Edit tour

Windows Analysis Report
charesworh.exe

Overview

General Information

Sample name:	charesworh.exe
Analysis ID:	1428836
MD5:	590b450f25fafb87d58090f15d279e17
SHA1:	3f73fb4c40e67fe01b71bc1cb99dc4fb1a5b54b4
SHA256:	2dd7ca872acd828eeab12c42fb0a2fb96084876164525845d396ae489932aa7a
Tags:	agentteslaexeFormbook
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Binary is likely a compiled AutoIt script file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

charesworh.exe (PID: 6080 cmdline: "C:\Users\user\Desktop\charesworh.exe" MD5: 590B450F25FAFB87D58090F15D279E17)

RegSvcs.exe (PID: 5360 cmdline: "C:\Users\user\Desktop\charesworh.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

newfile.exe (PID: 3228 cmdline: "C:\Users\user\AppData\Roaming\newfile\newfile.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 6064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

newfile.exe (PID: 3120 cmdline: "C:\Users\user\AppData\Roaming\newfile\newfile.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 1280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.cash4cars.nz", "Username": "logs@cash4cars.nz", "Password": "logs2024!"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2634689317.0000000000712000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2634689317.0000000000712000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2635779693.0000000002861000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2635779693.0000000002861000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34662:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x346d4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3475e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x347f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3485a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x348cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34962:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x349f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000002.00000002.2635779693.000000000288E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: charesworh.exe PID: 6080	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: charesworh.exe PID: 6080	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: charesworh.exe PID: 6080	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 5360	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5360	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.710000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.710000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.710000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.710000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34662:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x346d4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3475e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x347f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3485a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x348cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34962:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x349f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.charesworh.exe.1390000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.charesworh.exe.1390000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.charesworh.exe.1390000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.charesworh.exe.1390000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34662:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x346d4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3475e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x347f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3485a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x348cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34962:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x349f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.charesworh.exe.1390000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.charesworh.exe.1390000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.charesworh.exe.1390000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32862:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x328d4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3295e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x329f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32a5a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32acc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32b62:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32bf2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 6 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\newfile\newfile.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5360, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newfile

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegSvcs.exe.710000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.cash4cars.nz", "Username": "logs@cash4cars.nz", "Password": "logs2024!"}

Multi AV Scanner detection for submitted file

Source: charesworh.exe

ReversingLabs: Detection: 50%

Machine Learning detection for sample

Source: charesworh.exe

Joe Sandbox ML: detected

Source: charesworh.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: RegSvcs.pdb, source: newfile.exe, 00000003.00000000.1516766156.0000000000E72000.00000002.00000001.01000000.00000006.sdmp, newfile.exe.2.dr
Source:	Binary string: wntdll.pdbUGP source: charesworh.exe, 00000000.00000003.1396161490.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, charesworh.exe, 00000000.00000003.1397980135.0000000003C80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: charesworh.exe, 00000000.00000003.1396161490.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, charesworh.exe, 00000000.00000003.1397980135.0000000003C80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: newfile.exe, 00000003.00000000.1516766156.0000000000E72000.00000002.00000001.01000000.00000006.sdmp, newfile.exe.2.dr

Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C84696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C84696
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C8C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00C8C9C7
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C8C93C FindFirstFileW,FindClose,	0_2_00C8C93C
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C8F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C8F200
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C8F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C8F35D
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C8F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C8F65E
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C83A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C83A2B
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C83D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C83D4E
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C8BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C8BF27

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegSvcs.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.charesworh.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.8:49706 -> 114.142.162.17:26

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 114.142.162.17 114.142.162.17

Source: Joe Sandbox View

ASN Name: SERVERMULE-AS-APNimbus2PtyLtdAU SERVERMULE-AS-APNimbus2PtyLtdAU

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C925E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00C925E2

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: RegSvcs.exe, 00000002.00000002.2635779693.0000000002831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: charesworh.exe, 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2634689317.0000000000712000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2635779693.0000000002831000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2634989652.0000000000995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000002.00000002.2635779693.0000000002894000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.cash4cars.nz
Source: RegSvcs.exe, 00000002.00000002.2635779693.0000000002831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: charesworh.exe, 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2634689317.0000000000712000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.charesworh.exe.1390000.1.raw.unpack, cPKWk.cs

.Net Code: hZd2

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C9425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00C9425A

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C94458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00C94458

Source: C:\Users\user\Desktop\charesworh.exe

0_2_00C9425A

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C80219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00C80219

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00CACDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00CACDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.710000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.charesworh.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.charesworh.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\charesworh.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00C23B4C
Source: charesworh.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: charesworh.exe, 00000000.00000000.1384002707.0000000000CD5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_3731d04b-4
Source: charesworh.exe, 00000000.00000000.1384002707.0000000000CD5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e75241d9-7
Source: charesworh.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_47b33e29-9
Source: charesworh.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_97ceaffa-c

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C840B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_00C840B1

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C78858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00C78858

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C8545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00C8545F

Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C2E800	0_2_00C2E800
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C4DBB5	0_2_00C4DBB5
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00CA804A	0_2_00CA804A
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C2E060	0_2_00C2E060
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C34140	0_2_00C34140
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C42405	0_2_00C42405
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C56522	0_2_00C56522
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00CA0665	0_2_00CA0665
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C5267E	0_2_00C5267E
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C36843	0_2_00C36843
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C4283A	0_2_00C4283A
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C589DF	0_2_00C589DF
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00CA0AE2	0_2_00CA0AE2
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C56A94	0_2_00C56A94
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C38A0E	0_2_00C38A0E
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C7EB07	0_2_00C7EB07
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C88B13	0_2_00C88B13
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C4CD61	0_2_00C4CD61
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C57006	0_2_00C57006
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C33190	0_2_00C33190
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C3710E	0_2_00C3710E
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C21287	0_2_00C21287
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C433C7	0_2_00C433C7
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C4F419	0_2_00C4F419
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C416C4	0_2_00C416C4
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C35680	0_2_00C35680
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C358C0	0_2_00C358C0
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C478D3	0_2_00C478D3
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C41BB8	0_2_00C41BB8
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C59D05	0_2_00C59D05
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C2FE40	0_2_00C2FE40
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C41FD0	0_2_00C41FD0
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C4BFE6	0_2_00C4BFE6
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_01383650	0_2_01383650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00C64AD0	2_2_00C64AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00C6D230	2_2_00C6D230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00C63EB8	2_2_00C63EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00C64200	2_2_00C64200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F68788	2_2_05F68788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F60040	2_2_05F60040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F6B380	2_2_05F6B380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F632D0	2_2_05F632D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F65910	2_2_05F65910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F6E830	2_2_05F6E830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F69BF0	2_2_05F69BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F60007	2_2_05F60007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F6ACA0	2_2_05F6ACA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F68EF0	2_2_05F68EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05F6E81F	2_2_05F6E81F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_064E3500	2_2_064E3500

Source: C:\Users\user\Desktop\charesworh.exe	Code function: String function: 00C48B40 appears 42 times
Source: C:\Users\user\Desktop\charesworh.exe	Code function: String function: 00C40D27 appears 70 times
Source: C:\Users\user\Desktop\charesworh.exe	Code function: String function: 00C27F41 appears 35 times

Source: charesworh.exe, 00000000.00000003.1398561609.0000000003F4D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs charesworh.exe
Source: charesworh.exe, 00000000.00000003.1396530391.0000000003DA3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs charesworh.exe
Source: charesworh.exe, 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename5c6f5efb-7c76-4283-af3e-eb17be5e53b7.exe4 vs charesworh.exe

Source: charesworh.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.710000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.charesworh.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.charesworh.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.charesworh.exe.1390000.1.raw.unpack, cPs8D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.charesworh.exe.1390000.1.raw.unpack, 72CF8egH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.charesworh.exe.1390000.1.raw.unpack, G5CXsdn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.charesworh.exe.1390000.1.raw.unpack, 3uPsILA6U.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.charesworh.exe.1390000.1.raw.unpack, 6oQOw74dfIt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.charesworh.exe.1390000.1.raw.unpack, aMIWm.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.charesworh.exe.1390000.1.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.charesworh.exe.1390000.1.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/8@2/2

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C8A2D5 GetLastError,FormatMessageW,

0_2_00C8A2D5

Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C78713 AdjustTokenPrivileges,CloseHandle,		0_2_00C78713
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C78CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00C78CC3

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C8B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00C8B59E

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C9F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00C9F121

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C986D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00C986D0

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C24FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00C24FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\newfile

Jump to behavior

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6064:120:WilError_03

Source: C:\Users\user\Desktop\charesworh.exe

File created: C:\Users\user\AppData\Local\Temp\aut92D3.tmp

Jump to behavior

Source: charesworh.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\charesworh.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: charesworh.exe

ReversingLabs: Detection: 50%

Source: unknown	Process created: C:\Users\user\Desktop\charesworh.exe "C:\Users\user\Desktop\charesworh.exe"
Source: C:\Users\user\Desktop\charesworh.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\charesworh.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\charesworh.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\charesworh.exe"	Jump to behavior

Source: C:\Users\user\Desktop\charesworh.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: charesworh.exe

Static file information: File size 1067008 > 1048576

Source: charesworh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: charesworh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: charesworh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: charesworh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: charesworh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: charesworh.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: charesworh.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RegSvcs.pdb, source: newfile.exe, 00000003.00000000.1516766156.0000000000E72000.00000002.00000001.01000000.00000006.sdmp, newfile.exe.2.dr
Source:	Binary string: wntdll.pdbUGP source: charesworh.exe, 00000000.00000003.1396161490.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, charesworh.exe, 00000000.00000003.1397980135.0000000003C80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: charesworh.exe, 00000000.00000003.1396161490.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, charesworh.exe, 00000000.00000003.1397980135.0000000003C80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: newfile.exe, 00000003.00000000.1516766156.0000000000E72000.00000002.00000001.01000000.00000006.sdmp, newfile.exe.2.dr

Source: charesworh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: charesworh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: charesworh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: charesworh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: charesworh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C9C304 LoadLibraryA,GetProcAddress,

0_2_00C9C304

Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C7031B push ecx; ret	0_2_00C70451
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C70457 push ecx; ret	0_2_00C70459
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C70453 push ecx; ret	0_2_00C70455
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C36701 push ecx; ret	0_2_00C36737
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C48B85 push ecx; ret	0_2_00C48B98
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C311AD push cs; ret	0_2_00C311AE
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C311B1 push cs; ret	0_2_00C311B6
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C31118 push cs; ret	0_2_00C3111E
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C31120 push cs; ret	0_2_00C311AA
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C35488 push eax; ret	0_2_00C354B2
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C354B4 push edx; ret	0_2_00C354E6
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C35470 push ebx; ret	0_2_00C35486
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C35400 push ebx; ret	0_2_00C35406
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C35408 push ebx; ret	0_2_00C35432
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C35507 push edx; ret	0_2_00C35512
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C3553F push ebx; ret	0_2_00C3554A
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C317E3 push ss; ret	0_2_00C317EC
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C317ED push ss; ret	0_2_00C317F0
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C317FD push ss; ret	0_2_00C31800

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\newfile\newfile.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Users\user\AppData\Roaming\newfile\newfile.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C24A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00C24A35
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00CA55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00CA55FD

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C433C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00C433C7

Source: C:\Users\user\Desktop\charesworh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: charesworh.exe PID: 6080, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: charesworh.exe, 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2634689317.0000000000712000.00000040.80000000.00040000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 3150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 5150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 22E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 2590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 22E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2276			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7582			Jump to behavior

Source: C:\Users\user\Desktop\charesworh.exe

API coverage: 4.6 %

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe TID: 3340	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe TID: 3404	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C84696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C84696
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C8C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00C8C9C7
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C8C93C FindFirstFileW,FindClose,	0_2_00C8C93C
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C8F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C8F200
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C8F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C8F35D
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C8F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C8F65E
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C83A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C83A2B
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C83D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C83D4E
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C8BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C8BF27

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C24AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C24AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99873	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98543	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98429	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97647	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97420	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97091	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96430	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95761	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94560	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.2634689317.0000000000712000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000002.00000002.2634689317.0000000000712000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: RegSvcs.exe, 00000002.00000002.2637339494.00000000059EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\charesworh.exe	API call chain: ExitProcess graph end node			graph_0-98786
Source: C:\Users\user\Desktop\charesworh.exe	API call chain: ExitProcess graph end node			graph_0-99616

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_00C670B8 CheckRemoteDebuggerPresent,

2_2_00C670B8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C941FD BlockInput,

0_2_00C941FD

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C23B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C23B4C

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C55CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00C55CCC

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C9C304 LoadLibraryA,GetProcAddress,

0_2_00C9C304

Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_01383540 mov eax, dword ptr fs:[00000030h]	0_2_01383540
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_013834E0 mov eax, dword ptr fs:[00000030h]	0_2_013834E0
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_01381ED0 mov eax, dword ptr fs:[00000030h]	0_2_01381ED0

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C781F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00C781F7

Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C4A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00C4A395
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C4A364 SetUnhandledExceptionFilter,		0_2_00C4A364

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\charesworh.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\charesworh.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 598008

Jump to behavior

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C78C93 LogonUserW,

0_2_00C78C93

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C23B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C23B4C

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C24A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00C24A35

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C84EC9 mouse_event,

0_2_00C84EC9

Source: C:\Users\user\Desktop\charesworh.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\charesworh.exe"

Jump to behavior

Source: C:\Users\user\Desktop\charesworh.exe

0_2_00C781F7

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C84C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00C84C03

Source: charesworh.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: charesworh.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C4886B cpuid

0_2_00C4886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Users\user\AppData\Roaming\newfile\newfile.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Users\user\AppData\Roaming\newfile\newfile.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C550D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00C550D7

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C62230 GetUserNameW,

0_2_00C62230

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C5418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00C5418A

Source: C:\Users\user\Desktop\charesworh.exe

Code function: 0_2_00C24AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C24AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.charesworh.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.charesworh.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2634689317.0000000000712000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2635779693.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2635779693.000000000288E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: charesworh.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5360, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: charesworh.exe	Binary or memory string: WIN_81
Source: charesworh.exe	Binary or memory string: WIN_XP
Source: charesworh.exe	Binary or memory string: WIN_XPe
Source: charesworh.exe	Binary or memory string: WIN_VISTA
Source: charesworh.exe	Binary or memory string: WIN_7
Source: charesworh.exe	Binary or memory string: WIN_8
Source: charesworh.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 2.2.RegSvcs.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.charesworh.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.charesworh.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2634689317.0000000000712000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2635779693.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: charesworh.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5360, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.charesworh.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.charesworh.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2634689317.0000000000712000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2635779693.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2635779693.000000000288E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: charesworh.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5360, type: MEMORYSTR

Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C96596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00C96596
Source: C:\Users\user\Desktop\charesworh.exe	Code function: 0_2_00C96A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00C96A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	38 System Information Discovery	Distributed Component Object Model	121 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	451 Security Software Discovery	SSH	3 Clipboard Data	2 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
charesworh.exe	50%	ReversingLabs	Win32.Spyware.Negasteal
charesworh.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\newfile\newfile.exe	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.cash4cars.nz	114.142.162.17	true	true		unknown
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://mail.cash4cars.nz	RegSvcs.exe, 00000002.00000002.2635779693.0000000002894000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://account.dyn.com/	charesworh.exe, 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2634689317.0000000000712000.00000040.80000000.00040000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.2635779693.0000000002831000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com	RegSvcs.exe, 00000002.00000002.2635779693.0000000002831000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
114.142.162.17	mail.cash4cars.nz	Australia		133525	SERVERMULE-AS-APNimbus2PtyLtdAU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428836
Start date and time:	2024-04-19 17:23:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	charesworh.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/8@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 61 Number of non-executed functions: 270
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target newfile.exe, PID 3120 because it is empty
Execution Graph export aborted for target newfile.exe, PID 3228 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: charesworh.exe

Simulations

Behavior and APIs

Time	Type	Description
17:24:09	API Interceptor	175x Sleep call for process: RegSvcs.exe modified
17:24:11	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run newfile C:\Users\user\AppData\Roaming\newfile\newfile.exe
17:24:20	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run newfile C:\Users\user\AppData\Roaming\newfile\newfile.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	FAR.N#U00b02430-24000993.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	tems.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	00_datos de la transacci#U00f3n rechazada y n#U00famero de cuenta incorrecto.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	PO-095325.scr.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	UPDATED SSTATEMENT OF ACCOUNT.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	REMITTANCE COPY.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	New Voicemail_Daiichi-Sankyo.html	Get hash	malicious	HTMLPhisher	Browse	ip-api.com/json/?fields=status,country,regionName,city,query
	DHL.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	KjCBSM7Ukv.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	ip-api.com/line/?fields=hosting
114.142.162.17	http://otahuhumainstreet.co.nz	Get hash	malicious	Unknown	Browse	otahuhumainstreet.co.nz/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	FAR.N#U00b02430-24000993.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	tems.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	00_datos de la transacci#U00f3n rechazada y n#U00famero de cuenta incorrecto.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PO-095325.scr.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	UPDATED SSTATEMENT OF ACCOUNT.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	REMITTANCE COPY.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	New Voicemail_Daiichi-Sankyo.html	Get hash	malicious	HTMLPhisher	Browse	208.95.112.1
	DHL.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	KjCBSM7Ukv.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	208.95.112.1
mail.cash4cars.nz	tems.exe	Get hash	malicious	AgentTesla	Browse	114.142.162.17
	20220829_PEDIDO_22073M_PROTECO_LIMPIEZA_Y_KITS.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	114.142.162.17
	justificante.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	114.142.162.17
	Transferencia 4334300002017359pdf.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	114.142.162.17
	20220830_ProtecoPTE.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	114.142.162.17
	Klkket.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	114.142.162.17
	PEDIDO MILWAUKEE 00652024.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	114.142.162.17
	Psychologizing.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	114.142.162.17
	RFQ122.494001.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	114.142.162.17
	FACTURA2402616 - BP.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	114.142.162.17

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SERVERMULE-AS-APNimbus2PtyLtdAU	FAR.N#U00b02430-24000993.exe	Get hash	malicious	AgentTesla	Browse	114.142.162.17
	tems.exe	Get hash	malicious	AgentTesla	Browse	114.142.162.17
	20220829_PEDIDO_22073M_PROTECO_LIMPIEZA_Y_KITS.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	114.142.162.17
	justificante.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	114.142.162.17
	Transferencia 4334300002017359pdf.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	114.142.162.17
	20220830_ProtecoPTE.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	114.142.162.17
	Klkket.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	114.142.162.17
	PEDIDO MILWAUKEE 00652024.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	114.142.162.17
	Psychologizing.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	114.142.162.17
	RFQ122.494001.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	114.142.162.17
TUT-ASUS	FAR.N#U00b02430-24000993.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	tems.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	00_datos de la transacci#U00f3n rechazada y n#U00famero de cuenta incorrecto.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PO-095325.scr.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	UPDATED SSTATEMENT OF ACCOUNT.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	REMITTANCE COPY.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	New Voicemail_Daiichi-Sankyo.html	Get hash	malicious	HTMLPhisher	Browse	208.95.112.1
	DHL.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	KjCBSM7Ukv.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\newfile\newfile.exe	FAR.N_2430-240009934.exe	Get hash	malicious	AgentTesla	Browse
	FAR.N#U00b02430-24000993.exe	Get hash	malicious	AgentTesla	Browse
	tems.exe	Get hash	malicious	AgentTesla	Browse
	HBL.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Heur.15333.25205.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.FileRepMalware.7644.21541.exe	Get hash	malicious	AgentTesla	Browse
	Cintillo 2024.pdf.exe	Get hash	malicious	AgentTesla	Browse
	SHIPMENT ADVICE FOR CLEARTEX.exe	Get hash	malicious	AgentTesla	Browse
	REQUEST FOR QUOTATION.exe	Get hash	malicious	Unknown	Browse
	67002314579XX.exe	Get hash	malicious	AgentTesla	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newfile.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\Marquand

Download File

Process:	C:\Users\user\Desktop\charesworh.exe
File Type:	data
Category:	dropped
Size (bytes):	244736
Entropy (8bit):	6.605921629675959
Encrypted:	false
SSDEEP:	3072:lP2Et5AIJVasTH9QgOiEyL+bCpzff6bZkaLa+wwuxe6PMG16SMI3CRRhzY+t4ZEd:n5qiEm2CaLVqANRmJ97HtBgj+mJSlrM
MD5:	C3CDBE87F4D382C6957F8A467911C59E
SHA1:	A69EEBBA53DA2EA1F287D5976ECAD6F244B78B38
SHA-256:	86733A5F3E6C19CC2E3A164F1B52ED603ACCFC2E03B779D877C3093ACC7AE251
SHA-512:	2F8E64B3FC1152F5064C3F1077CD7EDF172B619EB2290248551B70E6F921EAD7F6EC9EB808D38F16F4502728D732460DA07144AEC51DA3DA59CDD16D57874FAC
Malicious:	false
Reputation:	low
Preview:	...3JJ9TW6GN..C3.T93IJ9T.6GNLNC3DT93IJ9TS6GNLNC3DT93IJ9TS6GN.NC3JK.=I.0.r.F..o.[-'.C;%^&2[g-- -\0t[Vi8L:s_)n....);]VgG4^w6GNLNC3..93.K:T.LX(LNC3DT93.J;UX7LNL.@3D\93IJ9TM.DNLnC3D.:3IJyTS.GNLLC3@T93IJ9TW6GNLNC3Dt=3IH9TS6GNNN..DT)3IZ9TS6WNL^C3DT93YJ9TS6GNLNC3..:3.J9TS.DN.KC3DT93IJ9TS6GNLNC3DT=3EJ9TS6GNLNC3DT93IJ9TS6GNLNC3DT93IJ9TS6GNLNC3DT93IJ9TS.GNDNC3DT93IJ9T[.GN.NC3DT93IJ9T}B"68NC3`.:3Ij9TS.DNLLC3DT93IJ9TS6GNlNCSj&JAJ9T.3GNL.@3DR93I.:TS6GNLNC3DT93.J9.}D""#-C3HT93IJ=TS4GNL.@3DT93IJ9TS6GN.NCqDT93IJ9TS6GNLNC3D.:3IJ9T.6GNNNF3L.;3.\|8TP6GNMNC5DT93IJ9TS6GNLNC3DT93IJ9TS6GNLNC3DT93IJ9TS6GNLNC3Y....qj.KyD.I...3.0....O..C.V.?@....4....k;E..T.<y.Z....;.;A-8....kVL?B&.Dk[X.T....f:...5.C...Gf.XAj.g..r...u['h...:..';T.(:I86..//1Z.V.2IJ9T......-,ridI6Jg$?....pFAe...-6GN(NC36T93(J9T.6GN#NC3*T937J9T-6GN.NC3.T93~J9Tv6GN!NC3`T937J9T.KHA...Z7..3IJ9Tf..~.#.......b".9..v..0.x..<..9/.;..t..7..!u.Dd,Ho..4ER=6KM=W_.I.....FP=6KM=W_.I......r..p..."....4.ODT93IJ.TS.GNL..3.T93.J.T.GNL.3.T.3..T

C:\Users\user\AppData\Local\Temp\aut92D3.tmp

Download File

Process:	C:\Users\user\Desktop\charesworh.exe
File Type:	data
Category:	dropped
Size (bytes):	146182
Entropy (8bit):	7.74719422100689
Encrypted:	false
SSDEEP:	3072:vuOQ29XH+2q4apYG2YRiQ8d7C6qBugNGDXZRTDFUUkOGNSIJ4O:vuf0+LfpZx6zgNGDuUNIx
MD5:	FB3F3C86836544C198AB1C287BC48A39
SHA1:	C4CB20AC2CF58FB82D302B09FEA5A6296B9281C4
SHA-256:	FAB26028F0F66198191016CB2DBE87D2736BC4A472D3F7B2CF7CEB7FA64DAE43
SHA-512:	47D0B838250B5A588D3A3E804A85092B51239154E0EA187593C0E08635D1F7BC41045B0663AC56292AC3230B6C031B2905F3EB0806B71EF6739776CA41A87DC9
Malicious:	false
Reputation:	low
Preview:	EA06......3:UsT.....3.U'3:H.....).....!........)T......fnX.4..o...x..w%.I.U.<.[ ..&.J.Z.8.N.u.M....D.3..Z.G.W.....Dg38-.uT.S+....jiS..boL.S?.......o..N.[......@..q`...C...$3W....{3...(1N.@..J..gI...5zu2.......r.I.... ....U,..... .P....@Q..;[.. .....Si...`.h.....D...=l.P.v.5...".0..\. T..........1K..E"..hs:@..=.T.......C).;.....Pg5H...F..9....8.T...m:.5.....3Y.dyy.......h..Nz+...&......`48}[.?.mz.(d.+..du6...q..yg..V.SZ...i..wA..:=.[.k.S'.)4B.k..8.N&....P./.k..../....PmY[?.-..F..}..'.G....E'..#...&q6.E%.\|...p.@.....z.\M,.Yr..)3jU.I?.y.....A...]l.....`.`..P.`E........&........ .....@.........=.]".....S....B.u.W.4....B.pN.o.b.z'1Yu.-...3...By...e...6.t..f....Y%..\|.74...j]6{W...0]../..T..>...q..s<\i.W....:....q..=.......`..&...t..-..T.L.<..R.X.K$....Wt..RZ..m.......m;...boE..).....W.Dh.9.6...ftJ..L.`U...=:.0..b *.JS..Q.Vn...5.Ng3I`..4..i..L.....4....@.Le`t..O1.L@...O........=..+ b.6.....m".s.I&.z ..7.B......y.[. ..N.T........F.C.5x..9....

C:\Users\user\AppData\Local\Temp\aut9370.tmp

Download File

Process:	C:\Users\user\Desktop\charesworh.exe
File Type:	data
Category:	dropped
Size (bytes):	9866
Entropy (8bit):	7.595025453696654
Encrypted:	false
SSDEEP:	192:mS5jnkklrTefgLYmK2CZOTyTkC7MxAm8+sXxK3v0/qqXfbvjoG9xtDNHvk69TAX5:VnI0BMkekCkaxK3v0/tT7xxRZvksE5v
MD5:	C9C72000BA506C902278AF1A257E5D90
SHA1:	08D7DCDE3162CE6D3EAF88ECBB53F35901B0F585
SHA-256:	89E7BA480C2BC40DD0C6C62321BA6B815DE5726647B371E452E16047D6AF600A
SHA-512:	71196393716FA3C789A37AE7D1D51AA4BC2D48C001007277DC26B4989A5D5BD008D7CA95F754C15BE18ACAAC00DD2CB61D16923243942BF6F750E15FCB6A3963
Malicious:	false
Reputation:	low
Preview:	EA06..p.P.tY..kD.L'....8.M.t..o7.Q'.)..aC.P......0.Mf.....8..lv;..e0..&.i...8.X.....m6.Nf.Y...9.M@..d.!,3y.........e.6., ..%..a.X....-.q3...zs0.Nf`.].Y'3+..d....s4.l&..........\|....sa...`.........Y&.K0.....-vs5.M..2...N&.I...@.>..........$.0...fx. ..$l...I...#..$6...... ..... .Z...a.5..&.).....L.j.;$....M.j.;$....X@j.;%....Y@j.;,.....j.e.\|f #^...j......l.....l.5....>0..Xf....M.^.8.N@.=7.z...#.$...`!..H&.>_L.p..............@\|..6..(....ka..&...Xf@0........\|.=..g...........`.A..b.......P.O.id...\|.)....4....\.M.4.;...K..4\|. F...e.f..s....id..p.....4....s`./.....X. ..%..K.;-.o8...k ..4..`w..qd..f`....l.....V0...lS..m4.Y.......>.5...S...f&.+..Af....<..f....gl`....g.d..#4.x..#1.X...cV....0..BV0.NL@.;1.X..e1.Y,S[(.#6.,.d.....f.I......B3p....;2.X.se.Y..@.Fn.....f`...J&.9.......!93.X...c6).$.6.....h`...@.....3f.Lg3I..h....l.Z.,.....[%.ec...`....,vj...%.sb.X.,...p.....f.....g ...!8.....c.`!......3d...l.2.,...g.K..i0...B.....@.....j.0..B...Fl.....f....X.I..P...@

C:\Users\user\AppData\Local\Temp\sulfhydric

Download File

Process:	C:\Users\user\Desktop\charesworh.exe
File Type:	ASCII text, with very long lines (28714), with no line terminators
Category:	dropped
Size (bytes):	28714
Entropy (8bit):	3.5948168779944245
Encrypted:	false
SSDEEP:	768:DiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbBE+Ii6m34vfF3if6gyv:DiTZ+2QoioGRk6ZklputwjpjBkCiw2Re
MD5:	FC770D036790596C236A89E658DE7218
SHA1:	963EB1E937FB8AFBD040DDCA268769C40B91CD05
SHA-256:	F1BF842AE7EAE7F623B58AC2D2844AD0EB595DC266B36D2C1E4A9C675241298C
SHA-512:	1F6013268CB365F1AFDEAE3DFE3D0716A1A6496B345470D1030C56FF1A5E91E14D801954E3DFDA1E894A92781F4A554C9E762C733C740CA9B5CE2B31D9754C22
Malicious:	false
Reputation:	low
Preview:	8BCE895DD08975C8663BC2772D8B5F0C8BD08BFE0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c0000006689857e

C:\Users\user\AppData\Roaming\newfile\newfile.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45984
Entropy (8bit):	6.16795797263964
Encrypted:	false
SSDEEP:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
MD5:	9D352BC46709F0CB5EC974633A0C3C94
SHA1:	1969771B2F022F9A86D77AC4D4D239BECDF08D07
SHA-256:	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
SHA-512:	13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: FAR.N_2430-240009934.exe, Detection: malicious, Browse Filename: FAR.N#U00b02430-24000993.exe, Detection: malicious, Browse Filename: tems.exe, Detection: malicious, Browse Filename: HBL.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Heur.15333.25205.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.7644.21541.exe, Detection: malicious, Browse Filename: Cintillo 2024.pdf.exe, Detection: malicious, Browse Filename: SHIPMENT ADVICE FOR CLEARTEX.exe, Detection: malicious, Browse Filename: REQUEST FOR QUOTATION.exe, Detection: malicious, Browse Filename: 67002314579XX.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.442398121585593
Encrypted:	false
SSDEEP:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
MD5:	6FB4D27A716A8851BC0505666E7C7A10
SHA1:	AD2A232C6E709223532C4D1AB892303273D8C814
SHA-256:	1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
SHA-512:	3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.981252703048062
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	charesworh.exe
File size:	1'067'008 bytes
MD5:	590b450f25fafb87d58090f15d279e17
SHA1:	3f73fb4c40e67fe01b71bc1cb99dc4fb1a5b54b4
SHA256:	2dd7ca872acd828eeab12c42fb0a2fb96084876164525845d396ae489932aa7a
SHA512:	1d80dfbfee3abd898802552c5fa1502a9bab378dd28b4fe8f30fdcbeb03869f6747e0c967f4b7146a38922e62bcd72fbab81a56e87b06b89a39a7b5adfc18824
SSDEEP:	24576:4AHnh+eWsN3skA4RV1Hom2KXMmHaGX2NRaoyKJ5:/h+ZkldoPK8YaGX2NMc
TLSH:	8535AD0273D2C036FFAB92739B6AF60156BC79254123852F13981DB9BD701B2267E763
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6620FFF1 [Thu Apr 18 11:11:45 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F1750EBB92Dh
jmp 00007F1750EAE6E4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F1750EAE86Ah
cmp edi, eax
jc 00007F1750EAEBCEh
bt dword ptr [004C41FCh], 01h
jnc 00007F1750EAE869h
rep movsb
jmp 00007F1750EAEB7Ch
cmp ecx, 00000080h
jc 00007F1750EAEA34h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F1750EAE870h
bt dword ptr [004BF324h], 01h
jc 00007F1750EAED40h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F1750EAEA0Dh
test edi, 00000003h
jne 00007F1750EAEA1Eh
test esi, 00000003h
jne 00007F1750EAE9FDh
bt edi, 02h
jnc 00007F1750EAE86Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F1750EAE873h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F1750EAE8C5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x3a1f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x103000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x3a1f4	0x3a200	37e2867bfd10ae235e5089001da16564	False	0.8876176075268817	data	7.792853213841211	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x103000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x3148c	data			1.0003517149820675
RT_GROUP_ICON	0x101c44	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x101cbc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x101cd0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x101ce4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x101cf8	0x10c	data	English	Great Britain	0.5970149253731343
RT_MANIFEST	0x101e04	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 17:24:09.454185009 CEST	49705	80	192.168.2.8	208.95.112.1
Apr 19, 2024 17:24:09.570139885 CEST	80	49705	208.95.112.1	192.168.2.8
Apr 19, 2024 17:24:09.570244074 CEST	49705	80	192.168.2.8	208.95.112.1
Apr 19, 2024 17:24:09.571289062 CEST	49705	80	192.168.2.8	208.95.112.1
Apr 19, 2024 17:24:09.696644068 CEST	80	49705	208.95.112.1	192.168.2.8
Apr 19, 2024 17:24:09.738454103 CEST	49705	80	192.168.2.8	208.95.112.1
Apr 19, 2024 17:24:10.821948051 CEST	49706	26	192.168.2.8	114.142.162.17
Apr 19, 2024 17:24:11.832158089 CEST	49706	26	192.168.2.8	114.142.162.17
Apr 19, 2024 17:24:13.832178116 CEST	49706	26	192.168.2.8	114.142.162.17
Apr 19, 2024 17:24:17.832091093 CEST	49706	26	192.168.2.8	114.142.162.17
Apr 19, 2024 17:24:25.831973076 CEST	49706	26	192.168.2.8	114.142.162.17
Apr 19, 2024 17:25:00.425812960 CEST	49705	80	192.168.2.8	208.95.112.1
Apr 19, 2024 17:25:00.541990042 CEST	80	49705	208.95.112.1	192.168.2.8
Apr 19, 2024 17:25:00.542157888 CEST	49705	80	192.168.2.8	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 17:24:09.341196060 CEST	52999	53	192.168.2.8	1.1.1.1
Apr 19, 2024 17:24:09.447129965 CEST	53	52999	1.1.1.1	192.168.2.8
Apr 19, 2024 17:24:10.422291040 CEST	50275	53	192.168.2.8	1.1.1.1
Apr 19, 2024 17:24:10.819961071 CEST	53	50275	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 19, 2024 17:24:09.341196060 CEST	192.168.2.8	1.1.1.1	0x5d33	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Apr 19, 2024 17:24:10.422291040 CEST	192.168.2.8	1.1.1.1	0x42e9	Standard query (0)	mail.cash4cars.nz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 19, 2024 17:24:09.447129965 CEST	1.1.1.1	192.168.2.8	0x5d33	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Apr 19, 2024 17:24:10.819961071 CEST	1.1.1.1	192.168.2.8	0x42e9	No error (0)	mail.cash4cars.nz		114.142.162.17	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	208.95.112.1	80	5360	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 17:24:09.571289062 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Apr 19, 2024 17:24:09.696644068 CEST	174	IN	HTTP/1.1 200 OK Date: Fri, 19 Apr 2024 15:24:09 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

Target ID:	0
Start time:	17:24:06
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\charesworh.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\charesworh.exe"
Imagebase:	0xc20000
File size:	1'067'008 bytes
MD5 hash:	590B450F25FAFB87D58090F15D279E17
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:24:07
Start date:	19/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\charesworh.exe"
Imagebase:	0x340000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2634689317.0000000000712000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2634689317.0000000000712000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2635779693.0000000002861000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2635779693.0000000002861000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2635779693.000000000288E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	17:24:20
Start date:	19/04/2024
Path:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Imagebase:	0xe70000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:24:20
Start date:	19/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:24:28
Start date:	19/04/2024
Path:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Imagebase:	0x1a0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:24:28
Start date:	19/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	4.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	38

Executed Functions

Function 00C23B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C23B7A
IsDebuggerPresent.KERNEL32 ref: 00C23B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00CE62F8,00CE62E0,?,?), ref: 00C23BFD

Part of subcall function 00C27D2C: _memmove.LIBCMT ref: 00C27D66

Part of subcall function 00C30A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00C23C26,00CE62F8,?,?,?), ref: 00C30ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00C23C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00CD93F0,00000010), ref: 00C5D4BC
SetCurrentDirectoryW.KERNEL32(?,00CE62F8,?,?,?), ref: 00C5D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00CD5D40,00CE62F8,?,?,?), ref: 00C5D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00C5D581

Part of subcall function 00C23A58: GetSysColorBrush.USER32(0000000F), ref: 00C23A62
Part of subcall function 00C23A58: LoadCursorW.USER32(00000000,00007F00), ref: 00C23A71
Part of subcall function 00C23A58: LoadIconW.USER32(00000063), ref: 00C23A88
Part of subcall function 00C23A58: LoadIconW.USER32(000000A4), ref: 00C23A9A
Part of subcall function 00C23A58: LoadIconW.USER32(000000A2), ref: 00C23AAC
Part of subcall function 00C23A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C23AD2
Part of subcall function 00C23A58: RegisterClassExW.USER32(?), ref: 00C23B28

Part of subcall function 00C239E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,as failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array va,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C23A15
Part of subcall function 00C239E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C23A36
Part of subcall function 00C239E7: ShowWindow.USER32(00000000,?,?), ref: 00C23A4A
Part of subcall function 00C239E7: ShowWindow.USER32(00000000,?,?), ref: 00C23A53

Part of subcall function 00C243DB: _memset.LIBCMT ref: 00C24401
Part of subcall function 00C243DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C244A6

Strings

runas, xrefs: 00C5D575
This is a third-party compiled AutoIt script., xrefs: 00C5D4B4

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: d30b5b4c1a742ff6a42ebe07622163f44cb9c7023972923caaee95cceab9b108
Instruction ID: c9ccd4adafa72828dcf8e68280d90d2fd4a854369de950f6425e325eb9fcdec3
Opcode Fuzzy Hash: d30b5b4c1a742ff6a42ebe07622163f44cb9c7023972923caaee95cceab9b108
Instruction Fuzzy Hash: 0B5136719042D8AECF11EBB0FC86BEE7B78AB15340B004279F912A61A1DA744646EB21

Uniqueness

Uniqueness Score: -1.00%

Function 00C24AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00C24B2B

Part of subcall function 00C27D2C: _memmove.LIBCMT ref: 00C27D66

GetCurrentProcess.KERNEL32(?,00CAFAEC,00000000,00000000,?), ref: 00C24BF8
IsWow64Process.KERNEL32(00000000), ref: 00C24BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00C24C45
FreeLibrary.KERNEL32(00000000), ref: 00C24C50
GetSystemInfo.KERNEL32(00000000), ref: 00C24C81
GetSystemInfo.KERNEL32(00000000), ref: 00C24C8D

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 5e81974fab2e31fd3d7f4c736d80faf13e1231766bddc577fc0ffcb4c18e6fd7
Instruction ID: acb4e66d4f5341c6bce41974baf1ce3bd5aedb49a9a12aef7fd39c38b44f67b7
Opcode Fuzzy Hash: 5e81974fab2e31fd3d7f4c736d80faf13e1231766bddc577fc0ffcb4c18e6fd7
Instruction Fuzzy Hash: 0991E43154ABD0DFC736CB6894512AABFE4AF26301B444A9DE4DB93E01D230FA48D75D

Uniqueness

Uniqueness Score: -1.00%

Function 00C24FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00C24EEE,?,?,00000000,00000000), ref: 00C24FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C24EEE,?,?,00000000,00000000), ref: 00C25010
LoadResource.KERNEL32(?,00000000,?,?,00C24EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C24F8F), ref: 00C5DD60
SizeofResource.KERNEL32(?,00000000,?,?,00C24EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C24F8F), ref: 00C5DD75
LockResource.KERNEL32(00C24EEE,?,?,00C24EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C24F8F,00000000), ref: 00C5DD88

Strings

SCRIPT, xrefs: 00C25006

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 9ed8f617192d8225dffc9bcfd8b62205ac40af3bc7b86c4e744addc1a2ce7aaa
Instruction ID: 12ea6dcf553504803eeeb08715d03eeda7ce5b490eec4874d9d1d73c58d119b7
Opcode Fuzzy Hash: 9ed8f617192d8225dffc9bcfd8b62205ac40af3bc7b86c4e744addc1a2ce7aaa
Instruction Fuzzy Hash: 6E115A75240701AFE7218BA5EC58F6B7BB9EBCAB15F20426CF416C6660DB71EC0186A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C84696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00C5E7C1), ref: 00C846A6
FindFirstFileW.KERNELBASE(?,?), ref: 00C846B7
FindClose.KERNEL32(00000000), ref: 00C846C7

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 7b26cd2ecd3adb3af32de3d48e59ab572508956c0ccf81126a262f61bbd9e76a
Instruction ID: 8f044d52ab495bda50c65876a80afb0d75c6d3663e3eb69c2983d2606be67c1c
Opcode Fuzzy Hash: 7b26cd2ecd3adb3af32de3d48e59ab572508956c0ccf81126a262f61bbd9e76a
Instruction Fuzzy Hash: 50E0D8314104015B46147778EC4D6EE779C9E0733DF100719F935C20E0F7B05D508699

Uniqueness

Uniqueness Score: -1.00%

Function 00C2E800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00C6428C

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 1b9e49f649e957f266867074257a24b9571ec47616d3427c4eb335cf95151d31
Instruction ID: 27b4b825fb18f458b2d5051105d983c118f4cc1f5d4ba371eee4048d5b17b856
Opcode Fuzzy Hash: 1b9e49f649e957f266867074257a24b9571ec47616d3427c4eb335cf95151d31
Instruction Fuzzy Hash: A3A2A074A04229CFCB24CF99E4C0AADB7B1FF58300F648169E916AB751D735ED82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C30B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C30BBB
timeGetTime.WINMM ref: 00C30E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C30FB3
TranslateMessage.USER32(?), ref: 00C30FC7
DispatchMessageW.USER32(?), ref: 00C30FD5
Sleep.KERNEL32(0000000A), ref: 00C30FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00C3105A
DestroyWindow.USER32 ref: 00C31066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C31080
Sleep.KERNEL32(0000000A,?,?), ref: 00C652AD
TranslateMessage.USER32(?), ref: 00C6608A
DispatchMessageW.USER32(?), ref: 00C66098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C660AC

Strings

@GUI_WINHANDLE, xrefs: 00C653B9
@GUI_CTRLID, xrefs: 00C65364
@TRAY_ID, xrefs: 00C65BB9
@GUI_CTRLHANDLE, xrefs: 00C6540E
@COM_EVENTOBJ, xrefs: 00C6591A

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: 7a609fdcc86c846b07ec19bb0d9311132e7be8b72e1d0d3ee4d483ccdb4861c0
Instruction ID: ba0a79f4a1c8ebd0bcdbde75356d285768b51de51022b94f794a5bd0ad1061de
Opcode Fuzzy Hash: 7a609fdcc86c846b07ec19bb0d9311132e7be8b72e1d0d3ee4d483ccdb4861c0
Instruction Fuzzy Hash: E5B2BB71608741DFDB38DF24C894BAEB7E4BF84304F24491DE59A872A1CB71E985DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00C893DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C891E9: __time64.LIBCMT ref: 00C891F3

Part of subcall function 00C25045: _fseek.LIBCMT ref: 00C2505D

__wsplitpath.LIBCMT ref: 00C894BE

Part of subcall function 00C4432E: __wsplitpath_helper.LIBCMT ref: 00C4436E

_wcscpy.LIBCMT ref: 00C894D1
_wcscat.LIBCMT ref: 00C894E4
__wsplitpath.LIBCMT ref: 00C89509
_wcscat.LIBCMT ref: 00C8951F
_wcscat.LIBCMT ref: 00C89532

Part of subcall function 00C8922F: _memmove.LIBCMT ref: 00C89268
Part of subcall function 00C8922F: _memmove.LIBCMT ref: 00C89277

_wcscmp.LIBCMT ref: 00C89479

Part of subcall function 00C899BE: _wcscmp.LIBCMT ref: 00C89AAE
Part of subcall function 00C899BE: _wcscmp.LIBCMT ref: 00C89AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C896DC
_wcsncpy.LIBCMT ref: 00C8974F
DeleteFileW.KERNEL32(?,?), ref: 00C89785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C8979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C897AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C897BE

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 6ba8d49b05f73985535f808d2443510ec12f0d1be97a58bcee8bdb25fe7def91
Instruction ID: 0d984b291db9ab76a767640463c91b40545949db6dac512a4da3d4d51edd6156
Opcode Fuzzy Hash: 6ba8d49b05f73985535f808d2443510ec12f0d1be97a58bcee8bdb25fe7def91
Instruction Fuzzy Hash: 4DC13AB1D00229AADF21EF95CC85AEEB7BDEF45304F0440AAF609E7151EB309A449F65

Uniqueness

Uniqueness Score: -1.00%

Function 00C2302C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C23074
RegisterClassExW.USER32(00000030), ref: 00C2309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C230AF
InitCommonControlsEx.COMCTL32(?), ref: 00C230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C230DC
LoadIconW.USER32(000000A9), ref: 00C230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C23101

Strings

AutoIt v3 GUI, xrefs: 00C23090
0, xrefs: 00C23056
+, xrefs: 00C2305D
TaskbarCreated, xrefs: 00C230A4

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: cd50abaaacd3fde35488cdd3f8aef760e1355b15d7924ba69037a077ade2d299
Instruction ID: b02d98b2ad3206852b94760596dae69ce7a168afc4bfe8986d48a4a36e432a2d
Opcode Fuzzy Hash: cd50abaaacd3fde35488cdd3f8aef760e1355b15d7924ba69037a077ade2d299
Instruction Fuzzy Hash: 812104B1850249EFDB508FE4E888BCDBBF0FB19314F10452EE580EA2A0D7B505828F90

Uniqueness

Uniqueness Score: -1.00%

Function 00C23041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C23074
RegisterClassExW.USER32(00000030), ref: 00C2309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C230AF
InitCommonControlsEx.COMCTL32(?), ref: 00C230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C230DC
LoadIconW.USER32(000000A9), ref: 00C230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C23101

Strings

AutoIt v3 GUI, xrefs: 00C23090
0, xrefs: 00C23056
+, xrefs: 00C2305D
TaskbarCreated, xrefs: 00C230A4

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 45aa0b0de178bcfcbabc06eb12f1c035cb0be05209d4dcdf0567e25f4cc692f2
Instruction ID: 2a5d7e1008e16c351c8ca5d5eb998cfd22b2542c7311a69cfbfac1fcfa61368d
Opcode Fuzzy Hash: 45aa0b0de178bcfcbabc06eb12f1c035cb0be05209d4dcdf0567e25f4cc692f2
Instruction Fuzzy Hash: E921C3B1910258AFDB10DFE4E889B9DBBF4FB19754F00412AFA10EB2A0D7B145458F95

Uniqueness

Uniqueness Score: -1.00%

Function 00C271EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C24864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CE62F8,?,00C237C0,?), ref: 00C24882

Part of subcall function 00C4074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00C272C5), ref: 00C40771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C27308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C5ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C5ED32
RegCloseKey.ADVAPI32(?), ref: 00C5ED70
_wcscat.LIBCMT ref: 00C5EDC9

Strings

Include, xrefs: 00C5ECE8, 00C5ED29
Software\AutoIt v3\AutoIt, xrefs: 00C272FE
\, xrefs: 00C5EDEC
\Include\, xrefs: 00C272C5

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 8d778d442c516120139c44416d7a42ac64e460f434201ca98cf741e5ac9f3ddc
Instruction ID: bc8c6b7997289c66f5a4feac28965f133d1997408bb1ac6e6e520b88a415d616
Opcode Fuzzy Hash: 8d778d442c516120139c44416d7a42ac64e460f434201ca98cf741e5ac9f3ddc
Instruction Fuzzy Hash: 71717C71408341DEC714EF65EC81AAFBBE8FF44340B44062EFA458B1A0EB309A49DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00C23A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C23A62
LoadCursorW.USER32(00000000,00007F00), ref: 00C23A71
LoadIconW.USER32(00000063), ref: 00C23A88
LoadIconW.USER32(000000A4), ref: 00C23A9A
LoadIconW.USER32(000000A2), ref: 00C23AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C23AD2
RegisterClassExW.USER32(?), ref: 00C23B28

Part of subcall function 00C23041: GetSysColorBrush.USER32(0000000F), ref: 00C23074
Part of subcall function 00C23041: RegisterClassExW.USER32(00000030), ref: 00C2309E
Part of subcall function 00C23041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C230AF
Part of subcall function 00C23041: InitCommonControlsEx.COMCTL32(?), ref: 00C230CC
Part of subcall function 00C23041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C230DC
Part of subcall function 00C23041: LoadIconW.USER32(000000A9), ref: 00C230F2
Part of subcall function 00C23041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C23101

Strings

#, xrefs: 00C23B0D
AutoIt v3, xrefs: 00C23B17
0, xrefs: 00C23B06

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 2e2a8b75a73f1d1dab40c0e40e692feec45458f691bf3127027c89444585f0fc
Instruction ID: d4eb0bf5ad4e87a5ad8253922f681bd4865be4fb2721c1dc91b51662adafab54
Opcode Fuzzy Hash: 2e2a8b75a73f1d1dab40c0e40e692feec45458f691bf3127027c89444585f0fc
Instruction Fuzzy Hash: 32217C70D20348AFEB109FA4EC89B9D7BB4FB18755F00012AF604EB2A0C7BA56449F84

Uniqueness

Uniqueness Score: -1.00%

Function 00C23633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00C236D2
KillTimer.USER32(?,00000001), ref: 00C236FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C2371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C2372A
CreatePopupMenu.USER32 ref: 00C2373E
PostQuitMessage.USER32(00000000), ref: 00C2375F

Strings

TaskbarCreated, xrefs: 00C23725

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 37f211ceac1baf8033f3c2899341cc95a7f2c559c060322ea29516e92a3bfbdb
Instruction ID: 84997105a8a32a403bd9df36d8b6b58665ed4bf9275dcd23c739c96afee2223e
Opcode Fuzzy Hash: 37f211ceac1baf8033f3c2899341cc95a7f2c559c060322ea29516e92a3bfbdb
Instruction Fuzzy Hash: 734134B22102E5ABDF245F68FD49B7D3768FB10740F040128FA13CAAE1CA799F41A765

Uniqueness

Uniqueness Score: -1.00%

Function 00C23778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINE, xrefs: 00C23834
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00C237C0
CMDLINERAW, xrefs: 00C2380D
/AutoIt3ExecuteScript, xrefs: 00C238CE
/ErrorStdOut, xrefs: 00C2388F
/AutoIt3OutputDebug, xrefs: 00C238A4
/AutoIt3ExecuteLine, xrefs: 00C238B9

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 520f8cbfc5e4655d24e2ab91f5ddf1d7fd7ff9cc86cb58e3d28a92ce72ea09d9
Instruction ID: 2d1d05f8a9eb7db9d7abd8994a1c1b4371f70f6e65570d636fdf46423c3c96f7
Opcode Fuzzy Hash: 520f8cbfc5e4655d24e2ab91f5ddf1d7fd7ff9cc86cb58e3d28a92ce72ea09d9
Instruction Fuzzy Hash: B2A15C729102799BDF14EBA0EC92EEEB778BF14310F04052AF512B7591DF749A09DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C239E7 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,as failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array va,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C23A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C23A36
ShowWindow.USER32(00000000,?,?), ref: 00C23A4A
ShowWindow.USER32(00000000,?,?), ref: 00C23A53

Strings

edit, xrefs: 00C23A30
AutoIt v3, xrefs: 00C23A0D, 00C23A12, 00C23A13
as failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array va, xrefs: 00C23A08

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$as failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array va$edit
API String ID: 1584632944-3469418680
Opcode ID: 0f09ec3511cd6ca3228d6ca4d4f5e556847e784e04a965a68ec3d8560206521b
Instruction ID: 50e0274e7367e4bc8dba36add6dad03cea0e7c06ffde955b707b1d25abdffd46
Opcode Fuzzy Hash: 0f09ec3511cd6ca3228d6ca4d4f5e556847e784e04a965a68ec3d8560206521b
Instruction Fuzzy Hash: 7AF03A706102D07EEA301763AC88F7B3E7DD7D7FA4B01002EBA00AA170C6B51841DAB0

Uniqueness

Uniqueness Score: -1.00%

Function 01382630 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01382701
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01382927

Memory Dump Source

Source File: 00000000.00000002.1399982648.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1380000_charesworh.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
Instruction ID: 108defe875dfe2f474cba782588b11f84f57708c5991b3ab329aa177f88f8aa8
Opcode Fuzzy Hash: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
Instruction Fuzzy Hash: 83A10674E00209EBDF14EFA8C994BAEBBB5FF48308F208159E615BB281D7759A41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01382410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 142
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01382300: Sleep.KERNELBASE(000001F4), ref: 01382311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01382528

Strings

DT93IJ9TS6GNLNC3, xrefs: 0138258B, 0138258E

Memory Dump Source

Source File: 00000000.00000002.1399982648.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1380000_charesworh.jbxd

Similarity

API ID: CreateFileSleep
String ID: DT93IJ9TS6GNLNC3
API String ID: 2694422964-2777791936
Opcode ID: 7ac660820fc8aa3318c5d10c39e3d7c738e479267fa87e3caf23c7da75916906
Instruction ID: ccbb7d239086471a005ec1e7b7ba5ed124a0937abc515aef275a696be5399401
Opcode Fuzzy Hash: 7ac660820fc8aa3318c5d10c39e3d7c738e479267fa87e3caf23c7da75916906
Instruction Fuzzy Hash: 83515074D04349EBEF11DBA8C854BEEBB79AF14304F004199E609BB2C0D7B91B49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C2410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C5D5EC

Part of subcall function 00C27D2C: _memmove.LIBCMT ref: 00C27D66

_memset.LIBCMT ref: 00C2418D
_wcscpy.LIBCMT ref: 00C241E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C241F1

Strings

Line: , xrefs: 00C5D615

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: e19b049bee106c005e5e6278ec8727445a936ed9d0b2e0bc865549c8ccbbf4d0
Instruction ID: 1ce48aa65cdee8a3b55d95811d660ba128e14c5706a8d8904d83997c607c3131
Opcode Fuzzy Hash: e19b049bee106c005e5e6278ec8727445a936ed9d0b2e0bc865549c8ccbbf4d0
Instruction Fuzzy Hash: AE310271008364ABD725EB60EC86FDF77E8AF54300F104A1EF295964A1EF74A648D793

Uniqueness

Uniqueness Score: -1.00%

Function 00C4564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00C456AB
_memcpy_s.LIBCMT ref: 00C4571D
__read_nolock.LIBCMT ref: 00C4577B
__filbuf.LIBCMT ref: 00C4579E
_memset.LIBCMT ref: 00C457E2

Part of subcall function 00C48D68: __getptd_noexit.LIBCMT ref: 00C48D68

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 1ff0bac2ac345def48b804962cc1945801263ec083864c72fc90276c4095cf38
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 4E51BE30A00B09DFDB248FB9C8846AEB7B6BF40320F258739F835962D2D7709E549B40

Uniqueness

Uniqueness Score: -1.00%

Function 00C269CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00C24F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00CE62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C24F6F

_free.LIBCMT ref: 00C5E68C
_free.LIBCMT ref: 00C5E6D3

Part of subcall function 00C26BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C26D0D

Strings

Bad directive syntax error, xrefs: 00C5E6BB
>>>AUTOIT SCRIPT<<<, xrefs: 00C5E462

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 64fab722e28d37f52d0ac55e48462ddd5b4c14bf05f531d4576f34989c8e1ce3
Instruction ID: cdce857313c04376c005159d254c72f953b68b3cd36b6f3f23f7d26539126731
Opcode Fuzzy Hash: 64fab722e28d37f52d0ac55e48462ddd5b4c14bf05f531d4576f34989c8e1ce3
Instruction Fuzzy Hash: 0591C271910229EFCF08EFA4DC819EDB7B4FF14304F14442AF815AB291EB30AA49DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00C235B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00C235A1,SwapMouseButtons,00000004,?), ref: 00C235D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00C235A1,SwapMouseButtons,00000004,?,?,?,?,00C22754), ref: 00C235F5
RegCloseKey.KERNELBASE(00000000,?,?,00C235A1,SwapMouseButtons,00000004,?,?,?,?,00C22754), ref: 00C23617

Strings

Control Panel\Mouse, xrefs: 00C235D2

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 9818bfb9cddc11c7c4293e9e39d454ca701b82b4a5c4660207cfb5545eb575d8
Instruction ID: 6f70d9ecd90f347b6fb930384128d87cdde285c0240ef6dec30a6d667b14a221
Opcode Fuzzy Hash: 9818bfb9cddc11c7c4293e9e39d454ca701b82b4a5c4660207cfb5545eb575d8
Instruction Fuzzy Hash: BD114571610268BFDB208FA8EC80AEEBBBCFF05744F018469F805D7210E2719F419BA4

Uniqueness

Uniqueness Score: -1.00%

Function 01381300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01381B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01381B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01381B73

Memory Dump Source

Source File: 00000000.00000002.1399982648.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1380000_charesworh.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
Instruction ID: 08f2c1f5ea049d54edd640da239523dfd53c97fe8becb758a2b78bc7408a1301
Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
Instruction Fuzzy Hash: 48620B30A14258DBEB24DFA4C840BEEB776EF58304F1091A9D20DEB394E7759E81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00C897E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00C25045: _fseek.LIBCMT ref: 00C2505D

Part of subcall function 00C899BE: _wcscmp.LIBCMT ref: 00C89AAE
Part of subcall function 00C899BE: _wcscmp.LIBCMT ref: 00C89AC1

_free.LIBCMT ref: 00C8992C
_free.LIBCMT ref: 00C89933
_free.LIBCMT ref: 00C8999E

Part of subcall function 00C42F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00C49C64), ref: 00C42FA9
Part of subcall function 00C42F95: GetLastError.KERNEL32(00000000,?,00C49C64), ref: 00C42FBB

_free.LIBCMT ref: 00C899A6

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: 6c812bd8c056e17864ca057d09e16fa6edcf75a9071d27209373ad4d47460aaf
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: 3F5140B1904218AFDF249F64DC41AAEBBB9FF48314F1404AEF609A7281DB715E80DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00C4493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C449D0
__flush.LIBCMT ref: 00C449F0
__write.LIBCMT ref: 00C44A23
__flsbuf.LIBCMT ref: 00C44A51

Part of subcall function 00C48D68: __getptd_noexit.LIBCMT ref: 00C48D68

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 237f683de59bc643bd9a2a9e252f63ca7bea9168982c1fcfead80b5409cc0c92
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 3F41B671A406059BDF1CCEA9C884B6F77AAFF94360B34817DE865C7640D770DE41A744

Uniqueness

Uniqueness Score: -1.00%

Function 00C273E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C5EE62
GetOpenFileNameW.COMDLG32(?), ref: 00C5EEAC

Part of subcall function 00C248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C248A1,?,?,00C237C0,?), ref: 00C248CE

Part of subcall function 00C409D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C409F4

Strings

X, xrefs: 00C5EE7A

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 59d96107b3bd822c806e98aa6e8cda2035718f7d2e5999402217ab5458355c06
Instruction ID: c1bc312344ce5c3d024b4e65afdcc4eb78f318d485833ba89aa974ddb4c3c02b
Opcode Fuzzy Hash: 59d96107b3bd822c806e98aa6e8cda2035718f7d2e5999402217ab5458355c06
Instruction Fuzzy Hash: 6921C6719102589BCF05DF94D8457EE7BF89F49305F00401AE908E7381DBB45A899FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C8901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C89036
__fread_nolock.LIBCMT ref: 00C8904B

Strings

EA06, xrefs: 00C8907D

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 65849000c69c080d271ea19d4411074776cd3bbcc380d5acc9c462960cdf564d
Instruction ID: 2a868e2dd470978da0c17e7dd5cd7a5b6bd47604cd4d2bd087850ac5fd55f58a
Opcode Fuzzy Hash: 65849000c69c080d271ea19d4411074776cd3bbcc380d5acc9c462960cdf564d
Instruction Fuzzy Hash: BD01F9718042186EDB28C6A8C816EFE7BF8DB05305F04419AF552D2181E975E704D760

Uniqueness

Uniqueness Score: -1.00%

Function 00C89B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00C89B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00C89B99

Strings

aut, xrefs: 00C89B93

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: b0d77096c959fa264e71bf1bea0a646a6e10a1c1600ff0babed8fb0ccc47188d
Instruction ID: 3c0ce7e4ac3ba83ae58703cf4f8b74cb3c0372124afca6d3bab517cfd44a34e8
Opcode Fuzzy Hash: b0d77096c959fa264e71bf1bea0a646a6e10a1c1600ff0babed8fb0ccc47188d
Instruction Fuzzy Hash: F6D05E7954030DABDB109BD0DC0EFDA776CE704705F0042B1BF94921A1DEB455998B91

Uniqueness

Uniqueness Score: -1.00%

Function 00C9CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54bfa28329a7ac877933809138b875951c6ebe763db3f8aed10b17180c8da0c5
Instruction ID: 5517c0c52020e1364c95270bc29de5eb3f214008a657c867246a5921dfc75f00
Opcode Fuzzy Hash: 54bfa28329a7ac877933809138b875951c6ebe763db3f8aed10b17180c8da0c5
Instruction Fuzzy Hash: 30F14A719087019FCB14DF28C485A6ABBE5FF88314F14896EF89A9B351D731E945CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00C2F8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C403A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C403D3
Part of subcall function 00C403A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C403DB
Part of subcall function 00C403A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C403E6
Part of subcall function 00C403A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C403F1
Part of subcall function 00C403A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C403F9
Part of subcall function 00C403A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C40401

Part of subcall function 00C36259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00C2FA90), ref: 00C362B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C2FB2D
OleInitialize.OLE32(00000000), ref: 00C2FBAA
CloseHandle.KERNEL32(00000000), ref: 00C649F2

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: d8cf8d8b62366dfb9f20ac9ef57cfed6fd0f6120964ff7f5682299f5a5d4853d
Instruction ID: 4f0eca24bdbc7d54da22348d013a14ee2de43b0fcad0f214464f0b9b6d612ac5
Opcode Fuzzy Hash: d8cf8d8b62366dfb9f20ac9ef57cfed6fd0f6120964ff7f5682299f5a5d4853d
Instruction Fuzzy Hash: E581B8B19213D08ECB85DF3AE9D171D7AE4FBB8398710853EA019CB2B2EB3154059F51

Uniqueness

Uniqueness Score: -1.00%

Function 00C243DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C24401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C244A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C244C3

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 4eb602337333c9ade003ab09adf21027dfd6ad5c7988c16383b1e8967b4dca7c
Instruction ID: 3263d1d4dc02cae4836a8e05a01b57ce245d567ace930e7ff3481dcb9727b728
Opcode Fuzzy Hash: 4eb602337333c9ade003ab09adf21027dfd6ad5c7988c16383b1e8967b4dca7c
Instruction Fuzzy Hash: 03318170504751CFD724EF24E88479BBBE8FB59308F00092EF69A87641D7B56A44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C4594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00C45963

Part of subcall function 00C4A3AB: __NMSG_WRITE.LIBCMT ref: 00C4A3D2
Part of subcall function 00C4A3AB: __NMSG_WRITE.LIBCMT ref: 00C4A3DC

__NMSG_WRITE.LIBCMT ref: 00C4596A

Part of subcall function 00C4A408: GetModuleFileNameW.KERNEL32(00000000,00CE43BA,00000104,?,00000001,00000000), ref: 00C4A49A
Part of subcall function 00C4A408: ___crtMessageBoxW.LIBCMT ref: 00C4A548

Part of subcall function 00C432DF: ___crtCorExitProcess.LIBCMT ref: 00C432E5
Part of subcall function 00C432DF: ExitProcess.KERNEL32 ref: 00C432EE

Part of subcall function 00C48D68: __getptd_noexit.LIBCMT ref: 00C48D68

RtlAllocateHeap.NTDLL(013F0000,00000000,00000001,00000000,?,?,?,00C41013,?), ref: 00C4598F

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: a936e1ee2460b46c9819e85d38f6ab96c8e9978efebf0764a5839f7af5e6b49d
Instruction ID: f5a8f121c4cfde1c701da012a9ef9559ecf680722f01580e9f2af466c1793afb
Opcode Fuzzy Hash: a936e1ee2460b46c9819e85d38f6ab96c8e9978efebf0764a5839f7af5e6b49d
Instruction Fuzzy Hash: 5F01F531645B16DFE6253B66DC42B2E7348BFA2771F10003AF510AB1C3DE709E02A660

Uniqueness

Uniqueness Score: -1.00%

Function 00C89B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00C897D2,?,?,?,?,?,00000004), ref: 00C89B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00C897D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00C89B5B
CloseHandle.KERNEL32(00000000,?,00C897D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C89B62

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 9d8ba466b79e47d9ba802dc754f5a7c5f2eeac536d8c156e14c318a00470d1eb
Instruction ID: 3b27250ed13d3dee5243a1f7b6844d5ae839fabc4f0dda2a857924a808624b8e
Opcode Fuzzy Hash: 9d8ba466b79e47d9ba802dc754f5a7c5f2eeac536d8c156e14c318a00470d1eb
Instruction Fuzzy Hash: E9E08031141214B7DB311B94EC09FDD7B18DB06765F144114FB54650E0877155129798

Uniqueness

Uniqueness Score: -1.00%

Function 00C88F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C88FA5

Part of subcall function 00C42F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00C49C64), ref: 00C42FA9
Part of subcall function 00C42F95: GetLastError.KERNEL32(00000000,?,00C49C64), ref: 00C42FBB

_free.LIBCMT ref: 00C88FB6
_free.LIBCMT ref: 00C88FC8

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: 7d30a1125a1dc54ea7d7be0f318195fc991f6dde6e64a47eaaa5837173e31c0e
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: D0E0C2B12087204ADA20B5F8AD01A831BEE2F483947C8081DB519DB142CE24F948A228

Uniqueness

Uniqueness Score: -1.00%

Function 00C2AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00C6002B

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: ee5b04c7401f3a4d21dbd0030f0fa3da7842da5a83040dac531a845df8fc7e0e
Instruction ID: 9bee9c97b8167853a8eff4d2338050734aaaf792f9162152d40a579ec6007fce
Opcode Fuzzy Hash: ee5b04c7401f3a4d21dbd0030f0fa3da7842da5a83040dac531a845df8fc7e0e
Instruction Fuzzy Hash: 1E225870508361DFCB24DF14D494B2ABBE1BF88300F15896DE89A9B762D731ED85DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00C24DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C24E1A

Strings

EA06, xrefs: 00C5DCF5

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: fed83e4eee30b25e307856cd8a5ed7e8a397c2f28e562c8e193cae23d37a4b3d
Instruction ID: f4e1b76a7a6d76c4ad5990c0e6e35a57d7a1748d489ba485d475266d97fa4a22
Opcode Fuzzy Hash: fed83e4eee30b25e307856cd8a5ed7e8a397c2f28e562c8e193cae23d37a4b3d
Instruction Fuzzy Hash: 3F41AF31A042745BEF299B64EC517BFFFA6AB41300F294074EC829B992C6709E8497A1

Uniqueness

Uniqueness Score: -1.00%

Function 00C2492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00C24992

Part of subcall function 00C435AC: __lock.LIBCMT ref: 00C435B2
Part of subcall function 00C435AC: DecodePointer.KERNEL32(00000001,?,00C249A7,00C781BC), ref: 00C435BE
Part of subcall function 00C435AC: EncodePointer.KERNEL32(?,?,00C249A7,00C781BC), ref: 00C435C9

Part of subcall function 00C24A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C24A73
Part of subcall function 00C24A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C24A88

Part of subcall function 00C23B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C23B7A
Part of subcall function 00C23B4C: IsDebuggerPresent.KERNEL32 ref: 00C23B8C
Part of subcall function 00C23B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00CE62F8,00CE62E0,?,?), ref: 00C23BFD
Part of subcall function 00C23B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00C23C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C249D2

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 16ad1db84bf4c3368b56a471b938bc2b5945dbed7774a3f609187315eddefdea
Instruction ID: 166069c009b64fe149507a1071e834284c9d5ebc67e379a73e9cdd69e5649dd5
Opcode Fuzzy Hash: 16ad1db84bf4c3368b56a471b938bc2b5945dbed7774a3f609187315eddefdea
Instruction Fuzzy Hash: DA118C719183A19BC700EF69EC85B0EFBE8EB94750F00451EF5458B2B1DB709645DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C25DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00C25981,?,?,?,?), ref: 00C25E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00C25981,?,?,?,?), ref: 00C5E19C

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4b74cc457df16dc43b982fb2ae35a604c46b5657081af4ee8b1f7754b34da6bb
Instruction ID: cc8cda467c37030ea983e186aa29db938feaa369bbb80a68304770fa1f1ccbf9
Opcode Fuzzy Hash: 4b74cc457df16dc43b982fb2ae35a604c46b5657081af4ee8b1f7754b34da6bb
Instruction Fuzzy Hash: A4017570244718BEF7241E64DC8AF7B3B9CEB05768F108319BAF55A1E0C6B85F498B54

Uniqueness

Uniqueness Score: -1.00%

Function 00C40FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C4594C: __FF_MSGBANNER.LIBCMT ref: 00C45963
Part of subcall function 00C4594C: __NMSG_WRITE.LIBCMT ref: 00C4596A
Part of subcall function 00C4594C: RtlAllocateHeap.NTDLL(013F0000,00000000,00000001,00000000,?,?,?,00C41013,?), ref: 00C4598F

std::exception::exception.LIBCMT ref: 00C4102C
__CxxThrowException@8.LIBCMT ref: 00C41041

Part of subcall function 00C487DB: RaiseException.KERNEL32(?,?,?,00CDBAF8,00000000,?,?,?,?,00C41046,?,00CDBAF8,?,00000001), ref: 00C48830

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 8e61cd7db6a2ee95bef7822d753552ed2410a664d0a03832fd886ad7c2ff2b59
Instruction ID: 34a2226ac2c2735e6a9ed4b5c11bf3b6a54629e66078a3667b92338e1a18989a
Opcode Fuzzy Hash: 8e61cd7db6a2ee95bef7822d753552ed2410a664d0a03832fd886ad7c2ff2b59
Instruction Fuzzy Hash: 53F0A475544259A6CB20BAA8EC169DF7BE8BF01350F140426FD1496692DFB18BC4E2A4

Uniqueness

Uniqueness Score: -1.00%

Function 00C4582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C4585C
__lock_file.LIBCMT ref: 00C4587D

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: d54107a74da087274b19442b12e804a333b862edef0348811c795e3c84912e9b
Instruction ID: 18d4e30c4a5e8f7edd7eab4d48f6a03078b6a16cb152605c015fba161f2a78e5
Opcode Fuzzy Hash: d54107a74da087274b19442b12e804a333b862edef0348811c795e3c84912e9b
Instruction Fuzzy Hash: 32014471C41609EFCF22AF698C0559E7B61BF85760F158215F8245A1E2DF318A11EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C455D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C48D68: __getptd_noexit.LIBCMT ref: 00C48D68

__lock_file.LIBCMT ref: 00C4561B

Part of subcall function 00C46E4E: __lock.LIBCMT ref: 00C46E71

__fclose_nolock.LIBCMT ref: 00C45626

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 3db027edd2b80a00c2c887a4b0017b8d8409ec97da44737c2aab9e4b3ab96211
Instruction ID: f0c48e82391d46556a89b0950cb93a746b41e603f45ff237ec03123b0b8869d7
Opcode Fuzzy Hash: 3db027edd2b80a00c2c887a4b0017b8d8409ec97da44737c2aab9e4b3ab96211
Instruction Fuzzy Hash: DEF05471901A059BDB21BF758C027AE77E17F41734F568209F425AB2C3CF7C8A05AB55

Uniqueness

Uniqueness Score: -1.00%

Function 00C281C1 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,00C2558F,?,?,?,?,?), ref: 00C281DA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,00C2558F,?,?,?,?,?), ref: 00C2820D

Part of subcall function 00C278AD: _memmove.LIBCMT ref: 00C278E9

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: 80dea40256313093d5edc2a5ee5b3435584ce9ca4dbf48a66c609056b031445b
Instruction ID: 18fcae6a3bbe4b63ccf9ea684285d9d3433789b72665a75de0213e78195e5217
Opcode Fuzzy Hash: 80dea40256313093d5edc2a5ee5b3435584ce9ca4dbf48a66c609056b031445b
Instruction Fuzzy Hash: B501A231201114BFEB246A65ED4AF7F3B5CEB89760F10812AFE05CE190DE3098009671

Uniqueness

Uniqueness Score: -1.00%

Function 013812FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01381B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01381B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01381B73

Memory Dump Source

Source File: 00000000.00000002.1399982648.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1380000_charesworh.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction ID: 0bcf14b8bb74b3b17c002d95a54981429419acdbe95597436316ab84f4e70639
Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction Fuzzy Hash: F012DE24E24658C6EB24DF64D8507DEB232EF68300F1091E9910DEB7A5E77A4F81CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00C2F3F0 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d12fd2df28a7bdf7552f1e06735f6024e93282ff2f3df40c24ff025d8af2ef4
Instruction ID: 858539123314dca6c3ea7342c49db66cf068ca1dc0d4de3b5bbf159e0f914977
Opcode Fuzzy Hash: 3d12fd2df28a7bdf7552f1e06735f6024e93282ff2f3df40c24ff025d8af2ef4
Instruction Fuzzy Hash: 0961AD7060021ADFDB24EF64E981A6BB7F5EF08300F14807DE9169BA41D771EE52DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C32123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fe2a35f6fe86229ea6826f0f505e5439485cb5783587d6b8a668c136aebebd
Instruction ID: 2bdde5506156cf7afebf6244bdd2db9d311677d5a22ed0d4e2e63463971dfb5f
Opcode Fuzzy Hash: 00fe2a35f6fe86229ea6826f0f505e5439485cb5783587d6b8a668c136aebebd
Instruction Fuzzy Hash: 8C519135600614AFCF14EB68D992E7E77A5AF45320F148168F916AB392CF30EE01EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C2766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C2774A

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: fa3ea96c23ee318c7c61f9c18aa491c3f2e5633dec36f002f76385951fdffe92
Instruction ID: bcc1836d71039be97a1ad71dccb40802ba7b1f9eea83f686d1ff1e7e2c86cc24
Opcode Fuzzy Hash: fa3ea96c23ee318c7c61f9c18aa491c3f2e5633dec36f002f76385951fdffe92
Instruction Fuzzy Hash: AC31B679208A12DFD7249F1DE0D0A22F7A0FF09710714C66DE99A8BB65EB30DC81DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00C25C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00C25CF6

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 5d616dfdadab18cf14075897fa5010bcf3fdfa0171ab918086b4ec4f1a35f07e
Instruction ID: a0fd3d30416479c8f5e7285c4b49346514467199fc941014e781701ba1a1fd0a
Opcode Fuzzy Hash: 5d616dfdadab18cf14075897fa5010bcf3fdfa0171ab918086b4ec4f1a35f07e
Instruction Fuzzy Hash: B6315E75A00B29AFCB18DF6DD48465EB7B5FF48310F148629D81993B10E771BE50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C600D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00C600E1

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: bd7ffba51e35ca3b20876c6dcabe3c32632ba4af84d3a2bc999c0677857ab56e
Instruction ID: 544316a8280d627e1f10af7c23a5c86d08545234fbfbd77c96860cd328d5838b
Opcode Fuzzy Hash: bd7ffba51e35ca3b20876c6dcabe3c32632ba4af84d3a2bc999c0677857ab56e
Instruction Fuzzy Hash: D3411774508351DFDB24DF14D484B1ABBE0BF49318F1988ACE8999B762C732EC86CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C2C707 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 00C2C73D

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 56abc8edc21bcf8f24e8452f68c82c7304ba206b009d215cace72a9916570eb1
Instruction ID: 5c9613a119bf1bbfefdac81ec6df28b11e8b8f9439f2b1a90eee409225e91e5f
Opcode Fuzzy Hash: 56abc8edc21bcf8f24e8452f68c82c7304ba206b009d215cace72a9916570eb1
Instruction Fuzzy Hash: 8911A272904129DBCB14EBA9ECC19EEF778EF90751F144126F821A7590EB309E05EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C24F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C24D13: FreeLibrary.KERNEL32(00000000,?), ref: 00C24D4D

Part of subcall function 00C4548B: __wfsopen.LIBCMT ref: 00C45496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00CE62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C24F6F

Part of subcall function 00C24CC8: FreeLibrary.KERNEL32(00000000), ref: 00C24D02

Part of subcall function 00C24DD0: _memmove.LIBCMT ref: 00C24E1A

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: eca25a42921d7c4ae88f806ddd2e0e60246bc9247c11357ecd97a18ee3f95d45
Instruction ID: 31f63169f1740ba81113e098391b473ef6ea92803d85eb2d995164c12437527a
Opcode Fuzzy Hash: eca25a42921d7c4ae88f806ddd2e0e60246bc9247c11357ecd97a18ee3f95d45
Instruction Fuzzy Hash: 24112031600325ABCF14FFB4EC02F6E77A49F80701F10842DF541975C1DE715A05A760

Uniqueness

Uniqueness Score: -1.00%

Function 00C601AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00C601BB

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 5a8e96addf6e0c0dc938137e031f9d33590f7bb5c8b921f8c752b6bdb2b21e69
Instruction ID: ee33be1bc0f44e6dd1e4685a37a5d1372b967cc2482525376f78d22b99868b2b
Opcode Fuzzy Hash: 5a8e96addf6e0c0dc938137e031f9d33590f7bb5c8b921f8c752b6bdb2b21e69
Instruction Fuzzy Hash: F62113B4508351DFCB24DF54D484B1ABBE0BF88314F05896CE89A57B21D731E856DB53

Uniqueness

Uniqueness Score: -1.00%

Function 00C25D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00C25807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00C25D76

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 5afe27abbed651778cdb2c6a5178455fa75e67bd655606ba434a6239537519b0
Instruction ID: caea16013d3bccdd80d9ab19a26f38807b18bf95d9557e5dea07ba667d9b1775
Opcode Fuzzy Hash: 5afe27abbed651778cdb2c6a5178455fa75e67bd655606ba434a6239537519b0
Instruction Fuzzy Hash: DF113A35200B119FD330CF15E584B67B7E5EF45750F10C92EE5AA86A50D770E945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00C2C6EF Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 00C2C73D

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: ee0c86e73b8b2eeb84f9f3d1e55c7982d303e76507bfa95d5d267e51f25b1614
Instruction ID: caa9f035a8e483efd3139fb9df3c9d772c5f8dc5936dcf34e7cfad400cf07004
Opcode Fuzzy Hash: ee0c86e73b8b2eeb84f9f3d1e55c7982d303e76507bfa95d5d267e51f25b1614
Instruction Fuzzy Hash: F2012431C042954FDB259B2898C0ADEFFB4AF42720F048156D860EB5A1D2349D46CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00C44A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00C44AD6

Part of subcall function 00C48D68: __getptd_noexit.LIBCMT ref: 00C48D68

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 0995fef58c27f61b18df1dddd0219506df1195fbaf381b0234acdaae74d70fb5
Instruction ID: 9a6c4a0f2246d672938f0cd80dc07bdc63d95b9c1cffebc6cef873bba5cfaf73
Opcode Fuzzy Hash: 0995fef58c27f61b18df1dddd0219506df1195fbaf381b0234acdaae74d70fb5
Instruction Fuzzy Hash: F5F0CD31940209EBDF65BFB4CC063AF36A1BF00725F288519F824AA1D2CB788A54FF55

Uniqueness

Uniqueness Score: -1.00%

Function 00C24FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00CE62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C24FDE

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ae7a0ec49b446440af4b9e049fa46b7b55b73a451472420b46af6a7ddd585db1
Instruction ID: 0dc76c51f396a77f244717d4f83d0cd1b3bdc5d8b1df7b19845d140e93c56016
Opcode Fuzzy Hash: ae7a0ec49b446440af4b9e049fa46b7b55b73a451472420b46af6a7ddd585db1
Instruction Fuzzy Hash: C8F03975105722CFCB389FA5E594826BBE1BF443293208A3EE1E682A10C731A944DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00C409D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C409F4

Part of subcall function 00C27D2C: _memmove.LIBCMT ref: 00C27D66

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 4aa1c653550e0a51482543f118009209e1ffb4613476250a7cf14317c9d992dd
Instruction ID: d499e197d9dbc87d42d7064ce684515d68f4ca835966e0224d09d79dbee1e2c4
Opcode Fuzzy Hash: 4aa1c653550e0a51482543f118009209e1ffb4613476250a7cf14317c9d992dd
Instruction Fuzzy Hash: 8FE0CD7690522857C720D6989C05FFA77EDDFC9791F0402B5FC4CD7205D9709C818690

Uniqueness

Uniqueness Score: -1.00%

Function 00C89129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00C8914B

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 3ff0ea6b8cb3d3b64d1059a2ec6c3b5c7d5f54505f9067290d22ea1ccecfe81e
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 45E09AB0218B009FDB389A24D814BE373E0FB06319F04081CF2AA83342EF63B8419B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00C25DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00C5E16B,?,?,00000000), ref: 00C25DBF

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 24a3fc34734b751a5ccc165dd31ee6380d66eb2ea39a66bb69ece700bf4b32c6
Instruction ID: 300c1b3b001baa4d6ec4d93fc9a23c5adf5d2e2ce428fbe38c03d5dbd8a8cb65
Opcode Fuzzy Hash: 24a3fc34734b751a5ccc165dd31ee6380d66eb2ea39a66bb69ece700bf4b32c6
Instruction Fuzzy Hash: FDD0C77464020CBFEB10DB80DC46FAD777CD705714F100194FE0457290D6B27D508795

Uniqueness

Uniqueness Score: -1.00%

Function 00C4548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00C45496

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 3465f820aac001d1cddd7ababadde00eb8ac29016020337e05d1cc4f1cebbf91
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: D4B0927A84020C77DE012E82EC02A593B19AB40678F808020FF0C2C162A673AAA0A689

Uniqueness

Uniqueness Score: -1.00%

Function 00C8D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00C8D46A

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 5e1dbe6564f390324826d334e79a4d9b95c0099e7a81286ae250c6588ed017e3
Instruction ID: fb0ae9d766070a7c09697a8092b4455814cb7d706483c64878106336e362cd4d
Opcode Fuzzy Hash: 5e1dbe6564f390324826d334e79a4d9b95c0099e7a81286ae250c6588ed017e3
Instruction Fuzzy Hash: 177160302043128FCB14EF64D491A6EB7E0AF88718F04496DF5968B6E1DB30EE49DB56

Uniqueness

Uniqueness Score: -1.00%

Function 00C40E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00C40EF7

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: e31173a8429773e4e0258b5f9c4e23375e5e169e6e36c67aa54e505164303b6a
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 3A311471A80105EFD718DF49C480A69F7A2FF99300B348AA5E64ACB251D731EED1CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 013822FC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01382311

Memory Dump Source

Source File: 00000000.00000002.1399982648.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1380000_charesworh.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: ba66cc2ba64598570594d721bdb3c7711e977f67f43c1498b561092059222298
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 40E09A7494020DAFDB00EFB4D54969E7BB4EF04302F1005A1FD0596681DA709A548A62

Uniqueness

Uniqueness Score: -1.00%

Function 01382300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01382311

Memory Dump Source

Source File: 00000000.00000002.1399982648.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1380000_charesworh.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 35f5f7f496ef9c90df1bb96c91b9855428bd663b4b7ca386e760371682c8468e
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 84E0E67494020DDFDB00EFB4D54969E7FB4EF04302F100561FD01D2281D6709D50CA62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00CACDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00CACE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CACE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00CACED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CACF00
SendMessageW.USER32 ref: 00CACF29
_wcsncpy.LIBCMT ref: 00CACFA1
GetKeyState.USER32(00000011), ref: 00CACFC2
GetKeyState.USER32(00000009), ref: 00CACFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CACFE5
GetKeyState.USER32(00000010), ref: 00CACFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CAD018
SendMessageW.USER32 ref: 00CAD03F
SendMessageW.USER32(?,00001030,?,00CAB602), ref: 00CAD145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00CAD15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00CAD16E
SetCapture.USER32(?), ref: 00CAD177
ClientToScreen.USER32(?,?), ref: 00CAD1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00CAD1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CAD203
ReleaseCapture.USER32 ref: 00CAD20E
GetCursorPos.USER32(?), ref: 00CAD248
ScreenToClient.USER32(?,?), ref: 00CAD255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CAD2B1
SendMessageW.USER32 ref: 00CAD2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CAD31C
SendMessageW.USER32 ref: 00CAD34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00CAD36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00CAD37B
GetCursorPos.USER32(?), ref: 00CAD39B
ScreenToClient.USER32(?,?), ref: 00CAD3A8
GetParent.USER32(?), ref: 00CAD3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CAD431
SendMessageW.USER32 ref: 00CAD462
ClientToScreen.USER32(?,?), ref: 00CAD4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00CAD4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CAD51A
SendMessageW.USER32 ref: 00CAD53D
ClientToScreen.USER32(?,?), ref: 00CAD58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00CAD5C3

Part of subcall function 00C225DB: GetWindowLongW.USER32(?,000000EB), ref: 00C225EC

GetWindowLongW.USER32(?,000000F0), ref: 00CAD65F

Strings

F, xrefs: 00CAD543
@GUI_DRAGID, xrefs: 00CAD1AA

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 7cd42c4b9a1ea6dbf348691b2dc832a28ea2b05b9e5144b091b3d1b43ca0239e
Instruction ID: 44eab464b340f704b20cc3bffd907dbba225b11d956efbb91a24d9d96f4752d1
Opcode Fuzzy Hash: 7cd42c4b9a1ea6dbf348691b2dc832a28ea2b05b9e5144b091b3d1b43ca0239e
Instruction Fuzzy Hash: FF42B070204342EFD725CF68C888FAABBE5FF4A318F14051DF6A6876A1C7319941DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00CA804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00CA873F

Strings

%d/%02d/%02d, xrefs: 00CA8478

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 9ca5bab7dc106cc54526ae803503fc804e39557900607349aa3e6c8019d29465
Instruction ID: dae19ca3f2d8f4af80bdcbbc191c8344420e251e5b036a8d9d8901338cf2c9a6
Opcode Fuzzy Hash: 9ca5bab7dc106cc54526ae803503fc804e39557900607349aa3e6c8019d29465
Instruction Fuzzy Hash: 7412E371500209AFEB258F65CC49FAE7BB4EF4A318F244129F915EB2E1DF708A49CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C3710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C375C2
_memset.LIBCMT ref: 00C376B1
_memmove.LIBCMT ref: 00C37C4B
_memmove.LIBCMT ref: 00C37E4F

Strings

\b(?<=\w), xrefs: 00C73C41
[:>:]], xrefs: 00C3760A
DEFINE, xrefs: 00C725AF
[:<:]], xrefs: 00C375F1
Q\E, xrefs: 00C381C1
\b(?=\w), xrefs: 00C73C34

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: f23d5d9253ff9d0259bbf455b7314b522619ca50df1543631c829ad087e2ff77
Instruction ID: 55e034cacc67095c1150f97da354b863eb9de1b510b3f47e1621da33fdc14328
Opcode Fuzzy Hash: f23d5d9253ff9d0259bbf455b7314b522619ca50df1543631c829ad087e2ff77
Instruction Fuzzy Hash: 0993A271A00216DFDB24CF99C881BADB7B1FF48710F25816AE959EB391E7709E81DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00C24A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00C24A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C5DA8E
IsIconic.USER32(?), ref: 00C5DA97
ShowWindow.USER32(?,00000009), ref: 00C5DAA4
SetForegroundWindow.USER32(?), ref: 00C5DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C5DAC4
GetCurrentThreadId.KERNEL32 ref: 00C5DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C5DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C5DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C5DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00C5DAF8
SetForegroundWindow.USER32(?), ref: 00C5DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C5DB10
keybd_event.USER32(00000012,00000000), ref: 00C5DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C5DB25
keybd_event.USER32(00000012,00000000), ref: 00C5DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C5DB33
keybd_event.USER32(00000012,00000000), ref: 00C5DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C5DB42
keybd_event.USER32(00000012,00000000), ref: 00C5DB47
SetForegroundWindow.USER32(?), ref: 00C5DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00C5DB71

Strings

Shell_TrayWnd, xrefs: 00C5DA89

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: df11547d3568cdcbfa158ea7196c338e561dfda74db70c04876e92aa788f9d10
Instruction ID: 6617d97544f2eab0ce9eda5ed141e0bb9fcc75ebf20917f20461b360388be857
Opcode Fuzzy Hash: df11547d3568cdcbfa158ea7196c338e561dfda74db70c04876e92aa788f9d10
Instruction Fuzzy Hash: 27317075A80318BBEB306FA19C49FBF3E6CEB45B51F114029FE05EB1D0D6B05941ABA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C78858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00C78CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C78D0D
Part of subcall function 00C78CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C78D3A
Part of subcall function 00C78CC3: GetLastError.KERNEL32 ref: 00C78D47

_memset.LIBCMT ref: 00C7889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00C788ED
CloseHandle.KERNEL32(?), ref: 00C788FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C78915
GetProcessWindowStation.USER32 ref: 00C7892E
SetProcessWindowStation.USER32(00000000), ref: 00C78938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C78952

Part of subcall function 00C78713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C78851), ref: 00C78728
Part of subcall function 00C78713: CloseHandle.KERNEL32(?,?,00C78851), ref: 00C7873A

Strings

, xrefs: 00C788AA
winsta0, xrefs: 00C78910
default, xrefs: 00C7894D

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 5344920e14518bc85f117014f52d785fa436e7de245c50bd7f75722d8cc1fc7a
Instruction ID: ac22ede84a171584d3817cfe117ccccdc33cba19cc27d096c133b4a7bb665dc5
Opcode Fuzzy Hash: 5344920e14518bc85f117014f52d785fa436e7de245c50bd7f75722d8cc1fc7a
Instruction Fuzzy Hash: 57814071940209AFDF11DFA4DC49AEE7B78FF05314F18816AFA24A6161DB318E19EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C9425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00CAF910), ref: 00C94284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00C94292
GetClipboardData.USER32(0000000D), ref: 00C9429A
CloseClipboard.USER32 ref: 00C942A6
GlobalLock.KERNEL32(00000000), ref: 00C942C2
CloseClipboard.USER32 ref: 00C942CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00C942E1
IsClipboardFormatAvailable.USER32(00000001), ref: 00C942EE
GetClipboardData.USER32(00000001), ref: 00C942F6
GlobalLock.KERNEL32(00000000), ref: 00C94303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00C94337
CloseClipboard.USER32 ref: 00C94447

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: b02f45eaf0f5db254224a1e77664715c58e4249642d0e57cafcd95445ad4da4e
Instruction ID: a912c8efdb822bd1e05a17ae18c2f5b28437b36ed94a67166f2fce95322b905d
Opcode Fuzzy Hash: b02f45eaf0f5db254224a1e77664715c58e4249642d0e57cafcd95445ad4da4e
Instruction Fuzzy Hash: 2851BE31204302ABDB14EFA0EC8AF6E77A8AF85B04F00462DF556D31E1DF70D9069B62

Uniqueness

Uniqueness Score: -1.00%

Function 00C8C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C8C9F8
FindClose.KERNEL32(00000000), ref: 00C8CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C8CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C8CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C8CAAF
__swprintf.LIBCMT ref: 00C8CAFB
__swprintf.LIBCMT ref: 00C8CB3E

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

__swprintf.LIBCMT ref: 00C8CB92

Part of subcall function 00C438D8: __woutput_l.LIBCMT ref: 00C43931

__swprintf.LIBCMT ref: 00C8CBE0

Part of subcall function 00C438D8: __flsbuf.LIBCMT ref: 00C43953
Part of subcall function 00C438D8: __flsbuf.LIBCMT ref: 00C4396B

__swprintf.LIBCMT ref: 00C8CC2F
__swprintf.LIBCMT ref: 00C8CC7E
__swprintf.LIBCMT ref: 00C8CCCD

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00C8CAF5
%02d, xrefs: 00C8CB86, 00C8CB90, 00C8CBDE, 00C8CC2D, 00C8CC7C, 00C8CCCB
%4d, xrefs: 00C8CB38

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: ccec6441869373f5cafdd8add060e7e48462bcea38993e3de886143d617e25b4
Instruction ID: 52ffae40f8ee2d321ebb7ccb5ab496e18a6e0a01a944a043c842cf1b691beff1
Opcode Fuzzy Hash: ccec6441869373f5cafdd8add060e7e48462bcea38993e3de886143d617e25b4
Instruction Fuzzy Hash: 64A14FB1408314ABC700FBA4D886EAFB7ECFF94704F40492AF596D3191EA74DA08D762

Uniqueness

Uniqueness Score: -1.00%

Function 00C8F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00C8F221
_wcscmp.LIBCMT ref: 00C8F236
_wcscmp.LIBCMT ref: 00C8F24D
GetFileAttributesW.KERNEL32(?), ref: 00C8F25F
SetFileAttributesW.KERNEL32(?,?), ref: 00C8F279
FindNextFileW.KERNEL32(00000000,?), ref: 00C8F291
FindClose.KERNEL32(00000000), ref: 00C8F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 00C8F2B8
_wcscmp.LIBCMT ref: 00C8F2DF
_wcscmp.LIBCMT ref: 00C8F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 00C8F308
SetCurrentDirectoryW.KERNEL32(00CDA5A0), ref: 00C8F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C8F330
FindClose.KERNEL32(00000000), ref: 00C8F33D
FindClose.KERNEL32(00000000), ref: 00C8F34F

Strings

*.*, xrefs: 00C8F2B3

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: bbca08cf91317f1973d6d37a215fc3a0ee62d81c1909028115eec2f6aefde638
Instruction ID: 2ce1e20266f87401d2fe4de686d903ae00b0b24e866625039eb3c8eee95f5007
Opcode Fuzzy Hash: bbca08cf91317f1973d6d37a215fc3a0ee62d81c1909028115eec2f6aefde638
Instruction Fuzzy Hash: CF31C5765012196BDB10EBB4EC48BDE77ACAF49369F10027EE950D30A0EB30DB46CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00CA0AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CA0BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00CAF910,00000000,?,00000000,?,?), ref: 00CA0C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00CA0C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00CA0D1D
RegCloseKey.ADVAPI32(?), ref: 00CA103D
RegCloseKey.ADVAPI32(00000000), ref: 00CA104A

Strings

REG_MULTI_SZ, xrefs: 00CA0E05
REG_QWORD, xrefs: 00CA0F8B
REG_BINARY, xrefs: 00CA0FD8
REG_EXPAND_SZ, xrefs: 00CA0CBA
REG_SZ, xrefs: 00CA0D5B
REG_DWORD, xrefs: 00CA0F0E

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 3a1e7ad59693b6c68b3cc77f07d9603711647ffd8fb88e5e96264fdf04c8684a
Instruction ID: 41dab1cefc1b6ab914a9f462879404602160420946821f9576c46446a7893f6c
Opcode Fuzzy Hash: 3a1e7ad59693b6c68b3cc77f07d9603711647ffd8fb88e5e96264fdf04c8684a
Instruction Fuzzy Hash: 77029C356006119FDB14EF24D881E2AB7E5FF89724F04885DF89A9B7A2CB31ED41DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00C8F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00C8F37E
_wcscmp.LIBCMT ref: 00C8F393
_wcscmp.LIBCMT ref: 00C8F3AA

Part of subcall function 00C845C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C845DC

FindNextFileW.KERNEL32(00000000,?), ref: 00C8F3D9
FindClose.KERNEL32(00000000), ref: 00C8F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 00C8F400
_wcscmp.LIBCMT ref: 00C8F427
_wcscmp.LIBCMT ref: 00C8F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 00C8F450
SetCurrentDirectoryW.KERNEL32(00CDA5A0), ref: 00C8F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C8F478
FindClose.KERNEL32(00000000), ref: 00C8F485
FindClose.KERNEL32(00000000), ref: 00C8F497

Strings

*.*, xrefs: 00C8F3FB

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: aefd2e2cb2f53fb33e1d947952bffe799ffd8e44fdaec4bfeab61dd9af9224c9
Instruction ID: 056e4609f9ab190432f274c8e47957f9e2eb5e835333ad3dbce245121fd37a60
Opcode Fuzzy Hash: aefd2e2cb2f53fb33e1d947952bffe799ffd8e44fdaec4bfeab61dd9af9224c9
Instruction Fuzzy Hash: 3331A97150111D6BCF10BBA4EC88BDE77AC9F49368F14027AE950A31A1E770DF46DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00C781F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C78766
Part of subcall function 00C7874A: GetLastError.KERNEL32(?,00C7822A,?,?,?), ref: 00C78770
Part of subcall function 00C7874A: GetProcessHeap.KERNEL32(00000008,?,?,00C7822A,?,?,?), ref: 00C7877F
Part of subcall function 00C7874A: HeapAlloc.KERNEL32(00000000,?,00C7822A,?,?,?), ref: 00C78786
Part of subcall function 00C7874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C7879D

Part of subcall function 00C787E7: GetProcessHeap.KERNEL32(00000008,00C78240,00000000,00000000,?,00C78240,?), ref: 00C787F3
Part of subcall function 00C787E7: HeapAlloc.KERNEL32(00000000,?,00C78240,?), ref: 00C787FA
Part of subcall function 00C787E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C78240,?), ref: 00C7880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C7825B
_memset.LIBCMT ref: 00C78270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C7828F
GetLengthSid.ADVAPI32(?), ref: 00C782A0
GetAce.ADVAPI32(?,00000000,?), ref: 00C782DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C782F9
GetLengthSid.ADVAPI32(?), ref: 00C78316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C78325
HeapAlloc.KERNEL32(00000000), ref: 00C7832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C7834D
CopySid.ADVAPI32(00000000), ref: 00C78354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C78385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C783AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C783BF

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 06a9b4ef3c1c671ded44a46f0cb75671ce64d74eacb4f72b7d94376e3c16d423
Instruction ID: e9f1848667f73080330c390bb301907b18e0bada55505924755efd7346b83c59
Opcode Fuzzy Hash: 06a9b4ef3c1c671ded44a46f0cb75671ce64d74eacb4f72b7d94376e3c16d423
Instruction Fuzzy Hash: 34615E71940209AFDF10DF94DC48AEEBB79FF05704F148169F929A72A1DB319A09CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C36843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

LF), xrefs: 00C716DD
UTF16), xrefs: 00C71508
NO_AUTO_POSSESS), xrefs: 00C71567
BSR_ANYCRLF), xrefs: 00C71757
ANY), xrefs: 00C71717
NO_START_OPT), xrefs: 00C71588
LIMIT_RECURSION=, xrefs: 00C71635
UCP), xrefs: 00C71546
UTF), xrefs: 00C71533
CRLF), xrefs: 00C716FA
LIMIT_MATCH=, xrefs: 00C715A9
ANYCRLF), xrefs: 00C71734
BSR_UNICODE), xrefs: 00C71771
CR), xrefs: 00C716C0

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 8658e54637ac0653ce927c95a0456c9c9ea036071dede56771b2b708f54bb273
Instruction ID: 89f04e9c74c8a40700310f206181405e35db7188d00d29964b60477c5764d488
Opcode Fuzzy Hash: 8658e54637ac0653ce927c95a0456c9c9ea036071dede56771b2b708f54bb273
Instruction Fuzzy Hash: 20728F71E102199BDF24CF59C8907AEB7B5FF48310F18C16AE959EB290DB709E81DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CA0665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CA0038,?,?), ref: 00CA10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CA0737

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CA07D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00CA086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00CA0AAD
RegCloseKey.ADVAPI32(00000000), ref: 00CA0ABA

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 4f2e9b5433e3a5b4ccb1dc6b7ee9c8dcc9210b8f552ae48ad37bf518805cfa8c
Instruction ID: 4d432d2cb8dbc3aecfa9465a402b2555fe571ab5b34dee2823b5504d38f21b56
Opcode Fuzzy Hash: 4f2e9b5433e3a5b4ccb1dc6b7ee9c8dcc9210b8f552ae48ad37bf518805cfa8c
Instruction Fuzzy Hash: A3E16C31604311AFCB14DF65C881E2ABBE4EF89758F14896DF89ADB262DA30ED01DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C80219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C80241
GetAsyncKeyState.USER32(000000A0), ref: 00C802C2
GetKeyState.USER32(000000A0), ref: 00C802DD
GetAsyncKeyState.USER32(000000A1), ref: 00C802F7
GetKeyState.USER32(000000A1), ref: 00C8030C
GetAsyncKeyState.USER32(00000011), ref: 00C80324
GetKeyState.USER32(00000011), ref: 00C80336
GetAsyncKeyState.USER32(00000012), ref: 00C8034E
GetKeyState.USER32(00000012), ref: 00C80360
GetAsyncKeyState.USER32(0000005B), ref: 00C80378
GetKeyState.USER32(0000005B), ref: 00C8038A

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 2bf9100fefa4fba4c3b10f659218be290a431b9ffb9c71a7d6323f088f81d3ac
Instruction ID: fd012a5404c9446a1e6abe24d485d8b15a6289e463e3e7f944bdb4dcdb38d993
Opcode Fuzzy Hash: 2bf9100fefa4fba4c3b10f659218be290a431b9ffb9c71a7d6323f088f81d3ac
Instruction Fuzzy Hash: 66419E24904BC96EFFB16AA484083B5BEA06F1234CF28409DD5D5571D2D7E45FCC8795

Uniqueness

Uniqueness Score: -1.00%

Function 00C986D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

CoInitialize.OLE32 ref: 00C98718
CoUninitialize.OLE32 ref: 00C98723
CoCreateInstance.OLE32(?,00000000,00000017,00CB2BEC,?), ref: 00C98783
IIDFromString.OLE32(?,?), ref: 00C987F6
VariantInit.OLEAUT32(?), ref: 00C98890
VariantClear.OLEAUT32(?), ref: 00C988F1

Strings

NULL Pointer assignment, xrefs: 00C987C8
Failed to create object, xrefs: 00C9878E, 00C98844
Invalid parameter, xrefs: 00C9880F

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 4ca4ea02e2d67c4f44783f9ade35fe310d660852dcbf42c59dd7088c9a7e962a
Instruction ID: 70d91791b988102f7d4d0609ffa39f232057c24fcd71c5b5f8453741813f3706
Opcode Fuzzy Hash: 4ca4ea02e2d67c4f44783f9ade35fe310d660852dcbf42c59dd7088c9a7e962a
Instruction Fuzzy Hash: AE61C0706083119FDB10DF65C848B6EBBE8EF4A714F10481DF9959B291CB70EE48CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00C94458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00C9447F
EmptyClipboard.USER32 ref: 00C94485
GlobalAlloc.KERNEL32(00000002,?), ref: 00C9449A
CloseClipboard.USER32 ref: 00C94539

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 0ccd3c3f2c85aa7e185671160abd31975ace6657ec0f8c93e565887a8099a5a2
Instruction ID: dd7763bbf5f20a546eebef4612e74c003f231214f82d3c215d5694b152d70fb1
Opcode Fuzzy Hash: 0ccd3c3f2c85aa7e185671160abd31975ace6657ec0f8c93e565887a8099a5a2
Instruction Fuzzy Hash: 8621B235600620DFDB14AFA0EC49F6D7BA8EF05725F11802AF946DB2B1DB30AD02DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00C83A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C248A1,?,?,00C237C0,?), ref: 00C248CE

Part of subcall function 00C84CD3: GetFileAttributesW.KERNEL32(?,00C83947), ref: 00C84CD4

FindFirstFileW.KERNEL32(?,?), ref: 00C83ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00C83B87
MoveFileW.KERNEL32(?,?), ref: 00C83B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00C83BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C83BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00C83BF5

Strings

\*.*, xrefs: 00C83A8A, 00C83A93, 00C83AA8

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 6668f042d5ef08bd0d3f539eaff8005a0dfb9913020eda6ad90296f7d6341dd7
Instruction ID: 2a8933bae0283e15963ccebed7498a7c24839109535309da0aad29c282c5e216
Opcode Fuzzy Hash: 6668f042d5ef08bd0d3f539eaff8005a0dfb9913020eda6ad90296f7d6341dd7
Instruction Fuzzy Hash: B9517E318052999BCF15FBA0DD929FEB778AF14704F2442A9E45277091EF306F09EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C8F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00C8F6AB
Sleep.KERNEL32(0000000A), ref: 00C8F6DB
_wcscmp.LIBCMT ref: 00C8F6EF
_wcscmp.LIBCMT ref: 00C8F70A
FindNextFileW.KERNEL32(?,?), ref: 00C8F7A8
FindClose.KERNEL32(00000000), ref: 00C8F7BE

Strings

*.*, xrefs: 00C8F690

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 14f946f3fee8ac4074a615457688aafac392558731afe13ea6273b26ee8e4a56
Instruction ID: 9de820fc6b4d834e66295f9659719a2098e278f2b3ce50eaa360bf0dbc23f638
Opcode Fuzzy Hash: 14f946f3fee8ac4074a615457688aafac392558731afe13ea6273b26ee8e4a56
Instruction Fuzzy Hash: 1A41937190021AAFDF11EFA4CC85AEEBBB4FF05314F14456AE814A3190EB309E55DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C34140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00C3421F
VUUU, xrefs: 00C344ED
VUUU, xrefs: 00C67B0C
VUUU, xrefs: 00C34520
VUUU, xrefs: 00C344DB

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 20bb06393df2968e8a76db9eb79fd5374da8269f0147664d15bd44be8bdcf6dc
Instruction ID: b2ea5f46f91a2874e9c68b1a24b8407dd73b1a7b81d6935eae29c5be25e14372
Opcode Fuzzy Hash: 20bb06393df2968e8a76db9eb79fd5374da8269f0147664d15bd44be8bdcf6dc
Instruction Fuzzy Hash: 62A29170E1421ACBDF38CF58C9807ADB7B1BF55314F1486AAE866A7280D734AE85DF41

Uniqueness

Uniqueness Score: -1.00%

Function 00C358C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C35A05
_memmove.LIBCMT ref: 00C35A55
_memmove.LIBCMT ref: 00C35ABB

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9cc62833047fc5025aa2a57b1e4fa2284f42e6d38ecab1ec734a185009d616ee
Instruction ID: 7cd5e15a49038a912137518f85a8a8c14214ed5dd457286739ad56d2060b3612
Opcode Fuzzy Hash: 9cc62833047fc5025aa2a57b1e4fa2284f42e6d38ecab1ec734a185009d616ee
Instruction Fuzzy Hash: 88129B70A00609DFDF14DFA5D981AEEB7F5FF48300F208629E816A7291EB35AE15DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C8545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00C78CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C78D0D
Part of subcall function 00C78CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C78D3A
Part of subcall function 00C78CC3: GetLastError.KERNEL32 ref: 00C78D47

ExitWindowsEx.USER32(?,00000000), ref: 00C8549B

Strings

SeShutdownPrivilege, xrefs: 00C8546B
@, xrefs: 00C8548E
, xrefs: 00C85489

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 223f5d86b58463d565cd82324563a39be07381b5f405481b2435af529f48e338
Instruction ID: 99435bb1b8a199e2eb4a6c67ccb77f4f66fb36f0bfb97b67149989a71f60237f
Opcode Fuzzy Hash: 223f5d86b58463d565cd82324563a39be07381b5f405481b2435af529f48e338
Instruction Fuzzy Hash: CA017B35A94B112AE72872B8DC4ABBA7258EB8574BF200135FD17E20D3DAF04D808398

Uniqueness

Uniqueness Score: -1.00%

Function 00C96596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C965EF
WSAGetLastError.WSOCK32(00000000), ref: 00C965FE
bind.WSOCK32(00000000,?,00000010), ref: 00C9661A
listen.WSOCK32(00000000,00000005), ref: 00C96629
WSAGetLastError.WSOCK32(00000000), ref: 00C96643
closesocket.WSOCK32(00000000,00000000), ref: 00C96657

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 2b82ddd75876b8965f16c909541367487148dfe0922f418100c0af77ea3dbbd7
Instruction ID: d9a0b3d1c459d039449e75bb377351637e80afd061c9bfd2b13fcb5c5aed3060
Opcode Fuzzy Hash: 2b82ddd75876b8965f16c909541367487148dfe0922f418100c0af77ea3dbbd7
Instruction Fuzzy Hash: B721AD306002109FDF10EF64D889B6EB7A9EF4A724F158169F96AE73D1CB70AD01EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C35680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00C40FF6: std::exception::exception.LIBCMT ref: 00C4102C
Part of subcall function 00C40FF6: __CxxThrowException@8.LIBCMT ref: 00C41041

_memmove.LIBCMT ref: 00C7062F
_memmove.LIBCMT ref: 00C70744
_memmove.LIBCMT ref: 00C707EB

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 22b2605a07cc1fb397ed4bcc1b037fe5057635357445f60817d800aaa006146b
Instruction ID: 7b939b461ac97332353588dbecd29ec0c2b752713b730342662ccfe00754cc98
Opcode Fuzzy Hash: 22b2605a07cc1fb397ed4bcc1b037fe5057635357445f60817d800aaa006146b
Instruction Fuzzy Hash: 6D0281B0E10205DBDF04DF65D982AAEBBB5FF44300F248069E80ADB295EB31DE55DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C21287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00C219FA
GetSysColor.USER32(0000000F), ref: 00C21A4E
SetBkColor.GDI32(?,00000000), ref: 00C21A61

Part of subcall function 00C21290: DefDlgProcW.USER32(?,00000020,?), ref: 00C212D8

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: edbd7f5939a51c199c9ba79263d893d85ca4d5ee9424d62acfd80f66fc630515
Instruction ID: 90711155b0933f34f7fdb5c5e4efd581ae3c3022993ffce88a4f7157253c9aaf
Opcode Fuzzy Hash: edbd7f5939a51c199c9ba79263d893d85ca4d5ee9424d62acfd80f66fc630515
Instruction Fuzzy Hash: 80A17C711014A5FFD638AB2A7C85F7F399CDB62386B1C0109FC12D69D1CE269E41B2B9

Uniqueness

Uniqueness Score: -1.00%

Function 00C96A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C980A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C980CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C96AB1
WSAGetLastError.WSOCK32(00000000), ref: 00C96ADA
bind.WSOCK32(00000000,?,00000010), ref: 00C96B13
WSAGetLastError.WSOCK32(00000000), ref: 00C96B20
closesocket.WSOCK32(00000000,00000000), ref: 00C96B34

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 916be20282abe20d8416e2a784f10638730b9cce9ab55daef203e93e569650ba
Instruction ID: 5e4f8526e153c305c4892f658c2039948ca02144c8226c61285047c05b7d66a1
Opcode Fuzzy Hash: 916be20282abe20d8416e2a784f10638730b9cce9ab55daef203e93e569650ba
Instruction Fuzzy Hash: A841C675B00220AFEB10BF64EC86F6E77A5DB09724F04805CF95AAB3D2DB749D01A791

Uniqueness

Uniqueness Score: -1.00%

Function 00CA55FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00CA564C
IsWindowEnabled.USER32 ref: 00CA565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00CA5667
IsIconic.USER32 ref: 00CA5675
IsZoomed.USER32 ref: 00CA5683

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: c65afe800aab06e67c9702c36f76b99a49b8cd6cb2c4c1b5ca2b5ee52530acca
Instruction ID: 8efdf5d12e43324642180415cb8714b3900a0f7d12c12b10e424136e6985d0a1
Opcode Fuzzy Hash: c65afe800aab06e67c9702c36f76b99a49b8cd6cb2c4c1b5ca2b5ee52530acca
Instruction Fuzzy Hash: 16110471700A22AFE7212F66DC04B6F7798EF46725B448028F846D3341CB309E028AA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C9C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C61D88,?), ref: 00C9C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C9C324

Strings

kernel32.dll, xrefs: 00C9C30D
GetSystemWow64DirectoryW, xrefs: 00C9C31E

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: ef8c6f752b7ce694584c1d645606473bce671674c1ab534251c0666ed6f0ab9a
Instruction ID: 7fd7e61b92aeaa24399b676494802a94484f01e3e53974462eb94f5e6652771d
Opcode Fuzzy Hash: ef8c6f752b7ce694584c1d645606473bce671674c1ab534251c0666ed6f0ab9a
Instruction Fuzzy Hash: 0BE0E674610713CFDF205B65D848B8A76D4FB09759B80843DD9A5D2660D770D941C760

Uniqueness

Uniqueness Score: -1.00%

Function 00C33190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 68f11ea968fd3a5363d865d8016e39bace16c46d3115d92d56a3395c3ded6647
Instruction ID: ce61b55c9fd4e0c5a53c9e6a3efc0646bfbd2f97c98f9328ac7100cf8eefe62a
Opcode Fuzzy Hash: 68f11ea968fd3a5363d865d8016e39bace16c46d3115d92d56a3395c3ded6647
Instruction Fuzzy Hash: B422BA716183519FC724DF24C891BAFB7E4BF84314F104A2DF89A9B291DB31EA44DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C9F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C9F151
Process32FirstW.KERNEL32(00000000,?), ref: 00C9F15F

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

Process32NextW.KERNEL32(00000000,?), ref: 00C9F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00C9F22E

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 2bc17f62c12a21a15a8d6601797716666f557f04a90d63c7671b399de11de19b
Instruction ID: a20ec2016ca8838149b1076cbcaa1c68a4cc32a2266cfaa3770b0b0da8d72e56
Opcode Fuzzy Hash: 2bc17f62c12a21a15a8d6601797716666f557f04a90d63c7671b399de11de19b
Instruction Fuzzy Hash: 1B517C715043119FD710EF20EC86B6FB7E8EF89710F10492DF595972A1EB70AA09DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C840B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00C840D1
_memset.LIBCMT ref: 00C840F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00C84144
CloseHandle.KERNEL32(00000000), ref: 00C8414D

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 6358c85facbed295c931989dafe9eb562dc0339838883613bf6a29ce3e25009e
Instruction ID: 11a90b6ab00b0ff75731dd49cee88e037c990b924bdc27a4d932af31288481b7
Opcode Fuzzy Hash: 6358c85facbed295c931989dafe9eb562dc0339838883613bf6a29ce3e25009e
Instruction Fuzzy Hash: 1B11CA759012287AD7309BA5AC4DFAFBB7CEF45764F1042AAF908D7190D6744F80CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C7EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C7EB19

Strings

(, xrefs: 00C7EB5F
|, xrefs: 00C7EB49

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 6027ec0aa5b5c669dc3f4dfa5fc937ea98a6ca8bc811e3278d07a94e63cc0725
Instruction ID: a5efe2d77b0eabe779828fa7f10fcbb7c8a0451eacde43e30c8bb1681d109e7b
Opcode Fuzzy Hash: 6027ec0aa5b5c669dc3f4dfa5fc937ea98a6ca8bc811e3278d07a94e63cc0725
Instruction Fuzzy Hash: 97323775A007059FDB28CF69C481A6AB7F1FF48310B15C5AEE4AADB3A1D770E941CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00C925E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00C926D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00C9270C

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: f77297ddae19c3c0ac29c902b821522c163f3109e8d0dd2754382fd3f9b4069b
Instruction ID: 9b0bcc1c7e6e1d66c16fc6656767cbbaec4d66315486d27135bb01b329475e47
Opcode Fuzzy Hash: f77297ddae19c3c0ac29c902b821522c163f3109e8d0dd2754382fd3f9b4069b
Instruction Fuzzy Hash: DC41D375500209BFEF20DE95DC89FBFB7BCEB40724F10406EFA91A6540EA719E41A660

Uniqueness

Uniqueness Score: -1.00%

Function 00C8B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C8B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C8B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00C8B655

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 925048740543dd7ba9a3f149a48ff7629646fd4e67c56fea2bc31a3d75459161
Instruction ID: b9b4c7d92603e09b96bbf37da01d9dde60a5ec6cafb6fac1f69b28cdbad4a334
Opcode Fuzzy Hash: 925048740543dd7ba9a3f149a48ff7629646fd4e67c56fea2bc31a3d75459161
Instruction Fuzzy Hash: A221A135A00218EFCB00EFA5D881FAEBBB8FF49314F0480A9E905AB351DB319D06DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C78CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00C40FF6: std::exception::exception.LIBCMT ref: 00C4102C
Part of subcall function 00C40FF6: __CxxThrowException@8.LIBCMT ref: 00C41041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C78D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C78D3A
GetLastError.KERNEL32 ref: 00C78D47

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: a5f5945736aecd3fda7b4455deedd2fa24fb3cb492a6a738a51d4ff892831016
Instruction ID: af9b39e4807be4dc516bee4aaafc6d73f1481913b2cab5101bf07964c3f96ba3
Opcode Fuzzy Hash: a5f5945736aecd3fda7b4455deedd2fa24fb3cb492a6a738a51d4ff892831016
Instruction Fuzzy Hash: 4711C1B1454209AFE728DFA4DC89E6BB7BCFB04710B20C52EF55A83241EB70AC458A20

Uniqueness

Uniqueness Score: -1.00%

Function 00C84C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C84C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C84C43
FreeSid.ADVAPI32(?), ref: 00C84C53

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 85e113e7a4bc97a3f01f0bf28f0b36a143ac88231ccd3f3cd2400ba81029e45d
Instruction ID: 7565df599debe80814415e0736148b0a75b1dd83897a047c944d30d6254e598d
Opcode Fuzzy Hash: 85e113e7a4bc97a3f01f0bf28f0b36a143ac88231ccd3f3cd2400ba81029e45d
Instruction Fuzzy Hash: 77F03775A11209BBDB04DFE09C89AAEBBBCEB08205F0044A9A901E2181E7706A048B50

Uniqueness

Uniqueness Score: -1.00%

Function 00C2E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a9de5d1115b59d1dd4dee916dc8082723412f13a8a12c00f29275fd3ac91a5
Instruction ID: ca53baad559cb3ba144246e1fe92b7151839443185a219f42879286aef2ef2cb
Opcode Fuzzy Hash: e4a9de5d1115b59d1dd4dee916dc8082723412f13a8a12c00f29275fd3ac91a5
Instruction Fuzzy Hash: 7422B070A00225DFDB24DF54E480BAEB7F0FF08300F188169E866AB751E774AE85DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C8C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C8C966
FindClose.KERNEL32(00000000), ref: 00C8C996

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 64daee1c2ef9c08316d4dc35f147b292578fc03c3a727847ec33ce0125a50063
Instruction ID: 30d7e135dc6feb03eb31435797742585f74d76726d2a7ba0dcded8eb05c44715
Opcode Fuzzy Hash: 64daee1c2ef9c08316d4dc35f147b292578fc03c3a727847ec33ce0125a50063
Instruction Fuzzy Hash: 9411C4326106109FDB10EF29D845A2EF7E9FF85324F00895EF8A9D72A1DB30AC01DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C8A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00C9977D,?,00CAFB84,?), ref: 00C8A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00C9977D,?,00CAFB84,?), ref: 00C8A314

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 05e1c734c18ae8e941c63f67d51e8e51e033e865f8aec947aeb5ed3a4270f187
Instruction ID: 1c3cec99a83a91a9d692f8de16c2719d6c91f8b7a18e2894dc49d47c922dcc76
Opcode Fuzzy Hash: 05e1c734c18ae8e941c63f67d51e8e51e033e865f8aec947aeb5ed3a4270f187
Instruction Fuzzy Hash: 13F0E23510422DBBEB10AFA4CC48FEA736CBF09362F00426AB908D3190D6309940CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00C78713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C78851), ref: 00C78728
CloseHandle.KERNEL32(?,?,00C78851), ref: 00C7873A

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 426d767cc145f69277ff0a3e4be8de3edf376c49257b70eba58e92b7503df71f
Instruction ID: 07f9619362fa8f054b07e4fed1c351113f1bb75e98a933f375223e53f6416716
Opcode Fuzzy Hash: 426d767cc145f69277ff0a3e4be8de3edf376c49257b70eba58e92b7503df71f
Instruction Fuzzy Hash: FDE0B676010650EEEB262B60EC09E777BA9FB05354724892DB99681470DB72ACD1EB10

Uniqueness

Uniqueness Score: -1.00%

Function 00C4A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00C48F97,?,?,?,00000001), ref: 00C4A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00C4A3A3

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5eb7b0a60ce4fc28f2875a96dbb31379cccf7592c09c232226e7918044425d26
Instruction ID: 4e53ea655d0227f3e52aaf8b81d5d77004409a4d8e6c9e57cb63653d64a50a9d
Opcode Fuzzy Hash: 5eb7b0a60ce4fc28f2875a96dbb31379cccf7592c09c232226e7918044425d26
Instruction Fuzzy Hash: D1B09231055208ABCF002BD1EC59B8C3F68EB46AAAF404024F60D86070CBB254528A91

Uniqueness

Uniqueness Score: -1.00%

Function 00C4F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f4ab5f0fdcce883bf6cb04a5e74f2ef05149d992bae3cee1d7013ef2951645
Instruction ID: 59bed775f106c244b04f1bc2d2fb22a12866ee557987befeffe2c45a4b5bddc9
Opcode Fuzzy Hash: d2f4ab5f0fdcce883bf6cb04a5e74f2ef05149d992bae3cee1d7013ef2951645
Instruction Fuzzy Hash: 2632F531D69F414EDB239635D87233AA249AFB73C4F15D73BEC29B59A6EB28C5834100

Uniqueness

Uniqueness Score: -1.00%

Function 00C5267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d1c36ce49db769d8528405afb425ceb078f1c6f5abd5fff5ccd86964d941bc
Instruction ID: 998d9a91dc84e1ea740583582977505ccb5e5d8afad65ffd417971a2af78ccb8
Opcode Fuzzy Hash: a7d1c36ce49db769d8528405afb425ceb078f1c6f5abd5fff5ccd86964d941bc
Instruction Fuzzy Hash: 7AB1E020D2AF514DD7239639883133ABB9CAFBB2D5F51E71BFC6674D22EB2185834241

Uniqueness

Uniqueness Score: -1.00%

Function 00C88B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00C88B25

Part of subcall function 00C4543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00C891F8,00000000,?,?,?,?,00C893A9,00000000,?), ref: 00C45443
Part of subcall function 00C4543A: __aulldiv.LIBCMT ref: 00C45463

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 69a9c34613ea5fab0b1136a2082236ea0b34bcc31f43ffcfa361a2c4ae157c24
Instruction ID: d89ce2f249d67ce2cab1e4e55dcad3da65e688cfa982f56733080a90d63372db
Opcode Fuzzy Hash: 69a9c34613ea5fab0b1136a2082236ea0b34bcc31f43ffcfa361a2c4ae157c24
Instruction Fuzzy Hash: AA21D2726256108BC729CF25D841B62B3E1EBA5311B688F6CD1F5CF6D0CA34B905CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00C941FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00C94218

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 4c0bbb565e0ca3ded1c4520817177ca4dc799a216c58fd1448fa866c7af44247
Instruction ID: e0ffc902a920b451743ccbaea68215f3e64f01ba059c9fd62c874919df1a68f6
Opcode Fuzzy Hash: 4c0bbb565e0ca3ded1c4520817177ca4dc799a216c58fd1448fa866c7af44247
Instruction Fuzzy Hash: ACE04F31240614DFDB10EF5AE845E9AF7E8EF98760F00802AFC4AC7752DA70E9419BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C84EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00C84EEC

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: b27c93cb9675565e7db3f2e34f6205175261d19c07cf70a3b628ffc8436ffe36
Instruction ID: 8f4d6aa30c97d77f93d75265886b45f6a06502ab9d020f2e3eecf432d01ec429
Opcode Fuzzy Hash: b27c93cb9675565e7db3f2e34f6205175261d19c07cf70a3b628ffc8436ffe36
Instruction Fuzzy Hash: 5CD05E981607077AEC2C6B249C5FF778108F30078EFD0414AB112894C1E8D06D516238

Uniqueness

Uniqueness Score: -1.00%

Function 00C78C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00C788D1), ref: 00C78CB3

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 4ee6e3149753b9b78f78bcc46bc7805d201d4239552a996a3fe81e85d038e07d
Instruction ID: 9f353ecb36a79f4127ce251b1641cc1b252dda701583e4f55384ed5d9abb5e02
Opcode Fuzzy Hash: 4ee6e3149753b9b78f78bcc46bc7805d201d4239552a996a3fe81e85d038e07d
Instruction Fuzzy Hash: 7ED05E322A050EABEF018EA4DC01EAE3B69EB04B01F408111FE15C60A1C775D835AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C62230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00C62242

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 892f5755f1e4af89ad0c58a63b6e5261c2305b3589307b4535f9bc5065fb6f7b
Instruction ID: 96394d4737467daf895bb5748ddb723b12a9d68af4447252acdca9f5d70cc805
Opcode Fuzzy Hash: 892f5755f1e4af89ad0c58a63b6e5261c2305b3589307b4535f9bc5065fb6f7b
Instruction Fuzzy Hash: 86C04CF1800109DBDB15DB90D988EEE77BCAB04305F144055A541F2100D7749B448A71

Uniqueness

Uniqueness Score: -1.00%

Function 00C4A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00C4A36A

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b2bb3a47191434f22a200cc348037cc9ec2fa58b4dfd278eda713314872ef49e
Instruction ID: 70ca8e2b0b051b0975c6d36cc52265962e8e6f8a730e52bea7e507c43922f765
Opcode Fuzzy Hash: b2bb3a47191434f22a200cc348037cc9ec2fa58b4dfd278eda713314872ef49e
Instruction Fuzzy Hash: 94A0123000010CA78F001BC1EC045487F5CD6011947004020F40C41031873254114580

Uniqueness

Uniqueness Score: -1.00%

Function 00C38A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01fccad98b39d2275c2e405bfbfda34e46d2daddbef6b5b305b9ab4296879a79
Instruction ID: c509b1550b69e2a7814b71dfb48b8030331008935db82566056bd6f59d8d9ed4
Opcode Fuzzy Hash: 01fccad98b39d2275c2e405bfbfda34e46d2daddbef6b5b305b9ab4296879a79
Instruction Fuzzy Hash: 09224A30911716CBDF289B29D4C467DB7B1FB01304F68846AF4669B2D1DB70DE8ADBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C42405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: e5b8151b5ba15bad31b3de2cb168d6c19e5d60d875214b40f9e270766a9f89dd
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: B6C1823220509309EB2D467AD43513EBAE17AA27B139E175DF8F2CB5C4FF20D669D620

Uniqueness

Uniqueness Score: -1.00%

Function 00C4283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 76b998f177638db1341fb7fe1dd9e9cb65b97892e2241b61f74923225e8d1577
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: B7C1963220519309EB2D463A843513EBBE17AA27B139A075DF8F3DB5C4FF10D669E620

Uniqueness

Uniqueness Score: -1.00%

Function 00C41BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: fc36d08a0761d7711c4a1f3874e6d76c26a6b6e5fd6cdc369ef7b719f6f1bb79
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 59C1A13624519309EF2D467A847403EBAE17AA27B135E076DECF2CB4C4FF20D6A99610

Uniqueness

Uniqueness Score: -1.00%

Function 01383650 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399982648.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1380000_charesworh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: b1a0e7909a0cb492e790c4ca3a064015e38b82aa6875b07934ca8d19fbf2cbd4
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: D141D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 013834E0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399982648.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1380000_charesworh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 2f2c90339b4012647b71cfc120f789cd62c2c10105f14b8b288470b9ab433f10
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 9E019278A04209EFCB48EF98C5909AEF7B5FB48714F208599D809A7701D730EE41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01383540 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399982648.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1380000_charesworh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 95ccbfd9818e5f0449b621cf2ca7cac44b5dcfa7edaf8f638b94aea86f0209e5
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 17019D78A01209EFCB44EF98C5909AEF7B5FB48714F208699E919A7701E730EE41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01381ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399982648.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1380000_charesworh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Uniqueness

Uniqueness Score: -1.00%

Function 00CA37F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00CAF910), ref: 00CA38AF
IsWindowVisible.USER32(?), ref: 00CA38D3

Strings

GETLINECOUNT, xrefs: 00CA3B4E
ISENABLED, xrefs: 00CA38F3
GETCURRENTSELECTION, xrefs: 00CA3A6B
UNCHECK, xrefs: 00CA3B0B
CHECK, xrefs: 00CA3AF5
GETCURRENTLINE, xrefs: 00CA3B75
GETSELECTED, xrefs: 00CA3B2B
ADDSTRING, xrefs: 00CA399E
EDITPASTE, xrefs: 00CA3BE7
SELECTSTRING, xrefs: 00CA3A8E
GETCURRENTCOL, xrefs: 00CA3BB0
ISCHECKED, xrefs: 00CA3AC1
CURRENTTAB, xrefs: 00CA3945
SETCURRENTSELECTION, xrefs: 00CA3A3E
TABRIGHT, xrefs: 00CA3925
FINDSTRING, xrefs: 00CA39FE
DELSTRING, xrefs: 00CA39D1
ISVISIBLE, xrefs: 00CA38BF
SHOWDROPDOWN, xrefs: 00CA3968
SENDCOMMANDID, xrefs: 00CA3C62
HIDEDROPDOWN, xrefs: 00CA3988
GETLINE, xrefs: 00CA3C23
TABLEFT, xrefs: 00CA390F

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: c6526d54cc24b3fd4ccb0af6c7b8c47eff59bf17073ad48a067b7e5a538f9fe5
Instruction ID: 642398fdd2f749c1aaa1206360b66058dee15b7b21ec68e2f3b258459a9a45ed
Opcode Fuzzy Hash: c6526d54cc24b3fd4ccb0af6c7b8c47eff59bf17073ad48a067b7e5a538f9fe5
Instruction Fuzzy Hash: 5DD1A230204356DBCB14EF60C865A6EB7A1EF95358F10845DF9965B3E2CB31EE0AEB41

Uniqueness

Uniqueness Score: -1.00%

Function 00CAA849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00CAA89F
GetSysColorBrush.USER32(0000000F), ref: 00CAA8D0
GetSysColor.USER32(0000000F), ref: 00CAA8DC
SetBkColor.GDI32(?,000000FF), ref: 00CAA8F6
SelectObject.GDI32(?,?), ref: 00CAA905
InflateRect.USER32(?,000000FF,000000FF), ref: 00CAA930
GetSysColor.USER32(00000010), ref: 00CAA938
CreateSolidBrush.GDI32(00000000), ref: 00CAA93F
FrameRect.USER32(?,?,00000000), ref: 00CAA94E
DeleteObject.GDI32(00000000), ref: 00CAA955
InflateRect.USER32(?,000000FE,000000FE), ref: 00CAA9A0
FillRect.USER32(?,?,?), ref: 00CAA9D2
GetWindowLongW.USER32(?,000000F0), ref: 00CAA9FD

Part of subcall function 00CAAB60: GetSysColor.USER32(00000012), ref: 00CAAB99
Part of subcall function 00CAAB60: SetTextColor.GDI32(?,?), ref: 00CAAB9D
Part of subcall function 00CAAB60: GetSysColorBrush.USER32(0000000F), ref: 00CAABB3
Part of subcall function 00CAAB60: GetSysColor.USER32(0000000F), ref: 00CAABBE
Part of subcall function 00CAAB60: GetSysColor.USER32(00000011), ref: 00CAABDB
Part of subcall function 00CAAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CAABE9
Part of subcall function 00CAAB60: SelectObject.GDI32(?,00000000), ref: 00CAABFA
Part of subcall function 00CAAB60: SetBkColor.GDI32(?,00000000), ref: 00CAAC03
Part of subcall function 00CAAB60: SelectObject.GDI32(?,?), ref: 00CAAC10
Part of subcall function 00CAAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00CAAC2F
Part of subcall function 00CAAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CAAC46
Part of subcall function 00CAAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00CAAC5B

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 77a8db2bb64415d5d3c4983a2f8be1751dedcdf52f354f2461d1e2a98a6977ac
Instruction ID: 90e4ed46f89fdf7d5f43ebc6dcd275786cf0f07a82d2cd81bbbcf328b4787a04
Opcode Fuzzy Hash: 77a8db2bb64415d5d3c4983a2f8be1751dedcdf52f354f2461d1e2a98a6977ac
Instruction Fuzzy Hash: D6A18071408302AFD7109FA4DC08B6F7BA9FB8A329F104A2DF9A2971E0D775D945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C22C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00C22CA2
DeleteObject.GDI32(00000000), ref: 00C22CE8
DeleteObject.GDI32(00000000), ref: 00C22CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00C22CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00C22D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00C5C68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C5C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C5CAED

Part of subcall function 00C21B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C22036,?,00000000,?,?,?,?,00C216CB,00000000,?), ref: 00C21B9A

SendMessageW.USER32(?,00001053), ref: 00C5CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C5CB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00C5CB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00C5CB62

Strings

0, xrefs: 00C5C981

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: b6ea0bfd3ced77a8d92df12127fb5734015ea095d9cac4936c0dfe2fc4fd030a
Instruction ID: 3b44fbac6ddc99f80c7e7f24134524a32332079f2ea96fa15fcc64719ca87e46
Opcode Fuzzy Hash: b6ea0bfd3ced77a8d92df12127fb5734015ea095d9cac4936c0dfe2fc4fd030a
Instruction Fuzzy Hash: 4B12BD38604311EFDB20CF24D888BA9BBE1BF09311F544569F8A5DB662C731E986DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00C977BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00C977F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C978B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00C978EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00C97900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00C97946
GetClientRect.USER32(00000000,?), ref: 00C97952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00C97996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C979A5
GetStockObject.GDI32(00000011), ref: 00C979B5
SelectObject.GDI32(00000000,00000000), ref: 00C979B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00C979C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C979D2
DeleteDC.GDI32(00000000), ref: 00C979DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C97A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00C97A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00C97A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C97A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00C97A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00C97AAE
GetStockObject.GDI32(00000011), ref: 00C97AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C97AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00C97ACE

Strings

static, xrefs: 00C97990, 00C97AA8
msctls_progress32, xrefs: 00C97A4F
DISPLAY, xrefs: 00C9799B
AutoIt v3, xrefs: 00C9793E

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 9dda31f836eda8a416fec066e9ede679e7d2aad84e6f3291144de7ae61d5e0f8
Instruction ID: d36cefd6a494f11bbb229688b774aca28dc0013ccd15b12c5ff43f02f0ec01f2
Opcode Fuzzy Hash: 9dda31f836eda8a416fec066e9ede679e7d2aad84e6f3291144de7ae61d5e0f8
Instruction Fuzzy Hash: E6A18271A50215BFEB14DBA4DC8AFAF7BB9EB45714F004218FA15AB2E0C774AD01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00C8AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C8AF89
GetDriveTypeW.KERNEL32(?,00CAFAC0,?,\\.\,00CAF910), ref: 00C8B066
SetErrorMode.KERNEL32(00000000,00CAFAC0,?,\\.\,00CAF910), ref: 00C8B1C4

Strings

CDROM, xrefs: 00C8B09A
MMC, xrefs: 00C8B185
RAID, xrefs: 00C8B162
SSD, xrefs: 00C8B0F1
Network, xrefs: 00C8B0A4
Virtual, xrefs: 00C8B18C
\\.\, xrefs: 00C8AFDB
ATAPI, xrefs: 00C8B138
ATA, xrefs: 00C8B13F
SSA, xrefs: 00C8B14D
RAMDisk, xrefs: 00C8B090
SAS, xrefs: 00C8B170
Fixed, xrefs: 00C8B0AE
SCSI, xrefs: 00C8B131
iSCSI, xrefs: 00C8B169
PhysicalDrive, xrefs: 00C8B012
1394, xrefs: 00C8B146
Unknown, xrefs: 00C8B086, 00C8B12A
Removable, xrefs: 00C8B0B8
USB, xrefs: 00C8B15B
SATA, xrefs: 00C8B177
FileBackedVirtual, xrefs: 00C8B193
Fibre, xrefs: 00C8B154

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 3c9e2d8d1e85bcf0d261943a5d411587da1fb964b70e87d7e674d01d54c4b85c
Instruction ID: 18aeaddb7996ad16b1f2bfaf7715b4f36fa79719c47b69148f7fd03c7ead13bc
Opcode Fuzzy Hash: 3c9e2d8d1e85bcf0d261943a5d411587da1fb964b70e87d7e674d01d54c4b85c
Instruction Fuzzy Hash: 4551D430784305EBCB04FB51C9A69BD73B0EF14349B614027F51AAB391CB75AE42EB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00C26A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C26A91
__wcsnicmp.LIBCMT ref: 00C26AA9
__wcsnicmp.LIBCMT ref: 00C26AC1
__wcsnicmp.LIBCMT ref: 00C26AD9
__wcsnicmp.LIBCMT ref: 00C26AF1
__wcsnicmp.LIBCMT ref: 00C26B09
__wcsnicmp.LIBCMT ref: 00C26B21
__wcsnicmp.LIBCMT ref: 00C26B35
__wcsnicmp.LIBCMT ref: 00C26B76
__wcsnicmp.LIBCMT ref: 00C26B8A
__wcsnicmp.LIBCMT ref: 00C26B9E
__wcsnicmp.LIBCMT ref: 00C26BB2

Strings

Bad directive syntax error, xrefs: 00C5E743
#notrayicon, xrefs: 00C26AA3
#include-once, xrefs: 00C26AEB
Cannot parse #include, xrefs: 00C5E819
#OnAutoItStartRegister, xrefs: 00C26AD3
#cs, xrefs: 00C26B2F, 00C26B84
#include, xrefs: 00C26B03
#comments-end, xrefs: 00C26B98
#pragma compile, xrefs: 00C26A8B
Unterminated group of comments, xrefs: 00C5E82C
#requireadmin, xrefs: 00C26ABB
#ce, xrefs: 00C26BAC
#comments-start, xrefs: 00C26B1B, 00C26B70

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 92c7a16e2c7c2b9b6da57847b6ab1d97e177e66979803d7c519e852c582fa99f
Instruction ID: a75f9fd5d4d35b1e68d15594be0ef9c36ea0d04ef1577ce959b3f440ff0772d7
Opcode Fuzzy Hash: 92c7a16e2c7c2b9b6da57847b6ab1d97e177e66979803d7c519e852c582fa99f
Instruction Fuzzy Hash: 39813774640265BBCB24AF61EC82FAF7768BF15300F044025FD45AA5C2EB70DB99F2A5

Uniqueness

Uniqueness Score: -1.00%

Function 00CAAB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00CAAB99
SetTextColor.GDI32(?,?), ref: 00CAAB9D
GetSysColorBrush.USER32(0000000F), ref: 00CAABB3
GetSysColor.USER32(0000000F), ref: 00CAABBE
CreateSolidBrush.GDI32(?), ref: 00CAABC3
GetSysColor.USER32(00000011), ref: 00CAABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CAABE9
SelectObject.GDI32(?,00000000), ref: 00CAABFA
SetBkColor.GDI32(?,00000000), ref: 00CAAC03
SelectObject.GDI32(?,?), ref: 00CAAC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00CAAC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CAAC46
GetWindowLongW.USER32(00000000,000000F0), ref: 00CAAC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CAACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00CAACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00CAACEC
DrawFocusRect.USER32(?,?), ref: 00CAACF7
GetSysColor.USER32(00000011), ref: 00CAAD05
SetTextColor.GDI32(?,00000000), ref: 00CAAD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00CAAD21
SelectObject.GDI32(?,00CAA869), ref: 00CAAD38
DeleteObject.GDI32(?), ref: 00CAAD43
SelectObject.GDI32(?,?), ref: 00CAAD49
DeleteObject.GDI32(?), ref: 00CAAD4E
SetTextColor.GDI32(?,?), ref: 00CAAD54
SetBkColor.GDI32(?,?), ref: 00CAAD5E

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: a5000c0f5595674b67bf4e7e603091fa91a258a78e3de021503410527d296124
Instruction ID: a29ae17b0ffbe5ca0340f1383bd45fb4621f4ec5b97e241e202e43f980c7fbdf
Opcode Fuzzy Hash: a5000c0f5595674b67bf4e7e603091fa91a258a78e3de021503410527d296124
Instruction Fuzzy Hash: AE616D71900219EFDB119FE4DC48FAE7B79FB0A324F104229FA11AB2A1D7719E41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CA8C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00CA8D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CA8D45
CharNextW.USER32(0000014E), ref: 00CA8D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00CA8DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00CA8DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CA8DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00CA8DF9
SetWindowTextW.USER32(?,0000014E), ref: 00CA8E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00CA8E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CA8E8C
_memset.LIBCMT ref: 00CA8EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00CA8EFA
_memset.LIBCMT ref: 00CA8F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00CA8F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00CA8FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00CA9088
InvalidateRect.USER32(?,00000000,00000001), ref: 00CA90AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CA90F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CA9121
DrawMenuBar.USER32(?), ref: 00CA9130
SetWindowTextW.USER32(?,0000014E), ref: 00CA9158

Strings

0, xrefs: 00CA90C2

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: add39583e7cbd7c79cabaaab3a678e7c99aa308ab2e19e4e38d577fb58517485
Instruction ID: e8ab22043ff13507fb0e01ef843221f536f900f8c5963ed9780074d1918e7626
Opcode Fuzzy Hash: add39583e7cbd7c79cabaaab3a678e7c99aa308ab2e19e4e38d577fb58517485
Instruction Fuzzy Hash: F8E1927090021AABDF209F91CC89FEE7B79FF06718F148159F9259B291DB708A85DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00CA4B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CA4C51
GetDesktopWindow.USER32 ref: 00CA4C66
GetWindowRect.USER32(00000000), ref: 00CA4C6D
GetWindowLongW.USER32(?,000000F0), ref: 00CA4CCF
DestroyWindow.USER32(?), ref: 00CA4CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00CA4D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CA4D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00CA4D68
SendMessageW.USER32(?,00000421,?,?), ref: 00CA4D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00CA4D90
IsWindowVisible.USER32(?), ref: 00CA4DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00CA4DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00CA4DDF
GetWindowRect.USER32(?,?), ref: 00CA4DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00CA4E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00CA4E37
CopyRect.USER32(?,?), ref: 00CA4E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00CA4EB9

Strings

tooltips_class32, xrefs: 00CA4D1D
(, xrefs: 00CA4E2A
0, xrefs: 00CA4BFC

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: c4cc8df9b7cee9c9ff75aeb1a1730b84fffa5ead670ea1553c4838b635c5bc49
Instruction ID: 12bf22542dd720448764b8d9a672e6bdff051d2c562ab84cf8728ebbc6032109
Opcode Fuzzy Hash: c4cc8df9b7cee9c9ff75aeb1a1730b84fffa5ead670ea1553c4838b635c5bc49
Instruction Fuzzy Hash: 9DB19B70604351AFDB08DF64D848B6ABBE4FF8A318F00891CF5999B2A1D7B1ED05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C846D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C846E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C8470E
_wcscpy.LIBCMT ref: 00C8473C
_wcscmp.LIBCMT ref: 00C84747
_wcscat.LIBCMT ref: 00C8475D
_wcsstr.LIBCMT ref: 00C84768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C84784
_wcscat.LIBCMT ref: 00C847CD
_wcscat.LIBCMT ref: 00C847D4
_wcsncpy.LIBCMT ref: 00C847FF

Strings

%u.%u.%u.%u, xrefs: 00C84862
\VarFileInfo\Translation, xrefs: 00C8477C
DefaultLangCodepage, xrefs: 00C847E7
04090000, xrefs: 00C847BA
StringFileInfo\, xrefs: 00C84757

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 873556f6e9cd599647f1bd0849a8aedb5003e2a167158dca369f3416d9034757
Instruction ID: d5df48f037386abe6e41dfab4a18640045fe765d95a437f40d8bb4bbb9e9c9b1
Opcode Fuzzy Hash: 873556f6e9cd599647f1bd0849a8aedb5003e2a167158dca369f3416d9034757
Instruction Fuzzy Hash: D3411871A002117AE714BBB58C43FBF77ACFF46710F14007AF904E6182EB749A02A7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00C227D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C228BC
GetSystemMetrics.USER32(00000007), ref: 00C228C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C228EF
GetSystemMetrics.USER32(00000008), ref: 00C228F7
GetSystemMetrics.USER32(00000004), ref: 00C2291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C22939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C22949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C2297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C22990
GetClientRect.USER32(00000000,000000FF), ref: 00C229AE
GetStockObject.GDI32(00000011), ref: 00C229CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C229D5

Part of subcall function 00C22344: GetCursorPos.USER32(?), ref: 00C22357
Part of subcall function 00C22344: ScreenToClient.USER32(00CE67B0,?), ref: 00C22374
Part of subcall function 00C22344: GetAsyncKeyState.USER32(00000001), ref: 00C22399
Part of subcall function 00C22344: GetAsyncKeyState.USER32(00000002), ref: 00C223A7

SetTimer.USER32(00000000,00000000,00000028,00C21256), ref: 00C229FC

Strings

AutoIt v3 GUI, xrefs: 00C22974

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 9cb632a3cd086bdc2b41a1d471220f44b0b7b126a6ff18101a78116cfc1c5f71
Instruction ID: 7814d6a8070a2a05ec6b6e34bbb3bb8d732b764f5318d08b7bf0db6281a352ff
Opcode Fuzzy Hash: 9cb632a3cd086bdc2b41a1d471220f44b0b7b126a6ff18101a78116cfc1c5f71
Instruction Fuzzy Hash: DDB16D75A0021AEFDB14DFA8DC85BAD7BB4FB08315F104229FA15A72E0DB74D941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00CA4069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CA40F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00CA41B6

Strings

FINDITEM, xrefs: 00CA4329
SELECTALL, xrefs: 00CA421D
SELECTINVERT, xrefs: 00CA4286
GETSELECTED, xrefs: 00CA42E4
DESELECT, xrefs: 00CA42A4
GETSUBITEMCOUNT, xrefs: 00CA4141
SELECT, xrefs: 00CA4250
ISSELECTED, xrefs: 00CA41C1
VIEWCHANGE, xrefs: 00CA4375
SELECTCLEAR, xrefs: 00CA4235
GETTEXT, xrefs: 00CA415F
GETSELECTEDCOUNT, xrefs: 00CA4199
GETITEMCOUNT, xrefs: 00CA4128

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 8273022b9be2cf17415c7d54464152e6e3fe83703d192de704219e04bae78356
Instruction ID: 9a3134683173fd93cf0ed4853117871df044c063f90917a1ccd2e60f3414afa5
Opcode Fuzzy Hash: 8273022b9be2cf17415c7d54464152e6e3fe83703d192de704219e04bae78356
Instruction Fuzzy Hash: F3A1A070214312DBCB18EF20C941A6AB3A5FF85318F10896DB9A65B7D2DB70ED09DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00C952F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00C95309
LoadCursorW.USER32(00000000,00007F8A), ref: 00C95314
LoadCursorW.USER32(00000000,00007F00), ref: 00C9531F
LoadCursorW.USER32(00000000,00007F03), ref: 00C9532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00C95335
LoadCursorW.USER32(00000000,00007F01), ref: 00C95340
LoadCursorW.USER32(00000000,00007F81), ref: 00C9534B
LoadCursorW.USER32(00000000,00007F88), ref: 00C95356
LoadCursorW.USER32(00000000,00007F80), ref: 00C95361
LoadCursorW.USER32(00000000,00007F86), ref: 00C9536C
LoadCursorW.USER32(00000000,00007F83), ref: 00C95377
LoadCursorW.USER32(00000000,00007F85), ref: 00C95382
LoadCursorW.USER32(00000000,00007F82), ref: 00C9538D
LoadCursorW.USER32(00000000,00007F84), ref: 00C95398
LoadCursorW.USER32(00000000,00007F04), ref: 00C953A3
LoadCursorW.USER32(00000000,00007F02), ref: 00C953AE
GetCursorInfo.USER32(?), ref: 00C953BE
GetLastError.KERNEL32(00000001,00000000), ref: 00C953E9

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: f146fb67a738fce0e4287b97ffcd7b34d3d01cf43e8e8d66805b07267d83bb77
Instruction ID: 7f0733858690982a9d762d1737ffd3ae9cfecb26836bc88d58edd3d3b039d141
Opcode Fuzzy Hash: f146fb67a738fce0e4287b97ffcd7b34d3d01cf43e8e8d66805b07267d83bb77
Instruction Fuzzy Hash: BE415170E04319AADF109FBA8C4996EFFF8EF51B50B10452FA519E7290DAB8A5018F61

Uniqueness

Uniqueness Score: -1.00%

Function 00C7AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C7AAA5
__swprintf.LIBCMT ref: 00C7AB46
_wcscmp.LIBCMT ref: 00C7AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C7ABAE
_wcscmp.LIBCMT ref: 00C7ABEA
GetClassNameW.USER32(?,?,00000400), ref: 00C7AC21
GetDlgCtrlID.USER32(?), ref: 00C7AC73
GetWindowRect.USER32(?,?), ref: 00C7ACA9
GetParent.USER32(?), ref: 00C7ACC7
ScreenToClient.USER32(00000000), ref: 00C7ACCE
GetClassNameW.USER32(?,?,00000100), ref: 00C7AD48
_wcscmp.LIBCMT ref: 00C7AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 00C7AD82
_wcscmp.LIBCMT ref: 00C7AD96

Part of subcall function 00C4386C: _iswctype.LIBCMT ref: 00C43874

Strings

%s%u, xrefs: 00C7AB40

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 72b15d20a23a5434337b9979e68798ed03742df1b7a5fcf3b52c719f888dff62
Instruction ID: a79f1cf61676f3941105dc5cd0a5929c5ee8546b110469b442be6351548b3539
Opcode Fuzzy Hash: 72b15d20a23a5434337b9979e68798ed03742df1b7a5fcf3b52c719f888dff62
Instruction Fuzzy Hash: 4AA1D071204306AFD729DF60C884BAEB7E8FF94355F108629F9ADD2190D730EA45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C7B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00C7B3DB
_wcscmp.LIBCMT ref: 00C7B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00C7B414
CharUpperBuffW.USER32(?,00000000), ref: 00C7B431
_wcscmp.LIBCMT ref: 00C7B44F
_wcsstr.LIBCMT ref: 00C7B460
GetClassNameW.USER32(00000018,?,00000400), ref: 00C7B498
_wcscmp.LIBCMT ref: 00C7B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00C7B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 00C7B518
_wcscmp.LIBCMT ref: 00C7B528
GetClassNameW.USER32(00000010,?,00000400), ref: 00C7B550
GetWindowRect.USER32(00000004,?), ref: 00C7B5B9

Strings

ThumbnailClass, xrefs: 00C7B4A3, 00C7B523
@, xrefs: 00C7B3BC

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: c8e9de0fb9f61f6b17accc8563c608a0ef9805993325e95335bebf0b6b1d6d57
Instruction ID: f3a789a621ca29c141e048d39b86679bfaaf2c7d30d0d41f23b1cc46aa9ab7fb
Opcode Fuzzy Hash: c8e9de0fb9f61f6b17accc8563c608a0ef9805993325e95335bebf0b6b1d6d57
Instruction Fuzzy Hash: 1B819D710083099BDB04DF11C985FAA7BE8FF44318F08C569FD999A0A2DB34DE4ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C7B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C7B23F

Strings

[HANDLE:, xrefs: 00C7B24B
LAST, xrefs: 00C7B204
[LAST, xrefs: 00C7B2EC
REGEXP=, xrefs: 00C7B254
ACTIVE, xrefs: 00C7B21A
[REGEXPTITLE:, xrefs: 00C7B267
[ACTIVE, xrefs: 00C7B22C
ALL, xrefs: 00C7B2D3
[CLASS:, xrefs: 00C7B28F
[ALL, xrefs: 00C7B2E5
HANDLE=, xrefs: 00C7B238
CLASSNAME=, xrefs: 00C7B27C

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: be09f42fc50a4d6413c41bf240d65f3e369d28bb10274d2af30bafb9d5f4794d
Instruction ID: 76637130e32ea32259b5580b19416aac9d20b9e29a73677c9a3c6f26a8dee608
Opcode Fuzzy Hash: be09f42fc50a4d6413c41bf240d65f3e369d28bb10274d2af30bafb9d5f4794d
Instruction Fuzzy Hash: 0031F035A44215A6DB10FA60DD83FEE77B8EF20750F20412AF519B15E2EF31AF04E651

Uniqueness

Uniqueness Score: -1.00%

Function 00C7C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00C7C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C7C4E6
SetWindowTextW.USER32(?,?), ref: 00C7C4FD
GetDlgItem.USER32(?,000003EA), ref: 00C7C512
SetWindowTextW.USER32(00000000,?), ref: 00C7C518
GetDlgItem.USER32(?,000003E9), ref: 00C7C528
SetWindowTextW.USER32(00000000,?), ref: 00C7C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C7C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C7C569
GetWindowRect.USER32(?,?), ref: 00C7C572
SetWindowTextW.USER32(?,?), ref: 00C7C5DD
GetDesktopWindow.USER32 ref: 00C7C5E3
GetWindowRect.USER32(00000000), ref: 00C7C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00C7C636
GetClientRect.USER32(?,?), ref: 00C7C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00C7C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C7C693

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: e6d38bd427d29bdf746539e9e8a346708ae9066a613bcc79078f59176c1f15b7
Instruction ID: 8e18121a1d57f8c0bac41c1af042eec7fac08cb2a99ef2f76f397e2627aa25a0
Opcode Fuzzy Hash: e6d38bd427d29bdf746539e9e8a346708ae9066a613bcc79078f59176c1f15b7
Instruction Fuzzy Hash: 7E515C7090070AAFDB209FA8DD85B6EBBF5FF04705F00492CF696A35A0C775A945DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CAA428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CAA4C8
DestroyWindow.USER32(?,?), ref: 00CAA542

Part of subcall function 00C27D2C: _memmove.LIBCMT ref: 00C27D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CAA5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CAA5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CAA5F1
DestroyWindow.USER32(00000000), ref: 00CAA613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C20000,00000000), ref: 00CAA64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CAA663
GetDesktopWindow.USER32 ref: 00CAA67C
GetWindowRect.USER32(00000000), ref: 00CAA683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CAA69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CAA6B3

Part of subcall function 00C225DB: GetWindowLongW.USER32(?,000000EB), ref: 00C225EC

Strings

tooltips_class32, xrefs: 00CAA5B5, 00CAA643
0, xrefs: 00CAA4DE

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: ed5b805c32a6ab2e20489e8e74ab1236df550a4e352dd30bfb2207eba978a9b6
Instruction ID: 3aed5c9814b41adc76cf7fff19ca52ef2a3e9316f79f3dc6ced7bfacae14d959
Opcode Fuzzy Hash: ed5b805c32a6ab2e20489e8e74ab1236df550a4e352dd30bfb2207eba978a9b6
Instruction Fuzzy Hash: E371AE71140246AFD720CF28CC49F6A7BE5FB9A308F08452DF995872A1D770EA02DF56

Uniqueness

Uniqueness Score: -1.00%

Function 00CAC8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

DragQueryPoint.SHELL32(?,?), ref: 00CAC917

Part of subcall function 00CAADF1: ClientToScreen.USER32(?,?), ref: 00CAAE1A
Part of subcall function 00CAADF1: GetWindowRect.USER32(?,?), ref: 00CAAE90
Part of subcall function 00CAADF1: PtInRect.USER32(?,?,00CAC304), ref: 00CAAEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00CAC980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CAC98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CAC9AE
_wcscat.LIBCMT ref: 00CAC9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CAC9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00CACA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00CACA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00CACA47
DragFinish.SHELL32(?), ref: 00CACA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00CACB41

Strings

@GUI_DROPID, xrefs: 00CACA6E
@GUI_DRAGID, xrefs: 00CACAB9
@GUI_DRAGFILE, xrefs: 00CACAF0

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: c0cc5f5dd036fa692e9247c76d11a8e59775b3d62b621cae253ba75caac4694b
Instruction ID: 6d5bd4f0887a6aa598e03f9b962c3ad7bcf029cf8f865276402919b6637874d8
Opcode Fuzzy Hash: c0cc5f5dd036fa692e9247c76d11a8e59775b3d62b621cae253ba75caac4694b
Instruction Fuzzy Hash: F6616B71108311AFC711DFA4DC85E9FBBE8EF89714F040A2EF591971A1DB709A09DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00CA4619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CA46AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CA46F6

Strings

GETTOTALCOUNT, xrefs: 00CA46DD
ISCHECKED, xrefs: 00CA4879
COLLAPSE, xrefs: 00CA473C
SELECT, xrefs: 00CA48A7
UNCHECK, xrefs: 00CA48D2
CHECK, xrefs: 00CA4716
EXISTS, xrefs: 00CA475F
EXPAND, xrefs: 00CA47A8
GETSELECTED, xrefs: 00CA4806
GETTEXT, xrefs: 00CA4849
GETITEMCOUNT, xrefs: 00CA47D8

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 1e75724649b9b38042e1484a56435a67517dbb27cd48c10b78cf69c82713d6f0
Instruction ID: 8e7f80727d5b440348ff89b0227ef68b43af8acc16b8fa3259a36abd59e92d08
Opcode Fuzzy Hash: 1e75724649b9b38042e1484a56435a67517dbb27cd48c10b78cf69c82713d6f0
Instruction Fuzzy Hash: 76919F74604712CBCB18EF20D451A6EB7A1FF85314F10885DF89A5B7A2CB71ED4AEB41

Uniqueness

Uniqueness Score: -1.00%

Function 00CABAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CABB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00CA9431), ref: 00CABBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CABC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00CABC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CABC7D
FreeLibrary.KERNEL32(?), ref: 00CABC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CABC99
DestroyIcon.USER32(?,?,?,?,?,00CA9431), ref: 00CABCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CABCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CABCD1

Part of subcall function 00C4313D: __wcsicmp_l.LIBCMT ref: 00C431C6

Strings

.exe, xrefs: 00CABB04
.dll, xrefs: 00CABB27
.icl, xrefs: 00CABAE4

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 143bdabdcc54421fa0c3739a47ee910d46869365d1c8ec0806f9e823582ca560
Instruction ID: 3b622114cfcdb009dcb8959a84f85ac273a4d63366518e518c44f1cb9f8ee283
Opcode Fuzzy Hash: 143bdabdcc54421fa0c3739a47ee910d46869365d1c8ec0806f9e823582ca560
Instruction Fuzzy Hash: 3E61F27150021ABBEB14DF60DC45FBE77A8FB09729F104119F925D61C1DB709E90DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C9762D Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C976A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00C976AE
CreateCompatibleDC.GDI32(?), ref: 00C976BA
SelectObject.GDI32(00000000,?), ref: 00C976C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,es-mx), ref: 00C9771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00C97757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00C9777B
SelectObject.GDI32(00000006,?), ref: 00C97783
DeleteObject.GDI32(?), ref: 00C9778C
DeleteDC.GDI32(00000006), ref: 00C97793
ReleaseDC.USER32(00000000,?), ref: 00C9779E

Strings

es-mx, xrefs: 00C97706
(, xrefs: 00C97723

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: ($es-mx
API String ID: 2598888154-1799561661
Opcode ID: dabc22a12aca8345226f488169c9372ae8ebbcba3261b66aa25091647b72b031
Instruction ID: 77648c510aec772bc4bd14e3626d936e03006eb81098052320a473e3ee65fed5
Opcode Fuzzy Hash: dabc22a12aca8345226f488169c9372ae8ebbcba3261b66aa25091647b72b031
Instruction Fuzzy Hash: EC515A75904209EFCB15CFA8CC89FAEBBB9EF49310F14852DF95A97210D731A941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C8A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

CharLowerBuffW.USER32(?,?), ref: 00C8A636
GetDriveTypeW.KERNEL32 ref: 00C8A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C8A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C8A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C8A730

Part of subcall function 00C27D2C: _memmove.LIBCMT ref: 00C27D66

Strings

close cd wait, xrefs: 00C8A71B
wait, xrefs: 00C8A6ED
type cdaudio alias cd wait, xrefs: 00C8A6AE
open, xrefs: 00C8A65D
close, xrefs: 00C8A63C
closed, xrefs: 00C8A64A, 00C8A653
set cd door , xrefs: 00C8A6D1
open , xrefs: 00C8A692

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: be29ec029673a8ac339bcbaeb4b7e4c9c6c5244082c6462871d2fec1c809ff38
Instruction ID: 46601265b82ebc609de45bd8f157c1c6d6377de603ef734edf72c73677a6dc92
Opcode Fuzzy Hash: be29ec029673a8ac339bcbaeb4b7e4c9c6c5244082c6462871d2fec1c809ff38
Instruction Fuzzy Hash: 54517A711083149FD700EF20D88196AB7F8FF88718F14496DF89A976A1DB31EE0ADB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C8A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C8A47A
__swprintf.LIBCMT ref: 00C8A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C8A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C8A4FE
_memset.LIBCMT ref: 00C8A51D
_wcsncpy.LIBCMT ref: 00C8A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C8A58E
CloseHandle.KERNEL32(00000000), ref: 00C8A599
RemoveDirectoryW.KERNEL32(?), ref: 00C8A5A2
CloseHandle.KERNEL32(00000000), ref: 00C8A5AC

Strings

\, xrefs: 00C8A4B2
\??\%s, xrefs: 00C8A496
:, xrefs: 00C8A4BD

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 5f5a88213fd775599e0e7d8dbebc6877198d73218fa9c3f35dc726c331f5ce9b
Instruction ID: 763ced8dbac2768430041267a6033c26e31eb1f744cf3f249714e18988acad6b
Opcode Fuzzy Hash: 5f5a88213fd775599e0e7d8dbebc6877198d73218fa9c3f35dc726c331f5ce9b
Instruction Fuzzy Hash: 703190B5500109ABEB219FA0DC49FEF73BCEF89705F1041BAFA18D2160E77497858B29

Uniqueness

Uniqueness Score: -1.00%

Function 00C8DB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00C8DC7B
_wcscat.LIBCMT ref: 00C8DC93
_wcscat.LIBCMT ref: 00C8DCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C8DCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 00C8DCCE
GetFileAttributesW.KERNEL32(?), ref: 00C8DCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 00C8DD00
SetCurrentDirectoryW.KERNEL32(?), ref: 00C8DD12

Strings

*.*, xrefs: 00C8DD51

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: b6682ab0f69e8e21b516a98f69955a61c71bd37399b3d90c11895d0122fc6019
Instruction ID: 1013d2a20871813e881c459031b8c53e5f5d1de445a5c0b5331669899c3fd164
Opcode Fuzzy Hash: b6682ab0f69e8e21b516a98f69955a61c71bd37399b3d90c11895d0122fc6019
Instruction Fuzzy Hash: 0B8192715043419FCB24FF64C8459BAB7E8BB88318F15882EF89AC7291E730EE45DB56

Uniqueness

Uniqueness Score: -1.00%

Function 00CAC49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CAC4EC
GetFocus.USER32 ref: 00CAC4FC
GetDlgCtrlID.USER32(00000000), ref: 00CAC507
_memset.LIBCMT ref: 00CAC632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00CAC65D
GetMenuItemCount.USER32(?), ref: 00CAC67D
GetMenuItemID.USER32(?,00000000), ref: 00CAC690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00CAC6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00CAC70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CAC744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00CAC779

Strings

0, xrefs: 00CAC62A

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: c063e0c0b966248c3147f2c3c3d99059ae1b1b67c60e525211a048fe66727c67
Instruction ID: 319f83a387361fd5e6da14d11ee38aa6e6e6bbf606abce0875d63025362c6c83
Opcode Fuzzy Hash: c063e0c0b966248c3147f2c3c3d99059ae1b1b67c60e525211a048fe66727c67
Instruction Fuzzy Hash: 56817E70508346AFDB20CF24C9C4A6BBBE5FB8A358F00452DF9A5D7291D770DA05DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C783F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C78766
Part of subcall function 00C7874A: GetLastError.KERNEL32(?,00C7822A,?,?,?), ref: 00C78770
Part of subcall function 00C7874A: GetProcessHeap.KERNEL32(00000008,?,?,00C7822A,?,?,?), ref: 00C7877F
Part of subcall function 00C7874A: HeapAlloc.KERNEL32(00000000,?,00C7822A,?,?,?), ref: 00C78786
Part of subcall function 00C7874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C7879D

Part of subcall function 00C787E7: GetProcessHeap.KERNEL32(00000008,00C78240,00000000,00000000,?,00C78240,?), ref: 00C787F3
Part of subcall function 00C787E7: HeapAlloc.KERNEL32(00000000,?,00C78240,?), ref: 00C787FA
Part of subcall function 00C787E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C78240,?), ref: 00C7880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C78458
_memset.LIBCMT ref: 00C7846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C7848C
GetLengthSid.ADVAPI32(?), ref: 00C7849D
GetAce.ADVAPI32(?,00000000,?), ref: 00C784DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C784F6
GetLengthSid.ADVAPI32(?), ref: 00C78513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C78522
HeapAlloc.KERNEL32(00000000), ref: 00C78529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C7854A
CopySid.ADVAPI32(00000000), ref: 00C78551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C78582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C785A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C785BC

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 088968e6078fc272b8e150ba6eb49787803fc42fe76ab61c29564b7d0814abef
Instruction ID: 85a59af4679e26398c7fbb17fa14172d0e5167e0268f72f264b4982869d81dfc
Opcode Fuzzy Hash: 088968e6078fc272b8e150ba6eb49787803fc42fe76ab61c29564b7d0814abef
Instruction Fuzzy Hash: E7613F7194010AAFDF14DF94DC49AEEBB79FF05304F148169F929A7291DB319A05CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00C8A0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00CAFB78), ref: 00C8A0FC

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00C8A11E
__swprintf.LIBCMT ref: 00C8A177
__swprintf.LIBCMT ref: 00C8A190
_wprintf.LIBCMT ref: 00C8A246
_wprintf.LIBCMT ref: 00C8A264

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00C8A241
"%s" (%d) : ==> %s:, xrefs: 00C8A25F
Line %d (File "%s"):, xrefs: 00C8A171, 00C8A18A
Error: , xrefs: 00C8A20E
^ ERROR, xrefs: 00C8A1E8

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: b4bbd759d051a11c19e44439684884d952edbc023e920893e58dab8098c9589a
Instruction ID: 43792aab600105294d0e1e8e72f91c86e311f933007de3cae5f98ade6b192e4c
Opcode Fuzzy Hash: b4bbd759d051a11c19e44439684884d952edbc023e920893e58dab8098c9589a
Instruction Fuzzy Hash: 93518C71900219ABDF15FBE0DD86EEEB778AF14304F100266F515721A1EB316F58EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C26BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00C40B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00C26C6C,?,00008000), ref: 00C40BB7

Part of subcall function 00C248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C248A1,?,?,00C237C0,?), ref: 00C248CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C26D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00C26E5A

Part of subcall function 00C259CD: _wcscpy.LIBCMT ref: 00C25A05

Part of subcall function 00C4387D: _iswctype.LIBCMT ref: 00C43885

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 00C5E84A
Bad directive syntax error, xrefs: 00C5EBC6
AU3!, xrefs: 00C26CC1
Unterminated string, xrefs: 00C5EC0D
>>>AUTOIT SCRIPT<<<, xrefs: 00C5E8BF
Error opening the file, xrefs: 00C5E866, 00C5E8E1
EA06, xrefs: 00C5E87B

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 8988407130cbf7ac9a49c288ed6473910bcd67620ddd929aa7e4427fd7a51c8a
Instruction ID: 8d7fbf7522eba836360259ca2608a3ba9f18cd767b348dbd5ceaf5899f466f49
Opcode Fuzzy Hash: 8988407130cbf7ac9a49c288ed6473910bcd67620ddd929aa7e4427fd7a51c8a
Instruction Fuzzy Hash: C402CF341083519FC724EF24D881AAFBBE5FF89314F04491DF896972A1DB30DA89EB56

Uniqueness

Uniqueness Score: -1.00%

Function 00C245DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C245F9
GetMenuItemCount.USER32(00CE6890), ref: 00C5D7CD
GetMenuItemCount.USER32(00CE6890), ref: 00C5D87D
GetCursorPos.USER32(?), ref: 00C5D8C1
SetForegroundWindow.USER32(00000000), ref: 00C5D8CA
TrackPopupMenuEx.USER32(00CE6890,00000000,?,00000000,00000000,00000000), ref: 00C5D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C5D8E9

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: a95020bdada4724bf366863fcaeacc528ca27f8063f6bca60896ac41ae537880
Instruction ID: df5d5e69a705ca26eb8d1867c4aeb91ab440630431189603f390296807990211
Opcode Fuzzy Hash: a95020bdada4724bf366863fcaeacc528ca27f8063f6bca60896ac41ae537880
Instruction Fuzzy Hash: 10714734600315BFEB309F54DC89FAABF64FF05369F100216F926661E0C7B15954DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00CA10A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CA0038,?,?), ref: 00CA10BC

Strings

HKCR, xrefs: 00CA1164
HKEY_LOCAL_MACHINE, xrefs: 00CA1125
HKCC, xrefs: 00CA118A
HKCU, xrefs: 00CA11AC
HKEY_CURRENT_CONFIG, xrefs: 00CA1179
HKLM, xrefs: 00CA113A
HKU, xrefs: 00CA11CE
HKEY_USERS, xrefs: 00CA11BD
HKEY_CURRENT_USER, xrefs: 00CA119B
HKEY_CLASSES_ROOT, xrefs: 00CA114F

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: d4423efb243ff9b9169a5e32aa6a17e60be1ab23b40699ce2d6761dc2bddccd1
Instruction ID: 311247d6cb76570ead8178adc62ea574c909e3d86764ab28a3fcb7bc4ea3f3cf
Opcode Fuzzy Hash: d4423efb243ff9b9169a5e32aa6a17e60be1ab23b40699ce2d6761dc2bddccd1
Instruction Fuzzy Hash: FF41597055025BCBCF10EF90D891AEE3724BF12354F194559FEA15B292DB30EE1ADB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C85569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00C27D2C: _memmove.LIBCMT ref: 00C27D66

Part of subcall function 00C27A84: _memmove.LIBCMT ref: 00C27B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C855D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C855E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C855F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C8560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C8561C

Strings

play PlayMe, xrefs: 00C85617
close PlayMe, xrefs: 00C855E3, 00C85610
play PlayMe wait, xrefs: 00C85606
status PlayMe mode, xrefs: 00C855CD
open , xrefs: 00C85581
alias PlayMe, xrefs: 00C855AB

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: bedecd23e8e0e0a4386ae5ae82c4b13b1ef3ca2ad64ac2b481b85e01280bf6df
Instruction ID: 6f10842281af0de76a94fd630cec7ff6221b4974649a15ce214dea9c03070d9b
Opcode Fuzzy Hash: bedecd23e8e0e0a4386ae5ae82c4b13b1ef3ca2ad64ac2b481b85e01280bf6df
Instruction Fuzzy Hash: F211C420A90169B9D720B761DC8ADFF7B7DEF91B00F40052AB511A21E1EEA08E05C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00C848F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C8490E
gethostname.WSOCK32(?,00000100), ref: 00C84928
gethostbyname.WSOCK32(?), ref: 00C84935
_wcscpy.LIBCMT ref: 00C8495D
_memmove.LIBCMT ref: 00C84970
inet_ntoa.WSOCK32(?), ref: 00C8497B
_strcat.LIBCMT ref: 00C84989
_wcscpy.LIBCMT ref: 00C849A0
WSACleanup.WSOCK32 ref: 00C849AE
_wcscpy.LIBCMT ref: 00C849BC

Strings

0.0.0.0, xrefs: 00C84957

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 52ff1247d6cb17dce20b09538f3cf7bc4a16b2829a858f29ecd1651376e8796d
Instruction ID: 8d5fb8e80feb1004c827cc8df94ce7998262255242ea948c0639a82a51cdf83c
Opcode Fuzzy Hash: 52ff1247d6cb17dce20b09538f3cf7bc4a16b2829a858f29ecd1651376e8796d
Instruction Fuzzy Hash: 6211F331904125ABCB34FBA49C06FDF77ACAF02718F04017AF44892091EF749A829765

Uniqueness

Uniqueness Score: -1.00%

Function 00C85217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C8521C

Part of subcall function 00C40719: timeGetTime.WINMM(?,76C1B400,00C30FF9), ref: 00C4071D

Sleep.KERNEL32(0000000A), ref: 00C85248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00C8526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C8528E
SetActiveWindow.USER32 ref: 00C852AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C852BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 00C852DA
Sleep.KERNEL32(000000FA), ref: 00C852E5
IsWindow.USER32 ref: 00C852F1
EndDialog.USER32(00000000), ref: 00C85302

Strings

BUTTON, xrefs: 00C85280

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 02fb5d3db82f5ed380db0733140ec60d55ada46c93ac533db9f2b28e84fea9b5
Instruction ID: 206779efe9bb55b5df0aa81f89054ffac60d8de5788a0210550fa7e5eff63c4f
Opcode Fuzzy Hash: 02fb5d3db82f5ed380db0733140ec60d55ada46c93ac533db9f2b28e84fea9b5
Instruction Fuzzy Hash: 7721A171205B49AFE7006BB0EDCCB3E3B69EB5638EF041438F101861B1CBB19D029B65

Uniqueness

Uniqueness Score: -1.00%

Function 00C8D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

CoInitialize.OLE32(00000000), ref: 00C8D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C8D8E8
SHGetDesktopFolder.SHELL32(?), ref: 00C8D8FC
CoCreateInstance.OLE32(00CB2D7C,00000000,00000001,00CDA89C,?), ref: 00C8D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C8D9B7
CoTaskMemFree.OLE32(?,?), ref: 00C8DA0F
_memset.LIBCMT ref: 00C8DA4C
SHBrowseForFolderW.SHELL32(?), ref: 00C8DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C8DAAB
CoTaskMemFree.OLE32(00000000), ref: 00C8DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00C8DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 00C8DAEB

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 73c9b547202da98f82222595162a32fe3e054c147ff16d3ff5c16bcd25257938
Instruction ID: 1f1a2ee444223c9fcfd34c6ea6a35daef60e832f9c859e92b42c03e9129db98c
Opcode Fuzzy Hash: 73c9b547202da98f82222595162a32fe3e054c147ff16d3ff5c16bcd25257938
Instruction Fuzzy Hash: 80B11E75A00119AFDB04EFA4D888EAEBBB9FF49314F148469F40AEB251DB30ED41DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00C8052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C805A7
SetKeyboardState.USER32(?), ref: 00C80612
GetAsyncKeyState.USER32(000000A0), ref: 00C80632
GetKeyState.USER32(000000A0), ref: 00C80649
GetAsyncKeyState.USER32(000000A1), ref: 00C80678
GetKeyState.USER32(000000A1), ref: 00C80689
GetAsyncKeyState.USER32(00000011), ref: 00C806B5
GetKeyState.USER32(00000011), ref: 00C806C3
GetAsyncKeyState.USER32(00000012), ref: 00C806EC
GetKeyState.USER32(00000012), ref: 00C806FA
GetAsyncKeyState.USER32(0000005B), ref: 00C80723
GetKeyState.USER32(0000005B), ref: 00C80731

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c9adea10c514d68ede992772668f55e6b71b6abb402658fdb51dfe3e144b649b
Instruction ID: a762edcce317310c2704fdc76aec0f85d85ea254ca468040d1254048118f6a61
Opcode Fuzzy Hash: c9adea10c514d68ede992772668f55e6b71b6abb402658fdb51dfe3e144b649b
Instruction Fuzzy Hash: 44510930A0478429FB74FBA084157EEBFF49F02388F18459D99D2571C2EA64AB4CCB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00C7C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00C7C746
GetWindowRect.USER32(00000000,?), ref: 00C7C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00C7C7B6
GetDlgItem.USER32(?,00000002), ref: 00C7C7C1
GetWindowRect.USER32(00000000,?), ref: 00C7C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00C7C827
GetDlgItem.USER32(?,000003E9), ref: 00C7C835
GetWindowRect.USER32(00000000,?), ref: 00C7C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00C7C889
GetDlgItem.USER32(?,000003EA), ref: 00C7C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C7C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 00C7C8C1

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: d94a46d63f65006ad44538ac00c45039b3097412c59298824a253ac1a6164004
Instruction ID: 07143f84a9df0934f8401985091700ff56e7058ede0f065b8e1abbb5e295f70b
Opcode Fuzzy Hash: d94a46d63f65006ad44538ac00c45039b3097412c59298824a253ac1a6164004
Instruction Fuzzy Hash: 34514371B00205AFDB18CFA9DD89BAEBBB6EB89310F14812DF51AD7290D7709E01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C2201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C21B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C22036,?,00000000,?,?,?,?,00C216CB,00000000,?), ref: 00C21B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00C220D3
KillTimer.USER32(-00000001,?,?,?,?,00C216CB,00000000,?,?,00C21AE2,?,?), ref: 00C2216E
DestroyAcceleratorTable.USER32(00000000), ref: 00C5BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C216CB,00000000,?,?,00C21AE2,?,?), ref: 00C5BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C216CB,00000000,?,?,00C21AE2,?,?), ref: 00C5BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C216CB,00000000,?,?,00C21AE2,?,?), ref: 00C5BF5A
DeleteObject.GDI32(00000000), ref: 00C5BF6C

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 17a6a8868bde6f0c0c44773db8375788f8d5eeaae916055cab8b126897b5f2ab
Instruction ID: 862f46f23db4bcac404cc125f3400bc1e2106daccb06529bca8d4e83d57faea6
Opcode Fuzzy Hash: 17a6a8868bde6f0c0c44773db8375788f8d5eeaae916055cab8b126897b5f2ab
Instruction Fuzzy Hash: E661AC39110660EFCB359F55ED88B29BBF1FB50316F10452DE9928B9A0C771AD91DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00C221A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00C225DB: GetWindowLongW.USER32(?,000000EB), ref: 00C225EC

GetSysColor.USER32(0000000F), ref: 00C221D3

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 0c8810c51e042da6b71d6c7e6a93a989b91866b6077e8b8f737ba4c8dcafc97c
Instruction ID: a918eff065c1106a9a431fa377db2e9605476f27c1de51b32e329dcf00d343f8
Opcode Fuzzy Hash: 0c8810c51e042da6b71d6c7e6a93a989b91866b6077e8b8f737ba4c8dcafc97c
Instruction Fuzzy Hash: 31417C35100650EEDB255F68EC88BBD3B65EB06335F144265EE659B1E2C7328D829B21

Uniqueness

Uniqueness Score: -1.00%

Function 00C8AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00CAF910), ref: 00C8AB76
GetDriveTypeW.KERNEL32(00000061,00CDA620,00000061), ref: 00C8AC40
_wcscpy.LIBCMT ref: 00C8AC6A

Strings

removable, xrefs: 00C8ABA8
ramdisk, xrefs: 00C8ABEA
network, xrefs: 00C8ABD4
cdrom, xrefs: 00C8AB92
fixed, xrefs: 00C8ABBE
all, xrefs: 00C8AB7C
unknown, xrefs: 00C8AC01

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: b410a60f16cd139991bfb9099a8f6e8c637c86f37a1b32d0386bf8c700f50460
Instruction ID: 6a81f5ddf93135f1df29b5497b4721c01c4f67898b1695b45f4ee49cbda88f88
Opcode Fuzzy Hash: b410a60f16cd139991bfb9099a8f6e8c637c86f37a1b32d0386bf8c700f50460
Instruction Fuzzy Hash: 8851AD301483119BD710FF14D892AAEB7A5FF84308F14482EF596976A2EB31DE0ADB53

Uniqueness

Uniqueness Score: -1.00%

Function 00C29997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00C299C2
__swprintf.LIBCMT ref: 00C29A0C
__i64tow.LIBCMT ref: 00C5FA0F

Strings

True, xrefs: 00C5F9D0
False, xrefs: 00C5F9D7
%.15g, xrefs: 00C29A06
0x%p, xrefs: 00C5F9F1

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 40e7c6afe0ba356d35b45579fa10a2316abd8d186274ec73190c10881904138a
Instruction ID: 56fb16f98edf053e0a8488ea7ccd75dcfea56fd54e1e363eaef617e95645a363
Opcode Fuzzy Hash: 40e7c6afe0ba356d35b45579fa10a2316abd8d186274ec73190c10881904138a
Instruction Fuzzy Hash: C5412935504615AFDB28EF74E842F76B3E8FF48310F20446FE549D7281EA719986DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00CA73C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CA73D9
CreateMenu.USER32 ref: 00CA73F4
SetMenu.USER32(?,00000000), ref: 00CA7403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CA7490
IsMenu.USER32(?), ref: 00CA74A6
CreatePopupMenu.USER32 ref: 00CA74B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CA74DD
DrawMenuBar.USER32 ref: 00CA74E5

Strings

F, xrefs: 00CA74D1
0, xrefs: 00CA73CF

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: f0e700ee091f48ba2c036f54095ad2313ba79e0de0fb0140ec5dd01cf8de4f4e
Instruction ID: 2b150fd00227d4617a9db9ef31e21ac992b4f1240feecab7e033eb902f064c82
Opcode Fuzzy Hash: f0e700ee091f48ba2c036f54095ad2313ba79e0de0fb0140ec5dd01cf8de4f4e
Instruction Fuzzy Hash: 7F412575A0020AEFDB20DFA4D984B9ABBB9FF4A354F144129E95597360DB31AA10CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CA772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00CA77CD
CreateCompatibleDC.GDI32(00000000), ref: 00CA77D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00CA77E7
SelectObject.GDI32(00000000,00000000), ref: 00CA77EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 00CA77FA
DeleteDC.GDI32(00000000), ref: 00CA7803
GetWindowLongW.USER32(?,000000EC), ref: 00CA780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00CA7821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00CA782D

Strings

static, xrefs: 00CA7765

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: e44f16a9c7322f54848a886f4e558bd347bb3a0f2132e1cf4c9f28993d3b6465
Instruction ID: b0c1c39379c1a4d309ed610a0574f82f3835d4d03b6052dbf9a80c714c877433
Opcode Fuzzy Hash: e44f16a9c7322f54848a886f4e558bd347bb3a0f2132e1cf4c9f28993d3b6465
Instruction Fuzzy Hash: F9316E32105116ABDF125FA4DC08FDF3B69FF0A329F110328FA65A60A0C735D812DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C47040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C4707B

Part of subcall function 00C48D68: __getptd_noexit.LIBCMT ref: 00C48D68

__gmtime64_s.LIBCMT ref: 00C47114
__gmtime64_s.LIBCMT ref: 00C4714A
__gmtime64_s.LIBCMT ref: 00C47167
__allrem.LIBCMT ref: 00C471BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C471D9
__allrem.LIBCMT ref: 00C471F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C4720E
__allrem.LIBCMT ref: 00C47225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C47243
__invoke_watson.LIBCMT ref: 00C472B4

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: c6d8e9ac4c433df13e8dc76f1cea3d8f8caf1f70723467e290480d528c7d5cf4
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 5F710771A05717EBE7249F79CC41B5AB3A8BF14364F14433AF824E7281E770EA449790

Uniqueness

Uniqueness Score: -1.00%

Function 00C82A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C82A31
GetMenuItemInfoW.USER32(00CE6890,000000FF,00000000,00000030), ref: 00C82A92
SetMenuItemInfoW.USER32(00CE6890,00000004,00000000,00000030), ref: 00C82AC8
Sleep.KERNEL32(000001F4), ref: 00C82ADA
GetMenuItemCount.USER32(?), ref: 00C82B1E
GetMenuItemID.USER32(?,00000000), ref: 00C82B3A
GetMenuItemID.USER32(?,-00000001), ref: 00C82B64
GetMenuItemID.USER32(?,?), ref: 00C82BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C82BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C82C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C82C24

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 1f6a712fe85920e80f6ea876e7a5e79fddcb4f8a18f27fdb595c6285b5588531
Instruction ID: 1c9013ad8ee99348ca037af1e6fe9663bd9a34ab7a7402e547e06477cd14c270
Opcode Fuzzy Hash: 1f6a712fe85920e80f6ea876e7a5e79fddcb4f8a18f27fdb595c6285b5588531
Instruction Fuzzy Hash: EB6191B0901249AFDB21EFA4C88CEBE7BB8FB4134CF140559E85297251D731AE46DB24

Uniqueness

Uniqueness Score: -1.00%

Function 00CA7192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CA7214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CA7217
GetWindowLongW.USER32(?,000000F0), ref: 00CA723B
_memset.LIBCMT ref: 00CA724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CA725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CA72D6

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 2f9ddf2d790d9a869b11155660407cc69ab15762a402b2d281a55bacdc9b36ed
Instruction ID: 207dd48480a88b0f7d1e8652524c487f2ea51bec5c7720072d355f38151c9069
Opcode Fuzzy Hash: 2f9ddf2d790d9a869b11155660407cc69ab15762a402b2d281a55bacdc9b36ed
Instruction Fuzzy Hash: AF617B71900249AFDB20DFA4CC81FEE77F8BB0A704F140259FA14A72A1C770AE45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C7710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C77135
SafeArrayAllocData.OLEAUT32(?), ref: 00C7718E
VariantInit.OLEAUT32(?), ref: 00C771A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 00C771C0
VariantCopy.OLEAUT32(?,?), ref: 00C77213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00C77227
VariantClear.OLEAUT32(?), ref: 00C7723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00C77249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C77252
VariantClear.OLEAUT32(?), ref: 00C77264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C7726F

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 2e67d0976feb7b55c3e635dda2c833a4021e8c136c44204cd1576fc46fe8950c
Instruction ID: 1435b656949350bec6bf5d21959badb9395deb5fd8758c418e290664cfc0ceec
Opcode Fuzzy Hash: 2e67d0976feb7b55c3e635dda2c833a4021e8c136c44204cd1576fc46fe8950c
Instruction Fuzzy Hash: B7415335A04219DFCF00DFA4D844AAEBBB8FF08354F00C169F959A7261CB30A946DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C95A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C95AA6
inet_addr.WSOCK32(?,?,?), ref: 00C95AEB
gethostbyname.WSOCK32(?), ref: 00C95AF7
IcmpCreateFile.IPHLPAPI ref: 00C95B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C95B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C95B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00C95C00
WSACleanup.WSOCK32 ref: 00C95C06

Strings

Ping, xrefs: 00C95B29

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 47d31fdd2d1bf8a0255cb430adc0e8595561838e02d42388d77be5d41899ab76
Instruction ID: d594958b2e29ad6de178b4a355b46684131abbe27a365e8fc568396bb8c57de4
Opcode Fuzzy Hash: 47d31fdd2d1bf8a0255cb430adc0e8595561838e02d42388d77be5d41899ab76
Instruction Fuzzy Hash: 425191316047109FDB12EF25DC49B2EB7E4EF48710F14892AF96ADB2A1DB70E901DB46

Uniqueness

Uniqueness Score: -1.00%

Function 00C8B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C8B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C8B7B1
GetLastError.KERNEL32 ref: 00C8B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 00C8B828

Strings

UNKNOWN, xrefs: 00C8B7E0
NOTREADY, xrefs: 00C8B7E7
READONLY, xrefs: 00C8B7F3
INVALID, xrefs: 00C8B7FA
READY, xrefs: 00C8B801

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 441df639c00545dbfd1d421e7a721838903c4e94c6ca89007a5fe102addf7976
Instruction ID: 9653a0129fb34e581351091efd0c6853161d8b07fd8e5492c9c2996ed6f8d3d7
Opcode Fuzzy Hash: 441df639c00545dbfd1d421e7a721838903c4e94c6ca89007a5fe102addf7976
Instruction Fuzzy Hash: 2931AE35A002099FDB10FF64DC85AAE7BB8EF44708F10802AF916D7291DB71AE42DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00C79471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

Part of subcall function 00C7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C7B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00C794F6
GetDlgCtrlID.USER32 ref: 00C79501
GetParent.USER32 ref: 00C7951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C79520
GetDlgCtrlID.USER32(?), ref: 00C79529
GetParent.USER32(?), ref: 00C79545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00C79548

Strings

ComboBox, xrefs: 00C7947E
ListBox, xrefs: 00C794B3

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: ba3447b0e010ef785bae3c19c3684e18a32cfc3eff6ff5579ef425dd89bf420d
Instruction ID: f74a7f3db6b8978a32310e2b489f31d1f9d003155a3d51e982ff0ae603e493ac
Opcode Fuzzy Hash: ba3447b0e010ef785bae3c19c3684e18a32cfc3eff6ff5579ef425dd89bf420d
Instruction Fuzzy Hash: 0B21C474900108BBCF05ABA4DC85EFEBB75EF45300F104269B561972E1DB755919EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C7955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

Part of subcall function 00C7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C7B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00C795DF
GetDlgCtrlID.USER32 ref: 00C795EA
GetParent.USER32 ref: 00C79606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C79609
GetDlgCtrlID.USER32(?), ref: 00C79612
GetParent.USER32(?), ref: 00C7962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00C79631

Strings

ComboBox, xrefs: 00C79569
ListBox, xrefs: 00C7959E

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 838b15f95e71a47f1a0e7729080ef769a11047322d1166c1ec30bfc940fc2481
Instruction ID: 5786cee3ffca5c518bd67e7e7cec04d54d12c103276cebafe38ab2a9aafa5ec9
Opcode Fuzzy Hash: 838b15f95e71a47f1a0e7729080ef769a11047322d1166c1ec30bfc940fc2481
Instruction Fuzzy Hash: EA21C574900208BBDF01ABA0CCC5FFEBB79EF49300F104169FA21972A1DB759919EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00C79645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00C79651
GetClassNameW.USER32(00000000,?,00000100), ref: 00C79666
_wcscmp.LIBCMT ref: 00C79678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C796F3

Strings

SHELLDLL_DefView, xrefs: 00C79672
list, xrefs: 00C796D5
largeicons, xrefs: 00C79687
smallicons, xrefs: 00C796BB
details, xrefs: 00C796A1

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: b9c40f9e6326ea13f7cd6fdcd43c0ec34320fe6d637f7ceb68c87fe6b8793f49
Instruction ID: 6627a8bde1df28bde83f2052a21387358f9a3241ca77fad3344e77c5091984d4
Opcode Fuzzy Hash: b9c40f9e6326ea13f7cd6fdcd43c0ec34320fe6d637f7ceb68c87fe6b8793f49
Instruction Fuzzy Hash: 1511637A248347BAFA012621EC0BEAA779CEF05374F204337FB14E50E1FE715A115658

Uniqueness

Uniqueness Score: -1.00%

Function 00C98BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C98BEC
CoInitialize.OLE32(00000000), ref: 00C98C19
CoUninitialize.OLE32 ref: 00C98C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00C98D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00C98E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00CB2C0C), ref: 00C98E84
CoGetObject.OLE32(?,00000000,00CB2C0C,?), ref: 00C98EA7
SetErrorMode.KERNEL32(00000000), ref: 00C98EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C98F3A
VariantClear.OLEAUT32(?), ref: 00C98F4A

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: ca7f915ed6fb00a65e19b43e1f3c027de7bd69f2a5dcffcefdcfdeec5630a296
Instruction ID: f7657084a8aeb62ddf8a3224b6205c4541d3343328051d17155dadd5f2721e7d
Opcode Fuzzy Hash: ca7f915ed6fb00a65e19b43e1f3c027de7bd69f2a5dcffcefdcfdeec5630a296
Instruction Fuzzy Hash: 30C12671208305AFDB00DF64C88892BB7E9FF8A748F00496DF59A9B251DB71ED09CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C84189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00C8419D
__swprintf.LIBCMT ref: 00C841AA

Part of subcall function 00C438D8: __woutput_l.LIBCMT ref: 00C43931

FindResourceW.KERNEL32(?,?,0000000E), ref: 00C841D4
LoadResource.KERNEL32(?,00000000), ref: 00C841E0
LockResource.KERNEL32(00000000), ref: 00C841ED
FindResourceW.KERNEL32(?,?,00000003), ref: 00C8420D
LoadResource.KERNEL32(?,00000000), ref: 00C8421F
SizeofResource.KERNEL32(?,00000000), ref: 00C8422E
LockResource.KERNEL32(?), ref: 00C8423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00C8429B

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 2016022e6074760af369872b951ba7100f9e95632824fe9ce454a42096901066
Instruction ID: ae37b3f8f70374894b1044bc55ed710b5dfb32a0e3c18480f0e2ab6fcdcb386b
Opcode Fuzzy Hash: 2016022e6074760af369872b951ba7100f9e95632824fe9ce454a42096901066
Instruction Fuzzy Hash: 5531B27160521BABDB19AFA0DC48FBF7BACFF05309F004629F911D6150D770DA529BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C816DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C81700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C80778,?,00000001), ref: 00C81714
GetWindowThreadProcessId.USER32(00000000), ref: 00C8171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C80778,?,00000001), ref: 00C8172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C8173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C80778,?,00000001), ref: 00C81755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C80778,?,00000001), ref: 00C81767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C80778,?,00000001), ref: 00C817AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C80778,?,00000001), ref: 00C817C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C80778,?,00000001), ref: 00C817CC

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 0fd0f4c7778adb6c17b0b94549c2c432290cc14ac46104ee857e24ef70c95fc4
Instruction ID: dc9bd3b3dbd07af577310cc7ea3ba26789970a555c3ce40df6c10b297aee3ff1
Opcode Fuzzy Hash: 0fd0f4c7778adb6c17b0b94549c2c432290cc14ac46104ee857e24ef70c95fc4
Instruction Fuzzy Hash: 0E31B175600204BBEB21AF94DC88FAD37EDEB16719F16411CFC14CB2A0D7B49E428B54

Uniqueness

Uniqueness Score: -1.00%

Function 00C2FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C2FC06
OleUninitialize.OLE32(?,00000000), ref: 00C2FCA5
UnregisterHotKey.USER32(?), ref: 00C2FDFC
DestroyWindow.USER32(?), ref: 00C64A00
FreeLibrary.KERNEL32(?), ref: 00C64A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C64A92

Strings

close all, xrefs: 00C2FC01

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 35845aaed4eabecb69c1e8c4e52498ebc45bf6aa3a1a51cf2eb956a17803d843
Instruction ID: c417825bcf214f54b35bc75b748c42f80b75a69d676b3249a5ac3b2760d10cc6
Opcode Fuzzy Hash: 35845aaed4eabecb69c1e8c4e52498ebc45bf6aa3a1a51cf2eb956a17803d843
Instruction Fuzzy Hash: 83A16A30701222DFCB29EF54D495B6AF764BF04704F1442ADE90AAB662CB30AE17EF54

Uniqueness

Uniqueness Score: -1.00%

Function 00C7A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00C7AA64), ref: 00C7A9A2

Strings

NAME, xrefs: 00C7A7D4
CLASSNN, xrefs: 00C7A744
REGEXPCLASS, xrefs: 00C7A767
INSTANCE, xrefs: 00C7A8B0
CLASS, xrefs: 00C7A721
TEXT, xrefs: 00C7A8D9

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: e17e7b9b7d16d8797387e9bb2a1f9273caaf0c38ab07124b5b078b74fc58c60b
Instruction ID: 020331249a1f15b1761806126fa52d708e08b58d6139b6db88521e2d2130acf7
Opcode Fuzzy Hash: e17e7b9b7d16d8797387e9bb2a1f9273caaf0c38ab07124b5b078b74fc58c60b
Instruction Fuzzy Hash: C5918270A00606EBDB58DF60C481BEDFB74FF44354F10C119EA9EA7291DB30AA5ADB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C22E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00C22EAE

Part of subcall function 00C21DB3: GetClientRect.USER32(?,?), ref: 00C21DDC
Part of subcall function 00C21DB3: GetWindowRect.USER32(?,?), ref: 00C21E1D
Part of subcall function 00C21DB3: ScreenToClient.USER32(?,?), ref: 00C21E45

GetDC.USER32 ref: 00C5CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C5CF95
SelectObject.GDI32(00000000,00000000), ref: 00C5CFA3
SelectObject.GDI32(00000000,00000000), ref: 00C5CFB8
ReleaseDC.USER32(?,00000000), ref: 00C5CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C5D04B

Strings

U, xrefs: 00C5CF20

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 616eff947fd0c4bdb2a5ffb71e9af5ba77dddded71a8217643b90f2b7e874fb4
Instruction ID: 198806cb9cefea61f0e0b8f31114de8d1847aa9ad65bc6c46fc09075fd3b04ba
Opcode Fuzzy Hash: 616eff947fd0c4bdb2a5ffb71e9af5ba77dddded71a8217643b90f2b7e874fb4
Instruction Fuzzy Hash: 9571D234400305EFCF31CFA4D8C4AAA3BB6FF49356F144269ED665A1A6C7318D86EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CAC27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

Part of subcall function 00C22344: GetCursorPos.USER32(?), ref: 00C22357
Part of subcall function 00C22344: ScreenToClient.USER32(00CE67B0,?), ref: 00C22374
Part of subcall function 00C22344: GetAsyncKeyState.USER32(00000001), ref: 00C22399
Part of subcall function 00C22344: GetAsyncKeyState.USER32(00000002), ref: 00C223A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00CAC2E4
ImageList_EndDrag.COMCTL32 ref: 00CAC2EA
ReleaseCapture.USER32 ref: 00CAC2F0
SetWindowTextW.USER32(?,00000000), ref: 00CAC39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00CAC3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00CAC48F

Strings

@GUI_DROPID, xrefs: 00CAC3E1
@GUI_DRAGFILE, xrefs: 00CAC424

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 9a2f9edc89b8ca0b81f804b6411531ba3ca292c2949962b863e28ca1e8b31211
Instruction ID: cacd61e9d42950968644d7ad0fe7e4af23a3805d7d29de22f462f27ade13319a
Opcode Fuzzy Hash: 9a2f9edc89b8ca0b81f804b6411531ba3ca292c2949962b863e28ca1e8b31211
Instruction Fuzzy Hash: 15518970204305EFDB10EF24D896FAE7BE5EB99314F00452DF5918B2E1CB70A959EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C98F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00CAF910), ref: 00C9903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00CAF910), ref: 00C99071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C991EB
SysFreeString.OLEAUT32(?), ref: 00C99215

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 87eeebe39519477c679530fc3a9f9d355f81eadcdd33d214145bcaf42e5c1264
Instruction ID: e3b5bab23ded2fe50d272ae0739dae4decdd08f44186673c4fb5312fd7a2f7d3
Opcode Fuzzy Hash: 87eeebe39519477c679530fc3a9f9d355f81eadcdd33d214145bcaf42e5c1264
Instruction Fuzzy Hash: 4AF12B71A00119EFDF14DF98C888EAEB7B9FF49315F108059F516AB2A1DB31AE46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C9F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C9F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C9FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C9FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C9FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C9FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C9FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00C9FD90
CloseHandle.KERNEL32(?), ref: 00C9FDBF
CloseHandle.KERNEL32(?), ref: 00C9FE36

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 8eb33c61b57feebebab4a756e0baed6d77ffdb8bae0ad2f4c436f3cda5fddf71
Instruction ID: bc4e955a837f7e5bfda26c5e833fa108918d6f8f95c19c0dbf230f6a9019fabd
Opcode Fuzzy Hash: 8eb33c61b57feebebab4a756e0baed6d77ffdb8bae0ad2f4c436f3cda5fddf71
Instruction Fuzzy Hash: CFE1A031604201DFCB24EF24D495B6ABBE0FF85314F14896DF89A8B2A2DB31DD46DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C84F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C848AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C838D3,?), ref: 00C848C7

Part of subcall function 00C848AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C838D3,?), ref: 00C848E0

Part of subcall function 00C84CD3: GetFileAttributesW.KERNEL32(?,00C83947), ref: 00C84CD4

lstrcmpiW.KERNEL32(?,?), ref: 00C84FE2
_wcscmp.LIBCMT ref: 00C84FFC
MoveFileW.KERNEL32(?,?), ref: 00C85017

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 1b837ece7eed896d72e9eee596fe2c7682670e87720670540c7156edf276f9b1
Instruction ID: f530b322a081668f3f3c9d64ef45b5aeb0abe228ce90df4640515635f5c203c2
Opcode Fuzzy Hash: 1b837ece7eed896d72e9eee596fe2c7682670e87720670540c7156edf276f9b1
Instruction Fuzzy Hash: 405177B20087859BC724EB90D8819DFB3ECAF85345F40092EB695D3151EF74A68C976A

Uniqueness

Uniqueness Score: -1.00%

Function 00CA88B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00CA896E

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: a1a551c6fcb8927567a886f1c1984657f8389bd39ea568fbbf045b0caa525d0d
Instruction ID: e7ecf82a3e6d3b9a6187bc6673abe892daf240b6bd019e1ccd2ccabf8264006e
Opcode Fuzzy Hash: a1a551c6fcb8927567a886f1c1984657f8389bd39ea568fbbf045b0caa525d0d
Instruction Fuzzy Hash: E551B63060020ABFDF309F25CC89B6E7B65BB07358F504116F521E65E1DF75AE88AB41

Uniqueness

Uniqueness Score: -1.00%

Function 00C22B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00C5C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C5C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C5C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00C5C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C5C5C0
DestroyIcon.USER32(00000000), ref: 00C5C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C5C5EC
DestroyIcon.USER32(?), ref: 00C5C5FB

Part of subcall function 00CAA71E: DeleteObject.GDI32(00000000), ref: 00CAA757

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 3fb39abeb8c6c67f1099501e4c111fef6e31c1980e1fa5a76badfa925d48fb18
Instruction ID: fa74707d4f03a310222e1d0fc79d0c27ce78646ebeabdab1be00bbcea24086f1
Opcode Fuzzy Hash: 3fb39abeb8c6c67f1099501e4c111fef6e31c1980e1fa5a76badfa925d48fb18
Instruction Fuzzy Hash: 9A518874600309AFDB20DF65DC85FAA3BB5EB58351F100528F912E76A0DB70EE90EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C79B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C7AE77
Part of subcall function 00C7AE57: GetCurrentThreadId.KERNEL32 ref: 00C7AE7E
Part of subcall function 00C7AE57: AttachThreadInput.USER32(00000000,?,00C79B65,?,00000001), ref: 00C7AE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 00C79B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C79B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00C79B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C79B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C79BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C79BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C79BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C79BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C79BDD

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: f412097c793126717c5928e681b0f454200ffd737de5d470bece93d43fd785f6
Instruction ID: 972cb1865d84d6b6f1cc2e66246527a7ac6016683d80112cdaf415c09082df27
Opcode Fuzzy Hash: f412097c793126717c5928e681b0f454200ffd737de5d470bece93d43fd785f6
Instruction Fuzzy Hash: 3E11E171550218BFF7106FA0DC8AF6E7B2DEB4D759F100429F348AB0A0C9F25C12DAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C78E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00C78A84,00000B00,?,?), ref: 00C78E0C
HeapAlloc.KERNEL32(00000000,?,00C78A84,00000B00,?,?), ref: 00C78E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C78A84,00000B00,?,?), ref: 00C78E28
GetCurrentProcess.KERNEL32(?,00000000,?,00C78A84,00000B00,?,?), ref: 00C78E30
DuplicateHandle.KERNEL32(00000000,?,00C78A84,00000B00,?,?), ref: 00C78E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00C78A84,00000B00,?,?), ref: 00C78E43
GetCurrentProcess.KERNEL32(00C78A84,00000000,?,00C78A84,00000B00,?,?), ref: 00C78E4B
DuplicateHandle.KERNEL32(00000000,?,00C78A84,00000B00,?,?), ref: 00C78E4E
CreateThread.KERNEL32(00000000,00000000,00C78E74,00000000,00000000,00000000), ref: 00C78E68

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: a03e1d4e91bded1d253ac98cd5c645429f58f7871f4df0536c49f37adc36861c
Instruction ID: 267b765eb2e1ccbb2ee07b2d4f7f44b1e40b36d4f736325b5553264fde46e046
Opcode Fuzzy Hash: a03e1d4e91bded1d253ac98cd5c645429f58f7871f4df0536c49f37adc36861c
Instruction Fuzzy Hash: 4D01A8B5240308FFE660ABA5DC4DFAF3BACEB89715F004425FA05DB1A1DA7098018B20

Uniqueness

Uniqueness Score: -1.00%

Function 00C99428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C9947C
VariantInit.OLEAUT32(?), ref: 00C9954D
VariantInit.OLEAUT32(?), ref: 00C9964E
VariantClear.OLEAUT32(?), ref: 00C99658
VariantClear.OLEAUT32(?), ref: 00C996B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00C99631
Null Object assignment in FOR..IN loop, xrefs: 00C994DD, 00C9960B, 00C996C3

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 5d37a66665308ca4d28098187d0d22575de05f76b0b7387c920c7436025c2bc5
Instruction ID: b1819a8cb6b2fa114836075f9bbe40e05f4955a4a82b6d03dcdd8fcdc77645e4
Opcode Fuzzy Hash: 5d37a66665308ca4d28098187d0d22575de05f76b0b7387c920c7436025c2bc5
Instruction Fuzzy Hash: AD91AE71A00219ABDF25DFA9C848FAFBBB8EF45314F10815EF515AB290D7709A45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C99A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00C77652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C7758C,80070057,?,?,?,00C7799D), ref: 00C7766F
Part of subcall function 00C77652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C7758C,80070057,?,?), ref: 00C7768A
Part of subcall function 00C77652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C7758C,80070057,?,?), ref: 00C77698
Part of subcall function 00C77652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C7758C,80070057,?), ref: 00C776A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00C99B1B
_memset.LIBCMT ref: 00C99B28
_memset.LIBCMT ref: 00C99C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00C99C97
CoTaskMemFree.OLE32(?), ref: 00C99CA2

Strings

NULL Pointer assignment, xrefs: 00C99CF0

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: cb5059826950b70852ee4dcdbbec6c1205545781aa4284bdf5c9c71b8db0f9ad
Instruction ID: 6d1dcc2c6dbf31bf16cf54e723e5c67a18f68171c9651ff96bf41209661e03a0
Opcode Fuzzy Hash: cb5059826950b70852ee4dcdbbec6c1205545781aa4284bdf5c9c71b8db0f9ad
Instruction Fuzzy Hash: 54913871D00229EBDF20DFA5DC85ADEBBB8EF08710F20415AF519A7281DB719A45DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA6FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00CA7093
SendMessageW.USER32(?,00001036,00000000,?), ref: 00CA70A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00CA70C1
_wcscat.LIBCMT ref: 00CA711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00CA7133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00CA7161

Strings

SysListView32, xrefs: 00CA7065

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: de98e40da12b8495a89e63cb9131151fd2044f52b2e18b7c29f383e713865af8
Instruction ID: 62d28f4aa333658a7e3c8f6b708b12547e2eb3271e87123ff23fb465d93efbed
Opcode Fuzzy Hash: de98e40da12b8495a89e63cb9131151fd2044f52b2e18b7c29f383e713865af8
Instruction Fuzzy Hash: EC41C270A04309AFDB219FA4CC89BEE77F8EF09358F10052AF954E7291D7719D859B60

Uniqueness

Uniqueness Score: -1.00%

Function 00C9EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00C83E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00C83EB6
Part of subcall function 00C83E91: Process32FirstW.KERNEL32(00000000,?), ref: 00C83EC4
Part of subcall function 00C83E91: CloseHandle.KERNEL32(00000000), ref: 00C83F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C9ECB8
GetLastError.KERNEL32 ref: 00C9ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C9ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00C9ED77
GetLastError.KERNEL32(00000000), ref: 00C9ED82
CloseHandle.KERNEL32(00000000), ref: 00C9EDB7

Strings

SeDebugPrivilege, xrefs: 00C9ECD6

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 9d8872e3d8a2df33647fb6520816adeade15f5d98241921b74406a9eb818f0c1
Instruction ID: 70f28a976fe8b4b9d4a38b591217e292acbde679215d829abb712199d6647f07
Opcode Fuzzy Hash: 9d8872e3d8a2df33647fb6520816adeade15f5d98241921b74406a9eb818f0c1
Instruction Fuzzy Hash: A741EE716002009FDB10EF24CC9AF6EB7A0EF94714F08841CF9469B2D2CB75A905EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C83226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00C832C5

Strings

warning, xrefs: 00C832AE
question, xrefs: 00C8327E
blank, xrefs: 00C83247
stop, xrefs: 00C83296
info, xrefs: 00C83266

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: b935a8f6619e845dda5fedd25a7c2053075fbd2cd8a6874397a6bb9f8c7c0723
Instruction ID: 2fda84cc1d083a74ebbd0d05b2e9945490ed50b2aa74c17b837d523bf4c8feef
Opcode Fuzzy Hash: b935a8f6619e845dda5fedd25a7c2053075fbd2cd8a6874397a6bb9f8c7c0723
Instruction Fuzzy Hash: C61127312083C6BAA7016B55DC42D6EB39CEF19B78F20002AF910EA2C3E6755B4147A9

Uniqueness

Uniqueness Score: -1.00%

Function 00C84534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C8454E
LoadStringW.USER32(00000000), ref: 00C84555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C8456B
LoadStringW.USER32(00000000), ref: 00C84572
_wprintf.LIBCMT ref: 00C84598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C845B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C84593

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 9445b869c2dbdcaf7b065a4b438122d59d6dedd6af7f1f37c67757e53176e9de
Instruction ID: 116603fe12e94fe74c091af40f8ef8dfeb9fe1873143c698cdc63148827514e8
Opcode Fuzzy Hash: 9445b869c2dbdcaf7b065a4b438122d59d6dedd6af7f1f37c67757e53176e9de
Instruction Fuzzy Hash: E2014FF6900208BFE750A7E09D89FEF776CE709305F0005A9BB45D3051EA749E868B74

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

GetSystemMetrics.USER32(0000000F), ref: 00CAD78A
GetSystemMetrics.USER32(0000000F), ref: 00CAD7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00CAD9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00CADA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00CADA24
ShowWindow.USER32(00000003,00000000), ref: 00CADA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00CADA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 00CADA8B

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: d7b4d913f0259dc3bc14836ec7875a3e5d1237cc19d2655d712353745571792b
Instruction ID: 9bc02f554ee7b2ca8fd6f3f3a70ea9a4ab1b3a96cd1608f3bdef334b68940c81
Opcode Fuzzy Hash: d7b4d913f0259dc3bc14836ec7875a3e5d1237cc19d2655d712353745571792b
Instruction Fuzzy Hash: 6DB1CB71500216EBDF14CF68C9C87BE7BB1BF06709F088069EC5A9B695DB34AE50CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C22A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C5C417,00000004,00000000,00000000,00000000), ref: 00C22ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00C5C417,00000004,00000000,00000000,00000000,000000FF), ref: 00C22B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00C5C417,00000004,00000000,00000000,00000000), ref: 00C5C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C5C417,00000004,00000000,00000000,00000000), ref: 00C5C4D6

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 070698407678cd420fcd76be7998ce24657ca4d3619613fbf57075e9a22218c6
Instruction ID: 7f9ab0be50de9f41601664849c9714a8bdb6fbec126fe5a5bdd3b13465dc26aa
Opcode Fuzzy Hash: 070698407678cd420fcd76be7998ce24657ca4d3619613fbf57075e9a22218c6
Instruction Fuzzy Hash: 48412631208790FFC7358B29ECD8B7A7BA2AB56304F18882DE46787D60C6359986F714

Uniqueness

Uniqueness Score: -1.00%

Function 00C87368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00C8737F

Part of subcall function 00C40FF6: std::exception::exception.LIBCMT ref: 00C4102C
Part of subcall function 00C40FF6: __CxxThrowException@8.LIBCMT ref: 00C41041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00C873B6
EnterCriticalSection.KERNEL32(?), ref: 00C873D2
_memmove.LIBCMT ref: 00C87420
_memmove.LIBCMT ref: 00C8743D
LeaveCriticalSection.KERNEL32(?), ref: 00C8744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00C87461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00C87480

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: e289e5995f01e5419c51972c28ad80e4678eedc91fcc0c1a983b4aec631496d7
Instruction ID: 90b794dc859237a2cec8862f0d1e7ede20fd216ae269c62587cfcd051fdaf67d
Opcode Fuzzy Hash: e289e5995f01e5419c51972c28ad80e4678eedc91fcc0c1a983b4aec631496d7
Instruction Fuzzy Hash: 9F318D31904205EBDB10EFA4DC85BAE7BB8FF45710B2441BAF904AB246DB30DA55DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00CA6442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CA645A
GetDC.USER32(00000000), ref: 00CA6462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CA646D
ReleaseDC.USER32(00000000,00000000), ref: 00CA6479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00CA64B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CA64C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CA9299,?,?,000000FF,00000000,?,000000FF,?), ref: 00CA6500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CA6520

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 5d1ae3b621641f84ecb56b8c2a38c4c1599ffcbfd05001492399d036518801e5
Instruction ID: 5e239a54ab49c3e9563f82b8231c015a46f1df9b00219b4226078e415e7f0733
Opcode Fuzzy Hash: 5d1ae3b621641f84ecb56b8c2a38c4c1599ffcbfd05001492399d036518801e5
Instruction Fuzzy Hash: CF316D72601214BFEB118F50CC4AFEA3FA9EF0A769F084069FE089A191D6759D42CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00C7C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00C7C087
_memcmp.LIBCMT ref: 00C7C0A9
_memcmp.LIBCMT ref: 00C7C0C1
_memcmp.LIBCMT ref: 00C7C0D4
_memcmp.LIBCMT ref: 00C7C0EE
_memcmp.LIBCMT ref: 00C7C101
_memcmp.LIBCMT ref: 00C7C119
_memcmp.LIBCMT ref: 00C7C134

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c15a80e0397dc03221cc04d56f20032a84f22d2f3279854dac544da9efe9f8a9
Instruction ID: fe137b9dc80ca716f212f398c4fb10a50f5e0ba808668ecce3af68f8d281d798
Opcode Fuzzy Hash: c15a80e0397dc03221cc04d56f20032a84f22d2f3279854dac544da9efe9f8a9
Instruction Fuzzy Hash: A0218E71600206BBA624A921DD82FEF279CEF20394F488038FD0D96286FB51DE1192E5

Uniqueness

Uniqueness Score: -1.00%

Function 00C8ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

Part of subcall function 00C3FEC6: _wcscpy.LIBCMT ref: 00C3FEE9

_wcstok.LIBCMT ref: 00C8EEFF
_wcscpy.LIBCMT ref: 00C8EF8E
_memset.LIBCMT ref: 00C8EFC1

Strings

X, xrefs: 00C8EFFE

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 56df60a6f36f3bbb87e858ebe790b54eaa2736e6256dbc582087f27b044fed08
Instruction ID: 561352cb651590b1a7ef979aa036bc7a2fbd01cd556f8b31443b56a7669bd3d7
Opcode Fuzzy Hash: 56df60a6f36f3bbb87e858ebe790b54eaa2736e6256dbc582087f27b044fed08
Instruction Fuzzy Hash: 60C17A716083109FC724EF24D885A6EB7E0FF84314F04492DF99A9B6A2DB30ED45DB86

Uniqueness

Uniqueness Score: -1.00%

Function 00C96E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C96F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C96F35
WSAGetLastError.WSOCK32(00000000), ref: 00C96F48
htons.WSOCK32(?,?,?,00000000,?), ref: 00C96FFE
inet_ntoa.WSOCK32(?), ref: 00C96FBB

Part of subcall function 00C7AE14: _strlen.LIBCMT ref: 00C7AE1E
Part of subcall function 00C7AE14: _memmove.LIBCMT ref: 00C7AE40

_strlen.LIBCMT ref: 00C97058
_memmove.LIBCMT ref: 00C970C1

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 0a5b02566d538483c671d15c980478580bcc867b0d55041b35d5fde5a2545ef6
Instruction ID: 0113b0831d9414e07b5b929e0d6002ce4d18359366e28be2fb357554efc07359
Opcode Fuzzy Hash: 0a5b02566d538483c671d15c980478580bcc867b0d55041b35d5fde5a2545ef6
Instruction Fuzzy Hash: 3081CE31508310ABDB10EB24DC8AF6FB3A9EF84714F144A1DF5569B2E2DA70DE05DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C21424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b258f8a91504be05e603f1f82ab1f39fbeef791a4c9f73b31ccf3aff367a2802
Instruction ID: b01504f53f6ba89681207f4aa642cd6c4fe54fee49c8186daf49140a8f7583bb
Opcode Fuzzy Hash: b258f8a91504be05e603f1f82ab1f39fbeef791a4c9f73b31ccf3aff367a2802
Instruction Fuzzy Hash: 3B71BD34900119EFCB04DF98DC48ABEBBB9FF85314F188158F915AB251C730AA51CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00CAB60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01407310), ref: 00CAB6A5
IsWindowEnabled.USER32(01407310), ref: 00CAB6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00CAB795
SendMessageW.USER32(01407310,000000B0,?,?), ref: 00CAB7CC
IsDlgButtonChecked.USER32(?,?), ref: 00CAB809
GetWindowLongW.USER32(01407310,000000EC), ref: 00CAB82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00CAB843

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 847c3f03acf4af1eca65f4de5e448025579042ab611ef9fd77ad3f08a9abfc40
Instruction ID: d6a83aae8f5b46bdfdc141268076f203908822ff46a0220451dba21b7849e87b
Opcode Fuzzy Hash: 847c3f03acf4af1eca65f4de5e448025579042ab611ef9fd77ad3f08a9abfc40
Instruction Fuzzy Hash: 0871C034600206AFDF249FA5C8D4FAE7BB9FF5A348F040059F965972A2C771AE41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C9F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C9F75C
_memset.LIBCMT ref: 00C9F825
ShellExecuteExW.SHELL32(?), ref: 00C9F86A

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

Part of subcall function 00C3FEC6: _wcscpy.LIBCMT ref: 00C3FEE9

GetProcessId.KERNEL32(00000000), ref: 00C9F8E1
CloseHandle.KERNEL32(00000000), ref: 00C9F910

Strings

@, xrefs: 00C9F839

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: a8c0d775414bec451fccc98a6ac6a69fce1fe28bad9bbf74f110c6b33f83adcb
Instruction ID: 9a38a5b6d3b12d4400b50f482bfed2369c829a0a4bc64fb7a79ad1ae18a4532b
Opcode Fuzzy Hash: a8c0d775414bec451fccc98a6ac6a69fce1fe28bad9bbf74f110c6b33f83adcb
Instruction Fuzzy Hash: 0E61A075A00629DFCF04EF54D485AADBBB0FF49310F14846DE859AB751CB30AE41DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00C8145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C8149C
GetKeyboardState.USER32(?), ref: 00C814B1
SetKeyboardState.USER32(?), ref: 00C81512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00C81540
PostMessageW.USER32(?,00000101,00000011,?), ref: 00C8155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00C815A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C815C8

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7dcec026582d1b23d4b269c10f4c299a7bf99b370b5b1778b86a6ea954031ad0
Instruction ID: ea57769a22407a81b10b784750ccbeabfa4429845e1766a51689387951468b13
Opcode Fuzzy Hash: 7dcec026582d1b23d4b269c10f4c299a7bf99b370b5b1778b86a6ea954031ad0
Instruction Fuzzy Hash: C851F3A0A046D53DFB3262648C45BBA7FED5B46308F0C848DF9E5868C2D2A49E86D758

Uniqueness

Uniqueness Score: -1.00%

Function 00C81276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00C812B5
GetKeyboardState.USER32(?), ref: 00C812CA
SetKeyboardState.USER32(?), ref: 00C8132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C81357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C81374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C813B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C813D9

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8bbf87fb1398d9fb8effe808c64683764a3de23f4afdba3bb2e33391a0ad1dd6
Instruction ID: 167ef1c3cf6423b75f08ace4c14bf8a73b6086ca7c8b101785fb4aae988298ba
Opcode Fuzzy Hash: 8bbf87fb1398d9fb8effe808c64683764a3de23f4afdba3bb2e33391a0ad1dd6
Instruction Fuzzy Hash: A15106A05047D53DFB32A7248C45B7A7FED5B06308F0C848DE9E4868D2D395EE86E758

Uniqueness

Uniqueness Score: -1.00%

Function 00C8589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00C858AC
_wcsncpy.LIBCMT ref: 00C858E1
_wcsncpy.LIBCMT ref: 00C85913
_wcsncpy.LIBCMT ref: 00C85946
_wcsncpy.LIBCMT ref: 00C85988
_wcsncpy.LIBCMT ref: 00C859C2
_wcsncpy.LIBCMT ref: 00C859F1

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: b944e35f9aa9e6e8ace3d59d50b70adbab5c29c8aabd4d97b58512065bb41de3
Instruction ID: e9cbbe4dd990f105df30e1a5178268e48c96d3144b614dcfa4ed15cb6c81edcc
Opcode Fuzzy Hash: b944e35f9aa9e6e8ace3d59d50b70adbab5c29c8aabd4d97b58512065bb41de3
Instruction Fuzzy Hash: 1B41A265C2061876CB10FBB5CC86ACFB3A8AF45310F608556F518E3221F774E715D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00C838AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C848AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C838D3,?), ref: 00C848C7

Part of subcall function 00C848AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C838D3,?), ref: 00C848E0

lstrcmpiW.KERNEL32(?,?), ref: 00C838F3
_wcscmp.LIBCMT ref: 00C8390F
MoveFileW.KERNEL32(?,?), ref: 00C83927
_wcscat.LIBCMT ref: 00C8396F
SHFileOperationW.SHELL32(?), ref: 00C839DB

Strings

\*.*, xrefs: 00C83969

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: b3b202ac84082a3f2758ff867cac6747a737c78e74187dd2446a658d0ebbced2
Instruction ID: fb25c36c395b69bfe8357fbd51b0416721205e86500f8860a39ec27f06f7c6d7
Opcode Fuzzy Hash: b3b202ac84082a3f2758ff867cac6747a737c78e74187dd2446a658d0ebbced2
Instruction Fuzzy Hash: 3C41C0B10083849AC751FF60C481AEFB7ECAF88744F44192EF49AC3191EA74D788C756

Uniqueness

Uniqueness Score: -1.00%

Function 00CA7500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CA7519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CA75C0
IsMenu.USER32(?), ref: 00CA75D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CA7620
DrawMenuBar.USER32 ref: 00CA7633

Strings

0, xrefs: 00CA750D

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: d223152307e642581dd0d50a7fe3f593c047582e2adef0a7c4106ca06302fc25
Instruction ID: 5dc57feea10b63a26dd06bf5150fa5b6f945d5f2274441cd30295981791b1784
Opcode Fuzzy Hash: d223152307e642581dd0d50a7fe3f593c047582e2adef0a7c4106ca06302fc25
Instruction Fuzzy Hash: C4412875A0460AAFDB20DF54D884B9ABBF8FB06358F048229F92597290D730EE51CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CA122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00CA125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CA1286
FreeLibrary.KERNEL32(00000000), ref: 00CA133D

Part of subcall function 00CA122D: RegCloseKey.ADVAPI32(?), ref: 00CA12A3
Part of subcall function 00CA122D: FreeLibrary.KERNEL32(?), ref: 00CA12F5
Part of subcall function 00CA122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00CA1318

RegDeleteKeyW.ADVAPI32(?,?), ref: 00CA12E0

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 37094e09a64fa7925911691fedc52edea2385d54c1ce25b1848616c94f0470dc
Instruction ID: 9d7fe24c52306d0dd1e8bf6c705c579b0451ec55fb83fe285b8d383bf7a04b1d
Opcode Fuzzy Hash: 37094e09a64fa7925911691fedc52edea2385d54c1ce25b1848616c94f0470dc
Instruction Fuzzy Hash: 41311AB190110ABFDB149FD0DC89AFEB7BCEF0A308F040169E912E3151EA749F459BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00CA653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CA655B
GetWindowLongW.USER32(01407310,000000F0), ref: 00CA658E
GetWindowLongW.USER32(01407310,000000F0), ref: 00CA65C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00CA65F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00CA661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00CA6630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00CA664A

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 2398a31df8338f7046157097b64cf746815ddae6f4242a20f1143741849228bc
Instruction ID: c5872fa46a6292cee7ef406a42d9e91f45abd013fd4182f717f40d3be2d95b26
Opcode Fuzzy Hash: 2398a31df8338f7046157097b64cf746815ddae6f4242a20f1143741849228bc
Instruction Fuzzy Hash: C6310230A04256AFDB21CF68DC88F593BE1FB5A358F1901A8F5218F2B6CB71A940DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00C96486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C980A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C980CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C964D9
WSAGetLastError.WSOCK32(00000000), ref: 00C964E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C96521
connect.WSOCK32(00000000,?,00000010), ref: 00C9652A
WSAGetLastError.WSOCK32 ref: 00C96534
closesocket.WSOCK32(00000000), ref: 00C9655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C96576

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 968254c3c8450a992faea388f30c1be5a599ec211ed268b2fc61b5c8f4c494ed
Instruction ID: 838bb8fd25ca582cf893f17429dcc2550fc0cd5b661da898693cb753aa4ecfab
Opcode Fuzzy Hash: 968254c3c8450a992faea388f30c1be5a599ec211ed268b2fc61b5c8f4c494ed
Instruction Fuzzy Hash: 5931B131600218AFDF10EF64DC89BBE7BA8EB45724F008069F919D72D1DB74AD05DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C7E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C7E120
SysAllocString.OLEAUT32(00000000), ref: 00C7E123
SysAllocString.OLEAUT32 ref: 00C7E144
SysFreeString.OLEAUT32 ref: 00C7E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 00C7E167
SysAllocString.OLEAUT32(?), ref: 00C7E175

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6be5aeb45fc4e1cc8a0f50ebf42484164bc21b4b281f355e3cf1aadecf3bb0cf
Instruction ID: 9cce587fbdee3165671daad671dd13667dafd1a44c3d43db206d03ed99480476
Opcode Fuzzy Hash: 6be5aeb45fc4e1cc8a0f50ebf42484164bc21b4b281f355e3cf1aadecf3bb0cf
Instruction Fuzzy Hash: 71219032200108AF9B109FB9DC89EAF77ACEB0D760B508169F918CB2A1DA709D418B64

Uniqueness

Uniqueness Score: -1.00%

Function 00C7FB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C7FB81
__wcsnicmp.LIBCMT ref: 00C7FBA2
__wcsnicmp.LIBCMT ref: 00C7FBBC

Strings

#notrayicon, xrefs: 00C7FB79
#requireadmin, xrefs: 00C7FB9C
#OnAutoItStartRegister, xrefs: 00C7FBB6

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 9a35ee8cf64fb6f78722aa1db83cf4332fe9ebbf40c5ff3cf879aae5af41ade1
Instruction ID: dfb7e440318590c7a96f913d15d73eaf7b650b7c81d1b3446d9362bb02f473dd
Opcode Fuzzy Hash: 9a35ee8cf64fb6f78722aa1db83cf4332fe9ebbf40c5ff3cf879aae5af41ade1
Instruction Fuzzy Hash: A0214972104151E7D331E635DC92EAB77A8EF51340F14C43DFC9987181EB51AE87E295

Uniqueness

Uniqueness Score: -1.00%

Function 00CA783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C21D73
Part of subcall function 00C21D35: GetStockObject.GDI32(00000011), ref: 00C21D87
Part of subcall function 00C21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C21D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CA78A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CA78AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CA78B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CA78C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CA78D4

Strings

Msctls_Progress32, xrefs: 00CA7872

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 9d9bfe0e0d3a7deb56f0d008be9de7e22386ae5e3e89b937f2c1a94580108b27
Instruction ID: e0f7b83110152cc1dd1eec1245f1e7a5f152021aa12a151b5335d9049ac728aa
Opcode Fuzzy Hash: 9d9bfe0e0d3a7deb56f0d008be9de7e22386ae5e3e89b937f2c1a94580108b27
Instruction Fuzzy Hash: C81193B111021ABFEF159F60CC85EEB7F6DEF09798F014115BA04A6090C7719C21DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C441C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00C44292,?), ref: 00C441E3
GetProcAddress.KERNEL32(00000000), ref: 00C441EA
EncodePointer.KERNEL32(00000000), ref: 00C441F6
DecodePointer.KERNEL32(00000001,00C44292,?), ref: 00C44213

Strings

combase.dll, xrefs: 00C441DE
RoInitialize, xrefs: 00C441D2

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 7e186fbe8d3f3d5355bacb3c5ceba3860e9c45cae238019d0751aef0a7f30131
Instruction ID: e21f639d2c9af12b24cd15b89c8129800c479adbb34d31bff531453df23bd085
Opcode Fuzzy Hash: 7e186fbe8d3f3d5355bacb3c5ceba3860e9c45cae238019d0751aef0a7f30131
Instruction Fuzzy Hash: 04E01AB0A90340AEEF246BB0EC89B4C3AA4B76270BF104838F521DA0B0DBB54092DF00

Uniqueness

Uniqueness Score: -1.00%

Function 00C4429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00C441B8), ref: 00C442B8
GetProcAddress.KERNEL32(00000000), ref: 00C442BF
EncodePointer.KERNEL32(00000000), ref: 00C442CA
DecodePointer.KERNEL32(00C441B8), ref: 00C442E5

Strings

combase.dll, xrefs: 00C442B3
RoUninitialize, xrefs: 00C442A7

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 182ac78ee8894848680c52fbf28c8c16c7c9cf5a80fca82e2f1e0695b889c5cc
Instruction ID: 8b1f074f03157d205b7bf577586599b893eb6d07d043d9ba51f17a419bf8d0d8
Opcode Fuzzy Hash: 182ac78ee8894848680c52fbf28c8c16c7c9cf5a80fca82e2f1e0695b889c5cc
Instruction Fuzzy Hash: 18E0B678681340AFEF28ABB1EC4DF4D3AA4B72574AF20453CF111EA0B0CBB44541DA14

Uniqueness

Uniqueness Score: -1.00%

Function 00C8675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C868AD
_memmove.LIBCMT ref: 00C867E8

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

_memmove.LIBCMT ref: 00C8685B
_memmove.LIBCMT ref: 00C86942
_memmove.LIBCMT ref: 00C8695B
_memmove.LIBCMT ref: 00C86977

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 9bd310fd09ae2354bcac085273aa9b4df644df47a2912129c0e3355fe0b9d60c
Instruction ID: d8949b1f5691b3644858d3e9f646c78da97fde7604539c28e91b6004d2fd2aa6
Opcode Fuzzy Hash: 9bd310fd09ae2354bcac085273aa9b4df644df47a2912129c0e3355fe0b9d60c
Instruction Fuzzy Hash: 0361AC3050066A9BDF11FF60DC82EFE37A4AF04308F044519F89A5B2D2DB34AD85EB94

Uniqueness

Uniqueness Score: -1.00%

Function 00CA046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

Part of subcall function 00CA10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CA0038,?,?), ref: 00CA10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CA0548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CA0588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00CA05AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CA05D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CA0617
RegCloseKey.ADVAPI32(00000000), ref: 00CA0624

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 67b75f8decf407a9ad89cd9917458d0c3c29f86737beda934d05588de7014cf3
Instruction ID: bd8525f5a23c1857b41901bd497f535bcf4054520a64406ff08105fae0da16f9
Opcode Fuzzy Hash: 67b75f8decf407a9ad89cd9917458d0c3c29f86737beda934d05588de7014cf3
Instruction Fuzzy Hash: BC516A31508201AFCB10EF64D885E6FBBE8FF89358F14491DF995872A1DB31EA05EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00CA5A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00CA5A82
GetMenuItemCount.USER32(00000000), ref: 00CA5AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CA5AE1
GetMenuItemID.USER32(?,?), ref: 00CA5B50
GetSubMenu.USER32(?,?), ref: 00CA5B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00CA5BAF

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: fee862c0b5deb4c2ad4e565af0fe0ae3c5bd12f8b5750dff2361accb34f36b10
Instruction ID: def4792bb3ccc9543471a37fd573dafe24b689db40035cfb785170db2d0bfb13
Opcode Fuzzy Hash: fee862c0b5deb4c2ad4e565af0fe0ae3c5bd12f8b5750dff2361accb34f36b10
Instruction Fuzzy Hash: CD51AE31E00626EFDF11EFA4D845AAEB7B4EF49324F108469F816B7351CB70AE419B90

Uniqueness

Uniqueness Score: -1.00%

Function 00C7F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C7F3F7
VariantClear.OLEAUT32(00000013), ref: 00C7F469
VariantClear.OLEAUT32(00000000), ref: 00C7F4C4
_memmove.LIBCMT ref: 00C7F4EE
VariantClear.OLEAUT32(?), ref: 00C7F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C7F569

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: f5de8bb38205338ad5bc7a31c0d590f870c3edce260b05d15f607223fccf9fdd
Instruction ID: 94c4bf1edd3c7f94265b7dbc6303f7fe8d54f50b29d12376ba80646a53c38e63
Opcode Fuzzy Hash: f5de8bb38205338ad5bc7a31c0d590f870c3edce260b05d15f607223fccf9fdd
Instruction Fuzzy Hash: 295157B5A00209EFCB10CF58D884AAAB7F8FF4C354B15816DE959DB300D730EA52CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C826F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C82747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C82792
IsMenu.USER32(00000000), ref: 00C827B2
CreatePopupMenu.USER32 ref: 00C827E6
GetMenuItemCount.USER32(000000FF), ref: 00C82844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00C82875

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: e83a81441bf5050e7c72d05782179fbd8774de7dec8a2db293801b18dd9a2f16
Instruction ID: dc1b2f84c97aafc51edcdd4a69f770527dc9fa22564cbf8e623f97419715e7b9
Opcode Fuzzy Hash: e83a81441bf5050e7c72d05782179fbd8774de7dec8a2db293801b18dd9a2f16
Instruction Fuzzy Hash: C851AE71A00205EFDF24EFA9D88CBAEBBF4EF45318F104169E8219B2D1D7709A05CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00C21765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00C2179A
GetWindowRect.USER32(?,?), ref: 00C217FE
ScreenToClient.USER32(?,?), ref: 00C2181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C2182C
EndPaint.USER32(?,?), ref: 00C21876

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: eb69edc456574ecb7f299ab40a0cae5c1f01242f5a6795c935efca91361b5d8f
Instruction ID: 24caff137388eac76474ee9fe6099df764daab28da1a05e3a2eb17ab8ce13ec1
Opcode Fuzzy Hash: eb69edc456574ecb7f299ab40a0cae5c1f01242f5a6795c935efca91361b5d8f
Instruction Fuzzy Hash: 9241BE70100350AFC720DF25DCC4BBA7BE8EB6A724F180628F9A48B2E1C7309D45DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CAB958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00CE67B0,00000000,01407310,?,?,00CE67B0,?,00CAB862,?,?), ref: 00CAB9CC
EnableWindow.USER32(00000000,00000000), ref: 00CAB9F0
ShowWindow.USER32(00CE67B0,00000000,01407310,?,?,00CE67B0,?,00CAB862,?,?), ref: 00CABA50
ShowWindow.USER32(00000000,00000004,?,00CAB862,?,?), ref: 00CABA62
EnableWindow.USER32(00000000,00000001), ref: 00CABA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00CABAA9

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 6010e1d21f41455d51c23b090015f984710f81c9830791a8538ee83f77565796
Instruction ID: 7b71ef6101017f34926ec3881d52c32417274237b3433aa63e366daaccdfca49
Opcode Fuzzy Hash: 6010e1d21f41455d51c23b090015f984710f81c9830791a8538ee83f77565796
Instruction Fuzzy Hash: 42415131600242AFDB22CF64C489B997BF0BB06318F1841B9FA588F6A3C731AD46DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C973B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00C95134,?,?,00000000,00000001), ref: 00C973BF

Part of subcall function 00C93C94: GetWindowRect.USER32(?,?), ref: 00C93CA7

GetDesktopWindow.USER32 ref: 00C973E9
GetWindowRect.USER32(00000000), ref: 00C973F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00C97422

Part of subcall function 00C854E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C8555E

GetCursorPos.USER32(?), ref: 00C9744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C974AC

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: cb1e8f3ea2c419e6464fe213198d2dc7c4e63d4ee10a772d2bb507055fc087e4
Instruction ID: f02f94989a5bc88d773b1b16d739ffceba68401d184cea342318768b2ad0192a
Opcode Fuzzy Hash: cb1e8f3ea2c419e6464fe213198d2dc7c4e63d4ee10a772d2bb507055fc087e4
Instruction Fuzzy Hash: AA31F472509305ABCB20DF54C849F5FBBE9FF89318F000A19F49997191C770EA09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C78D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C785F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C78608
Part of subcall function 00C785F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C78612
Part of subcall function 00C785F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C78621
Part of subcall function 00C785F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C78628
Part of subcall function 00C785F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C7863E

GetLengthSid.ADVAPI32(?,00000000,00C78977), ref: 00C78DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C78DB8
HeapAlloc.KERNEL32(00000000), ref: 00C78DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00C78DD8
GetProcessHeap.KERNEL32(00000000,00000000,00C78977), ref: 00C78DEC
HeapFree.KERNEL32(00000000), ref: 00C78DF3

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 2eff1c5dee59e7d4f1ac87b6a028afc1751c4aa2d3cee69f7246ccd7d1944893
Instruction ID: 7a54ffd588ecc3228aac518f2d6c9419303c4db789e3e96025aea836f79f78be
Opcode Fuzzy Hash: 2eff1c5dee59e7d4f1ac87b6a028afc1751c4aa2d3cee69f7246ccd7d1944893
Instruction Fuzzy Hash: F311B131640606FFDB209FA4CC0DBAE7B6DFF65319F10802DEA5997250CB319A09DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C78AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C78B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00C78B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C78B40
CloseHandle.KERNEL32(00000004), ref: 00C78B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C78B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00C78B8E

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: dac398a80cc7a945c174b7b541d08da68fa79bb4f8a6b1725a56a0d75902516d
Instruction ID: b17916bf7f2b0d7d1ef4ca5b0eaaaed053da4ad7b5dbc702e29b2aea70873de7
Opcode Fuzzy Hash: dac398a80cc7a945c174b7b541d08da68fa79bb4f8a6b1725a56a0d75902516d
Instruction Fuzzy Hash: 12115CB2541209ABDF018FA4DD49FDE7BA9EF09348F044068FE04A2160C7718E659B60

Uniqueness

Uniqueness Score: -1.00%

Function 00CAC19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00C212F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C2134D
Part of subcall function 00C212F3: SelectObject.GDI32(?,00000000), ref: 00C2135C
Part of subcall function 00C212F3: BeginPath.GDI32(?), ref: 00C21373
Part of subcall function 00C212F3: SelectObject.GDI32(?,00000000), ref: 00C2139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00CAC1C4
LineTo.GDI32(00000000,00000003,?), ref: 00CAC1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00CAC1E6
LineTo.GDI32(00000000,00000000,?), ref: 00CAC1F6
EndPath.GDI32(00000000), ref: 00CAC206
StrokePath.GDI32(00000000), ref: 00CAC216

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 9ed957ef14b8d88cd8d39b7b0f2359a02602d5278d5af887986d0c4cc704389d
Instruction ID: 6cec0acf9835f3c6b2788b34761cb79abbcd37fe1c6e289f4e7e6941da1252a5
Opcode Fuzzy Hash: 9ed957ef14b8d88cd8d39b7b0f2359a02602d5278d5af887986d0c4cc704389d
Instruction Fuzzy Hash: 22111B7640014DBFEF119F94DC88FAE7FADEB09398F048025BA194A1A1C7719E55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C403A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C403D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 00C403DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C403E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C403F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00C403F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C40401

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 0341254dafc94dcd0b4762e4e8067099380b9b635fd29e67c0439eefecfe6185
Instruction ID: abcf78e044182aa1ecc89bd9239d5ebae7e4419cd6e00599b08367c1d061dbc3
Opcode Fuzzy Hash: 0341254dafc94dcd0b4762e4e8067099380b9b635fd29e67c0439eefecfe6185
Instruction Fuzzy Hash: A10148B09017597DE3008F5A8C85B56FEA8FF19354F00411BA15847941C7B5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00C8568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C8569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C856B1
GetWindowThreadProcessId.USER32(?,?), ref: 00C856C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C856CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C856D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C856E0

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 5fbe4a5e1e5030fbca2454489cbbcfbdd4fdce28a7af5dc0d072e204ec56091d
Instruction ID: cba790f7da5a24b40e4c60687843b03e10279cb702dd8dae4e1a07a3484b0fbc
Opcode Fuzzy Hash: 5fbe4a5e1e5030fbca2454489cbbcfbdd4fdce28a7af5dc0d072e204ec56091d
Instruction Fuzzy Hash: 1FF01D32241158BBE7215BE2DC0DFEF7A7CEBC7B19F00016DFA04D206096B11A0286B5

Uniqueness

Uniqueness Score: -1.00%

Function 00C874D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00C874E5
EnterCriticalSection.KERNEL32(?,?,00C31044,?,?), ref: 00C874F6
TerminateThread.KERNEL32(00000000,000001F6,?,00C31044,?,?), ref: 00C87503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00C31044,?,?), ref: 00C87510

Part of subcall function 00C86ED7: CloseHandle.KERNEL32(00000000,?,00C8751D,?,00C31044,?,?), ref: 00C86EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00C87523
LeaveCriticalSection.KERNEL32(?,?,00C31044,?,?), ref: 00C8752A

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 459d2e59fb4320b113df801112024f75965c8200f9a2a5f9558ed8aa14f2425b
Instruction ID: 0f3dffd1c5d47b0576712769750d03621422a97e35263b746cfd7bf9d380e263
Opcode Fuzzy Hash: 459d2e59fb4320b113df801112024f75965c8200f9a2a5f9558ed8aa14f2425b
Instruction Fuzzy Hash: 9BF05E3A140612EBDB612BA4FC8CBEF772AEF4630AB100639F202924B1DB755902CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C78E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C78E7F
UnloadUserProfile.USERENV(?,?), ref: 00C78E8B
CloseHandle.KERNEL32(?), ref: 00C78E94
CloseHandle.KERNEL32(?), ref: 00C78E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00C78EA5
HeapFree.KERNEL32(00000000), ref: 00C78EAC

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 4fbb95a978838b5934d55f5e64fc3feaffc271673fb9b217a3a78e4a0b0dbcad
Instruction ID: c7a855911c7335a1bea6ab52b99c8fd1013f27f0cd2891cab893adb44d5ba479
Opcode Fuzzy Hash: 4fbb95a978838b5934d55f5e64fc3feaffc271673fb9b217a3a78e4a0b0dbcad
Instruction Fuzzy Hash: 81E05276104505FFDB021FE5EC0CB5EBB69FB8A76AB508639F219C2470CB329462DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C98902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C98928
CharUpperBuffW.USER32(?,?), ref: 00C98A37
VariantClear.OLEAUT32(?), ref: 00C98BAF

Part of subcall function 00C87804: VariantInit.OLEAUT32(00000000), ref: 00C87844
Part of subcall function 00C87804: VariantCopy.OLEAUT32(00000000,?), ref: 00C8784D
Part of subcall function 00C87804: VariantClear.OLEAUT32(00000000), ref: 00C87859

Strings

Incorrect Parameter format, xrefs: 00C98960, 00C98B22
AUTOIT.ERROR, xrefs: 00C98A3D

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: e1a09003c576d92a1d53972a6fb839406e25bdfc1ba7857357e19e4618601716
Instruction ID: a177d81aaaa1f98905890943551e082442f78ddb7d4ca4d2802404af6ef9d34c
Opcode Fuzzy Hash: e1a09003c576d92a1d53972a6fb839406e25bdfc1ba7857357e19e4618601716
Instruction Fuzzy Hash: 14917F71608301DFCB10DF24C48596BBBE4EF8A714F14896EF89A8B361DB31E949DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C82F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3FEC6: _wcscpy.LIBCMT ref: 00C3FEE9

_memset.LIBCMT ref: 00C83077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C830A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C83159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C83187

Strings

0, xrefs: 00C83063

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 0ddf1260f2c2e0da4f6b13774cf0c7439b2bdfc04f071b907342813edc5f5d2d
Instruction ID: d3b5953f560e689b9ce0321eeb4c79c42268f16a81916ea3d9e90c2e68d540cb
Opcode Fuzzy Hash: 0ddf1260f2c2e0da4f6b13774cf0c7439b2bdfc04f071b907342813edc5f5d2d
Instruction Fuzzy Hash: 5951EE316083809AD725BF28C849A6FB7E4AF55F68F041A2DF8A5D31A0DB70CB44975A

Uniqueness

Uniqueness Score: -1.00%

Function 00C7DA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C7DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C7DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C7DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C7DB8E

Strings

DllGetClassObject, xrefs: 00C7DB01

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 45717c2ff466c5062b24974dde09af2ea35871cb5f4319bbb4513fd2932bb94d
Instruction ID: 29fe928fc7f4fc7e3d07a8d2ea1fd3051c6c89c865b4a84a1c629c58337903b8
Opcode Fuzzy Hash: 45717c2ff466c5062b24974dde09af2ea35871cb5f4319bbb4513fd2932bb94d
Instruction Fuzzy Hash: B24183B1600208DFDB15CF55C888B9A7BB9EF44310F15C1AEAD0A9F205D7B1DE40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C82C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C82CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C82CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00C82D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00CE6890,00000000), ref: 00C82D5A

Strings

0, xrefs: 00C82CA4

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: e0288ffbb439d5b7faf482be30e371931929476955665b395419b735ca1bafbc
Instruction ID: 629bbca65419f474190d0c858476fa806d4757bb2b3f0a677e1974c5029568f6
Opcode Fuzzy Hash: e0288ffbb439d5b7faf482be30e371931929476955665b395419b735ca1bafbc
Instruction Fuzzy Hash: 3A41A2302053119FD720EF24C888B1BBBE4FF85328F144A2EF965972A1D770E905CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00C9DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C9DAD9

Part of subcall function 00C279AB: _memmove.LIBCMT ref: 00C279F9

Strings

stdcall, xrefs: 00C9DB5B
winapi, xrefs: 00C9DB4A
cdecl, xrefs: 00C9DB30
none, xrefs: 00C9DBB4

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 83e4b85ac79ebd59944fb0052dfe7346d5ee714a63a4df915812f60bebb79be1
Instruction ID: 93568d4deaf1f71c829fc245ca11a364cc9a215403887b2d8ce0b9d81828f934
Opcode Fuzzy Hash: 83e4b85ac79ebd59944fb0052dfe7346d5ee714a63a4df915812f60bebb79be1
Instruction Fuzzy Hash: E8319471500619DFCF10EF94CC819AEB3B4FF05710B10866AE976A77D1DB31AA05DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00C79372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

Part of subcall function 00C7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C7B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C793F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C79409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00C79439

Part of subcall function 00C27D2C: _memmove.LIBCMT ref: 00C27D66

Strings

ComboBox, xrefs: 00C79380
ListBox, xrefs: 00C793B5

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 83a0e7c380898791136cf6fdd11cb0e53223c503a6cd42573349399302d8aee2
Instruction ID: e0f41be05fcb1871914868c18c5f1652e9bdf238bf1595a5d9aee131bf221e10
Opcode Fuzzy Hash: 83a0e7c380898791136cf6fdd11cb0e53223c503a6cd42573349399302d8aee2
Instruction Fuzzy Hash: 7A210571900108BFDB14ABB0DC86DFFB77CDF05360B148229F929A72E1DB350E0AA620

Uniqueness

Uniqueness Score: -1.00%

Function 00CA6656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C21D73
Part of subcall function 00C21D35: GetStockObject.GDI32(00000011), ref: 00C21D87
Part of subcall function 00C21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C21D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CA66D0
LoadLibraryW.KERNEL32(?), ref: 00CA66D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CA66EC
DestroyWindow.USER32(?), ref: 00CA66F4

Strings

SysAnimate32, xrefs: 00CA66AB

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 5e72f5c2c79885ac7601c78c83402733ed89a63cfe9d5ffc454b32f167e6dcc0
Instruction ID: f52ec167e7564d913390d9703abe30fcfec239b203a37fd14b149265f5e61957
Opcode Fuzzy Hash: 5e72f5c2c79885ac7601c78c83402733ed89a63cfe9d5ffc454b32f167e6dcc0
Instruction Fuzzy Hash: 8F218B71210206ABEF104FA4EC80FAB77ADEB5A36CF184629F961D21A0DB718D51A760

Uniqueness

Uniqueness Score: -1.00%

Function 00C8703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00C8705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C87091
GetStdHandle.KERNEL32(0000000C), ref: 00C870A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00C870DD

Strings

nul, xrefs: 00C870D8

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 9d0f510fa1c1a16b9449e81cc77f05d0b40692b2a44680cb0cb2c5bfe354c0c1
Instruction ID: 2d4c9432942c8b777b857b00208fac742ff8988febff0ee8ed94152b3e674a18
Opcode Fuzzy Hash: 9d0f510fa1c1a16b9449e81cc77f05d0b40692b2a44680cb0cb2c5bfe354c0c1
Instruction Fuzzy Hash: 0A217F74504209ABDF20AF69D805B9E7BE8AF55728F304729F9B0D72D0E771D940CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00C8710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00C8712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C8715D
GetStdHandle.KERNEL32(000000F6), ref: 00C8716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00C871A8

Strings

nul, xrefs: 00C871A3

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: e9cc0bea8cd0be8c5b4df857f3cf3b0640559a7d5ad8ac88603be345a9edd80a
Instruction ID: 5e7693c1fb8a6de0b2a402722ae6e1a97e617a2b5c0602bd3bff81c2b61aa414
Opcode Fuzzy Hash: e9cc0bea8cd0be8c5b4df857f3cf3b0640559a7d5ad8ac88603be345a9edd80a
Instruction Fuzzy Hash: 4D21C4716042059BDB20AF689C08B9E77E8AF55728F300719FDB4D76D0E770D941CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00C8AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C8AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C8AF13
__swprintf.LIBCMT ref: 00C8AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,00CAF910), ref: 00C8AF6A

Strings

%lu, xrefs: 00C8AF26

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: f7628b1df8071d9c3aec4b3e5e69c4517f6da0079c8f70a6ea063765461d437e
Instruction ID: 02c517eb7ace3c90a0707c1c9662f4148505dd41de67dfea51caeb11ff37cda9
Opcode Fuzzy Hash: f7628b1df8071d9c3aec4b3e5e69c4517f6da0079c8f70a6ea063765461d437e
Instruction Fuzzy Hash: DD218631A00109AFDB10EFA4DC85EAE77B8EF49704B104069F909DB251DB31EE41DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00C7A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27D2C: _memmove.LIBCMT ref: 00C27D66

Part of subcall function 00C7A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C7A399
Part of subcall function 00C7A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C7A3AC
Part of subcall function 00C7A37C: GetCurrentThreadId.KERNEL32 ref: 00C7A3B3
Part of subcall function 00C7A37C: AttachThreadInput.USER32(00000000), ref: 00C7A3BA

GetFocus.USER32 ref: 00C7A554

Part of subcall function 00C7A3C5: GetParent.USER32(?), ref: 00C7A3D3

GetClassNameW.USER32(?,?,00000100), ref: 00C7A59D
EnumChildWindows.USER32(?,00C7A615), ref: 00C7A5C5
__swprintf.LIBCMT ref: 00C7A5DF

Strings

%s%d, xrefs: 00C7A5D9

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: b1c0eda65a49c94c82ca571c75da2c3dfb5324c0d817c5b18bbd5554afadc641
Instruction ID: 1fd3f07cdeaddfd579f13e3dc356c4c7fa35cca7712d0072d480a89559e4c9c7
Opcode Fuzzy Hash: b1c0eda65a49c94c82ca571c75da2c3dfb5324c0d817c5b18bbd5554afadc641
Instruction Fuzzy Hash: 7B11B471200209BBDF117FB4DC85FEE777CAF89710F048079B91CAA192CA7099469B75

Uniqueness

Uniqueness Score: -1.00%

Function 00C82017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C82048

Strings

REMOVE, xrefs: 00C8204E
KEYS, xrefs: 00C8205F
EXISTS, xrefs: 00C82070
APPEND, xrefs: 00C82081

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 4b91d4d3ecf2d2946873028cf1395ce7ad187ccfab922273187b24855b805e92
Instruction ID: f8e4cf04ae2f74ab037d812ecc15bb70fd2c89dd2dba03747438e0bfe2e231d5
Opcode Fuzzy Hash: 4b91d4d3ecf2d2946873028cf1395ce7ad187ccfab922273187b24855b805e92
Instruction Fuzzy Hash: E0113C70D40119DFCF00EFA4D9419AEB7B4BF16304F108469D95567351DB326A0AEB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C9EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C9EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C9EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00C9F07E
CloseHandle.KERNEL32(?), ref: 00C9F0FF

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 4553b6fd8679c72ad3933b510db70ff48322837ea88de69bdfb2c83e3cb5b8d3
Instruction ID: 00cb437d1d09a2ba86d6dde52f70cdf2abd36651f06384fcfaa9687ec56c00a1
Opcode Fuzzy Hash: 4553b6fd8679c72ad3933b510db70ff48322837ea88de69bdfb2c83e3cb5b8d3
Instruction Fuzzy Hash: 618182716043109FDB20EF28D846F2EB7E5EF48720F14881DF999DB692DB70AD419B92

Uniqueness

Uniqueness Score: -1.00%

Function 00CA02C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

Part of subcall function 00CA10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CA0038,?,?), ref: 00CA10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CA0388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CA03C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CA040E
RegCloseKey.ADVAPI32(?,?), ref: 00CA043A
RegCloseKey.ADVAPI32(00000000), ref: 00CA0447

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: fe8b90a0ce8435ad11b0e50015410a43d05bef422aa1e8c8fe72791fc97f062f
Instruction ID: 1061f1055aa4bd407245cc3e3b69afe3d83edc1e201033c2b086b35720cd1005
Opcode Fuzzy Hash: fe8b90a0ce8435ad11b0e50015410a43d05bef422aa1e8c8fe72791fc97f062f
Instruction Fuzzy Hash: 15518E31208205AFDB00EF54D881F6EB7E8FF89308F14892DF596871A1DB31E905DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C9DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C9DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 00C9DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00C9DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 00C9DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C9DD35

Part of subcall function 00C25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C87B20,?,?,00000000), ref: 00C25B8C
Part of subcall function 00C25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C87B20,?,?,00000000,?,?), ref: 00C25BB0

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 0128ede95fa1f1d3d94bfb874f8809114be8003f5cf3cbdf92795a28d19c7f17
Instruction ID: 3257d1b9b7892cb61bce2cbabdc6b6b99c7ac2971c07c27508b4048335f445a7
Opcode Fuzzy Hash: 0128ede95fa1f1d3d94bfb874f8809114be8003f5cf3cbdf92795a28d19c7f17
Instruction Fuzzy Hash: E9513B35A00215DFDB00EFA8D4889ADB7F4FF59320B1480A9E91AAB351DB30EE45DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00C8E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C8E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00C8E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C8E8F2

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C8E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C8E91F

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 148536c6f71bcce60396549f01f03ebce4707f1e701a582cf3a065e7f1f4ba06
Instruction ID: a7d65d7c0ba077d0494d94c87c86bb1acf3994b602111b6c77403febccce3f37
Opcode Fuzzy Hash: 148536c6f71bcce60396549f01f03ebce4707f1e701a582cf3a065e7f1f4ba06
Instruction Fuzzy Hash: F8510835A00215DFDB01EFA4D981AAEBBF5FF09314B1484A9E849AB361CB31ED51EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CAA2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a43d9b8b6b75515824a372e16386977c92c57cca00b542c2400b666f71d060c7
Instruction ID: fd3a4f100ea42165456c30027d42bb360a42e9066ee15e86060d77dde53e06a6
Opcode Fuzzy Hash: a43d9b8b6b75515824a372e16386977c92c57cca00b542c2400b666f71d060c7
Instruction Fuzzy Hash: 2C41D135901206AFDB20DF68CC48FB9BBA4EB0A318F140165F966A72F1D770EE41DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C22344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C22357
ScreenToClient.USER32(00CE67B0,?), ref: 00C22374
GetAsyncKeyState.USER32(00000001), ref: 00C22399
GetAsyncKeyState.USER32(00000002), ref: 00C223A7

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 9e0a41f40abced0f8a9f7bbc383d485d5a859d6fbc6e901e14cbf61c6e15f01c
Instruction ID: aceb0097ccbac641aef321c2f6a290eca9ed6130de5d0894af4f3e4fd61fbafd
Opcode Fuzzy Hash: 9e0a41f40abced0f8a9f7bbc383d485d5a859d6fbc6e901e14cbf61c6e15f01c
Instruction Fuzzy Hash: B4417E39504215FFDF15DFA5D884AEDBBB4BB05324F204319F834962A0C7345A94EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C76920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C7695D
TranslateAcceleratorW.USER32(?,?,?), ref: 00C769A9
TranslateMessage.USER32(?), ref: 00C769D2
DispatchMessageW.USER32(?), ref: 00C769DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C769EB

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 38c0cbb21b3e78f849705e9d167027f2e86bfe8ab525ed5244a58723ce8aa5dd
Instruction ID: cfe28c17d637d3b9bf0ee2c6af597e318bd648a4d46e4d22fbe0e1e237303793
Opcode Fuzzy Hash: 38c0cbb21b3e78f849705e9d167027f2e86bfe8ab525ed5244a58723ce8aa5dd
Instruction Fuzzy Hash: B6312631910A82AADB20CFB5CC84FBA7BACAB12354F108129E139C71A0E7349985DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C78F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C78F12
PostMessageW.USER32(?,00000201,00000001), ref: 00C78FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00C78FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00C78FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00C78FDA

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 42ac6710acce8da6e3ef48138f9f91396c14e9103b50a3e565c80a9ce51b60eb
Instruction ID: a027076be31e9fe03a81ac4a278d227303e9d59ede6e6dec5424355eea6c85ee
Opcode Fuzzy Hash: 42ac6710acce8da6e3ef48138f9f91396c14e9103b50a3e565c80a9ce51b60eb
Instruction Fuzzy Hash: 6A31BF71500219EFDB14CFE8D94CB9E7BB6EB05315F108229FA29E71D0C7B09A18DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C7B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C7B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C7B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C7B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C7B742
_wcsstr.LIBCMT ref: 00C7B74C

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 103fdb525113f0306d4552f750a2b090a6baf96fbcf09b5de9a433b1d29c6338
Instruction ID: 108708a833142c6b05d7b12cf30b360abd844ae9e5be521474ec1eeb3bfefbbe
Opcode Fuzzy Hash: 103fdb525113f0306d4552f750a2b090a6baf96fbcf09b5de9a433b1d29c6338
Instruction Fuzzy Hash: CB21D731204244BBEB295B799C49F7F7BA8EF89720F14803DFD09CA1A1EB71DD4196A0

Uniqueness

Uniqueness Score: -1.00%

Function 00CAB405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

GetWindowLongW.USER32(?,000000F0), ref: 00CAB44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00CAB471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00CAB489
GetSystemMetrics.USER32(00000004), ref: 00CAB4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00C91184,00000000), ref: 00CAB4D0

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: a02aa3f81cd65a6dc01e292d5fcc5d0b666339c5261870888889a04a496307e4
Instruction ID: e80af6f062df79016d83fd907d460b291fad97061661e38c97fecfd6c9f3a064
Opcode Fuzzy Hash: a02aa3f81cd65a6dc01e292d5fcc5d0b666339c5261870888889a04a496307e4
Instruction Fuzzy Hash: 0F219171910266AFCB209F798C44B6A3BA4FB0A728F104738F936C71E2E7309D11DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C797E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C79802

Part of subcall function 00C27D2C: _memmove.LIBCMT ref: 00C27D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C79834
__itow.LIBCMT ref: 00C7984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C79874
__itow.LIBCMT ref: 00C79885

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 52a2a152ac083c93dc953b6d6302aa90751173f4ca4b01d47b56c7ae578c65f2
Instruction ID: 5c42aa8882632438635b2fc87529d8c51c8bc1179dff94e5c765e6a8248e0f54
Opcode Fuzzy Hash: 52a2a152ac083c93dc953b6d6302aa90751173f4ca4b01d47b56c7ae578c65f2
Instruction Fuzzy Hash: 5B21AA31701218ABDB109AB59C8AFEE7BB9EF4A714F088039FD09DB291D6708D45D7D2

Uniqueness

Uniqueness Score: -1.00%

Function 00C212F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C2134D
SelectObject.GDI32(?,00000000), ref: 00C2135C
BeginPath.GDI32(?), ref: 00C21373
SelectObject.GDI32(?,00000000), ref: 00C2139C

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: fbb5eabe9cd777a7a75f6fdcac15166f9d3e26b4a6e93fb412b6e1cc1b1a137e
Instruction ID: 6ad8e300a929d9939e038ecc3866208245a5b46fd856790244e14d71fd2aefc5
Opcode Fuzzy Hash: fbb5eabe9cd777a7a75f6fdcac15166f9d3e26b4a6e93fb412b6e1cc1b1a137e
Instruction Fuzzy Hash: FE215E70810354EBDB20CF65EC4476D7BB9FB20361F18422AE8209A5F0D3719995DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C7C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00C7C176
_memcmp.LIBCMT ref: 00C7C194
_memcmp.LIBCMT ref: 00C7C1A7
_memcmp.LIBCMT ref: 00C7C1BF
_memcmp.LIBCMT ref: 00C7C1D7

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e96b5e76b7c5ac54a6a6bc0da2c0abd36fe63c4ebfc538ebbed57bb1de17b94b
Instruction ID: 6aa12f730e949cbd419e9467839c4a0e2ceb212298032698ab9a65246b6f8097
Opcode Fuzzy Hash: e96b5e76b7c5ac54a6a6bc0da2c0abd36fe63c4ebfc538ebbed57bb1de17b94b
Instruction Fuzzy Hash: 7401B5B16041077BE204A6229CC2FEF779CEB213A4F888139FD1896283FA50DF1192E0

Uniqueness

Uniqueness Score: -1.00%

Function 00C84D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C84D5C
__beginthreadex.LIBCMT ref: 00C84D7A
MessageBoxW.USER32(?,?,?,?), ref: 00C84D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C84DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C84DAC

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: a8c6ca961d20216aa9dc0819fd1c2da5bbc3252a868c2c902fd17c0c8b972e2e
Instruction ID: a8df54e5e6db08d1a0408749f2922f9c8c72d0fa0f78fae89d3ba959d4ed5f51
Opcode Fuzzy Hash: a8c6ca961d20216aa9dc0819fd1c2da5bbc3252a868c2c902fd17c0c8b972e2e
Instruction Fuzzy Hash: 03110872904249BBCB059BB8DC48BDE7FACEB45328F14426AFA24D7350D6718D0487A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C7874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C78766
GetLastError.KERNEL32(?,00C7822A,?,?,?), ref: 00C78770
GetProcessHeap.KERNEL32(00000008,?,?,00C7822A,?,?,?), ref: 00C7877F
HeapAlloc.KERNEL32(00000000,?,00C7822A,?,?,?), ref: 00C78786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C7879D

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: b6dbaaebfb779da06c4d4dbaa45002df96e5ea794b83260c6cd573fb3d837510
Instruction ID: 28f85e88843580b7f13b3a47936913ef4d24888271b3e711e7049721f03f73c3
Opcode Fuzzy Hash: b6dbaaebfb779da06c4d4dbaa45002df96e5ea794b83260c6cd573fb3d837510
Instruction Fuzzy Hash: BE014F71241204EFDB244FAADC4CE6F7B6CFF86355B204429F94AC3160DA318D05CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00C854E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C85502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C85510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C85518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C85522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C8555E

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 15916ebe47dc2c46321d25a4f4df73aad22d97d877f274d844fd924b8f9e35ef
Instruction ID: df94b5884742303f4c7a2de9b9555198cb83b5d5e40db30ed4f09c4439b459bb
Opcode Fuzzy Hash: 15916ebe47dc2c46321d25a4f4df73aad22d97d877f274d844fd924b8f9e35ef
Instruction Fuzzy Hash: C0016D35C00A1DDBCF00EFE9E848BEDBB79FB09709F00015AE941B2150DB705A55CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C77652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C7758C,80070057,?,?,?,00C7799D), ref: 00C7766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C7758C,80070057,?,?), ref: 00C7768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C7758C,80070057,?,?), ref: 00C77698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C7758C,80070057,?), ref: 00C776A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C7758C,80070057,?,?), ref: 00C776B4

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 14f1eaebf4defd82ee78e519120065bc4ec7526f010b6f0ccf281f30368e2413
Instruction ID: 073e7761e2771084b33315f59da6ea7f63712664f741b32bd349f9bf9c166dc6
Opcode Fuzzy Hash: 14f1eaebf4defd82ee78e519120065bc4ec7526f010b6f0ccf281f30368e2413
Instruction Fuzzy Hash: 3301D476601608BBDB105F58DC08BAE7BACEB46755F204228FD08D3225E775DE4187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C785F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C78608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C78612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C78621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C78628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C7863E

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c8f01ff8c59f355aa19f6095312d9a24e99c2e24ee6cd8cbbe97cde2df3861af
Instruction ID: 9e310d83cb3f0b69e070c0aa65c0c40af637fcb2c55603d724f69c6cfd2619ee
Opcode Fuzzy Hash: c8f01ff8c59f355aa19f6095312d9a24e99c2e24ee6cd8cbbe97cde2df3861af
Instruction Fuzzy Hash: 2BF03C31241204BFEB100FE5DC8DFAF3BACEF8A759B004429FA5987150CBB19D46DA60

Uniqueness

Uniqueness Score: -1.00%

Function 00C78652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C78669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C78673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C78682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C78689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C7869F

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f00b78b506d0d391da10f1efdbefd6f5e5c99693bfb8e818979f451ad6ddd0a2
Instruction ID: c49bab2476a3eb82b80871cb8a87bbb9eade70dd4b953a29e4967f9e0327b8cd
Opcode Fuzzy Hash: f00b78b506d0d391da10f1efdbefd6f5e5c99693bfb8e818979f451ad6ddd0a2
Instruction Fuzzy Hash: 08F0A470280204BFDB111FA4DC8CF6F3BACFF46759B100029F649C3150CB709905DA61

Uniqueness

Uniqueness Score: -1.00%

Function 00C7C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00C7C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 00C7C6D1
MessageBeep.USER32(00000000), ref: 00C7C6E9
KillTimer.USER32(?,0000040A), ref: 00C7C705
EndDialog.USER32(?,00000001), ref: 00C7C71F

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 0c705a2dd6eed15114cd86b54cd2b5844a2bf373573b7e51c2bb58135ead9d8b
Instruction ID: fda26a7c3aea955637c18949290bfd24e571fb3032bbd99486789ab5c19d2468
Opcode Fuzzy Hash: 0c705a2dd6eed15114cd86b54cd2b5844a2bf373573b7e51c2bb58135ead9d8b
Instruction Fuzzy Hash: BE018F70400705ABEB245B60DC8EB9A77B8BB01705F00466DB596A24E1DBF0A9558B80

Uniqueness

Uniqueness Score: -1.00%

Function 00C213B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00C213BF
StrokeAndFillPath.GDI32(?,?,00C5BAD8,00000000,?), ref: 00C213DB
SelectObject.GDI32(?,00000000), ref: 00C213EE
DeleteObject.GDI32 ref: 00C21401
StrokePath.GDI32(?), ref: 00C2141C

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: a201bd4fbb71afc658c8ec75c9a54761c293123203e52796b836c65a6dcb74ab
Instruction ID: 5322c2b1c6b0fe64e88b86392904eba0bef2e685afea2237b5ede55ad72fc9e0
Opcode Fuzzy Hash: a201bd4fbb71afc658c8ec75c9a54761c293123203e52796b836c65a6dcb74ab
Instruction Fuzzy Hash: BCF0FF30014348EBDB255F6AEC8C75C3FA5AB2137AF08C228F969894F1C7314996DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00C8C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C8C69D
CoCreateInstance.OLE32(00CB2D6C,00000000,00000001,00CB2BDC,?), ref: 00C8C6B5

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

CoUninitialize.OLE32 ref: 00C8C922

Strings

.lnk, xrefs: 00C8C631, 00C8C659, 00C8C663

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 87b57effcafb7926f36e25fb7a1d022c1b4c40d4bc262e4559cd9aa7f62cb833
Instruction ID: d03d4873f9e4f1269cabcee26e3bfc05bf5eab1c8dec923e61d828ba7922cb4a
Opcode Fuzzy Hash: 87b57effcafb7926f36e25fb7a1d022c1b4c40d4bc262e4559cd9aa7f62cb833
Instruction Fuzzy Hash: 8EA13C71108315AFD700EF54D892EABB7E8EF89704F00496CF196971A2EB70EA49DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C32E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00C40FF6: std::exception::exception.LIBCMT ref: 00C4102C
Part of subcall function 00C40FF6: __CxxThrowException@8.LIBCMT ref: 00C41041

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

Part of subcall function 00C27BB1: _memmove.LIBCMT ref: 00C27C0B

__swprintf.LIBCMT ref: 00C3302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00C32EC6

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: ff104a934564fe9f4be8790bae1cc6ffe49c00ef5e63b7be9dd8d63154b83b9f
Instruction ID: cff879c81c4fbeff28aedf9df079928bbbbd2461e0d8e7e180313d06b92622a0
Opcode Fuzzy Hash: ff104a934564fe9f4be8790bae1cc6ffe49c00ef5e63b7be9dd8d63154b83b9f
Instruction Fuzzy Hash: 57918B311183519FCB28EF64E8C5D6FB7A4EF85750F00091DF8929B2A1DA30EE44DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C8BBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C248A1,?,?,00C237C0,?), ref: 00C248CE

CoInitialize.OLE32(00000000), ref: 00C8BC26
CoCreateInstance.OLE32(00CB2D6C,00000000,00000001,00CB2BDC,?), ref: 00C8BC3F
CoUninitialize.OLE32 ref: 00C8BC5C

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

Strings

.lnk, xrefs: 00C8BC08, 00C8BC16

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: d3a3f1c82ec5af5b188254f3f4f0538d8f394c94cc15675323c7987c4f5621fe
Instruction ID: 6f1d593f9bc2f1b3d428dae4ef2a7ffa5528ae98adb8151e8c2b24bc6cfae817
Opcode Fuzzy Hash: d3a3f1c82ec5af5b188254f3f4f0538d8f394c94cc15675323c7987c4f5621fe
Instruction Fuzzy Hash: 5DA136756043119FCB10EF14C484E6ABBE5FF89318F148999F8AA9B3A1CB31ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C4524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00C452DD

Part of subcall function 00C50340: __87except.LIBCMT ref: 00C5037B

Strings

pow, xrefs: 00C452B5, 00C452D2

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 33b0c76663c844ed8adf8d311974949b5bcdb7d15a2df8e26ee95e7ff6a91cf7
Instruction ID: 55e4ebf704cd938f05745faa7ad508ca9d0e1c2bed5eda3d80c1ceb1a75d8e86
Opcode Fuzzy Hash: 33b0c76663c844ed8adf8d311974949b5bcdb7d15a2df8e26ee95e7ff6a91cf7
Instruction Fuzzy Hash: 6E515B25A0DA0187C7217B15C94137E3B94BB40752F308E5DE8A5C62F7EF748ED8EA4A

Uniqueness

Uniqueness Score: -1.00%

Function 00C4023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00C40280
+, xrefs: 00C40277

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 2c3f83af94453dfec8a5289dca46f964af68301dfe0c7f5f994bd4026a98ad04
Instruction ID: f87559dbb1e0b0eeef844ee6621069ae8c5783bac4acc42b05eaa2e7c0e2816f
Opcode Fuzzy Hash: 2c3f83af94453dfec8a5289dca46f964af68301dfe0c7f5f994bd4026a98ad04
Instruction Fuzzy Hash: 0D512475504255CFDF25DF28C488AFE7BA4FF2A310F248059ECA59B2A0D7749E42D760

Uniqueness

Uniqueness Score: -1.00%

Function 00C362F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C363A8
_memmove.LIBCMT ref: 00C36446
_memset.LIBCMT ref: 00C3646A

Strings

ERCP, xrefs: 00C36313

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 1e56dc2290c8b76649e3067c7b88ccbb6571b86d87028c261e46bf4077c7ba6f
Instruction ID: 66362cee5617c0b8775d30113c8ba64da4f5abb3c34d28341580037d1737f288
Opcode Fuzzy Hash: 1e56dc2290c8b76649e3067c7b88ccbb6571b86d87028c261e46bf4077c7ba6f
Instruction Fuzzy Hash: 50519271910709EBDB24CF65C881BAABBF4FF04714F24C56EEA5ACB241E7719A84CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00CA7BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00CAF910,00000000,?,?,?,?), ref: 00CA7C4E
GetWindowLongW.USER32 ref: 00CA7C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CA7C7B

Strings

SysTreeView32, xrefs: 00CA7C20

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 0f469354e6ffc196411115f84379a18919226d36cd056fdca2da42f1b72a47c0
Instruction ID: 289b4433afb34ffd37240c3e46fd971447c3abaf1f6a11bf4a81de20170320b7
Opcode Fuzzy Hash: 0f469354e6ffc196411115f84379a18919226d36cd056fdca2da42f1b72a47c0
Instruction Fuzzy Hash: B131BE31244206ABDB219F38DC45BEA77A9FB4A338F244729F875932E0D731ED519B60

Uniqueness

Uniqueness Score: -1.00%

Function 00CA7648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00CA76D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00CA76E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CA7708

Strings

SysMonthCal32, xrefs: 00CA769B

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 6906d949f371a5bcf9377ac306c099f58f38543f82ec7342af470a9bb1e97a87
Instruction ID: 1cf2e9a0fb385a25f27bab260a40454834b468796de63028d8fde61ca58ffc4a
Opcode Fuzzy Hash: 6906d949f371a5bcf9377ac306c099f58f38543f82ec7342af470a9bb1e97a87
Instruction Fuzzy Hash: 0A219132540219ABDF119FA4CC46FEA3B79FB49718F110214FE156B1D0D6B5A8519BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA6F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00CA6FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00CA6FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00CA6FDF

Strings

Listbox, xrefs: 00CA6F77

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 6d6b1eb74c803354e5115a30b58d7936d6987bc738c7ebc362a6785de5b69101
Instruction ID: 7ee6103107133c989baa497ed459f66b049789c2356f468f9338e920840afac8
Opcode Fuzzy Hash: 6d6b1eb74c803354e5115a30b58d7936d6987bc738c7ebc362a6785de5b69101
Instruction Fuzzy Hash: 16219232610119BFDF118F94DC85FAF37AAEF8A768F058128F9159B190C671AC519BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CA79E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CA79F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CA7A03

Strings

msctls_trackbar32, xrefs: 00CA79B8

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 7d5b869185c0a702c16691a68ba9433be4f608d5075a8778a9723f2570a20103
Instruction ID: 065148d3cea3497691e8117a1f71ad82f8cecd7471e8f195ebc0fcff4a5128e1
Opcode Fuzzy Hash: 7d5b869185c0a702c16691a68ba9433be4f608d5075a8778a9723f2570a20103
Instruction Fuzzy Hash: D311E332244249BBEF109F74CC05FEB77ADEF8A768F020629FA51A6091D271D811DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C24C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C24C2E), ref: 00C24CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C24CB5

Strings

GetNativeSystemInfo, xrefs: 00C24CAF
kernel32.dll, xrefs: 00C24C9E

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: e4b8e4016f118a31ca36f31296e755224581d09d59c7dad19705c022826c0a10
Instruction ID: c4d2a5482808ff0e1a7fb4273425e3ec7c747407ef54e3e8bd413d96f6dac5ae
Opcode Fuzzy Hash: e4b8e4016f118a31ca36f31296e755224581d09d59c7dad19705c022826c0a10
Instruction Fuzzy Hash: 46D0C770600323CFC7209FB4EA0870AB2E4AF02788B10883ED892C2550E670C881CA20

Uniqueness

Uniqueness Score: -1.00%

Function 00C24D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C24CE1,?), ref: 00C24DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C24DB4

Strings

kernel32.dll, xrefs: 00C24D9D
Wow64RevertWow64FsRedirection, xrefs: 00C24DAE

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 699191e177c1690d499d2113fa769879b568cfdd9d47d29470b00026d36a4320
Instruction ID: 8af214bc7689e60113577ea27a2adb16b01cf20f75f83be35c57094e6cfa3d3b
Opcode Fuzzy Hash: 699191e177c1690d499d2113fa769879b568cfdd9d47d29470b00026d36a4320
Instruction Fuzzy Hash: F6D01731550723CFD7209FB1E848B8A76E4AF06359F11C83ED9D6D6690E770D881CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00C24D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C24D2E,?,00C24F4F,?,00CE62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C24D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C24D81

Strings

kernel32.dll, xrefs: 00C24D6A
Wow64DisableWow64FsRedirection, xrefs: 00C24D7B

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 558ef4fd260cb7aa1702265a21f8597a81a64c8454f15ae35eaed41e079c109a
Instruction ID: bd827842a63f7d8e908ba7bbefa5f010368274e682eab7d8d0a9dfa2395ac05c
Opcode Fuzzy Hash: 558ef4fd260cb7aa1702265a21f8597a81a64c8454f15ae35eaed41e079c109a
Instruction Fuzzy Hash: 7AD01731510723CFD7209FB1E84875A76E8AF16356F11C93ED596D6690E670D882CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00CA1072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00CA12C1), ref: 00CA1080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CA1092

Strings

advapi32.dll, xrefs: 00CA107B
RegDeleteKeyExW, xrefs: 00CA108C

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: a176340f6b9dd1a05d72520e48be3745bb968b6e242fe30e9148b04ed5f967a7
Instruction ID: 8bef978bf1f1d4ff800b0af3b1674a487f928fa548c7da01e697bd6d09c1f91f
Opcode Fuzzy Hash: a176340f6b9dd1a05d72520e48be3745bb968b6e242fe30e9148b04ed5f967a7
Instruction Fuzzy Hash: F8D0E232510713CFD7209BB5D958A1E76E4AF06369B168C3EA9DADA250E770C8808A50

Uniqueness

Uniqueness Score: -1.00%

Function 00C993F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00C99009,?,00CAF910), ref: 00C99403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00C99415

Strings

GetModuleHandleExW, xrefs: 00C9940F
kernel32.dll, xrefs: 00C993FE

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 0c3dbbf6931fe29a0ec18cfe379c87ee2d7fdee6debdc654e7a427f6a070a140
Instruction ID: ed3b4e21de8b3403563b779046171be6567a89a279086a87733255ebf5d4e5a1
Opcode Fuzzy Hash: 0c3dbbf6931fe29a0ec18cfe379c87ee2d7fdee6debdc654e7a427f6a070a140
Instruction Fuzzy Hash: E5D0C730510313CFCB309FB4D90C30A76E4AF22355B00C83EE592C2650E670C882CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00C776C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a3534aaa0e0223afe2a532fded7decd7fd4b3e56efc1b6021aa51a7bd0eece4
Instruction ID: d84d773f44b604d563bdde1aa49859345d92fc0be9a6ca48ebeb555dbdf23df9
Opcode Fuzzy Hash: 4a3534aaa0e0223afe2a532fded7decd7fd4b3e56efc1b6021aa51a7bd0eece4
Instruction Fuzzy Hash: 77C1A475A0421AEFDB14CFA4C888E6EB7F5FF48714B118698E819EB251D730DE81DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C9E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00C9E3D2
CharLowerBuffW.USER32(?,?), ref: 00C9E415

Part of subcall function 00C9DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C9DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00C9E615
_memmove.LIBCMT ref: 00C9E628

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: dc2d9174b9d60a6d6c395095464e7b0c4fd9a2ae7cdcbef6df77622521e16c41
Instruction ID: d690c30edb33c7997b2a72832e7c0f2f934d82083675f4a3e5e32cf73d77f648
Opcode Fuzzy Hash: dc2d9174b9d60a6d6c395095464e7b0c4fd9a2ae7cdcbef6df77622521e16c41
Instruction Fuzzy Hash: 5EC16B71A083119FCB14DF28C48496ABBE4FF98714F14896DF8999B351D731EA46CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00C983A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C983D8
CoUninitialize.OLE32 ref: 00C983E3

Part of subcall function 00C7DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C7DAC5

VariantInit.OLEAUT32(?), ref: 00C983EE
VariantClear.OLEAUT32(?), ref: 00C986BF

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: d54ae9b3890ea364efd10b4c39866c439160aa79d13fa18a8e29b524cf8500a5
Instruction ID: c921c1d6e314c5cb3e76a60de94d14fbb0dc6d697fa37bb3fae55f28d76e8b88
Opcode Fuzzy Hash: d54ae9b3890ea364efd10b4c39866c439160aa79d13fa18a8e29b524cf8500a5
Instruction Fuzzy Hash: 46A137752047119FDB10EF24C485B2AB7E4FF89324F144849F99A9B7A1CB30ED48DB42

Uniqueness

Uniqueness Score: -1.00%

Function 00C77A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CB2C7C,?), ref: 00C77C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CB2C7C,?), ref: 00C77C4A
CLSIDFromProgID.OLE32(?,?,00000000,00CAFB80,000000FF,?,00000000,00000800,00000000,?,00CB2C7C,?), ref: 00C77C6F
_memcmp.LIBCMT ref: 00C77C90

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: f9b6a777c4affd8f243eaec3a512dccb71363277afaaae36d4769800cefaec02
Instruction ID: 5041800bec8a7ed38395b4ffa8d0f64d226f0d09fa16f09e005e857a831ed067
Opcode Fuzzy Hash: f9b6a777c4affd8f243eaec3a512dccb71363277afaaae36d4769800cefaec02
Instruction Fuzzy Hash: 87810B75A00109EFCB05DF94C988EEEB7B9FF89315F208198E515AB250DB71AE46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C76DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C76E04
SysAllocString.OLEAUT32(00000000), ref: 00C76EAD
VariantCopy.OLEAUT32 ref: 00C76EDC
VariantClear.OLEAUT32(?), ref: 00C76F03

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 485ec3b5c2fed5e31d3efcc629893ae86aa183739a42ff323f310fb1848481b8
Instruction ID: b0729c2a2cfa775e25788a816b49fd6bebf58bc5e1316341dc51457925b248e0
Opcode Fuzzy Hash: 485ec3b5c2fed5e31d3efcc629893ae86aa183739a42ff323f310fb1848481b8
Instruction Fuzzy Hash: D851A5306087059ADB20AFB6D895B2EB3E5AF49310F20C91FE59ECB691DB709940AB15

Uniqueness

Uniqueness Score: -1.00%

Function 00CA9A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(01410BB8,?), ref: 00CA9AD2
ScreenToClient.USER32(00000002,00000002), ref: 00CA9B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00CA9B72

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 8059c3109038a19215de6c031b5abb8fedbeb34a3361624caf7d087ad6880791
Instruction ID: 59396fc0e7f5646e8c648572ed948e24f1a3476b2a01e5557317154dee65de32
Opcode Fuzzy Hash: 8059c3109038a19215de6c031b5abb8fedbeb34a3361624caf7d087ad6880791
Instruction Fuzzy Hash: 8A51353490024AEFCF24DF54E881AAE7BB6FF56364F148159F9259B2A0D730AE41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C96CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00C96CE4
WSAGetLastError.WSOCK32(00000000), ref: 00C96CF4

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C96D58
WSAGetLastError.WSOCK32(00000000), ref: 00C96D64

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 2a3e0991a8de3a2b9ce0db84abeada4b76becbe37a05c592ab2469237b829c7a
Instruction ID: 7696d3a7cc6d4c0c6796e21b37640947161312dc529d6c038b44a01698af50e5
Opcode Fuzzy Hash: 2a3e0991a8de3a2b9ce0db84abeada4b76becbe37a05c592ab2469237b829c7a
Instruction Fuzzy Hash: 2E41C175B40210AFEB20AF24EC87F3E77E5EB09B14F448018FA599B2D2DA759D019B91

Uniqueness

Uniqueness Score: -1.00%

Function 00C9672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00CAF910), ref: 00C967BA
_strlen.LIBCMT ref: 00C967EC

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 86f060ff5597a4c22cad7b35e093ad974d5d216bc03d7cc637386d958d35b816
Instruction ID: ae524b989e974e0f12eab4a9b749f2d398246ceb8ef80af2bf9b56455bef9c0d
Opcode Fuzzy Hash: 86f060ff5597a4c22cad7b35e093ad974d5d216bc03d7cc637386d958d35b816
Instruction Fuzzy Hash: 99419331A00114ABCF14EBA4DCC9FBEB3A9EF48354F148169F81A972D2DB30AD45E754

Uniqueness

Uniqueness Score: -1.00%

Function 00C8BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C8BB09
GetLastError.KERNEL32(?,00000000), ref: 00C8BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C8BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C8BB80

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 6a5f8d65e41b2b620a9a4d26eec3ab4c6a375956f1db14b85003615a240f74cd
Instruction ID: f019861c4571aa5c6f7abb783c6476c021aa4296684ceea18b23cd8404d1eada
Opcode Fuzzy Hash: 6a5f8d65e41b2b620a9a4d26eec3ab4c6a375956f1db14b85003615a240f74cd
Instruction Fuzzy Hash: D0416739200A20DFDB10EF14D485A5DBBE1EF89324F088488EC4A9B762CB31FD41EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00CA8AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CA8B4D

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: e25132d65eb6aee2b4beb6cd49d4e9a62c5152cd89c2603f43afcc0fef73cece
Instruction ID: 3305d64ca0ea664d36590bf34f7a5d73a9735da9237d7f5a1cdba9db23229758
Opcode Fuzzy Hash: e25132d65eb6aee2b4beb6cd49d4e9a62c5152cd89c2603f43afcc0fef73cece
Instruction Fuzzy Hash: F131C3B4600216BFEF249E58EC85FA937A4EB07318F244516FA61D72E1DF30AE489761

Uniqueness

Uniqueness Score: -1.00%

Function 00CAADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00CAAE1A
GetWindowRect.USER32(?,?), ref: 00CAAE90
PtInRect.USER32(?,?,00CAC304), ref: 00CAAEA0
MessageBeep.USER32(00000000), ref: 00CAAF11

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 9328a6c8811cc1afbc4254a04250cba62d27035fb9bbe6d361b2e7edd81b5912
Instruction ID: d32d6bf2a46b068d09efd5513909dc13591e6b5d36f638e51f75be59a5399ce1
Opcode Fuzzy Hash: 9328a6c8811cc1afbc4254a04250cba62d27035fb9bbe6d361b2e7edd81b5912
Instruction Fuzzy Hash: 94419F7060021ADFCB25CF99C884B6DBBF5FF4A348F1481A9E414CB251D731A952DF92

Uniqueness

Uniqueness Score: -1.00%

Function 00C80FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00C81037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00C81053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00C810B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00C8110B

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: be68286aa48c8a0c8a95af6098c212363b813dc5cad3c9af50db2bd4b56f2dad
Instruction ID: e0e29a17fb0ae3366888d2bbd971b74d9f31e426d9be20b248a321fd89c3d10c
Opcode Fuzzy Hash: be68286aa48c8a0c8a95af6098c212363b813dc5cad3c9af50db2bd4b56f2dad
Instruction Fuzzy Hash: A4316F30E40658AEFB30AB658C05BFDBBEDAB45319F0C431AE9A4521D1C3744AC79759

Uniqueness

Uniqueness Score: -1.00%

Function 00C81121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00C81176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00C81192
PostMessageW.USER32(00000000,00000101,00000000), ref: 00C811F1
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00C81243

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a8f346beae4cc13a7a87e38d14ca8739691aec7eca168b25414c24fe09711cb1
Instruction ID: 61c887cd10db80f037461dfa4b2db748e4fae7ace031aec8da9312c54bb3664c
Opcode Fuzzy Hash: a8f346beae4cc13a7a87e38d14ca8739691aec7eca168b25414c24fe09711cb1
Instruction Fuzzy Hash: 74312B70D406185AFF30AAA5CC087FE7BEDAB45328F1C431EF9A5921D1C3348A569759

Uniqueness

Uniqueness Score: -1.00%

Function 00C56415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C5644B
__isleadbyte_l.LIBCMT ref: 00C56479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C564A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C564DD

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: b84b11b587fd03b80972eea086d670b17eeaec8715d8941674870e259aa1b7ed
Instruction ID: 053d38b25464ec63cbe12345edd41e262ab05cda5e5f376d3480c0d46fadbc63
Opcode Fuzzy Hash: b84b11b587fd03b80972eea086d670b17eeaec8715d8941674870e259aa1b7ed
Instruction Fuzzy Hash: A131F035600246AFDB21CF75C844BAA7BA5FF40312F954528FC64871A0E730D9D9DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00CA5175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00CA5189

Part of subcall function 00C8387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C83897
Part of subcall function 00C8387D: GetCurrentThreadId.KERNEL32 ref: 00C8389E
Part of subcall function 00C8387D: AttachThreadInput.USER32(00000000,?,00C852A7), ref: 00C838A5

GetCaretPos.USER32(?), ref: 00CA519A
ClientToScreen.USER32(00000000,?), ref: 00CA51D5
GetForegroundWindow.USER32 ref: 00CA51DB

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 0b4dbe0fd7591c570528d9d9b27621ecd8c0f5bc5708597cd2921cb679ab31db
Instruction ID: 1c580ef6e2a30e6d6b1ec8295d5156ce92e2c517957f577d0cf10a832d6ccea4
Opcode Fuzzy Hash: 0b4dbe0fd7591c570528d9d9b27621ecd8c0f5bc5708597cd2921cb679ab31db
Instruction Fuzzy Hash: E1313E71D00218AFDB00EFA5D885EEFB7F9EF99304F10406AE415E7241EA759E05DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CAC788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

GetCursorPos.USER32(?), ref: 00CAC7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C5BBFB,?,?,?,?,?), ref: 00CAC7D7
GetCursorPos.USER32(?), ref: 00CAC824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C5BBFB,?,?,?), ref: 00CAC85E

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: aabe37a648b4052e55343e1933a0d4e7045743537787b1facfebadab5e6ebafe
Instruction ID: 901ec5a83e0b168675b84711ec3b81e06158c39b9097e3c6004f4804d4e66a35
Opcode Fuzzy Hash: aabe37a648b4052e55343e1933a0d4e7045743537787b1facfebadab5e6ebafe
Instruction Fuzzy Hash: F6316139500018AFCB25CF59C8D8EEE7BB6FB4A714F044069F9158B2A1D7395E51DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00C40BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00C40BF2

Part of subcall function 00C25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C87B20,?,?,00000000), ref: 00C25B8C
Part of subcall function 00C25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C87B20,?,?,00000000,?,?), ref: 00C25BB0

_fprintf.LIBCMT ref: 00C40C29
OutputDebugStringW.KERNEL32(?), ref: 00C76331

Part of subcall function 00C44CDA: _flsall.LIBCMT ref: 00C44CF3

__setmode.LIBCMT ref: 00C40C5E

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 15b8df3fc9bf20fb20de763fc670addfa1247516360c3d5b9b632209063d17cc
Instruction ID: cd6ec8f570726cadee77494f541599d9a8e3a93c56dbb261eed1708bf1fd0881
Opcode Fuzzy Hash: 15b8df3fc9bf20fb20de763fc670addfa1247516360c3d5b9b632209063d17cc
Instruction Fuzzy Hash: 6F113632904614BFDB08B3B4AC83ABE7B69EF41320F24411AF204571D2DE315D86B395

Uniqueness

Uniqueness Score: -1.00%

Function 00C78B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C78652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C78669
Part of subcall function 00C78652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C78673
Part of subcall function 00C78652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C78682
Part of subcall function 00C78652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C78689
Part of subcall function 00C78652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C7869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C78BEB
_memcmp.LIBCMT ref: 00C78C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C78C44
HeapFree.KERNEL32(00000000), ref: 00C78C4B

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: f2d3bc852eebbd610f75350588da5ff3fa89cea2da6f281289f31d52c2e23eff
Instruction ID: 250279ff5aa6e3dc449eb8ffb95f3f1b248ab882931a45e68df4ba34a9daf5c3
Opcode Fuzzy Hash: f2d3bc852eebbd610f75350588da5ff3fa89cea2da6f281289f31d52c2e23eff
Instruction Fuzzy Hash: 89219271E41208EFDB10DF94C949BEEB7B8FF44354F158059E668A7240DB31AE0ADB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C91A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C91A97

Part of subcall function 00C91B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C91B40
Part of subcall function 00C91B21: InternetCloseHandle.WININET(00000000), ref: 00C91BDD

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: d449f0ec165e697f0e93f4dca93d2653f42cedb386fbfab1416ea1cb8122c4d5
Instruction ID: daadeabb484cc1a9ec54f11e75adb8fb46b5b98953e3b61c6d8a36df472798d5
Opcode Fuzzy Hash: d449f0ec165e697f0e93f4dca93d2653f42cedb386fbfab1416ea1cb8122c4d5
Instruction Fuzzy Hash: AA21C275200606BFDF119FA0CC0AFBAB7AEFF44710F14001AF951D6550EB319911A794

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00C7E1C4,?,?,?,00C7EFB7,00000000,000000EF,00000119,?,?), ref: 00C7F5BC
Part of subcall function 00C7F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00C7F5E2
Part of subcall function 00C7F5AD: lstrcmpiW.KERNEL32(00000000,?,00C7E1C4,?,?,?,00C7EFB7,00000000,000000EF,00000119,?,?), ref: 00C7F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00C7EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00C7E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 00C7E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,00C7EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00C7E237

Strings

cdecl, xrefs: 00C7E22E

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 17999454b6c863faf93974fea732de7404c5fe7fadb108410516355d7013d61f
Instruction ID: be688dad7cbd6b50896cbc3006e72a8969386ccf2954eeb53119a04c5391e13d
Opcode Fuzzy Hash: 17999454b6c863faf93974fea732de7404c5fe7fadb108410516355d7013d61f
Instruction Fuzzy Hash: 1E11D03B200301EFCB25AF74DC45E7A77A8FF89350B40806AF91ACB261EB719951D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C55332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C55351

Part of subcall function 00C4594C: __FF_MSGBANNER.LIBCMT ref: 00C45963
Part of subcall function 00C4594C: __NMSG_WRITE.LIBCMT ref: 00C4596A
Part of subcall function 00C4594C: RtlAllocateHeap.NTDLL(013F0000,00000000,00000001,00000000,?,?,?,00C41013,?), ref: 00C4598F

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 4e4cc8d7c79d2f3a3540d61f739078ebd60620d867b3adb770a522a433aefcbc
Instruction ID: a476b65bfc155e4d1a9acf715d73b61db09975f691700e97f1e8428945925848
Opcode Fuzzy Hash: 4e4cc8d7c79d2f3a3540d61f739078ebd60620d867b3adb770a522a433aefcbc
Instruction Fuzzy Hash: EA112736805A16AFCF302F70EC5571D3798AF113E2B100429FD589A0B1DE708A89A354

Uniqueness

Uniqueness Score: -1.00%

Function 00C24531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C24560

Part of subcall function 00C2410D: _memset.LIBCMT ref: 00C2418D
Part of subcall function 00C2410D: _wcscpy.LIBCMT ref: 00C241E1
Part of subcall function 00C2410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C241F1

KillTimer.USER32(?,00000001,?,?), ref: 00C245B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C245C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C5D6CE

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: e9b9082c9bd3932fabc0ceddd9899077b3b84c537336af779da15d1dbe95c8a1
Instruction ID: 8e21c852e859894f152784060222998f0bdaeacdd04a852b68a68275685413b8
Opcode Fuzzy Hash: e9b9082c9bd3932fabc0ceddd9899077b3b84c537336af779da15d1dbe95c8a1
Instruction Fuzzy Hash: 28210774904394AFEB328B24D845BEBBBEC9F11309F00049EE6DE57241C7B41AC99B55

Uniqueness

Uniqueness Score: -1.00%

Function 00C9667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C87B20,?,?,00000000), ref: 00C25B8C
Part of subcall function 00C25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C87B20,?,?,00000000,?,?), ref: 00C25BB0

gethostbyname.WSOCK32(?,?,?), ref: 00C966AC
WSAGetLastError.WSOCK32(00000000), ref: 00C966B7
_memmove.LIBCMT ref: 00C966E4
inet_ntoa.WSOCK32(?), ref: 00C966EF

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: d5c7d34ef7237f18255b5c7e830a979d44bf465f14f0f4b9c8fd4e6b57a96c0a
Instruction ID: aad0eb5c854b9fb8d36aafde07f71a900623861073dff84461e084461bf16c67
Opcode Fuzzy Hash: d5c7d34ef7237f18255b5c7e830a979d44bf465f14f0f4b9c8fd4e6b57a96c0a
Instruction Fuzzy Hash: BC113035500519AFCF04FBA4ED96DEEB7B8EF05314B144069F506A75A1DF30AE04EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C79023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C79043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C79055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C7906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C79086

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0e79d3da5afb41a07201350371dc36b6c3ac7ee767e651a619e9dd4bfddc58c1
Instruction ID: 9e57a81f8442316e1223c77b80ebb8c7d2c520cd969d1352b06640ce987d4495
Opcode Fuzzy Hash: 0e79d3da5afb41a07201350371dc36b6c3ac7ee767e651a619e9dd4bfddc58c1
Instruction Fuzzy Hash: 9B114879900218FFEB10DFA5C885FADBBB8FB48310F2040A5EA04B7290D6726E10DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C21290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

DefDlgProcW.USER32(?,00000020,?), ref: 00C212D8
GetClientRect.USER32(?,?), ref: 00C5B84B
GetCursorPos.USER32(?), ref: 00C5B855
ScreenToClient.USER32(?,?), ref: 00C5B860

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: de54c5997c1bfcadff4fc321a1feee2605dd6d113c3ddfeed5f56520de942703
Instruction ID: 0c7f7d7f573b058f292ffeca0c3065aadc3d712b6062568576849bd5e021097d
Opcode Fuzzy Hash: de54c5997c1bfcadff4fc321a1feee2605dd6d113c3ddfeed5f56520de942703
Instruction Fuzzy Hash: 8C114C35900129FFCB10DFA8E885AFE77B8FB16305F100455F911E7651C730BA529BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C81652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C801FD,?,00C81250,?,00008000), ref: 00C8166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00C801FD,?,00C81250,?,00008000), ref: 00C81694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C801FD,?,00C81250,?,00008000), ref: 00C8169E
Sleep.KERNEL32(?,?,?,?,?,?,?,00C801FD,?,00C81250,?,00008000), ref: 00C816D1

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: e89a3a6546101bc5c1be2af7bd4409da9890181ae54535d38c4594be73933138
Instruction ID: c61219e4a82458324711518a37e2c413793d3fdbce4335119ae0fd81702b46f1
Opcode Fuzzy Hash: e89a3a6546101bc5c1be2af7bd4409da9890181ae54535d38c4594be73933138
Instruction Fuzzy Hash: 30117031C1051CD7CF00AFE5D849BEEBBB8FF09715F094059EE84B6140DB3155528B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00C57207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00C5722B

Part of subcall function 00C57912: __fltout2.LIBCMT ref: 00C5793B

__cftog_l.LIBCMT ref: 00C57251
__cftoe_l.LIBCMT ref: 00C57283

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: d1d0031d6f456c1f85ab206d0e35e687e8d479271086a8206bc1f7f22a91b3af
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: D1014E3A04414AFBCF125F85EC018EE3F62BF59352F588615FE2858431D236CAF9AB85

Uniqueness

Uniqueness Score: -1.00%

Function 00CAB57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CAB59E
ScreenToClient.USER32(?,?), ref: 00CAB5B6
ScreenToClient.USER32(?,?), ref: 00CAB5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CAB5F5

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: f975d182e6bb41f766340ae09c2ed55b482c001a2586be4905e157aaba85dafb
Instruction ID: abf06e9ae20cb8dfbb1522a9f6f098aae46259e19596f50b8de5be8a20c46569
Opcode Fuzzy Hash: f975d182e6bb41f766340ae09c2ed55b482c001a2586be4905e157aaba85dafb
Instruction Fuzzy Hash: A61146B5D00209EFDB41CFA9C484AEEFBB5FB09314F104166E914E3220D735AA558F90

Uniqueness

Uniqueness Score: -1.00%

Function 00CAB8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CAB8FE
_memset.LIBCMT ref: 00CAB90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00CE7F20,00CE7F64), ref: 00CAB93C
CloseHandle.KERNEL32 ref: 00CAB94E

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 415005743c588e8e3d21171f0c693ff3a73298e5e00aded27b71c92404499d27
Instruction ID: 62c72872d8297bb9d3d0978d0f7a8145f311973274ab0cdd17fd1f8e4f046d45
Opcode Fuzzy Hash: 415005743c588e8e3d21171f0c693ff3a73298e5e00aded27b71c92404499d27
Instruction Fuzzy Hash: 20F05EF25443807BEB1027E1AC45FBF3A5CEB09358F000220BA08DA1A2D7714D1187A8

Uniqueness

Uniqueness Score: -1.00%

Function 00C86E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00C86E88

Part of subcall function 00C8794E: _memset.LIBCMT ref: 00C87983

_memmove.LIBCMT ref: 00C86EAB
_memset.LIBCMT ref: 00C86EB8
LeaveCriticalSection.KERNEL32(?), ref: 00C86EC8

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 42436401643f04c0ef18d68bda1b7c88f9f9c3be849e4ce66f586548ddc48b3d
Instruction ID: 8a728ed2828cc728aafc9b313cbdc19a1c37067be9ae834ab7b18465b0309a13
Opcode Fuzzy Hash: 42436401643f04c0ef18d68bda1b7c88f9f9c3be849e4ce66f586548ddc48b3d
Instruction Fuzzy Hash: 53F0543A100200ABCF416F55DC85B8ABB29EF45324B048165FE085F227C731E951DBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00CAC00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00C212F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C2134D
Part of subcall function 00C212F3: SelectObject.GDI32(?,00000000), ref: 00C2135C
Part of subcall function 00C212F3: BeginPath.GDI32(?), ref: 00C21373
Part of subcall function 00C212F3: SelectObject.GDI32(?,00000000), ref: 00C2139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00CAC030
LineTo.GDI32(00000000,?,?), ref: 00CAC03D
EndPath.GDI32(00000000), ref: 00CAC04D
StrokePath.GDI32(00000000), ref: 00CAC05B

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: a6a0ccd1f12853a53e51d3519ae730ec1446c7e5e0bb834ebb77d18b9cb7466b
Instruction ID: 8aaa5707fcfa52fe6c9fe7ef1677db6e7e0cad9f06130b886e0d3bac55f11be0
Opcode Fuzzy Hash: a6a0ccd1f12853a53e51d3519ae730ec1446c7e5e0bb834ebb77d18b9cb7466b
Instruction Fuzzy Hash: EAF08231001259FBDB226F94EC09FCE3F59AF17315F044004FA11660E287B55652DFE5

Uniqueness

Uniqueness Score: -1.00%

Function 00C7A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C7A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C7A3AC
GetCurrentThreadId.KERNEL32 ref: 00C7A3B3
AttachThreadInput.USER32(00000000), ref: 00C7A3BA

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: b546533aba8a7e8870c2cc91ae1a22e3fac9ba3554c3d2948db1cfed433c65b4
Instruction ID: 5ddddfae8e5c9b4d22afa05222afee0be8ee5b5ba72978fbc29c9db4ad6a5748
Opcode Fuzzy Hash: b546533aba8a7e8870c2cc91ae1a22e3fac9ba3554c3d2948db1cfed433c65b4
Instruction Fuzzy Hash: 29E0C931545228BADB205FA2DC0DFDF7F5CEF167A6F008029F609960A0C671C541DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C22218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00C22231
SetTextColor.GDI32(?,000000FF), ref: 00C2223B
SetBkMode.GDI32(?,00000001), ref: 00C22250
GetStockObject.GDI32(00000005), ref: 00C22258
GetWindowDC.USER32(?,00000000), ref: 00C5C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 00C5C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 00C5C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 00C5C112
GetPixel.GDI32(00000000,?,?), ref: 00C5C132
ReleaseDC.USER32(?,00000000), ref: 00C5C13D

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 5d7ff40dc90e40f7ca1b435df13323932aec944ab485df9a30e9b8d64447b082
Instruction ID: 90db302acaa822049495df6ffa4815a4d2721cb28d540576f063af149cff6790
Opcode Fuzzy Hash: 5d7ff40dc90e40f7ca1b435df13323932aec944ab485df9a30e9b8d64447b082
Instruction Fuzzy Hash: EAE03932600244EEDB215FA4FC497DC3B20EB0633AF00836AFB79490E187724A85DB22

Uniqueness

Uniqueness Score: -1.00%

Function 00C78C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00C78C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,00C7882E), ref: 00C78C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C7882E), ref: 00C78C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,00C7882E), ref: 00C78C7E

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 72e5223b00115bad9ead2e7498a19408ab19f365757397d43f03b0e4d9fae849
Instruction ID: d632ce22b48be236cdd98418b702777b3fb7430eb8814ab724924be15c182105
Opcode Fuzzy Hash: 72e5223b00115bad9ead2e7498a19408ab19f365757397d43f03b0e4d9fae849
Instruction Fuzzy Hash: 55E08636642211DBD7205FF26D0CB9F3BACEF52796F08892CB245CB050DA748446CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C62187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C62187
GetDC.USER32(00000000), ref: 00C62191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C621B1
ReleaseDC.USER32(?), ref: 00C621D2

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 267b607054bcc3155662e6f9726fd07108c799262dabc2d6a0393f364a8653cf
Instruction ID: 8aaf24bf993307ad553d78461f53fffb5a8f78a3431e9cfdf1ed71ca55a00da6
Opcode Fuzzy Hash: 267b607054bcc3155662e6f9726fd07108c799262dabc2d6a0393f364a8653cf
Instruction Fuzzy Hash: 60E012B5800614EFDB219FA1D848BAD7BF1EB4D355F108429FD5AA7220CB388542AF40

Uniqueness

Uniqueness Score: -1.00%

Function 00C6219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C6219B
GetDC.USER32(00000000), ref: 00C621A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C621B1
ReleaseDC.USER32(?), ref: 00C621D2

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: eb42d43c4e9cbc764ef9342f0a217b74b5e7d954e4667a2c90b99bb9d1b47a62
Instruction ID: 70f7a799fe15fabc3f3e59492d13a8f38b02690c7742de06e06ae3d3d4a3aafd
Opcode Fuzzy Hash: eb42d43c4e9cbc764ef9342f0a217b74b5e7d954e4667a2c90b99bb9d1b47a62
Instruction Fuzzy Hash: 3CE012B5C00214EFCB219FB0D80879D7BF1EB4D315F108029F95AA7220CB389142AF40

Uniqueness

Uniqueness Score: -1.00%

Function 00C7B7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00C7B981

Strings

Container, xrefs: 00C7B8FE
AutoIt3GUI, xrefs: 00C7B8F9

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 6bc9ff970ec3573d2c3852892ca17f9446bf627cace52de2ca8a1664992c3e2b
Instruction ID: 482b03ca614ba05748093f0507307c38fb7a0940b3b72c5de88be843f9cb2714
Opcode Fuzzy Hash: 6bc9ff970ec3573d2c3852892ca17f9446bf627cace52de2ca8a1664992c3e2b
Instruction Fuzzy Hash: 3B9138746006019FDB24DF68C885B6ABBF9FF48710F24856EEA5ACB691DB70ED40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C8B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3FEC6: _wcscpy.LIBCMT ref: 00C3FEE9

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

__wcsnicmp.LIBCMT ref: 00C8B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00C8B361

Strings

LPT, xrefs: 00C8B292

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 46effaf2ba9455b6bf49e1a5201dc9fbc52ba74cf937d53dd9805b02edebacd3
Instruction ID: 7c2a5359517275a645436c203347e9ec0ca806e6bbc72d6b1f702a53b104913a
Opcode Fuzzy Hash: 46effaf2ba9455b6bf49e1a5201dc9fbc52ba74cf937d53dd9805b02edebacd3
Instruction Fuzzy Hash: 40619175A00215EFCB14EF94C881EAEB7B4FF08314F15446AF956AB3A1DB70AE80DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00C32AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00C32AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00C32AE1

Strings

@, xrefs: 00C32AD5

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 5b38eeff6e58ef587e7d14ed2ee4a9bdab0c0815f836a98c9c521e8edc843431
Instruction ID: 05e7c066f3b6db697f6b6fe2db8d32a70197a4f22d0521def2b655c475904f78
Opcode Fuzzy Hash: 5b38eeff6e58ef587e7d14ed2ee4a9bdab0c0815f836a98c9c521e8edc843431
Instruction Fuzzy Hash: 505148714187589BE320AF10EC86BAFBBE8FF84314F42885DF1D9411A5DB708929DB67

Uniqueness

Uniqueness Score: -1.00%

Function 00C899BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00C2506B: __fread_nolock.LIBCMT ref: 00C25089

_wcscmp.LIBCMT ref: 00C89AAE
_wcscmp.LIBCMT ref: 00C89AC1

Strings

FILE, xrefs: 00C899FA

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 8fdec391781cad660835d5931a4713348de62e5df4b2f689df666300247c41f3
Instruction ID: c831ecea063dfffe86726a4ab04f619581f3839d5ad0e5cfc54d7d85926a0ba4
Opcode Fuzzy Hash: 8fdec391781cad660835d5931a4713348de62e5df4b2f689df666300247c41f3
Instruction Fuzzy Hash: DC41C471A00619BBDF20AAA4DC45FEFBBBDEF45714F04007AF900A71C1DA75AA0497A5

Uniqueness

Uniqueness Score: -1.00%

Function 00C92882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C92892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C928C8

Strings

|, xrefs: 00C92899

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 18d245d23e101cf45b4f743eafc68ee142c7e6ee7d6dee74ca5b2539f70a445a
Instruction ID: 328ac2d3387566afc12a0942461374c90ac77732e8513afb5fefad39cbf14f3b
Opcode Fuzzy Hash: 18d245d23e101cf45b4f743eafc68ee142c7e6ee7d6dee74ca5b2539f70a445a
Instruction Fuzzy Hash: D4311E71800219AFCF01DFA1DC89EEEBFB9FF08310F104169F915A6165EB315A56DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA6CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00CA6D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00CA6DC2

Strings

static, xrefs: 00CA6D22

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 7e43b2670024f20a16a4afd7f7ad6dd40f7e246ff3735515c38f4f5e665ea67e
Instruction ID: cfd32d36ae00c1302d71eaf710aafcaaa9e2da108ac63b477719dc601200e51e
Opcode Fuzzy Hash: 7e43b2670024f20a16a4afd7f7ad6dd40f7e246ff3735515c38f4f5e665ea67e
Instruction Fuzzy Hash: 7731AD71600205AEDB109F78CC80BFB77B9FF49768F14862DF9A697190CA31AC91DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C82D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C82E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C82E3B

Strings

0, xrefs: 00C82DF9

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 6de11a68a89e3349abb1bcb2e17f281b5a7f24cedb3f33b806e990a560868201
Instruction ID: e3de02077e306207063001075763f43efda2f884033c3b13b0e6c7899424b69f
Opcode Fuzzy Hash: 6de11a68a89e3349abb1bcb2e17f281b5a7f24cedb3f33b806e990a560868201
Instruction Fuzzy Hash: 1231E971A00309ABEB24EF58C849B9EBBB5FF05359F14002EED95971A0D7709E44DB5C

Uniqueness

Uniqueness Score: -1.00%

Function 00CA6943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CA69D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CA69DB

Strings

Combobox, xrefs: 00CA699D

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: f0599e2eb6ebaef7790c688b68e69e8ef51ef7dbe15af727aede15ea5306129a
Instruction ID: ebfa9d0db07f019bd8ade7d07c46e1e9dea92dbd2254a7905bc7a4f6d0f9b779
Opcode Fuzzy Hash: f0599e2eb6ebaef7790c688b68e69e8ef51ef7dbe15af727aede15ea5306129a
Instruction Fuzzy Hash: CC11B67160020AAFEF119F24DC80FAF376EEB963A8F150125F96897290D6719D5187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA6E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00C21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C21D73
Part of subcall function 00C21D35: GetStockObject.GDI32(00000011), ref: 00C21D87
Part of subcall function 00C21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C21D91

GetWindowRect.USER32(00000000,?), ref: 00CA6EE0
GetSysColor.USER32(00000012), ref: 00CA6EFA

Strings

static, xrefs: 00CA6EBD

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: a163c6e8f426ef94170743e213fba056b10799ece1c4f9981ccab1ec61ecc123
Instruction ID: 581012080e1bf8bb568d32c58a20d94128ad42bdabf92ff77e1fd36c79f30bed
Opcode Fuzzy Hash: a163c6e8f426ef94170743e213fba056b10799ece1c4f9981ccab1ec61ecc123
Instruction Fuzzy Hash: 5721297261020AAFDB04DFB8DD45AEA7BB8FB09318F044629FE55D3250D635E8619B50

Uniqueness

Uniqueness Score: -1.00%

Function 00CA6B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00CA6C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00CA6C20

Strings

edit, xrefs: 00CA6BF5

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 2dd8a5bb18b6ce648839fbef7adc00eaf6999b5e82a8ab32e086447956a55303
Instruction ID: 623c558f82bd6b319a9d328463188a274638efb075ec7ab0dc573039585586f1
Opcode Fuzzy Hash: 2dd8a5bb18b6ce648839fbef7adc00eaf6999b5e82a8ab32e086447956a55303
Instruction Fuzzy Hash: 8C116A7150020AABEB118E64EC45AEA376AEB1637CF244728F971D71E0C775DC91AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C82E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C82F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00C82F30

Strings

0, xrefs: 00C82F07

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 1978f6a06599a6ae941070e22c2c3ea1da6510fbb76261d18407a93c19bca5c2
Instruction ID: 9f868fbb75c18d27555df4bb17ca4b8850743cc073acb3e1d96dbfebbec274c1
Opcode Fuzzy Hash: 1978f6a06599a6ae941070e22c2c3ea1da6510fbb76261d18407a93c19bca5c2
Instruction Fuzzy Hash: FA11E231D01164ABCB20FB98DC48B9E73B9EB11358F0400B6E964A72A0D7B0AE04D79D

Uniqueness

Uniqueness Score: -1.00%

Function 00C924CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C92520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C92549

Strings

<local>, xrefs: 00C92511

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 3fa09093f64478889ffbe5a622adec6ed8fc818f20e9a86d6f539d747fd96c5a
Instruction ID: ab3b01feec536bca059a48fa2c436b0099c386e8e2dafe58173c32abee33d03a
Opcode Fuzzy Hash: 3fa09093f64478889ffbe5a622adec6ed8fc818f20e9a86d6f539d747fd96c5a
Instruction Fuzzy Hash: 7A11A070501225BADF248F628C9DEBBFF68FB06751F10812AF99586140D270AA91DAE0

Uniqueness

Uniqueness Score: -1.00%

Function 00C980A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00C980C8,?,00000000,?,?), ref: 00C98322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C980CB
htons.WSOCK32(00000000,?,00000000), ref: 00C98108

Strings

255.255.255.255, xrefs: 00C980E3

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: af4a0f832a774643be37170160cef1a4fa373534ae7d13b444160d49d78c09c7
Instruction ID: db94e2c10ef798e9f6c99a7193ee1c2e95a4918614d359003c229f66db8d779f
Opcode Fuzzy Hash: af4a0f832a774643be37170160cef1a4fa373534ae7d13b444160d49d78c09c7
Instruction Fuzzy Hash: C711E134600205ABCF20AFA4CC4AFBEB334FF05320F10852BE92197291DB32A919D691

Uniqueness

Uniqueness Score: -1.00%

Function 00C792E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

Part of subcall function 00C7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C7B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C79355

Strings

ComboBox, xrefs: 00C792F4
ListBox, xrefs: 00C7931F

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 379ae98133bf33f1ede1f0848e9d71297eab9abc49e84e851f82b90e8b92ae4a
Instruction ID: f00efc778a1ffbb42ca9f3838d297a20dc2417f2d4f56932eb30e8288af42b0a
Opcode Fuzzy Hash: 379ae98133bf33f1ede1f0848e9d71297eab9abc49e84e851f82b90e8b92ae4a
Instruction Fuzzy Hash: 2201B571A45224ABCB04EBA4DC929FE7769FF06320B144719F936572E1DB315908A750

Uniqueness

Uniqueness Score: -1.00%

Function 00C791DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

Part of subcall function 00C7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C7B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00C7924D

Strings

ComboBox, xrefs: 00C791EC
ListBox, xrefs: 00C79217

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: fec961eac771117ec745565f58ad3e1819a94981f6e44516e1d2f7aa7df595a1
Instruction ID: 2a30f0d5e65e57006ecf6eecef24ba944f292bab9fed72b67191aaf28018022e
Opcode Fuzzy Hash: fec961eac771117ec745565f58ad3e1819a94981f6e44516e1d2f7aa7df595a1
Instruction Fuzzy Hash: 5601D4B1A45108BBCB04FBA0D992EFF73A8DF05300F144169B916636D2EA306F08A2B1

Uniqueness

Uniqueness Score: -1.00%

Function 00C79264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

Part of subcall function 00C7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C7B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00C792D0

Strings

ComboBox, xrefs: 00C79271
ListBox, xrefs: 00C7929C

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: fbbadc6511c4a3a99d5595d57b40235d448331c62a1c3121e6ebd22b0e034ca9
Instruction ID: 4aa5647e3a042c5e8c7afea04fbca98498f725510406799554892d140daf66b8
Opcode Fuzzy Hash: fbbadc6511c4a3a99d5595d57b40235d448331c62a1c3121e6ebd22b0e034ca9
Instruction Fuzzy Hash: 1401A2B1A45118B7CF04FAA0D992EFF77ACDF11300F244125B916736D2DA315F08A675

Uniqueness

Uniqueness Score: -1.00%

Function 00C851CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C851E8
_wcscmp.LIBCMT ref: 00C851FA

Strings

#32770, xrefs: 00C851F4

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: c9ed3783d971c17b301dbe455d0e894a3908eee32ea9216ef1063b2282c7b51d
Instruction ID: f7b38503a2893c68298ab673faa0047a177f3b7ca72fe8cba7b3bdb6062e2b79
Opcode Fuzzy Hash: c9ed3783d971c17b301dbe455d0e894a3908eee32ea9216ef1063b2282c7b51d
Instruction Fuzzy Hash: C6E0613350022C17D31096959C45FA7F7ACEB41731F00016BFD54D3040D5709A0587D0

Uniqueness

Uniqueness Score: -1.00%

Function 00C781BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C781CA

Part of subcall function 00C43598: _doexit.LIBCMT ref: 00C435A2

Strings

Error allocating memory., xrefs: 00C781C3
AutoIt, xrefs: 00C781BE

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 96db60f266009262acbcd24c7d6ef4652926559a177845b1282ad143f92f4d74
Instruction ID: 7ed101421bdb513a2ead3059d518a05953da326673c50c21c139f7a4e860adc3
Opcode Fuzzy Hash: 96db60f266009262acbcd24c7d6ef4652926559a177845b1282ad143f92f4d74
Instruction Fuzzy Hash: D2D05E323C536833D21432E86C0BFCE7A888F05B56F484426BF08965D38EE299C252E9

Uniqueness

Uniqueness Score: -1.00%

Function 00C5B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C5B564: _memset.LIBCMT ref: 00C5B571

Part of subcall function 00C40B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C5B540,?,?,?,00C2100A), ref: 00C40B89

IsDebuggerPresent.KERNEL32(?,?,?,00C2100A), ref: 00C5B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C2100A), ref: 00C5B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C5B54E

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: fc28b68f92312517d20fe060a2b88a1f26d07ef3e4ae64673286f80e39e5876a
Instruction ID: d035bfe001cb913144d6c5ba1c1f4b57f48674ef347f7f3fe6b6fc188704fd41
Opcode Fuzzy Hash: fc28b68f92312517d20fe060a2b88a1f26d07ef3e4ae64673286f80e39e5876a
Instruction Fuzzy Hash: D5E092B42003118FD725DF68E5047467BE0BF0074AF008A2DE896C7662EBB4D888CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CA5BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CA5BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00CA5C08

Part of subcall function 00C854E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C8555E

Strings

Shell_TrayWnd, xrefs: 00CA5BEE

Memory Dump Source

Source File: 00000000.00000002.1399556995.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1399541103.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399615893.0000000000CD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399671095.0000000000CDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399694055.0000000000CE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_charesworh.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 771e65ed2ed8bd1474dd9233f58695acb0b9e0cdffc2e455d5486c901770054c
Instruction ID: 9fef3e54e04bbce91cf5656532156b579e4ca88be582170b44c0afe0475f0a39
Opcode Fuzzy Hash: 771e65ed2ed8bd1474dd9233f58695acb0b9e0cdffc2e455d5486c901770054c
Instruction Fuzzy Hash: 8AD0C931788311B6E764BBB0AC4BF9B6A64AB41B55F000839B755AA1D0D9F46801C654

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report charesworh.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newfile.exe.log

C:\Users\user\AppData\Local\Temp\Marquand

C:\Users\user\AppData\Local\Temp\aut92D3.tmp

C:\Users\user\AppData\Local\Temp\aut9370.tmp

C:\Users\user\AppData\Local\Temp\sulfhydric

C:\Users\user\AppData\Roaming\newfile\newfile.exe

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
charesworh.exe

Function 00C23B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00C24AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00C24FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00C893DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00C2302C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 63
windowregistryCOMMON

Function 00C23041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00C271EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00C23A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00C23633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00C23778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 00C239E7 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 44
COMMON

Function 01382630 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre