450615F905E2614DF65CD42C5E0

Uniqueness

Uniqueness Score: -1.00%

Function 0089A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0089A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0089A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0089A468
CloseHandle.KERNEL32(?), ref: 0089A63D

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: f84652a55adbadc899f799bd3238582dc4cd7bf3f50cf0f402a6c4d8cbea1f41
Instruction ID: 27b453d339398d167e006fa6b31306b76a3c14d5bb1bd42d2f50b98243d691c2
Opcode Fuzzy Hash: f84652a55adbadc899f799bd3238582dc4cd7bf3f50cf0f402a6c4d8cbea1f41
Instruction Fuzzy Hash: 01A16D716043009FDB24EF28D886B2AB7E5FF94714F14885DF55ADB292DBB0EC418B92

Uniqueness

Uniqueness Score: -1.00%

Function 0084BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,008B3700), ref: 0084BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,008E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0084BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,008E1270,000000FF,?,0000003F,00000000,?), ref: 0084BC36
_free.LIBCMT ref: 0084BB7F

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 0084BD4B

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: a69a9c19405967a550f219219947f9ce714fd0edeef8ff4493c9430bb3bf5c6a
Instruction ID: 92d154c32cb1cd0ae437891b914b4e7aadde01061fc2decdba71ed45376bbabd
Opcode Fuzzy Hash: a69a9c19405967a550f219219947f9ce714fd0edeef8ff4493c9430bb3bf5c6a
Instruction Fuzzy Hash: B451D37190021DEFDB14EF699CC59AEBBB8FF41320B10026AE564D72A1EB30DE41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0087E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0087DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0087CF22,?), ref: 0087DDFD

Part of subcall function 0087DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0087CF22,?), ref: 0087DE16

Part of subcall function 0087E199: GetFileAttributesW.KERNEL32(?,0087CF95), ref: 0087E19A

lstrcmpiW.KERNEL32(?,?), ref: 0087E473
MoveFileW.KERNEL32(?,?), ref: 0087E4AC
_wcslen.LIBCMT ref: 0087E5EB
_wcslen.LIBCMT ref: 0087E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0087E650

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: cfc292117daa387525a90c4e2d0f53ce92c75762ac44b0087fa5d7c305f9653c
Instruction ID: 05b726201daf8e20938d714133a81ea4b6961d5603cbac2fcd8b1f922d1b162c
Opcode Fuzzy Hash: cfc292117daa387525a90c4e2d0f53ce92c75762ac44b0087fa5d7c305f9653c
Instruction Fuzzy Hash: 20517EB24087445BC724DB94C8919DB73ECFF88344F00492EE689D3151EE74E68887AB

Uniqueness

Uniqueness Score: -1.00%

Function 0089B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 0089C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0089B6AE,?,?), ref: 0089C9B5
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089C9F1
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA68
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0089BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0089BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0089BB63
RegCloseKey.ADVAPI32(?,?), ref: 0089BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0089BBB3

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 05650cd87f910e2f9dab1b0db96b98a9f700a17f21f410d424467b8eb47d9683
Instruction ID: adca6da3d2f0b635c40fcc00d335442d703c13191090965d275f18db2bcb3df3
Opcode Fuzzy Hash: 05650cd87f910e2f9dab1b0db96b98a9f700a17f21f410d424467b8eb47d9683
Instruction Fuzzy Hash: 4A61C031208241EFD714EF14D990E6ABBE9FF84318F18855CF4998B2A2DB31ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00878BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00878BCD
VariantClear.OLEAUT32 ref: 00878C3E
VariantClear.OLEAUT32 ref: 00878C9D
VariantClear.OLEAUT32(?), ref: 00878D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00878D3B

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 228207fd30c23ebda0b092dd299a5f675328bbb17c7c39bf1215130ba83fe721
Instruction ID: b442e11746f46f4395e162824327115b1dc0624e97c368362e7d0ebc6cb875bb
Opcode Fuzzy Hash: 228207fd30c23ebda0b092dd299a5f675328bbb17c7c39bf1215130ba83fe721
Instruction Fuzzy Hash: F85189B1A00219EFCB10CF28C884AAABBF8FF8D314B158559E919DB354E730E911CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00888AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00888BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00888BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00888C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00888C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00888C5F

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 52fcdb25a370e2a95e01f8d526746a252f319d5426d0c9923f49c2088b1baf19
Instruction ID: 9ae282b72db3ea27cf956987baa7b15bc76fd29619bfa79659b18cf7facb33d0
Opcode Fuzzy Hash: 52fcdb25a370e2a95e01f8d526746a252f319d5426d0c9923f49c2088b1baf19
Instruction Fuzzy Hash: 44515D35A00215DFCB01DF68C881AADBBF6FF49314F088458E849AB362DB31ED81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00898EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00898F40
GetProcAddress.KERNEL32(00000000,?), ref: 00898FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00898FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00899032
FreeLibrary.KERNEL32(00000000), ref: 00899052

Part of subcall function 0082F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00881043,?,75C0E610), ref: 0082F6E6
Part of subcall function 0082F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0086FA64,00000000,00000000,?,?,00881043,?,75C0E610,?,0086FA64), ref: 0082F70D

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: b80ea0c358ed2fd48de22e54cf6773e11fa8f7e692dded6fbce9491ea0d33508
Instruction ID: 60b929f097bcce6ee7fefe4b696a56eedd6c8d6b18f006e0c5331054859c23ff
Opcode Fuzzy Hash: b80ea0c358ed2fd48de22e54cf6773e11fa8f7e692dded6fbce9491ea0d33508
Instruction Fuzzy Hash: E2512835600605DFCB11EF58C4948ADBBF5FF49314B0980A8E85ADB762DB31ED85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 008A6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 008A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 008A6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0088AB79,00000000,00000000), ref: 008A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 008A6CC7

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: be86487edc27d339706033dabdab7b285bcfad06b14370ebdb6f81e7b36ae26d
Instruction ID: bd6812b4266632d4af5f71d46ea338a4ac321d2ff4d322e41208087d612b0896
Opcode Fuzzy Hash: be86487edc27d339706033dabdab7b285bcfad06b14370ebdb6f81e7b36ae26d
Instruction Fuzzy Hash: 7641D535A04104AFEB24DF28CC58FA57BA5FB0B370F190228F895E76E5E771AD61C650

Uniqueness

Uniqueness Score: -1.00%

Function 00842051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008420C3
_free.LIBCMT ref: 008420E3

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e2b5dff7edb89556bad23e4817dbd98baa6b0be6689f8ec7a23aba83bca66215
Instruction ID: 0c0055029585b6a5ede671083009e926b2b4ba059ae6854e0cbd3e1833c98b1e
Opcode Fuzzy Hash: e2b5dff7edb89556bad23e4817dbd98baa6b0be6689f8ec7a23aba83bca66215
Instruction Fuzzy Hash: 6F41E132A006089FCB20DF78C880A5EB7F5FF88314F5545A9F615EB396DA31AD01CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0082912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00829141
ScreenToClient.USER32(00000000,?), ref: 0082915E
GetAsyncKeyState.USER32(00000001), ref: 00829183
GetAsyncKeyState.USER32(00000002), ref: 0082919D

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d3beb79cae16491d18229e920deb59dd84695c200b86e5edef35cf6217164da5
Instruction ID: 487ef05559f8078eb386c19c77f42f922bac231d16cb43d34cee7b314fb19e01
Opcode Fuzzy Hash: d3beb79cae16491d18229e920deb59dd84695c200b86e5edef35cf6217164da5
Instruction Fuzzy Hash: 6B41407190861AFBDF159F69D844BEEB774FB06324F204216E465E72D0C7345990CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00883874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00883922
TranslateMessage.USER32(?), ref: 0088394B
DispatchMessageW.USER32(?), ref: 00883955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00883966

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: da56ae7c91a1cc332cfa292e2c3afa9ae4aa0af071271a27d38c9fd1ab40bb40
Instruction ID: 54e1788dc8e24537c2bb99be933a865cd014fac9accea3fa1a02fbf96a78e0fe
Opcode Fuzzy Hash: da56ae7c91a1cc332cfa292e2c3afa9ae4aa0af071271a27d38c9fd1ab40bb40
Instruction Fuzzy Hash: 9931D3709043869EEF35EB34DC88BB67FA8FB07B04F040569E466C65A1E7F49A85CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0088CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0088CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0088CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0088C21E,00000000), ref: 0088CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0088C21E,00000000), ref: 0088CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0088C21E,00000000), ref: 0088CFF2

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 05a2385caeab775fb6fe556d3aac940f333668f0035cc5fd7007036644e8038b
Instruction ID: a2eefc12e4f49fbb293572487e69442805c34a452a1bd162efcf19371fee9f55
Opcode Fuzzy Hash: 05a2385caeab775fb6fe556d3aac940f333668f0035cc5fd7007036644e8038b
Instruction Fuzzy Hash: 34315E71504205EFEB20EFA9D884AABBBF9FF15354B10442EF606D2545DF70AE40DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00871901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00871915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008719E2

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: ea9dad20c58bbc962efde06cd4799ad01080e6824f7de6061472e84456c9402e
Instruction ID: 1622a46f3886f23d5150b917ca281bb22efce44ab8c76fee601111a4dea10629
Opcode Fuzzy Hash: ea9dad20c58bbc962efde06cd4799ad01080e6824f7de6061472e84456c9402e
Instruction Fuzzy Hash: BF317871A00219AFDB10CFACC999B9E3BB5FB55315F108229FA25E72D1C770D945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 008A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 008A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 008A579D
_wcslen.LIBCMT ref: 008A57AF
_wcslen.LIBCMT ref: 008A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 008A5816

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 2b13f0d87eef7fcde1340343d4e886b8dfe9366d589eb1493fd3ddb22734e601
Instruction ID: 3a73f42fc2894542e092b88369ffe703e3402cede2c68ddfd457d8f160162a41
Opcode Fuzzy Hash: 2b13f0d87eef7fcde1340343d4e886b8dfe9366d589eb1493fd3ddb22734e601
Instruction Fuzzy Hash: 4C21B671904618DAEB20CF64DC84AEE7BB8FF46324F108216F929EB580D77499C5CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0082990F Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008298CC
SetTextColor.GDI32(?,?), ref: 008298D6
SetBkMode.GDI32(?,00000001), ref: 008298E9
GetStockObject.GDI32(00000005), ref: 008298F1
GetWindowLongW.USER32(?,000000EB), ref: 00829952

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: fba9b56133fc415a0e82017fc7bcf38dcb72e2a827c1603565bda1500cfb94ad
Instruction ID: 00c066718cb837de5afd814bbebea1668a8ce7d8586a1b89c4821747eaa1f388
Opcode Fuzzy Hash: fba9b56133fc415a0e82017fc7bcf38dcb72e2a827c1603565bda1500cfb94ad
Instruction Fuzzy Hash: D521A1715492909FDB228B34EC59AA53FA0FF13335B19019DE5D2CA1A2D6364992CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00890930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00890951
GetForegroundWindow.USER32 ref: 00890968
GetDC.USER32(00000000), ref: 008909A4
GetPixel.GDI32(00000000,?,00000003), ref: 008909B0
ReleaseDC.USER32(00000000,00000003), ref: 008909E8

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5c25c11687e209f88ee7c47804089b916926c28287e5f19c291028c5d6a2de1f
Instruction ID: 957d2352b0709b077422092f60b066b5011ea88aa13b213724da1bb7b1cd41ca
Opcode Fuzzy Hash: 5c25c11687e209f88ee7c47804089b916926c28287e5f19c291028c5d6a2de1f
Instruction Fuzzy Hash: 67218435A00204AFDB04EF69D944AAEBBE9FF45700F04846CF84AD7751DB70AC44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0084CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0084CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0084CDE9

Part of subcall function 00843820: RtlAllocateHeap.NTDLL(00000000,?,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6,?,00811129), ref: 00843852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0084CE0F
_free.LIBCMT ref: 0084CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0084CE31

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 42a88adf63b974f84d6a2f45b31112d08fa93c2684b9b4ecaa6abf8d052761e7
Instruction ID: 378cebfd0605599f615f6e3086e9f1bcdaeb3be1f9379b8ff4d593c802daa1ba
Opcode Fuzzy Hash: 42a88adf63b974f84d6a2f45b31112d08fa93c2684b9b4ecaa6abf8d052761e7
Instruction Fuzzy Hash: 8A014F72A0361D7F37611ABAAC88D7B7E6DFEC7BA13150129F905D7201EF618D0291B1

Uniqueness

Uniqueness Score: -1.00%

Function 00829639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00829693
SelectObject.GDI32(?,00000000), ref: 008296A2
BeginPath.GDI32(?), ref: 008296B9
SelectObject.GDI32(?,00000000), ref: 008296E2

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6f68c8e08b7de07214907c8fa42bb561097ddc9dd256406bd5def739d5794265
Instruction ID: aebf369782d2319621c43bdd1c05c81116c575f34e95cfd986090fad30061409
Opcode Fuzzy Hash: 6f68c8e08b7de07214907c8fa42bb561097ddc9dd256406bd5def739d5794265
Instruction Fuzzy Hash: EA217F30802355EBDF11AF28EC4CBA93FA8FB21315F900216F850EA1A2D37458D2CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00875711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00875726
_memcmp.LIBVCRUNTIME ref: 00875744
_memcmp.LIBVCRUNTIME ref: 00875757
_memcmp.LIBVCRUNTIME ref: 0087576F
_memcmp.LIBVCRUNTIME ref: 00875787

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a881648d6b5de5e7133eddd9446e4f752a53bd242223186b16e7bc57183cae58
Instruction ID: 634e45ce2ec735040f35416cd4ff9cdeceae41a79bf10c671ca393dc5a7247a4
Opcode Fuzzy Hash: a881648d6b5de5e7133eddd9446e4f752a53bd242223186b16e7bc57183cae58
Instruction Fuzzy Hash: C90192A1641A19BAE70C55159D86FBA635CFB627E8F00C020FE1CDA746F7A5ED1082E1

Uniqueness

Uniqueness Score: -1.00%

Function 00842DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0083F2DE,00843863,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6), ref: 00842DFD
_free.LIBCMT ref: 00842E32
_free.LIBCMT ref: 00842E59
SetLastError.KERNEL32(00000000,00811129), ref: 00842E66
SetLastError.KERNEL32(00000000,00811129), ref: 00842E6F

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 447f8a425c38262dc6a83ecf43315af64649f8c6ab163f904c49406117e3bdf2
Instruction ID: da435009536782110b502a65d46bcc5dce07b8b5f21a795665217bd4463b98dc
Opcode Fuzzy Hash: 447f8a425c38262dc6a83ecf43315af64649f8c6ab163f904c49406117e3bdf2
Instruction Fuzzy Hash: 9101F43220D60D77DA1267396C85E2B2B69FBD23B9BE40129F421E2293EF74CC018121

Uniqueness

Uniqueness Score: -1.00%

Function 0087000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?,?,0087035E), ref: 0087002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?), ref: 00870046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?), ref: 00870054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?), ref: 00870064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?), ref: 00870070

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 6f33481e19e967b5f8a7e5d3641040009eb0cc137cdb390baadeaae4ba8b0225
Instruction ID: ee89200bfad049ea9e2f16d94b934cf0854e0747b46e31833a5e60f3711f8597
Opcode Fuzzy Hash: 6f33481e19e967b5f8a7e5d3641040009eb0cc137cdb390baadeaae4ba8b0225
Instruction Fuzzy Hash: B501AD72600604FFEB108F68DC04BAA7AEDFF497A2F148124F909D2314EB75DD409BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0087E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0087E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0087E9A5
Sleep.KERNEL32(00000000), ref: 0087E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0087E9B7
Sleep.KERNEL32 ref: 0087E9F3

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: fbf59f5f8103581892fc3e979493bcfe4fc9c98e2e04c7b84aa4814f4dd99aa7
Instruction ID: e8671d783757d48a8f54d9dca43c4eb98d644f0c8a34a1dd1580c7c82c7c7990
Opcode Fuzzy Hash: fbf59f5f8103581892fc3e979493bcfe4fc9c98e2e04c7b84aa4814f4dd99aa7
Instruction Fuzzy Hash: 73010532D0162DDBDF00ABE5D859BEDBB78FB0E701F004596EA06F2245CB3495558BA1

Uniqueness

Uniqueness Score: -1.00%

Function 008710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00871114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 0087112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0087114D

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 0c388830020a4137424687fd29f3d82236c65a8105ea0f3265d78c82b3a84637
Instruction ID: da3384582b05139e5089db9d02036d53c6da0f7acf89bd89b8a136f7302226ec
Opcode Fuzzy Hash: 0c388830020a4137424687fd29f3d82236c65a8105ea0f3265d78c82b3a84637
Instruction Fuzzy Hash: B9011975200205BFEB114FA9DC4DA6A3B6EFF8A3A0B604419FA45D7760DA31DD009A60

Uniqueness

Uniqueness Score: -1.00%

Function 00870FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00870FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00870FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00870FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00870FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00871002

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e5af3018e422cb32dec97d0c4e8a8ebf0e302fe946984c001202941bfe326b05
Instruction ID: b0be2a920a6126f7b4c69688060500b13668765fe8e622d0dd744adbd4239405
Opcode Fuzzy Hash: e5af3018e422cb32dec97d0c4e8a8ebf0e302fe946984c001202941bfe326b05
Instruction Fuzzy Hash: C5F04935200701ABEB214FA89C4DF563BADFF8AB62F104414FA49C6651DE70DC508A60

Uniqueness

Uniqueness Score: -1.00%

Function 00871014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0087102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00871036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00871045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0087104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00871062

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2a298950b3560cccd696698e5590e0d0fd681424442d0ec41fbf814b16d6e512
Instruction ID: 3f5f91e11c88501fa89fc270732a6624432747475a59cece021461699ccce633
Opcode Fuzzy Hash: 2a298950b3560cccd696698e5590e0d0fd681424442d0ec41fbf814b16d6e512
Instruction Fuzzy Hash: 64F04935200701ABEB219FA8EC4DF563BADFF8A761F104414FA49C6650DE70D8508A60

Uniqueness

Uniqueness Score: -1.00%

Function 0088030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 00880324
CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 00880331
CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 0088033E
CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 0088034B
CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 00880358
CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 00880365

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: edcd758a46512f2c6327ecf3334624bb1b681dc22bc204ee9dad8bc805e3aa96
Instruction ID: a1a26e24c5108b9d86efd86074efbcf5c755b376fb135f8c02dba47dc13eae9d
Opcode Fuzzy Hash: edcd758a46512f2c6327ecf3334624bb1b681dc22bc204ee9dad8bc805e3aa96
Instruction Fuzzy Hash: BB016C72801B159FCB30AF66D890816FBF9FE602153158A3ED19692A31C7B1A959DF80

Uniqueness

Uniqueness Score: -1.00%

Function 0084D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0084D752

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 0084D764
_free.LIBCMT ref: 0084D776
_free.LIBCMT ref: 0084D788
_free.LIBCMT ref: 0084D79A

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 62f871b8d1889659a193eae531eb8815ee0da2af07252cde60b6ed7707d661fd
Instruction ID: 9296f7bf3507a5bfc472f1f11da9265e27329b60633d580bfba55d4c8c5d612f
Opcode Fuzzy Hash: 62f871b8d1889659a193eae531eb8815ee0da2af07252cde60b6ed7707d661fd
Instruction Fuzzy Hash: 78F01D3254A30DAB9621EB69F9C6D1ABFDDFB44710BE40D06F048E7502CB30FC808A65

Uniqueness

Uniqueness Score: -1.00%

Function 00875C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00875C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00875C6F
MessageBeep.USER32(00000000), ref: 00875C87
KillTimer.USER32(?,0000040A), ref: 00875CA3
EndDialog.USER32(?,00000001), ref: 00875CBD

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9b09bdb1dee2706ff4e2d7125fd6430e4948f21d5e4423edb72cef66be2d1bd0
Instruction ID: 16b818071be4168717eeefd5c1ba66fce19e6fb9af3f0e7d9278e30aa7c565a6
Opcode Fuzzy Hash: 9b09bdb1dee2706ff4e2d7125fd6430e4948f21d5e4423edb72cef66be2d1bd0
Instruction Fuzzy Hash: AF018130500B08ABFB219B50DD8EFA677B8FF51B05F04455DA587E14E1DBF4A9848A90

Uniqueness

Uniqueness Score: -1.00%

Function 008422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008422BE

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 008422D0
_free.LIBCMT ref: 008422E3
_free.LIBCMT ref: 008422F4
_free.LIBCMT ref: 00842305

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 43381f4fe83f3551d9863e2f3f7b85e4a65cf96ba9a6669297e64bf33ade2765
Instruction ID: 253c4deb202b244bb50cee25d458dc7fd7d5d5185d6bf5a418c9e1ded6ceb265
Opcode Fuzzy Hash: 43381f4fe83f3551d9863e2f3f7b85e4a65cf96ba9a6669297e64bf33ade2765
Instruction Fuzzy Hash: 68F05E708091A59B9A12EF99BC81D0C3F68F7187607800A1BF414DA2B5CB711862EFE5

Uniqueness

Uniqueness Score: -1.00%

Function 008295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008295D4
StrokeAndFillPath.GDI32(?,?,008671F7,00000000,?,?,?), ref: 008295F0
SelectObject.GDI32(?,00000000), ref: 00829603
DeleteObject.GDI32 ref: 00829616
StrokePath.GDI32(?), ref: 00829631

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 0709e0c9139c3cf92ad96fa9b7ad536e31306cfdf3aca2a975c769d097cfd76b
Instruction ID: b3c50a94adf40547de9b950cfc38650b340b580122a132a971c889b680b6abd4
Opcode Fuzzy Hash: 0709e0c9139c3cf92ad96fa9b7ad536e31306cfdf3aca2a975c769d097cfd76b
Instruction Fuzzy Hash: ABF04F30005648EBEF126F65ED5C7643FA1FB12322F448214F565994F2CB3489D1DF20

Uniqueness

Uniqueness Score: -1.00%

Function 00840F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008410F9
__freea.LIBCMT ref: 00841117

Part of subcall function 00841537: _free.LIBCMT ref: 0084154F

Strings

am/pm, xrefs: 0084117A
a/p, xrefs: 008411DE

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 41649554c4a1ddda6e9bbf398edd4aa16249b15d8a40e0288bbd445748779cb1
Instruction ID: 5fdee0413b8cd5eeb4361d79ea63106bb2752e7aa3d0283ded9a8a3c1cdf9ef7
Opcode Fuzzy Hash: 41649554c4a1ddda6e9bbf398edd4aa16249b15d8a40e0288bbd445748779cb1
Instruction Fuzzy Hash: CAD1DE31A1020E9ADF289F68C89DABAB7B1FF05704F284159E911EBB50D7799DC0CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00897B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00830242: EnterCriticalSection.KERNEL32(008E070C,008E1884,?,?,0082198B,008E2518,?,?,?,008112F9,00000000), ref: 0083024D
Part of subcall function 00830242: LeaveCriticalSection.KERNEL32(008E070C,?,0082198B,008E2518,?,?,?,008112F9,00000000), ref: 0083028A

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 008300A3: __onexit.LIBCMT ref: 008300A9

__Init_thread_footer.LIBCMT ref: 00897BFB

Part of subcall function 008301F8: EnterCriticalSection.KERNEL32(008E070C,?,?,00828747,008E2514), ref: 00830202
Part of subcall function 008301F8: LeaveCriticalSection.KERNEL32(008E070C,?,00828747,008E2514), ref: 00830235

Strings

Variable must be of type 'Object'., xrefs: 00897C3A
5, xrefs: 00897C78
G, xrefs: 00897C7F

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: e7902abe9d47638af5f5654299c79132e89518abe958abd7fcd367ef811d8146
Instruction ID: 378f778ff601613632eb0f92874d0ca3bfe1a9629d50d43ccbb12665f515a95a
Opcode Fuzzy Hash: e7902abe9d47638af5f5654299c79132e89518abe958abd7fcd367ef811d8146
Instruction Fuzzy Hash: 6F918970A14209EFCF04EF98D8919ADB7B5FF49304F188059F806DB292DB71AE85CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00872716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0087B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008721D0,?,?,00000034,00000800,?,00000034), ref: 0087B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00872760

Part of subcall function 0087B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0087B3F8

Part of subcall function 0087B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0087B355
Part of subcall function 0087B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00872194,00000034,?,?,00001004,00000000,00000000), ref: 0087B365
Part of subcall function 0087B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00872194,00000034,?,?,00001004,00000000,00000000), ref: 0087B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0087281A

Strings

@, xrefs: 00872832

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: b03f31979b71c8fe1999019e2264c3e11692615ead24f86757782d4604eaf87f
Instruction ID: e04bc967268eaf9c8680fde97fd1dd52b0e1a3805ef186f5e0cddd1dba06ca77
Opcode Fuzzy Hash: b03f31979b71c8fe1999019e2264c3e11692615ead24f86757782d4604eaf87f
Instruction Fuzzy Hash: DB411F72900218AFDB10DBA8CD45BDEBBB8FF05700F108095FA59B7185DB71AE85DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0084172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\FAR.N_2430-240009934.exe,00000104), ref: 00841769
_free.LIBCMT ref: 00841834
_free.LIBCMT ref: 0084183E

Strings

C:\Users\user\Desktop\FAR.N_2430-240009934.exe, xrefs: 00841760, 00841767, 00841796, 008417CE

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\FAR.N_2430-240009934.exe
API String ID: 2506810119-4084676668
Opcode ID: 13955819af2e51a0aa501a5fd4b85d54051b51e16188c0ac1dccfd05616853be
Instruction ID: 524df0cd09e16bcdfd3f360fcf9fa9e6ce9ada851ad86d15fe89db6edff16341
Opcode Fuzzy Hash: 13955819af2e51a0aa501a5fd4b85d54051b51e16188c0ac1dccfd05616853be
Instruction Fuzzy Hash: BC316D71A4425CEBDF21DB99DC89D9EBBFCFB89310B544166F904DB211D6B08E80CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0087C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0087C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0087C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,008E1990,01676048), ref: 0087C395

Strings

0, xrefs: 0087C2DF

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 503e71d9d729636b04418efcc4275b5551d0cc0d0087b83fa5ed4c5d13579e73
Instruction ID: 756c7f3130142dce2905ff85324e22512374db8bdc189acc11f349a20c9fae1b
Opcode Fuzzy Hash: 503e71d9d729636b04418efcc4275b5551d0cc0d0087b83fa5ed4c5d13579e73
Instruction Fuzzy Hash: 814156712043019FD7209F29D885B6ABBE8FB85324F148A1DF9A9D73D5D730E904CB62

Uniqueness

Uniqueness Score: -1.00%

Function 008A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,008ACC08,00000000,?,?,?,?), ref: 008A44AA
GetWindowLongW.USER32 ref: 008A44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008A44D7

Strings

SysTreeView32, xrefs: 008A447C

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 23587f9a4e4894d6de02ba3d6bedcc0ecf51d5b3519f9710f14db884b495cb35
Instruction ID: 9de2c604cbf10b1e829b87333a6d9cce19363ed06d07c2fd60f20eef70d95470
Opcode Fuzzy Hash: 23587f9a4e4894d6de02ba3d6bedcc0ecf51d5b3519f9710f14db884b495cb35
Instruction Fuzzy Hash: 6F319C31201605AFEF208E38DC45BEA7BA9FB4A334F205725F975E25D0D7B4AC909B50

Uniqueness

Uniqueness Score: -1.00%

Function 0089304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0089335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00893077,?,?), ref: 00893378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0089307A
_wcslen.LIBCMT ref: 0089309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00893106

Strings

255.255.255.255, xrefs: 00893095, 0089309A

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 2e663dc0273502947d0f5ba944558a1fc918940c82b9f8e60cc3aa5ec7b2147c
Instruction ID: 9b310032cadc4a259e90056e185f885259427069ac9b769fd231bc22395bafd4
Opcode Fuzzy Hash: 2e663dc0273502947d0f5ba944558a1fc918940c82b9f8e60cc3aa5ec7b2147c
Instruction Fuzzy Hash: 0731D3392002059FCF20EF68C885EAA77E0FF55318F288059E915CB7A2DB36EE45C761

Uniqueness

Uniqueness Score: -1.00%

Function 008A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 008A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 008A4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 008A471A

Strings

msctls_updown32, xrefs: 008A4684

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: f939df726f4f2a83c16492a673b03379a5ca935d99fa401599974cd0e54b05de
Instruction ID: 6abec5156b7dd2e113903eae3d29bbd116e8be216a22360c2e1769fee626a160
Opcode Fuzzy Hash: f939df726f4f2a83c16492a673b03379a5ca935d99fa401599974cd0e54b05de
Instruction Fuzzy Hash: 9D214CB5600248AFEB10DF68DCC1DAB77ADFB9B3A4B040059FA01DB261DB70EC51CA61

Uniqueness

Uniqueness Score: -1.00%

Function 008795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0087961D

Strings

#requireadmin, xrefs: 008795D9
#OnAutoItStartRegister, xrefs: 008795F3
#notrayicon, xrefs: 008795B7

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: cda5bcb8462679bdb58c5a3f583805448425fb89d48c17ea88092c69051ff4c3
Instruction ID: ef3a8045a5999bea28da92258f3af03958b3123b2619e4bf22d0b915f4231249
Opcode Fuzzy Hash: cda5bcb8462679bdb58c5a3f583805448425fb89d48c17ea88092c69051ff4c3
Instruction Fuzzy Hash: 6E213B7210422166D331EA299C02FB773ACFFA1314F108029F9CDD7149EB55ED81C2D6

Uniqueness

Uniqueness Score: -1.00%

Function 008A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 008A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 008A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 008A3876

Strings

Listbox, xrefs: 008A380F

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 3a179f5a666ae81e60d6bf1b1bfec0dfac1bb2078cf0dc7405648f22c2c91b8f
Instruction ID: 8932e2f165a332976d5831fb03690821ec6cb72adc245aea9cbdb05cd1f80ad5
Opcode Fuzzy Hash: 3a179f5a666ae81e60d6bf1b1bfec0dfac1bb2078cf0dc7405648f22c2c91b8f
Instruction Fuzzy Hash: 85218E72610218BBFF218F54CC85FAB376EFF8A754F108125F9149B590DA75DC528BA0

Uniqueness

Uniqueness Score: -1.00%

Function 008849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00884A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00884A5C
SetErrorMode.KERNEL32(00000000,?,?,008ACC08), ref: 00884AD0

Strings

%lu, xrefs: 00884A6F

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: f0cea8f5935274c7b6033fc254f5b78f0206a688aebe0b201e4e1fe37a70e2b8
Instruction ID: b567fcc41e8af2189c777bde43fa98fb1c81de4000a877078b85ed6c298d0272
Opcode Fuzzy Hash: f0cea8f5935274c7b6033fc254f5b78f0206a688aebe0b201e4e1fe37a70e2b8
Instruction Fuzzy Hash: 7E315E75A00119AFDB10DF58C885EAA7BF8FF09308F1480A9E909DB352DB75EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 008A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 008A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 008A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 008A4271

Strings

msctls_trackbar32, xrefs: 008A4226

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 4369454715c02ce989f01f607bca4648c5939d4fe0720bf19a84cc8d5f567a86
Instruction ID: 5bab714a6eb6b6248163b3f24236fdf01d4d44edfcf5d9d067d13c14169ac188
Opcode Fuzzy Hash: 4369454715c02ce989f01f607bca4648c5939d4fe0720bf19a84cc8d5f567a86
Instruction Fuzzy Hash: 9911E331240248BEFF205E28CC46FAB3BACFF96B54F110124FA55E6090D6B1DC519B60

Uniqueness

Uniqueness Score: -1.00%

Function 00872F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

Part of subcall function 00872DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00872DC5
Part of subcall function 00872DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00872DD6
Part of subcall function 00872DA7: GetCurrentThreadId.KERNEL32 ref: 00872DDD
Part of subcall function 00872DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00872DE4

GetFocus.USER32 ref: 00872F78

Part of subcall function 00872DEE: GetParent.USER32(00000000), ref: 00872DF9

GetClassNameW.USER32(?,?,00000100), ref: 00872FC3
EnumChildWindows.USER32(?,0087303B), ref: 00872FEB

Strings

%s%d, xrefs: 00872FFF

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: eb582b516551dbeca6f8521bd78ba54a3d5ba5c841bb9a41fe5efb9a9ef49258
Instruction ID: 000e411ac42f4a24e38765281c8ac581b02d30d97930df346d50818b3bae0177
Opcode Fuzzy Hash: eb582b516551dbeca6f8521bd78ba54a3d5ba5c841bb9a41fe5efb9a9ef49258
Instruction Fuzzy Hash: CB11E4716002096BDF10BF788C85EED3B6AFF94314F048079F90DDB256EE3099459B62

Uniqueness

Uniqueness Score: -1.00%

Function 008A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008A58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008A58EE
DrawMenuBar.USER32(?), ref: 008A58FD

Strings

0, xrefs: 008A588F

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 5d5a49af179230058c1ed1c9c0ef174c6f2d66dbb64ef8d07ffca4d4c6f28307
Instruction ID: d79603d81fc7f8a8b1f0234cba6b397bdc0a4eb05638a5f8cabb4ee0721517a0
Opcode Fuzzy Hash: 5d5a49af179230058c1ed1c9c0ef174c6f2d66dbb64ef8d07ffca4d4c6f28307
Instruction Fuzzy Hash: 34015B31500218EEEB219F15EC44BAFBBB4FF46360F1480A9F949DA552DB308AC4DF21

Uniqueness

Uniqueness Score: -1.00%

Function 0087007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93edae1f780acef7607408cb36c24467d2573c3111f0dd7ebd19af59b8ae7db
Instruction ID: a674420898bac3a123476b380722b27479a30620ea25abcfb93f0f04c0dd7bc9
Opcode Fuzzy Hash: d93edae1f780acef7607408cb36c24467d2573c3111f0dd7ebd19af59b8ae7db
Instruction Fuzzy Hash: C5C15B75A0020AEFDB14CFA8C894AAEB7B5FF48704F208598E509EB255D731EE41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0089342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00893459
CoUninitialize.OLE32 ref: 00893463
VariantInit.OLEAUT32(?), ref: 0089346E
VariantClear.OLEAUT32(?), ref: 0089371B

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 1d6b1c309e9c7964eb572e10b682dc4c6b1ef6ddf9756a7d3617bd4b25ac18e2
Instruction ID: fe9880188b10c011bc80e0b225d3e5a36c7e57b30e0c7b10b181cf1f035e9d8b
Opcode Fuzzy Hash: 1d6b1c309e9c7964eb572e10b682dc4c6b1ef6ddf9756a7d3617bd4b25ac18e2
Instruction Fuzzy Hash: F7A13D756042109FCB11EF68C485A5AB7E9FF88714F09885DF98ADB362DB30ED41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00870436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,008AFC08,?), ref: 008705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,008AFC08,?), ref: 00870608
CLSIDFromProgID.OLE32(?,?,00000000,008ACC40,000000FF,?,00000000,00000800,00000000,?,008AFC08,?), ref: 0087062D
_memcmp.LIBVCRUNTIME ref: 0087064E

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 0483db154575b93e934328fce3879abc29c1bf8e03dc871b8b3b8acce51174ea
Instruction ID: 1b8caa126e3dd3b9c995dc00dbe1d6d367a7298840d45c9140e5ea7279e5b0c6
Opcode Fuzzy Hash: 0483db154575b93e934328fce3879abc29c1bf8e03dc871b8b3b8acce51174ea
Instruction Fuzzy Hash: A281E971A00209EFCB04DF94C984DEEB7B9FF89315B208558E516EB254DB71AE46CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00851391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008514C0

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 672f744f3447d2cd063c7dd696c9500d30e45b35e6467c4bd001fe2e097314c2
Instruction ID: d01f969fcb6dfbc7fc5695d221e4f46e2030c880d7de4799ae7a9fb73a9ab19b
Opcode Fuzzy Hash: 672f744f3447d2cd063c7dd696c9500d30e45b35e6467c4bd001fe2e097314c2
Instruction Fuzzy Hash: D9414C35A00104ABDF216BBDDC8DBBF3AA6FF81371F144225FC19D6292E6B4484553A7

Uniqueness

Uniqueness Score: -1.00%

Function 008A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0167F348,?), ref: 008A62E2
ScreenToClient.USER32(?,?), ref: 008A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 008A6382

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 96d7adc506ee0a029fa13765b21b23f2c1fce436aeaec421446f3c0aa19347b9
Instruction ID: 492b881e8a57786133ff15c9183488376116d6438774d2d0e4fd85fbf605df35
Opcode Fuzzy Hash: 96d7adc506ee0a029fa13765b21b23f2c1fce436aeaec421446f3c0aa19347b9
Instruction Fuzzy Hash: 16514A70A00209EFEF10DF68D880AAE7BB5FF56360F148169F815DB694E770AD91CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00891AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00891AFD
WSAGetLastError.WSOCK32 ref: 00891B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00891B8A
WSAGetLastError.WSOCK32 ref: 00891B94

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 817e813442d850411c3242b0f233b82b4ea6a345e2ca2d9449bcc30ee26d59ee
Instruction ID: 93791ad3dae93623745be24a84403d97412971f50af63c1c06956d1cfcaabcf7
Opcode Fuzzy Hash: 817e813442d850411c3242b0f233b82b4ea6a345e2ca2d9449bcc30ee26d59ee
Instruction Fuzzy Hash: 0B41AF346402006FEB20AF28C88AF6577A5FF44718F588448F5169F3D2D672ED828B91

Uniqueness

Uniqueness Score: -1.00%

Function 0084B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1225d5204238bf20b7509eae421cc2f0ac13e3faf93d1b3bda4a5500361c30ba
Instruction ID: 692cff2035023ea6240168e260a26bf56bd9a502c00166662f6a8358fc0527e0
Opcode Fuzzy Hash: 1225d5204238bf20b7509eae421cc2f0ac13e3faf93d1b3bda4a5500361c30ba
Instruction Fuzzy Hash: 78410471A00308AFD7249F7CCC46BAABBA9FB88720F10852AF555DB682D771D9018781

Uniqueness

Uniqueness Score: -1.00%

Function 008856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00885783
GetLastError.KERNEL32(?,00000000), ref: 008857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008857FA

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 6f3d906f4b584d8995183e460b498ecbaa6e824d2861b2088463d9daf7e36aab
Instruction ID: f6ba009f8e429f25e2b05d8a004b5c5063004948f7593f931015dc2c89299e08
Opcode Fuzzy Hash: 6f3d906f4b584d8995183e460b498ecbaa6e824d2861b2088463d9daf7e36aab
Instruction Fuzzy Hash: 1A41FB35600610DFCB11EF19C545A9ABBF6FF49720B198498E84A9B362CB34FD41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0084D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00836D71,00000000,00000000,008382D9,?,008382D9,?,00000001,00836D71,8BE85006,00000001,008382D9,008382D9), ref: 0084D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0084D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0084D9AB
__freea.LIBCMT ref: 0084D9B4

Part of subcall function 00843820: RtlAllocateHeap.NTDLL(00000000,?,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6,?,00811129), ref: 00843852

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: c7aeac4a2b1e0bc14ea050de4d3da000f2a20009ab3b24445dd402bd7d1842a5
Instruction ID: de722104b89663ece983ae1241342df0e2e60f491f5cc2d6dbbbc14b5732fce7
Opcode Fuzzy Hash: c7aeac4a2b1e0bc14ea050de4d3da000f2a20009ab3b24445dd402bd7d1842a5
Instruction Fuzzy Hash: 0531BC72A0020AABDF249F69DC45EAE7FA5FB41710F054268FC04DB2A0EB35DD51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 008A52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 008A5352
GetWindowLongW.USER32(?,000000F0), ref: 008A5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008A5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008A53A8

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 0077c2ebab92b3f714f106d35e6fc4e855c89abb7395403b6e41d99f8364dd9f
Instruction ID: 1e9e20cdf1d3294bd825ee9255f0b720e075fe04c585ac9e6155e6fdde2111de
Opcode Fuzzy Hash: 0077c2ebab92b3f714f106d35e6fc4e855c89abb7395403b6e41d99f8364dd9f
Instruction Fuzzy Hash: 5D31BC30A55A0CEFFF249A14CC56BE977A5FB97390F584001FA11D6BE1C7B099C09B42

Uniqueness

Uniqueness Score: -1.00%

Function 0087AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 0087ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0087AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0087AC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 0087ACC6

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: fcf8206580bfd3b6b6a68f149f03a694fa7b616059fa42bad8c333780e0183a2
Instruction ID: 6e3cc8169bef93ee6b16cc8db4a581f2a5222ec5adcc1feca24462275a45a528
Opcode Fuzzy Hash: fcf8206580bfd3b6b6a68f149f03a694fa7b616059fa42bad8c333780e0183a2
Instruction Fuzzy Hash: A731E530A00618BFFB2ACB65C805BFE7AA5FBC5320F08C21AE489D21D9C375C9859752

Uniqueness

Uniqueness Score: -1.00%

Function 008A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 008A769A
GetWindowRect.USER32(?,?), ref: 008A7710
PtInRect.USER32(?,?,008A8B89), ref: 008A7720
MessageBeep.USER32(00000000), ref: 008A778C

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: e19c37178fd2f5c4dc14de76c2920d27583b8cf159f9dc467588171697dd4658
Instruction ID: 5e45a9593f3564b9fe6b3d5f01604565b7821b0a96fa1a35beac7e57dc1c0391
Opcode Fuzzy Hash: e19c37178fd2f5c4dc14de76c2920d27583b8cf159f9dc467588171697dd4658
Instruction Fuzzy Hash: C0418B34A09254DFEB01DF58CC98EA9BBF5FB4A314F1940A8E914DFA61D730A941DF90

Uniqueness

Uniqueness Score: -1.00%

Function 008A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008A16EB

Part of subcall function 00873A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00873A57
Part of subcall function 00873A3D: GetCurrentThreadId.KERNEL32 ref: 00873A5E
Part of subcall function 00873A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008725B3), ref: 00873A65

GetCaretPos.USER32(?), ref: 008A16FF
ClientToScreen.USER32(00000000,?), ref: 008A174C
GetForegroundWindow.USER32 ref: 008A1752

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 93b50d38704a9c82858349d586bbf17cdcb464296c28b17c38a4b39cc0612bdd
Instruction ID: e4fc89d3d97fcea4a51578b8904faf9ff7dc9092e23ea4bdbc322ba48e2b21ab
Opcode Fuzzy Hash: 93b50d38704a9c82858349d586bbf17cdcb464296c28b17c38a4b39cc0612bdd
Instruction Fuzzy Hash: C3312C75D00249AFDB00EFA9C8858EEBBFDFF49304B5080A9E415E7611EA31DE45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0087D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0087D501
Process32FirstW.KERNEL32(00000000,?), ref: 0087D50F
Process32NextW.KERNEL32(00000000,?), ref: 0087D52F
CloseHandle.KERNEL32(00000000), ref: 0087D5DC

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 4a9c795a330b60eeed76e8a7a44629f56e50a13369fbf6acaceac617cdefa55d
Instruction ID: 5e645767f5cd8c65a4aeac6905b591086d8938d69c980a33b43514ca7f427a0d
Opcode Fuzzy Hash: 4a9c795a330b60eeed76e8a7a44629f56e50a13369fbf6acaceac617cdefa55d
Instruction Fuzzy Hash: DA318C711083009FD300EF58C881AAABBF8FF99344F10492DF585C21A1EB619985CB93

Uniqueness

Uniqueness Score: -1.00%

Function 008A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

GetCursorPos.USER32(?), ref: 008A9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00867711,?,?,?,?,?), ref: 008A9016
GetCursorPos.USER32(?), ref: 008A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00867711,?,?,?), ref: 008A9094

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 802ae1c3accfb1fb24e8e784ca2e05d0968f9a3f3b79b9ea6641d144f2789ecb
Instruction ID: 37203aff76f6772b7496d162f0d39eda045ff7b5586eb3444ab0e87a13f11ac5
Opcode Fuzzy Hash: 802ae1c3accfb1fb24e8e784ca2e05d0968f9a3f3b79b9ea6641d144f2789ecb
Instruction Fuzzy Hash: 4D21BF35600418EFEF258F94C898EEA7BF9FB4A3A0F104065F9458B661C3319990DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0087D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,008ACB68), ref: 0087D2FB
GetLastError.KERNEL32 ref: 0087D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0087D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,008ACB68), ref: 0087D376

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 1da8667c7786cd399d4d30a26973308c83160d3d8297c2878514bb7639ccaff9
Instruction ID: 54524df990ed233b841e45423b6238b2ed6baa6227f45b31dfa8d05ebd821971
Opcode Fuzzy Hash: 1da8667c7786cd399d4d30a26973308c83160d3d8297c2878514bb7639ccaff9
Instruction Fuzzy Hash: 012151705093019F8710DF28C8818AA77F8FE56768F508A1DF4A9C73A1EB31D946CB93

Uniqueness

Uniqueness Score: -1.00%

Function 00871571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00871014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0087102A
Part of subcall function 00871014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00871036
Part of subcall function 00871014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00871045
Part of subcall function 00871014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0087104C
Part of subcall function 00871014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00871062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008715BE
_memcmp.LIBVCRUNTIME ref: 008715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00871617
HeapFree.KERNEL32(00000000), ref: 0087161E

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: d8f67d9c109542e4c6189ec2a4df19a35806e38819ed02f636a3e77cfe7caee3
Instruction ID: e1847ddd93bb3e6c3e97eeefebf7608d05226d2cfdce96467c4c34756ebe5688
Opcode Fuzzy Hash: d8f67d9c109542e4c6189ec2a4df19a35806e38819ed02f636a3e77cfe7caee3
Instruction Fuzzy Hash: 72215531E00108ABDF14DFA8C949BEEB7B8FF94344F188459E449EB645E730AA05DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 008A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 008A280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 008A2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 008A2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 008A2840

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 7f6def8dc8cfc4bbceef1a75b895b29c8670269b7b5e75e4493df644e6d4564e
Instruction ID: 9bbc0fe5c44e02afb23a26ae2828b828ef227f5f535d77ddd4a5b4c5d4aeefc5
Opcode Fuzzy Hash: 7f6def8dc8cfc4bbceef1a75b895b29c8670269b7b5e75e4493df644e6d4564e
Instruction Fuzzy Hash: 0121D631604515AFE724DB28C844FAA7799FF46324F148158F426CBAD2CB75FD82C791

Uniqueness

Uniqueness Score: -1.00%

Function 008778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00878D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0087790A,?,000000FF,?,00878754,00000000,?,0000001C,?,?), ref: 00878D8C
Part of subcall function 00878D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00878DB2
Part of subcall function 00878D7D: lstrcmpiW.KERNEL32(00000000,?,0087790A,?,000000FF,?,00878754,00000000,?,0000001C,?,?), ref: 00878DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00878754,00000000,?,0000001C,?,?,00000000), ref: 00877923
lstrcpyW.KERNEL32(00000000,?), ref: 00877949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00878754,00000000,?,0000001C,?,?,00000000), ref: 00877984

Strings

cdecl, xrefs: 0087797B

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 53dfa76230f15a774a2e736edd619608a9f83ddc9063744feb562cf956f0d7d2
Instruction ID: 6f7c5b75f43cd821c646bfaeba85ce21e971f0e5142ec2e2b341117d9f828401
Opcode Fuzzy Hash: 53dfa76230f15a774a2e736edd619608a9f83ddc9063744feb562cf956f0d7d2
Instruction Fuzzy Hash: 5511D63A201201ABDB155F38D845E7A7BA9FF95350B50802AFA4ACB368EB35D811D791

Uniqueness

Uniqueness Score: -1.00%

Function 008A7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 008A7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 008A7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 008A7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0088B7AD,00000000), ref: 008A7D6B

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 79504c950d7234db5e68035243993189fd9a2a9f87de340fb081938df71cca93
Instruction ID: 89bb729273058218c7ad3c90d4f201cd902f36a574f83983d7d59ac7c618b2dd
Opcode Fuzzy Hash: 79504c950d7234db5e68035243993189fd9a2a9f87de340fb081938df71cca93
Instruction Fuzzy Hash: 4E11A231604665AFEB109F28CC08A6A3BA5FF47370B154728F835DB6F0E7309950DB50

Uniqueness

Uniqueness Score: -1.00%

Function 008A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 008A56BB
_wcslen.LIBCMT ref: 008A56CD
_wcslen.LIBCMT ref: 008A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 008A5816

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: cfc0959a789f41a619c80e8ee77ef59740836dbd3523c96c304e6cdde703f927
Instruction ID: 2c41c547b402ba1ecd8245d7faee0a8443883dd5996f5d04bbb0c5c77d5a45cf
Opcode Fuzzy Hash: cfc0959a789f41a619c80e8ee77ef59740836dbd3523c96c304e6cdde703f927
Instruction Fuzzy Hash: 7711E471600A18A6EF20DF65DC85AEE3B6CFF16764F104026F915D6481EB7489C0CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00841D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09b35ac9c1d304358c4ff1709fdecfb3e7c738738f940dd3d85cbede0a03cca5
Instruction ID: 1ea641b4aad8be634e6ff706453ad176409a5936bccea32bc40b1d38cf4df933
Opcode Fuzzy Hash: 09b35ac9c1d304358c4ff1709fdecfb3e7c738738f940dd3d85cbede0a03cca5
Instruction Fuzzy Hash: 64014BF2A0961E7EFA212AB86CC5F676A1DFF423B8B341325F531E11D2DB709C809161

Uniqueness

Uniqueness Score: -1.00%

Function 00871A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00871A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00871A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00871A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00871A8A

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 216ca4fb950dc030157d9e5b0d35c3b597bfbcc100f6239a4354c09cf711a1aa
Instruction ID: fb5fde697ae645fcad23c2c298370b157a69ab05346f17c271405f9ff8a0a19c
Opcode Fuzzy Hash: 216ca4fb950dc030157d9e5b0d35c3b597bfbcc100f6239a4354c09cf711a1aa
Instruction Fuzzy Hash: F211183A901229BFEF109BA88985FADFB78FB14750F204091E604B7294D671AE509B94

Uniqueness

Uniqueness Score: -1.00%

Function 0087E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0087E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0087E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0087E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0087E24D

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: b7def3bfc5ff49444ee988c3f04f27ccaa2fcb467596e5e36079eeab1e31d691
Instruction ID: 77a5064ba95d423b978095cb804219649e47c058c7e0e9f77e401e263b7ce2cc
Opcode Fuzzy Hash: b7def3bfc5ff49444ee988c3f04f27ccaa2fcb467596e5e36079eeab1e31d691
Instruction Fuzzy Hash: 30112B72A04258BBDB019FA89C49A9F7FACFB46315F008255F828D7395D774CD0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 0083D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0083CFF9,00000000,00000004,00000000), ref: 0083D218
GetLastError.KERNEL32 ref: 0083D224
__dosmaperr.LIBCMT ref: 0083D22B
ResumeThread.KERNEL32(00000000), ref: 0083D249

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: da2e0f283d007c36e2b3fccf6a900bf368fdbbdbc8bd140bd4ca7a5c8f464bbe
Instruction ID: 8d5bb60d8960a5651c0f9fae930802bee3ae347f43d13a1c569f81bd338128be
Opcode Fuzzy Hash: da2e0f283d007c36e2b3fccf6a900bf368fdbbdbc8bd140bd4ca7a5c8f464bbe
Instruction Fuzzy Hash: 7F01C036805208BBDB215BA9EC09AAF7A69FFC2731F104229F925D21D1CF719901C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 0081600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0081604C
GetStockObject.GDI32(00000011), ref: 00816060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0081606A

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: f98cb10c6f42464350d607d70f5cd10c59bbb080bce9bf8a812bf6998f532a7e
Instruction ID: dc22e2270e1e73e54e7b9313f03b35b6d3b4378cf3e1b16d65ee66283a0090fd
Opcode Fuzzy Hash: f98cb10c6f42464350d607d70f5cd10c59bbb080bce9bf8a812bf6998f532a7e
Instruction Fuzzy Hash: 02116172501948BFEF129F949C44EEA7BADFF1D364F040115FA54A2110D732DCA0DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00833B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00833B56

Part of subcall function 00833AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00833AD2
Part of subcall function 00833AA3: ___AdjustPointer.LIBCMT ref: 00833AED

_UnwindNestedFrames.LIBCMT ref: 00833B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00833B7C
CallCatchBlock.LIBVCRUNTIME ref: 00833BA4

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: f2d0ce4de731a3d39ffe9c9cb3b120496c0fb00301fa09308771886bbdf8b20d
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 3401E932100149BBDF125E99CC46EEB7B69FF98764F044414FE48A6121C736E961DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00843073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008113C6,00000000,00000000,?,0084301A,008113C6,00000000,00000000,00000000,?,0084328B,00000006,FlsSetValue), ref: 008430A5
GetLastError.KERNEL32(?,0084301A,008113C6,00000000,00000000,00000000,?,0084328B,00000006,FlsSetValue,008B2290,FlsSetValue,00000000,00000364,?,00842E46), ref: 008430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0084301A,008113C6,00000000,00000000,00000000,?,0084328B,00000006,FlsSetValue,008B2290,FlsSetValue,00000000), ref: 008430BF

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: a495ce06e9082e76bb100198867c74f8200dfab9ae63a0a3f2e3c88c143f3194
Instruction ID: 0d39aabcaaada561ce6bfa8659a9df9b04534d8e5dcd2aac2d4f39c0f551cf95
Opcode Fuzzy Hash: a495ce06e9082e76bb100198867c74f8200dfab9ae63a0a3f2e3c88c143f3194
Instruction Fuzzy Hash: 03014E32301A2AABDB314B789C44A577BD8FF06B71B200720F905E7240CB21DD01C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 00877464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0087747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00877497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008774CA

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: f6fa6737ca62b5028bb1e93edc27462fc249eea587cac4ddf6956ec3640d1998
Instruction ID: cd7025eb0b5b219e1f9f82a4429908403823ee5d5422c83ed54ca29c391ebaf8
Opcode Fuzzy Hash: f6fa6737ca62b5028bb1e93edc27462fc249eea587cac4ddf6956ec3640d1998
Instruction Fuzzy Hash: 81118EB12093159BF7208F24DC08B927BFCFB04B04F10C569A61AD6555D7B0E944DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0087B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0087ACD3,?,00008000), ref: 0087B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0087ACD3,?,00008000), ref: 0087B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0087ACD3,?,00008000), ref: 0087B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0087ACD3,?,00008000), ref: 0087B126

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: ece8c9bbfa408220dc36c8bf1943defcfa2e8b072f81a4e6acd6d960005f1601
Instruction ID: 335c273efdcec33ea3252cc758ec1f4fa3484ad3f24924cc69df86959124c64e
Opcode Fuzzy Hash: ece8c9bbfa408220dc36c8bf1943defcfa2e8b072f81a4e6acd6d960005f1601
Instruction Fuzzy Hash: 38117C30E0152DD7DF00AFE4E9687EEBB78FF0A311F008085D945B2145DB3085918B65

Uniqueness

Uniqueness Score: -1.00%

Function 00872DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00872DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00872DD6
GetCurrentThreadId.KERNEL32 ref: 00872DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00872DE4

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: caf9b77eaf14c7a95523af6734b9df01d90c9784492d8ecbe835efa11231e334
Instruction ID: c9f204e13d289a1f9c3bb234e9a601e5c815049e4e487c11bd16eea94a466b06
Opcode Fuzzy Hash: caf9b77eaf14c7a95523af6734b9df01d90c9784492d8ecbe835efa11231e334
Instruction Fuzzy Hash: D1E012B16052287BE7305B739C0DFEB7E6CFF57BA1F404119F50AD14909AA5C941C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 008A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00829639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00829693
Part of subcall function 00829639: SelectObject.GDI32(?,00000000), ref: 008296A2
Part of subcall function 00829639: BeginPath.GDI32(?), ref: 008296B9
Part of subcall function 00829639: SelectObject.GDI32(?,00000000), ref: 008296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 008A8887
LineTo.GDI32(?,?,?), ref: 008A8894
EndPath.GDI32(?), ref: 008A88A4
StrokePath.GDI32(?), ref: 008A88B2

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 4194ab208ed2d62784bcb0a96af73e61ebd53745f1fd397012b763e14bf84223
Instruction ID: d8fb30f4e1c3d7ee76d523d780a7196f2420225211d8d7a97e5c6e77a1fedd9e
Opcode Fuzzy Hash: 4194ab208ed2d62784bcb0a96af73e61ebd53745f1fd397012b763e14bf84223
Instruction Fuzzy Hash: 17F03A36045658FAEB126F94AC0DFCE3E59BF06310F448000FA11A54E2CB795551CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 008298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008298CC
SetTextColor.GDI32(?,?), ref: 008298D6
SetBkMode.GDI32(?,00000001), ref: 008298E9
GetStockObject.GDI32(00000005), ref: 008298F1

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 82a88f8ad3401d7700bc26ef8ad905bf42bcc5f4bf3e85cb1151fa6e60a6ede6
Instruction ID: e85a301ed0767817e4dceed4a52940ca3ebba8dccd31675d4aa79d360dbe61b6
Opcode Fuzzy Hash: 82a88f8ad3401d7700bc26ef8ad905bf42bcc5f4bf3e85cb1151fa6e60a6ede6
Instruction Fuzzy Hash: 3DE06D31244280AAEB215B74BC0DBE83F61FB13336F048219F6FA984E1C77246809B10

Uniqueness

Uniqueness Score: -1.00%

Function 0087162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00871634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008711D9), ref: 0087163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008711D9), ref: 00871648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008711D9), ref: 0087164F

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 4ddf26440a961d8ba8e26641bf14a24f5231e0e95527ce489558c8959c61eb62
Instruction ID: 5cb9d100a12dee9a0f3ffd42428f2f0f0492014f60551e8dc2331866d5919947
Opcode Fuzzy Hash: 4ddf26440a961d8ba8e26641bf14a24f5231e0e95527ce489558c8959c61eb62
Instruction Fuzzy Hash: 34E08C32602211EBEB201FA5AE0DB873BBCFF56792F148808F249C9480EA388540CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0086D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0086D858
GetDC.USER32(00000000), ref: 0086D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0086D882
ReleaseDC.USER32(?), ref: 0086D8A3

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1bce8d339edf1806da5962e74b54f92e6d232b5e6229b747f3f0744b4817cb54
Instruction ID: 36bdff0617f8f45a55eb48bac9e64bbb2dd6fedc5241512380eade3e18de9dd5
Opcode Fuzzy Hash: 1bce8d339edf1806da5962e74b54f92e6d232b5e6229b747f3f0744b4817cb54
Instruction Fuzzy Hash: FAE01AB0800208DFDB419FA0D80C66DBBB5FB19310F109419E806E7750CB388941AF40

Uniqueness

Uniqueness Score: -1.00%

Function 0086D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0086D86C
GetDC.USER32(00000000), ref: 0086D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0086D882
ReleaseDC.USER32(?), ref: 0086D8A3

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5e7415956cef5788422355c7576713a226b4b0ee8d55a63a3dcd15fce1b84e83
Instruction ID: b5eea3b0b73ec0060532e985c5607dd124d347e47e3385808e0d169001aad6c7
Opcode Fuzzy Hash: 5e7415956cef5788422355c7576713a226b4b0ee8d55a63a3dcd15fce1b84e83
Instruction Fuzzy Hash: FCE012B0800204EFDB41AFA0D80866EBBB5FB18310B109008E80AE7760CB389942AF40

Uniqueness

Uniqueness Score: -1.00%

Function 00884D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00817620: _wcslen.LIBCMT ref: 00817625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00884ED4

Strings

LPT, xrefs: 00884DFB
*, xrefs: 00884E10

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 819ea01fcef3eeff38099168e2b6144697c96b6629d835080950498e856356fa
Instruction ID: 1cf7b925eaf80a0c34e1e1c543900a46ed6a081e7db964ff9365f092490cacea
Opcode Fuzzy Hash: 819ea01fcef3eeff38099168e2b6144697c96b6629d835080950498e856356fa
Instruction Fuzzy Hash: A2914A75A002059FCB14EF58C484EAABBB5FF44318F18909DE90A9F362DB35ED85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0083E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0083E30D

Strings

pow, xrefs: 0083E2E5, 0083E302

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 5def7ce09ad62495d409d33ef6f4bc13ea5623d90ae562cfed03a0b16ba5aed8
Instruction ID: eed8ba0503fbd399c0b0042d102b0402cf0c1847dd5716c3cc96a5936a14dfd3
Opcode Fuzzy Hash: 5def7ce09ad62495d409d33ef6f4bc13ea5623d90ae562cfed03a0b16ba5aed8
Instruction Fuzzy Hash: 48512B61E1C20A96DB157728C9413BA3BA4FB80B40F744E68F0D5C63EDEF358C959AC6

Uniqueness

Uniqueness Score: -1.00%

Function 0082E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0082E1B1

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 7c68b429e5d68b61367992833169be3608f474c44932c1f8fc789585fc06c15f
Instruction ID: 4556106f470561206a6db3c08deeac102d2a16df287557cd272e8d0a81a1994a
Opcode Fuzzy Hash: 7c68b429e5d68b61367992833169be3608f474c44932c1f8fc789585fc06c15f
Instruction Fuzzy Hash: 9951233950025ADFDF15DF68D485AFA7BA8FF26310F244059F892DB2D0D6349D82CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0082F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0082F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0082F2BB

Strings

@, xrefs: 0082F2AF

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: be47045f6b66b0bdfb8cdd3fd2d91c67a9cd1206e5822491f6b46767a44836af
Instruction ID: 7da5f998818ab42650d68e552cf76a7c59f5f7981ff1be1eed4cabc25172b6a1
Opcode Fuzzy Hash: be47045f6b66b0bdfb8cdd3fd2d91c67a9cd1206e5822491f6b46767a44836af
Instruction Fuzzy Hash: 09512571418B449BD320AF14D886BABBBFCFF85300F81885DF2D9811A5EB709569CB67

Uniqueness

Uniqueness Score: -1.00%

Function 00895745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008957E0
_wcslen.LIBCMT ref: 008957EC

Strings

CALLARGARRAY, xrefs: 008957E6, 008957EB

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: b9b3169f45e9a8494ee04496d856abde7b2c756c2021eabfb8ef6d5404443cbf
Instruction ID: effa3ddb0e226fc93bd8c3f64d8fd70fbdfb6fb6f779f8499781985bd480b2cf
Opcode Fuzzy Hash: b9b3169f45e9a8494ee04496d856abde7b2c756c2021eabfb8ef6d5404443cbf
Instruction Fuzzy Hash: A941AE71A002099FCF04EFA9C8859EEBBB5FF59724F148069E505E7291E7309D81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0088D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0088D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0088D13A

Strings

|, xrefs: 0088D10B

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 6a442b169beb002c2fd29a2dfb9f68cefd207ae56fa662bf7ecec021cd90d3b9
Instruction ID: dd0c2e8da79077e7c41627ed5b7c2bc27eda91f4085055af24e4694837bf177b
Opcode Fuzzy Hash: 6a442b169beb002c2fd29a2dfb9f68cefd207ae56fa662bf7ecec021cd90d3b9
Instruction Fuzzy Hash: CE311975D00219ABCF15EFA8CC85AEEBFB9FF04300F100119F815E6166EB31AA56CB61

Uniqueness

Uniqueness Score: -1.00%

Function 008A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 008A3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 008A365C

Strings

static, xrefs: 008A35BC

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 02791141a566fa177f258b1abc586b294d1a2645aaa2589cd899a2c7bfa92d18
Instruction ID: 00dc7420d71a048c6abe6c0ec381e18b52da38ad663ba00b93b3bece0a34727c
Opcode Fuzzy Hash: 02791141a566fa177f258b1abc586b294d1a2645aaa2589cd899a2c7bfa92d18
Instruction Fuzzy Hash: 28318B71500604AEEB109F68DC80EFB73A9FF99724F008619F8A5D7280DA31AD91DB60

Uniqueness

Uniqueness Score: -1.00%

Function 008A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 008A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008A4634

Strings

', xrefs: 008A458E

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 950e127f3647ddbf4f30ece5d7768d15126ef2df46d9186fe7b94bb70208dcfa
Instruction ID: 0bf9d817e3adad4fe23feab810267e167f6e9b366ef4784aec4e54a9c85b72f9
Opcode Fuzzy Hash: 950e127f3647ddbf4f30ece5d7768d15126ef2df46d9186fe7b94bb70208dcfa
Instruction Fuzzy Hash: 51312874A0120A9FEF14CF69C980BDABBB5FF8A300F105069E904EB741D7B0A941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 008A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 008A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008A3287

Strings

Combobox, xrefs: 008A3249

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: d1373fc561a16150c0e4ab401aa0d09e384df0be69368b89288b0d167568788c
Instruction ID: 7c067a09a8394a5ccffd7e103a6c9d000e478924f014b4dd36bfa042bc5be73f
Opcode Fuzzy Hash: d1373fc561a16150c0e4ab401aa0d09e384df0be69368b89288b0d167568788c
Instruction Fuzzy Hash: B011B2713002087FFF219E94DC85FBB3B6AFB9A3A5F104129F918E7690D6319D5187A0

Uniqueness

Uniqueness Score: -1.00%

Function 008A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0081600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0081604C
Part of subcall function 0081600E: GetStockObject.GDI32(00000011), ref: 00816060
Part of subcall function 0081600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0081606A

GetWindowRect.USER32(00000000,?), ref: 008A377A
GetSysColor.USER32(00000012), ref: 008A3794

Strings

static, xrefs: 008A3757

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: f2e86444e8a81d2b79acb4de1d783748215f0754e8829ed52baa4a9a5885c213
Instruction ID: 0e14cf02875783ca7e5c1eeee1e3f7a9077e1ff5f16a2163c447d1649ce35172
Opcode Fuzzy Hash: f2e86444e8a81d2b79acb4de1d783748215f0754e8829ed52baa4a9a5885c213
Instruction Fuzzy Hash: 0811F9B2610209AFEF01DFA8CC45EFA7BB8FB09354F004525F955E2250E775E9519B60

Uniqueness

Uniqueness Score: -1.00%

Function 0088CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0088CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0088CDA6

Strings

<local>, xrefs: 0088CD66

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a99e7740e1c2e68787fcc6e86141af69f5ba67435f6903dffe216a9401de8810
Instruction ID: 04ba3b047b8d678203356d3ae68de9d5b3562bfaa62c10c5c620c539fb01e870
Opcode Fuzzy Hash: a99e7740e1c2e68787fcc6e86141af69f5ba67435f6903dffe216a9401de8810
Instruction Fuzzy Hash: 8C11A371205636BAD7746B668C45EE7BEA8FB127A4F004226B109C3184D6749841D7F0

Uniqueness

Uniqueness Score: -1.00%

Function 008A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 008A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008A34BA

Strings

edit, xrefs: 008A348F

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 22a6e565d55c22cd88fce54aa9b97c8bb93bbcfdb687999a9d6965398f8b51ed
Instruction ID: f3b2856bd3e267dbafb9a2bc4cb5c9b123dc9b31c8922b1164eef5c656518fc2
Opcode Fuzzy Hash: 22a6e565d55c22cd88fce54aa9b97c8bb93bbcfdb687999a9d6965398f8b51ed
Instruction Fuzzy Hash: 1E116D71501208ABFB118E64DC44AAB3B6AFB2A378F504324F961D79D0C771DD919B68

Uniqueness

Uniqueness Score: -1.00%

Function 00876C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

CharUpperBuffW.USER32(?,?,?), ref: 00876CB6
_wcslen.LIBCMT ref: 00876CC2

Strings

STOP, xrefs: 00876CBC, 00876CC1

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 094e6db393e83843d9ded90f7438879dc6bda3dcc2e04bf627a1771464d241cb
Instruction ID: b41f7b547dbe74b910470fc6992e6f5e886f0907743b8c119f75df931a58b85e
Opcode Fuzzy Hash: 094e6db393e83843d9ded90f7438879dc6bda3dcc2e04bf627a1771464d241cb
Instruction Fuzzy Hash: 7C010432A109268ACB219FBDCC809BF37A8FFA1710B104528E966D6198FB32D960C650

Uniqueness

Uniqueness Score: -1.00%

Function 00871CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 00873CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00873CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00871D4C

Strings

ListBox, xrefs: 00871D16
ComboBox, xrefs: 00871CEB

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6c8ce1730ac12f9836299670a07a548e607a9e8f2651ba250e5ed8f9f097e3b7
Instruction ID: e531934f340717fc4f21d8d8b70de52a75fa001daac7a6b7489ac931e99446ca
Opcode Fuzzy Hash: 6c8ce1730ac12f9836299670a07a548e607a9e8f2651ba250e5ed8f9f097e3b7
Instruction Fuzzy Hash: 2E012D316001186BCF14EBACCC55CFE7768FF43390B00461AF876D73C5EA3099089A61

Uniqueness

Uniqueness Score: -1.00%

Function 00871BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 00873CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00873CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00871C46

Strings

ListBox, xrefs: 00871C10
ComboBox, xrefs: 00871BE5

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 60fb58d43199c612b91f494e11673e5b0d8caa68ee32c80cfc6b4f9856321838
Instruction ID: 97efb2f01797dae4c7a5ee1a49cef128f5b836c715748fe7fe9445c844588d8b
Opcode Fuzzy Hash: 60fb58d43199c612b91f494e11673e5b0d8caa68ee32c80cfc6b4f9856321838
Instruction Fuzzy Hash: A701D87168010866CF05E7D8C9569FF73ACFF51340F20001AE85AE7685EA20DB0896B2

Uniqueness

Uniqueness Score: -1.00%

Function 00871C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 00873CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00873CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00871CC8

Strings

ListBox, xrefs: 00871C94
ComboBox, xrefs: 00871C69

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6de89846e7f303fea54a5b666a86feca7152a545d528d5869405c8496b1db967
Instruction ID: f9d184419b2ce5dc4f2ef4ca7f824033314464e91e528798622f664b9f6cb4ac
Opcode Fuzzy Hash: 6de89846e7f303fea54a5b666a86feca7152a545d528d5869405c8496b1db967
Instruction Fuzzy Hash: BF01A77168011866DF15EBD8CA16AFE73ACFF51340B144016B886F3685EA20DF0896B2

Uniqueness

Uniqueness Score: -1.00%

Function 0089747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00897493
_wcslen.LIBCMT ref: 008974B9

Strings

3, 3, 16, 1, xrefs: 00897483

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: df59a66127e7b75d86255d5a14dc38a940b4f97438c8431816359d7ee2eac021
Instruction ID: b0c9570cc18cc8bc6e0a15935c1d22ab9417d6bbdfd743e821ef7492abd84201
Opcode Fuzzy Hash: df59a66127e7b75d86255d5a14dc38a940b4f97438c8431816359d7ee2eac021
Instruction Fuzzy Hash: F9E02B02224220109731327DDCC1B7F5B89FFC9760B18282BFD85C2377EA989D9193E6

Uniqueness

Uniqueness Score: -1.00%

Function 00870B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00870B23

Strings

Error allocating memory., xrefs: 00870B1C
AutoIt, xrefs: 00870B17

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 7bd407442d361815b55dbd26b3ae65f8f2fb8f1012c0ccfdd8d75abbc1305395
Instruction ID: f003c798c29efb58c17c4ba14deffd7daae0921fd8f06882e0de7f2b10ad85f7
Opcode Fuzzy Hash: 7bd407442d361815b55dbd26b3ae65f8f2fb8f1012c0ccfdd8d75abbc1305395
Instruction Fuzzy Hash: FCE0D83124431836E21037987C03F897B84FF06B60F100427FB98D5AC38FE1649046EA

Uniqueness

Uniqueness Score: -1.00%

Function 00830D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0082F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00830D71,?,?,?,0081100A), ref: 0082F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0081100A), ref: 00830D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0081100A), ref: 00830D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00830D7F

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 8190aac6d4c11a093638a9498259bc1541b4818d842ea91f4d7eb9de85701a3e
Instruction ID: c2c17584899b51a69c9f51e3184ddb519db6c7a06f50f157ff63199430157ddf
Opcode Fuzzy Hash: 8190aac6d4c11a093638a9498259bc1541b4818d842ea91f4d7eb9de85701a3e
Instruction Fuzzy Hash: 57E06D702007518BE3209FFCE8583467BE4FF05740F004A2DE582CAA52DBB4E4888FD1

Uniqueness

Uniqueness Score: -1.00%

Function 0086D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0086D220

Strings

%.3d, xrefs: 0086D22B
X64, xrefs: 0086D2A8

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: c2e8ae44ad7932f4c2359f2d58d83c29fc0771bb3bf49f0e7fbace9d9b2811d0
Instruction ID: 5de2fe68ec3711abb88604ae65c2ef43707bd995798b97fb8d0b07f9e017f95c
Opcode Fuzzy Hash: c2e8ae44ad7932f4c2359f2d58d83c29fc0771bb3bf49f0e7fbace9d9b2811d0
Instruction Fuzzy Hash: 59D05BB1D0831CE9CB9097D0DC559B9B37CFB08305F918463F906D1241E738E548A761

Uniqueness

Uniqueness Score: -1.00%

Function 008A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008A232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 008A233F

Part of subcall function 0087E97B: Sleep.KERNEL32 ref: 0087E9F3

Strings

Shell_TrayWnd, xrefs: 008A2325

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f5487fce4cea312ee9a729e91246d7a89b117aeae2203d3b98b4d194167e5686
Instruction ID: 49ac0c524c9ecfa5996180fa75af021079cc36840f2b1e3d72b1fe6b69be35fc
Opcode Fuzzy Hash: f5487fce4cea312ee9a729e91246d7a89b117aeae2203d3b98b4d194167e5686
Instruction Fuzzy Hash: ACD01236794314B7F6A4BB70DC4FFCA7A14FB15B10F008A167759EA2D4D9F4A801CA54

Uniqueness

Uniqueness Score: -1.00%

Function 008A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008A236C
PostMessageW.USER32(00000000), ref: 008A2373

Part of subcall function 0087E97B: Sleep.KERNEL32 ref: 0087E9F3

Strings

Shell_TrayWnd, xrefs: 008A2365

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3d581e3807a6fef973aa98eabfe49f13599ecd58d07a38c9ce50a8a41b6fa038
Instruction ID: eccca48c20e6be6db2eceb6058761953ab3a2f23f69dda266fa4498532d1c7ee
Opcode Fuzzy Hash: 3d581e3807a6fef973aa98eabfe49f13599ecd58d07a38c9ce50a8a41b6fa038
Instruction Fuzzy Hash: 6FD0C9327813147AF6A4AB709C4FFCA6A14BB16B10F008A167755EA2D4D9A4A8018A54

Uniqueness

Uniqueness Score: -1.00%

Function 0084BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0084BE93
GetLastError.KERNEL32 ref: 0084BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0084BEFC

Memory Dump Source

Source File: 00000000.00000002.1221092828.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1221070638.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221171396.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221221215.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1221336410.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_FAR.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 3991960f86941f8e40a85fa42166253ba18fd24a506b2fc5271580cf8a9ca21d
Instruction ID: bc90a83e0f63a8a24ae0db000ca94e4479e4d5985ebaf6e7c2cad2ae98afea84
Opcode Fuzzy Hash: 3991960f86941f8e40a85fa42166253ba18fd24a506b2fc5271580cf8a9ca21d
Instruction Fuzzy Hash: 3141A23460420AABDB218FA9CC44AAABBA5FF42310F144169F95DD72A2DF30DD05DB61

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FAR.N_2430-240009934.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newfile.exe.log

C:\Users\user\AppData\Local\Temp\Idonna

C:\Users\user\AppData\Local\Temp\aut100A.tmp

C:\Users\user\AppData\Local\Temp\autFBB.tmp

C:\Users\user\AppData\Local\Temp\preconform

C:\Users\user\AppData\Roaming\newfile\newfile.exe

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
FAR.N_2430-240009934.exe

Function 008142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 008142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00852BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00812CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0085065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0081344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00812B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00813170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00848D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 03ED2620 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00812C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 03ED2410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136
fileCOMMON

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre