Edit tour

Windows Analysis Report
2aFb7hE00o.exe

Overview

General Information

Sample name:	2aFb7hE00o.exe renamed because original name is a hash value
Original sample name:	a7e106df2ca7b17bd39ec582d19522a0.exe
Analysis ID:	1447010
MD5:	a7e106df2ca7b17bd39ec582d19522a0
SHA1:	45f693deef24825c496315d3e71ed6500532c30b
SHA256:	75cd3d0756f7378ee32e18a6ab93046be2a095829806867086b373c40b91b24f
Tags:	32exetrojan
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

2aFb7hE00o.exe (PID: 3996 cmdline: "C:\Users\user\Desktop\2aFb7hE00o.exe" MD5: A7E106DF2CA7B17BD39EC582D19522A0)

RegSvcs.exe (PID: 6496 cmdline: "C:\Users\user\Desktop\2aFb7hE00o.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.midhcodistribuciones.com", "Username": "v3doo@midhcodistribuciones.com", "Password": ",A7}+JV4KExQ"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33a3b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33aad:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33b37:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33bc9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33c33:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33ca5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33d3b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33dcb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30ca6:$s2: GetPrivateProfileString 0x3033c:$s3: get_OSFullName 0x3197d:$s5: remove_Key 0x31af3:$s5: remove_Key 0x32a22:$s6: FtpWebRequest 0x33a1d:$s7: logins 0x33f8f:$s7: logins 0x36d08:$s7: logins 0x36d52:$s7: logins 0x38651:$s7: logins 0x378ec:$s9: 1.85 (Hash, version 2, native byte-order)
00000002.00000002.3236838574.0000000003455000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3235173900.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3235173900.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 2aFb7hE00o.exe PID: 3996	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 2aFb7hE00o.exe PID: 3996	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 2aFb7hE00o.exe PID: 3996	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 6496	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6496	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.2aFb7hE00o.exe.18b0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.2aFb7hE00o.exe.18b0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.2aFb7hE00o.exe.18b0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33a3b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33aad:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33b37:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33bc9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33c33:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33ca5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33d3b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33dcb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30ca6:$s2: GetPrivateProfileString 0x3033c:$s3: get_OSFullName 0x3197d:$s5: remove_Key 0x31af3:$s5: remove_Key 0x32a22:$s6: FtpWebRequest 0x33a1d:$s7: logins 0x33f8f:$s7: logins 0x36d08:$s7: logins 0x36d52:$s7: logins 0x38651:$s7: logins 0x378ec:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.2aFb7hE00o.exe.18b0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33a3b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33aad:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33b37:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33bc9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33c33:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33ca5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33d3b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33dcb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.2aFb7hE00o.exe.18b0000.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30ca6:$s2: GetPrivateProfileString 0x3033c:$s3: get_OSFullName 0x3197d:$s5: remove_Key 0x31af3:$s5: remove_Key 0x32a22:$s6: FtpWebRequest 0x33a1d:$s7: logins 0x33f8f:$s7: logins 0x36d08:$s7: logins 0x36d52:$s7: logins 0x38651:$s7: logins 0x378ec:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.2aFb7hE00o.exe.18b0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.2aFb7hE00o.exe.18b0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.2aFb7hE00o.exe.18b0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31c3b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31cad:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31d37:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31dc9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31e33:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31ea5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31f3b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31fcb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.2aFb7hE00o.exe.18b0000.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2eea6:$s2: GetPrivateProfileString 0x2e53c:$s3: get_OSFullName 0x2fb7d:$s5: remove_Key 0x2fcf3:$s5: remove_Key 0x30c22:$s6: FtpWebRequest 0x31c1d:$s7: logins 0x3218f:$s7: logins 0x34f08:$s7: logins 0x34f52:$s7: logins 0x36851:$s7: logins 0x35aec:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 9 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.midhcodistribuciones.com", "Username": "v3doo@midhcodistribuciones.com", "Password": ",A7}+JV4KExQ"}

Multi AV Scanner detection for submitted file

Source: 2aFb7hE00o.exe	ReversingLabs: Detection: 42%
Source: 2aFb7hE00o.exe	Virustotal: Detection: 43%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.0% probability

Machine Learning detection for sample

Source: 2aFb7hE00o.exe

Joe Sandbox ML: detected

Source: 2aFb7hE00o.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: 2aFb7hE00o.exe, 00000000.00000003.1999675798.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, 2aFb7hE00o.exe, 00000000.00000003.1998713066.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 2aFb7hE00o.exe, 00000000.00000003.1999675798.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, 2aFb7hE00o.exe, 00000000.00000003.1998713066.0000000003600000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B44696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B44696
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B4C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B4C9C7
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B4C93C FindFirstFileW,FindClose,	0_2_00B4C93C
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B4F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B4F200
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B4F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B4F35D
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B4F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B4F65E
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B43A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B43A2B
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B43D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B43D4E
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B4BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B4BF27

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2aFb7hE00o.exe.18b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

ASN Name: TUT-ASUS TUT-ASUS

Source: unknown

DNS query: name: ip-api.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B525E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00B525E2

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: RegSvcs.exe, 00000002.00000002.3236838574.0000000003501000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3236838574.0000000003421000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3236838574.00000000034E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: 2aFb7hE00o.exe, 00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3236838574.0000000003421000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3236838574.00000000034E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3235173900.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000002.00000002.3236838574.0000000003421000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3236838574.00000000034E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 2aFb7hE00o.exe, 00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3235173900.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.2aFb7hE00o.exe.18b0000.1.raw.unpack, FaJzHLniypp.cs

.Net Code: UZ6rXXVq3Ow

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B5425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00B5425A

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B54458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00B54458

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

0_2_00B5425A

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B40219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00B40219

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B6CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00B6CDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.2aFb7hE00o.exe.18b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.2aFb7hE00o.exe.18b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.2aFb7hE00o.exe.18b0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.2aFb7hE00o.exe.18b0000.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00AE3B4C
Source: 2aFb7hE00o.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 2aFb7hE00o.exe, 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e39451b9-f
Source: 2aFb7hE00o.exe, 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_340cb9b8-0
Source: 2aFb7hE00o.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_04f5f357-1
Source: 2aFb7hE00o.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_2a431280-c

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B440B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_00B440B1

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B38858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00B38858

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B4545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00B4545F

Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00AEE800	0_2_00AEE800
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B0DBB5	0_2_00B0DBB5
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00AEE060	0_2_00AEE060
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B6804A	0_2_00B6804A
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00AF4140	0_2_00AF4140
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B02405	0_2_00B02405
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B16522	0_2_00B16522
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B1267E	0_2_00B1267E
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B60665	0_2_00B60665
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B0283A	0_2_00B0283A
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00AF6843	0_2_00AF6843
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B189DF	0_2_00B189DF
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B16A94	0_2_00B16A94
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B60AE2	0_2_00B60AE2
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00AF8A0E	0_2_00AF8A0E
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B48B13	0_2_00B48B13
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B3EB07	0_2_00B3EB07
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B0CD61	0_2_00B0CD61
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B17006	0_2_00B17006
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00AF3190	0_2_00AF3190
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00AF710E	0_2_00AF710E
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00AE1287	0_2_00AE1287
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B033C7	0_2_00B033C7
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B0F419	0_2_00B0F419
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00AF5680	0_2_00AF5680
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B016C4	0_2_00B016C4
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B078D3	0_2_00B078D3
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00AF58C0	0_2_00AF58C0
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B01BB8	0_2_00B01BB8
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B19D05	0_2_00B19D05
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00AEFE40	0_2_00AEFE40
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B0BFE6	0_2_00B0BFE6
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B01FD0	0_2_00B01FD0
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00C13680	0_2_00C13680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_016EA5F0	2_2_016EA5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_016ED870	2_2_016ED870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_016E4A80	2_2_016E4A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_016E3E68	2_2_016E3E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_016E41B0	2_2_016E41B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06A025C8	2_2_06A025C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06A01418	2_2_06A01418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06A03D60	2_2_06A03D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06A03678	2_2_06A03678

Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: String function: 00B00D27 appears 70 times
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: String function: 00AE7F41 appears 35 times
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: String function: 00B08B40 appears 42 times

Source: 2aFb7hE00o.exe, 00000000.00000003.1999568220.0000000003723000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 2aFb7hE00o.exe
Source: 2aFb7hE00o.exe, 00000000.00000003.1997619062.00000000038CD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 2aFb7hE00o.exe
Source: 2aFb7hE00o.exe, 00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameed6d94e2-6208-4795-9a94-d4ceaf934adf.exe4 vs 2aFb7hE00o.exe

Source: 2aFb7hE00o.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.2aFb7hE00o.exe.18b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.2aFb7hE00o.exe.18b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.2aFb7hE00o.exe.18b0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.2aFb7hE00o.exe.18b0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: 0.2.2aFb7hE00o.exe.18b0000.1.raw.unpack, Tk7F6W0v.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2aFb7hE00o.exe.18b0000.1.raw.unpack, Tk7F6W0v.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2aFb7hE00o.exe.18b0000.1.raw.unpack, Tk7F6W0v.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2aFb7hE00o.exe.18b0000.1.raw.unpack, Tk7F6W0v.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2aFb7hE00o.exe.18b0000.1.raw.unpack, ivMw3WGb8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2aFb7hE00o.exe.18b0000.1.raw.unpack, ivMw3WGb8.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.2aFb7hE00o.exe.18b0000.1.raw.unpack, cdw.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2aFb7hE00o.exe.18b0000.1.raw.unpack, cdw.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B4A2D5 GetLastError,FormatMessageW,

0_2_00B4A2D5

Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B38713 AdjustTokenPrivileges,CloseHandle,		0_2_00B38713
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B38CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00B38CC3

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B4B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00B4B59E

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B5F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00B5F121

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B586D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00B586D0

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00AE4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00AE4FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

File created: C:\Users\user\AppData\Local\Temp\aut4A8E.tmp

Jump to behavior

Source: 2aFb7hE00o.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3236838574.0000000003531000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3236838574.000000000351E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 2aFb7hE00o.exe	ReversingLabs: Detection: 42%
Source: 2aFb7hE00o.exe	Virustotal: Detection: 43%

Source: unknown	Process created: C:\Users\user\Desktop\2aFb7hE00o.exe "C:\Users\user\Desktop\2aFb7hE00o.exe"
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\2aFb7hE00o.exe"
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\2aFb7hE00o.exe"	Jump to behavior

Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: 2aFb7hE00o.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 2aFb7hE00o.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 2aFb7hE00o.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 2aFb7hE00o.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2aFb7hE00o.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 2aFb7hE00o.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 2aFb7hE00o.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: 2aFb7hE00o.exe, 00000000.00000003.1999675798.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, 2aFb7hE00o.exe, 00000000.00000003.1998713066.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 2aFb7hE00o.exe, 00000000.00000003.1999675798.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, 2aFb7hE00o.exe, 00000000.00000003.1998713066.0000000003600000.00000004.00001000.00020000.00000000.sdmp

Source: 2aFb7hE00o.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 2aFb7hE00o.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 2aFb7hE00o.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 2aFb7hE00o.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 2aFb7hE00o.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B5C304 LoadLibraryA,GetProcAddress,

0_2_00B5C304

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B08B85 push ecx; ret

0_2_00B08B98

Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00AE4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00AE4A35
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B655FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00B655FD

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B033C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00B033C7

Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 2aFb7hE00o.exe PID: 3996, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 2aFb7hE00o.exe, 00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3236838574.0000000003501000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3236838574.0000000003455000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3235173900.0000000000402000.00000040.80000000.00040000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-99771

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

API coverage: 4.7 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B44696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B44696
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B4C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B4C9C7
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B4C93C FindFirstFileW,FindClose,	0_2_00B4C93C
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B4F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B4F200
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B4F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B4F35D
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B4F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B4F65E
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B43A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B43A2B
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B43D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B43D4E
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B4BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B4BF27

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00AE4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AE4AFE

Source: RegSvcs.exe, 00000002.00000002.3236838574.0000000003455000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegSvcs.exe, 00000002.00000002.3235173900.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000002.00000002.3235173900.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegSvcs.exe, 00000002.00000002.3237534788.00000000065EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf

Source: C:\Users\user\Desktop\2aFb7hE00o.exe	API call chain: ExitProcess graph end node			graph_0-99134
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	API call chain: ExitProcess graph end node			graph_0-98705

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_016E7060 CheckRemoteDebuggerPresent,

2_2_016E7060

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B541FD BlockInput,

0_2_00B541FD

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00AE3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AE3B4C

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B15CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00B15CCC

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B5C304 LoadLibraryA,GetProcAddress,

0_2_00B5C304

Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00C13570 mov eax, dword ptr fs:[00000030h]	0_2_00C13570
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00C13510 mov eax, dword ptr fs:[00000030h]	0_2_00C13510
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00C11ED0 mov eax, dword ptr fs:[00000030h]	0_2_00C11ED0

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B381F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00B381F7

Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B0A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00B0A395
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B0A364 SetUnhandledExceptionFilter,		0_2_00B0A364

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 103B008

Jump to behavior

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B38C93 LogonUserW,

0_2_00B38C93

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00AE3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AE3B4C

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00AE4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00AE4A35

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B44EF5 mouse_event,

0_2_00B44EF5

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\2aFb7hE00o.exe"

Jump to behavior

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

0_2_00B381F7

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B44C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00B44C03

Source: 2aFb7hE00o.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 2aFb7hE00o.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B0886B cpuid

0_2_00B0886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B150D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00B150D7

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B22230 GetUserNameW,

0_2_00B22230

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00B1418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00B1418A

Source: C:\Users\user\Desktop\2aFb7hE00o.exe

Code function: 0_2_00AE4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AE4AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2aFb7hE00o.exe.18b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2aFb7hE00o.exe.18b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3235173900.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2aFb7hE00o.exe PID: 3996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6496, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: 2aFb7hE00o.exe	Binary or memory string: WIN_81
Source: 2aFb7hE00o.exe	Binary or memory string: WIN_XP
Source: 2aFb7hE00o.exe	Binary or memory string: WIN_XPe
Source: 2aFb7hE00o.exe	Binary or memory string: WIN_VISTA
Source: 2aFb7hE00o.exe	Binary or memory string: WIN_7
Source: 2aFb7hE00o.exe	Binary or memory string: WIN_8
Source: 2aFb7hE00o.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2aFb7hE00o.exe.18b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2aFb7hE00o.exe.18b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3236838574.0000000003455000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3235173900.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2aFb7hE00o.exe PID: 3996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6496, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2aFb7hE00o.exe.18b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2aFb7hE00o.exe.18b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3235173900.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2aFb7hE00o.exe PID: 3996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6496, type: MEMORYSTR

Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B56596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00B56596
Source: C:\Users\user\Desktop\2aFb7hE00o.exe	Code function: 0_2_00B56A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00B56A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	38 System Information Discovery	Distributed Component Object Model	121 Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	551 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Virtualization/Sandbox Evasion	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2aFb7hE00o.exe	42%	ReversingLabs	Win32.Trojan.Nymeria
2aFb7hE00o.exe	43%	Virustotal		Browse
2aFb7hE00o.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
ip-api.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://account.dyn.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://account.dyn.com/	2aFb7hE00o.exe, 00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3235173900.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.3236838574.0000000003421000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3236838574.00000000034E6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	RegSvcs.exe, 00000002.00000002.3236838574.0000000003501000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3236838574.0000000003421000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3236838574.00000000034E6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447010
Start date and time:	2024-05-24 08:27:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2aFb7hE00o.exe renamed because original name is a hash value
Original Sample Name:	a7e106df2ca7b17bd39ec582d19522a0.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 58 Number of non-executed functions: 270
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	documentos.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	6743.pdf.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	W0Gtjt6n6J.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	VwjpUyPk2S.exe	Get hash	malicious	Python Stealer, Monster Stealer	Browse	ip-api.com/json
	QUOTATION_MAYQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	HSBCR22022121218457670.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765 .exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	nv6mqExGOo.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	y9vR6M5sU6.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	doc023571961504.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	documentos.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	6743.pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	W0Gtjt6n6J.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	VwjpUyPk2S.exe	Get hash	malicious	Python Stealer, Monster Stealer	Browse	208.95.112.1
	QUOTATION_MAYQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	HSBCR22022121218457670.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765 .exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	nv6mqExGOo.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	y9vR6M5sU6.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	doc023571961504.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	documentos.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	6743.pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	W0Gtjt6n6J.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	VwjpUyPk2S.exe	Get hash	malicious	Python Stealer, Monster Stealer	Browse	208.95.112.1
	QUOTATION_MAYQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	HSBCR22022121218457670.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765 .exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	nv6mqExGOo.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	y9vR6M5sU6.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	doc023571961504.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\2aFb7hE00o.exe
File Type:	data
Category:	dropped
Size (bytes):	141506
Entropy (8bit):	7.8862324288743375
Encrypted:	false
SSDEEP:	3072:ba8AKVr9hu20l5Di11SMoj05Wx7RZ7ifvZRzp6h+fHYdYnfXoP:28Amrn07lRleZRz8hTqnAP
MD5:	2C38067BB11E3DA658CD5A9AFD7FAC0E
SHA1:	0FD25A39303105450288AC54D4E64EF0B0DF78A9
SHA-256:	5C30D586210659096B0A42C5FD375719D9D7DA18F4C1ACA6F921F2EC168E9C99
SHA-512:	C4CB8BA0156358E3E9AC276D8AA45B9A6EC6BF3F5E430C76F2E9B6D2F9031FBE079BDBA159D0FBACCCC37AAB4AE857EE27494791C3C65EE205B8A1B524F255DF
Malicious:	false
Reputation:	low
Preview:	EA06.......3..b.J..5-..I..g ...my.Rh.Md.;3...r..N.8:.'.A.^13..f.a.T$6...M>..&.IMR.W..l.e.L.]$u...;...d..^.Y.D@....Nk..\.m..Y. .Z..u:...I...&.... ....sx.~:....I..@..D.m=.....kVze&.3......R)4......jT....(..........s...c.@..{R...~...4ZsR...vcr.....]....h.q..M.......+@....5.E......8..@?3A..33.....X.B.tJ..M$.Rj..P.qP..<.....31..>8/..A.Rb ..Z.0.ixt.<..X....i.R......>....q.@gWj..m.l..I.{.Z.~&.{..3A..[]...E.u......3..YZE....L;.\.~...S'._;..[%S.<.u..Y..<...a.q.4&.....T?/..K.m....F...a..}.o.u..c1.."......bE9..l.~s&..&.:......_...AP.@..ZUZ_..K#..7[?}..#.-.[+..+........i. ."L.pM.8....8C.[1J.......h.8\..3.U...^.GF..B.gGyh.I..]\|7wp..2.zF.U..........Z.e....D`..............T.Bb....{].Sf3Y.....l1...r.O..g..-....=..=.i.u2]Y...H.3`..m.5...A.....E'.1...e.......;;..b.$.U.{L.Oi..)Sy.......{D.W^...b.K.S)....s+.Dh4.=...[..Jw.F.tQf..6BM..MfQ....4.Lg5..boH.T.4...p._+3Y..K.....W..Mf.I.&.L...t)x.....)S..&.5.........`.~=f...G.w.}..C..*.H...8.m..(..9.W.@x.Z...S..

C:\Users\user\AppData\Local\Temp\aut4ADE.tmp

Download File

Process:	C:\Users\user\Desktop\2aFb7hE00o.exe
File Type:	data
Category:	dropped
Size (bytes):	9860
Entropy (8bit):	7.601040192017558
Encrypted:	false
SSDEEP:	192:0yaFcK6f01Ehm0qek9Gh0q9bfiEwLeKETeYZeCJCvJWLIhnd63fi:WF76Mkm7ek9y0e2EwLeKueOJCvJvB8fi
MD5:	100C44B1B7E50E18CC385C1550A6AA9F
SHA1:	2F87F0AABB4D9EBFDA72EAF42421F2095137EDB6
SHA-256:	6E3C0374CD29B993BA7CEB3AF80A58CDDCE4359FD91446F4EEF6F1C23D57C00D
SHA-512:	4B2C04294073643E18CD1CE86555FDB9E7F3028583ED7013C4B1F02AD96C0718A8D6425CE9B8C07D145B4890B5908B93AB3A163564EB1FDED71B026329EB2BBA
Malicious:	false
Reputation:	low
Preview:	EA06..t..L&.I..A.L&....qb.....-..c.L.....m5...k..c0.M....k8.X.3i...l..%.o2....A8.6,.........3k....e.N&s0.oNf.)...k.K$.eb....5..f.........6.0.o.p....l39....V0...S..$.if...6....f.I...@.....i8........X@.4.1..........$.P...0z.5..$}3Y.....=5..`d....!d..V...7f.[$..8...\|.I..W.d...\|vI..W.d...\|vK..W.d...\|vK(.W.e...\|vY..W,.O...k.`..X@..9..^.8..F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d........#.......2.rXl.pGr....Bnp......f

C:\Users\user\AppData\Local\Temp\beeish

Download File

Process:	C:\Users\user\Desktop\2aFb7hE00o.exe
File Type:	ASCII text, with very long lines (29708), with no line terminators
Category:	dropped
Size (bytes):	29708
Entropy (8bit):	3.5400796178467355
Encrypted:	false
SSDEEP:	768:6iTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbQE+I+h6584vfF3if6gO:6iTZ+2QoioGRk6ZklputwjpjBkCiw2Rf
MD5:	CD404CAE7EDCF747FF3A69B93599D00A
SHA1:	39373E45CE9F275049452977CCFDBCFBBE416BD4
SHA-256:	CF10E1ABFC7392C74071ED6CA7AA4E5F924699369B143850448A38F4F76BFE1A
SHA-512:	4D9E75038F75182ACBCED59929FA27C171BE2E866406C808A2E8F203CB860A7A814479D8C67298C12EA2828FB5257AE3E7CDE72C2D2579970E31B09FE894549A
Malicious:	false
Reputation:	low
Preview:	004411AA000x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c0000006689857effffff33c966894d80ba7300000066

C:\Users\user\AppData\Local\Temp\unnervousness

Download File

Process:	C:\Users\user\Desktop\2aFb7hE00o.exe
File Type:	data
Category:	dropped
Size (bytes):	241664
Entropy (8bit):	6.565466777864786
Encrypted:	false
SSDEEP:	6144:zQbctFkG8dLp80p/f3jQrnvsdDvqCxWBecAcLC:7kGo8UPjQT0dLqCOAb
MD5:	E11602CF6F070C418808F25D7C5766E6
SHA1:	9E57AF9CBB19429D2364A7A8E431EA1A382A1350
SHA-256:	D04111D1FEE0B9A19884CDEDFB8E45895E82B528F2174CA44659B8D6522BCBBD
SHA-512:	214D3351C550496C2DD72396D1C196CD68BC7BC27F9EC7D66D732477DF21C1274EA5A2F54DBBEA30A8168F422D0C0B0CC9B330EA1EC13DE2CC3008A68559B345
Malicious:	false
Reputation:	low
Preview:	...1:XTJ169R..HI.19XTJ56yRIGHIY19XTJ569RIGHIY19XTJ569RIGHIY1.XTJ;).\I.A.x.8..ka^P!i7:&>CX5t)TXW==g,yCL6t#[.}..g%&=T.UY@.69RIGHI.t9X.K66..f!HIY19XTJ.6;SBFCIY.:XTB569RIG..Z19xTJ5.:RIG.IY.9XTH56=RIGHIY1=XTJ569RIgLIY39XTJ56;R..HII19HTJ56)RIWHIY19XDJ569RIGHIY1.WJz69RI.KI.49XTJ569RIGHIY19XTJ56=REGHIY19XTJ569RIGHIY19XTJ569RIGHIY19XTJ569RIGHIY19XTJ5.9RAGHIY19XTJ561rIG.IY19XTJ569Rg3-1-19X..669rIGH.Z19ZTJ569RIGHIY19XtJ5V. :5+IY1.]TJ5.:RIAHIY.:XTJ569RIGHIY1yXT..D\>&$HIU19XTJ169PIGH.Z19XTJ569RIGHI.19.TJ569RIGHIY19XTJ..:RIGHI.19XVJ06..KG({X1:XTJ469TIGHIY19XTJ569RIGHIY19XTJ569RIGHIY19XTJ569RIGHIY1$....ql.:vC;6.~.-.5..Z..0.~6.A.N"....E....s?3.pR.Hx...0...C.ZL>I....l>G7:.0gF8.$......&...O7.C...K..<Oc.`...~w...u]=....E..7%X.X"9+-g.P_9&#.4.SIGHI........P..eJV/.J,....}U0...J56]RIG:IY1XXTJr69R&GHI719XJ56GRIG.IY1yXTJ.69RlGHI419XpJ56GRIG.4V>..#F..RIGHIl.h.'.....p...H..W..#...k<..E].N.....W..3.."dRTj..NX7=]VM155oG.....;\PO71=QEzF....y.l.....9...j".6569RIG.IY.9XT.6.RIG.I.1..TJ5..R.G.I..X

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.932527836979604
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2aFb7hE00o.exe
File size:	1'035'264 bytes
MD5:	a7e106df2ca7b17bd39ec582d19522a0
SHA1:	45f693deef24825c496315d3e71ed6500532c30b
SHA256:	75cd3d0756f7378ee32e18a6ab93046be2a095829806867086b373c40b91b24f
SHA512:	76c80302fe7b64217f8713f771ca369a7eb3725a0d7d2c0160d35422e52883c553f61f4e1b5c677077308a0ec26532b48f789f78572d7c22b4011ebba185fc18
SSDEEP:	24576:GAHnh+eWsN3skA4RV1Hom2KXMmHas7XpzREq05:hh+ZkldoPK8YasxGB
TLSH:	05259D0273D1C036FFABA2739B6AF20556BD79254123852F13981DB9BD701B2263E763
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x664F6F80 [Thu May 23 16:32:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F06E8BBD41Dh
jmp 00007F06E8BB01D4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F06E8BB035Ah
cmp edi, eax
jc 00007F06E8BB06BEh
bt dword ptr [004C41FCh], 01h
jnc 00007F06E8BB0359h
rep movsb
jmp 00007F06E8BB066Ch
cmp ecx, 00000080h
jc 00007F06E8BB0524h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F06E8BB0360h
bt dword ptr [004BF324h], 01h
jc 00007F06E8BB0830h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F06E8BB04FDh
test edi, 00000003h
jne 00007F06E8BB050Eh
test esi, 00000003h
jne 00007F06E8BB04EDh
bt edi, 02h
jnc 00007F06E8BB035Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F06E8BB0363h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F06E8BB03B5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x325dc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfb000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x325dc	0x32600	0b40ef1c04cdaa9f219878efb1f1acd5	False	0.8702407723325062	data	7.745575371869262	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfb000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x29872	data			1.0003586167973757
RT_GROUP_ICON	0xfa02c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xfa0a4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xfa0b8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xfa0cc	0x14	data	English	Great Britain	1.25
RT_VERSION	0xfa0e0	0x10c	data	English	Great Britain	0.5932835820895522
RT_MANIFEST	0xfa1ec	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 08:27:58.954981089 CEST	49704	80	192.168.2.5	208.95.112.1
May 24, 2024 08:27:58.964413881 CEST	80	49704	208.95.112.1	192.168.2.5
May 24, 2024 08:27:58.964513063 CEST	49704	80	192.168.2.5	208.95.112.1
May 24, 2024 08:27:58.965600967 CEST	49704	80	192.168.2.5	208.95.112.1
May 24, 2024 08:27:58.996179104 CEST	80	49704	208.95.112.1	192.168.2.5
May 24, 2024 08:27:59.467958927 CEST	80	49704	208.95.112.1	192.168.2.5
May 24, 2024 08:27:59.509497881 CEST	49704	80	192.168.2.5	208.95.112.1
May 24, 2024 08:29:07.384751081 CEST	80	49704	208.95.112.1	192.168.2.5
May 24, 2024 08:29:07.384886980 CEST	49704	80	192.168.2.5	208.95.112.1
May 24, 2024 08:29:39.479649067 CEST	49704	80	192.168.2.5	208.95.112.1
May 24, 2024 08:29:39.486295938 CEST	80	49704	208.95.112.1	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 08:27:58.931977987 CEST	58874	53	192.168.2.5	1.1.1.1
May 24, 2024 08:27:58.948666096 CEST	53	58874	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 24, 2024 08:27:58.931977987 CEST	192.168.2.5	1.1.1.1	0xd76f	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 24, 2024 08:27:58.948666096 CEST	1.1.1.1	192.168.2.5	0xd76f	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	208.95.112.1	80	6496	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 08:27:58.965600967 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
May 24, 2024 08:27:59.467958927 CEST	175	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 06:27:59 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	02:27:56
Start date:	24/05/2024
Path:	C:\Users\user\Desktop\2aFb7hE00o.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\2aFb7hE00o.exe"
Imagebase:	0xae0000
File size:	1'035'264 bytes
MD5 hash:	A7E106DF2CA7B17BD39EC582D19522A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.2000596760.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:27:57
Start date:	24/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\2aFb7hE00o.exe"
Imagebase:	0xe60000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3236838574.0000000003455000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3235173900.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3235173900.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	6.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	191

Executed Functions

Function 00AE3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AE3B7A
IsDebuggerPresent.KERNEL32 ref: 00AE3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00BA62F8,00BA62E0,?,?), ref: 00AE3BFD

Part of subcall function 00AE7D2C: _memmove.LIBCMT ref: 00AE7D66

Part of subcall function 00AF0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00AE3C26,00BA62F8,?,?,?), ref: 00AF0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00AE3C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00B993F0,00000010), ref: 00B1D4BC
SetCurrentDirectoryW.KERNEL32(?,00BA62F8,?,?,?), ref: 00B1D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00B95D40,00BA62F8,?,?,?), ref: 00B1D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00B1D581

Part of subcall function 00AE3A58: GetSysColorBrush.USER32(0000000F), ref: 00AE3A62
Part of subcall function 00AE3A58: LoadCursorW.USER32(00000000,00007F00), ref: 00AE3A71
Part of subcall function 00AE3A58: LoadIconW.USER32(00000063), ref: 00AE3A88
Part of subcall function 00AE3A58: LoadIconW.USER32(000000A4), ref: 00AE3A9A
Part of subcall function 00AE3A58: LoadIconW.USER32(000000A2), ref: 00AE3AAC
Part of subcall function 00AE3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00AE3AD2
Part of subcall function 00AE3A58: RegisterClassExW.USER32(?), ref: 00AE3B28

Part of subcall function 00AE39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00AE3A15
Part of subcall function 00AE39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00AE3A36
Part of subcall function 00AE39E7: ShowWindow.USER32(00000000,?,?), ref: 00AE3A4A
Part of subcall function 00AE39E7: ShowWindow.USER32(00000000,?,?), ref: 00AE3A53

Part of subcall function 00AE43DB: _memset.LIBCMT ref: 00AE4401
Part of subcall function 00AE43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AE44A6

Strings

runas, xrefs: 00B1D575
This is a third-party compiled AutoIt script., xrefs: 00B1D4B4

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: cd31d0cf05c254899f3cedca7982ebccd329afcb53cfc7b8e7597e7adbb700f1
Instruction ID: fe877d00a576eb7d778dd24520ed0ba6763f577f24761c19c94a3c84fc78befa
Opcode Fuzzy Hash: cd31d0cf05c254899f3cedca7982ebccd329afcb53cfc7b8e7597e7adbb700f1
Instruction Fuzzy Hash: 62510A72908389AECF11EBB5DD1AEFD7BB8AF46300F1440B5F411631A1DE749A45CB21

Function 00AE4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00AE4B2B

Part of subcall function 00AE7D2C: _memmove.LIBCMT ref: 00AE7D66

GetCurrentProcess.KERNEL32(?,00B6FAEC,00000000,00000000,?), ref: 00AE4BF8
IsWow64Process.KERNEL32(00000000), ref: 00AE4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00AE4C45
FreeLibrary.KERNEL32(00000000), ref: 00AE4C50
GetSystemInfo.KERNEL32(00000000), ref: 00AE4C81
GetSystemInfo.KERNEL32(00000000), ref: 00AE4C8D

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 2c644495badf0b6f69a1e29bc716d345d43cc11f38f3fb946d89eb621b1abf40
Instruction ID: b306ceb8a456f2545113f96d30abebfb87744dd9b294227a45e6c6009b05bc68
Opcode Fuzzy Hash: 2c644495badf0b6f69a1e29bc716d345d43cc11f38f3fb946d89eb621b1abf40
Instruction Fuzzy Hash: A091E43154A7C0DEC731CB7995512ABBFF8AF6A300B584D9DE0CB93A41D224F948C759

Function 00AE4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00AE4EEE,?,?,00000000,00000000), ref: 00AE4FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00AE4EEE,?,?,00000000,00000000), ref: 00AE5010
LoadResource.KERNEL32(?,00000000,?,?,00AE4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00AE4F8F), ref: 00B1DD60
SizeofResource.KERNEL32(?,00000000,?,?,00AE4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00AE4F8F), ref: 00B1DD75
LockResource.KERNEL32(00AE4EEE,?,?,00AE4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00AE4F8F,00000000), ref: 00B1DD88

Strings

SCRIPT, xrefs: 00AE5006

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 4d3c3d6e8abcd4fc1cc4606575e152cafafc8e942378317c62246e35f926808c
Instruction ID: 1efaeaaa9df4c95c93e5424176e2a3b6a69304650ede566c6bdc95acc81d3eb9
Opcode Fuzzy Hash: 4d3c3d6e8abcd4fc1cc4606575e152cafafc8e942378317c62246e35f926808c
Instruction Fuzzy Hash: AF112A75640741AFD7218B6AEC58F677BB9EBC9B55F204168F406D72A0DBA1E8008A60

Function 00B44696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00B1E7C1), ref: 00B446A6
FindFirstFileW.KERNELBASE(?,?), ref: 00B446B7
FindClose.KERNEL32(00000000), ref: 00B446C7

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: f33717810903b23ccd47e840271e9ba916cad8a3058e91a0aad01bad859b0e32
Instruction ID: a01893eca31fd70ba8f763629df25bb15301c148dc095277eeaa4f43e180b94d
Opcode Fuzzy Hash: f33717810903b23ccd47e840271e9ba916cad8a3058e91a0aad01bad859b0e32
Instruction Fuzzy Hash: 02E0D8314104015B42106B38FC4D4FA779CDE06335F100796F835C21E0EBF45A60A999

Function 00AEE800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00B2428C

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 92fa688b1d00ca21612a9da47a31e76afd7cc0331b1b8f2780736deb53e64c51
Instruction ID: 53d50f793f3174bf7b967c3b8426f6e5abb8f532ec508a9969d6d79c94a3bfa4
Opcode Fuzzy Hash: 92fa688b1d00ca21612a9da47a31e76afd7cc0331b1b8f2780736deb53e64c51
Instruction Fuzzy Hash: 75A2A274A04255CFCB24CF5AC980AAEB7F1FF59300F2481A9E91AAB351D735ED42CB91

Function 00AF0B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AF0BBB
timeGetTime.WINMM ref: 00AF0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AF0FB3
TranslateMessage.USER32(?), ref: 00AF0FC7
DispatchMessageW.USER32(?), ref: 00AF0FD5
Sleep.KERNEL32(0000000A), ref: 00AF0FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00AF105A
DestroyWindow.USER32 ref: 00AF1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00AF1080
Sleep.KERNEL32(0000000A,?,?), ref: 00B252AD
TranslateMessage.USER32(?), ref: 00B2608A
DispatchMessageW.USER32(?), ref: 00B26098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B260AC

Strings

@GUI_CTRLID, xrefs: 00B25364
@GUI_CTRLHANDLE, xrefs: 00B2540E
@TRAY_ID, xrefs: 00B25BB9
@COM_EVENTOBJ, xrefs: 00B2591A
@GUI_WINHANDLE, xrefs: 00B253B9

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: 5b1dbcf38bae2ce7a93bce98dbbd7f952b597fe251c1cdb06fb40e7b4ce35c16
Instruction ID: df7f69e498b230528fa117e4d8e3ae7d2e0e0196f804e5d788768c731ffc4230
Opcode Fuzzy Hash: 5b1dbcf38bae2ce7a93bce98dbbd7f952b597fe251c1cdb06fb40e7b4ce35c16
Instruction Fuzzy Hash: CAB2AC70608751DFD738DB24D885BAABBE5FF84304F14499DF58A872A2DB74E844CB82

Function 00B493DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B491E9: __time64.LIBCMT ref: 00B491F3

Part of subcall function 00AE5045: _fseek.LIBCMT ref: 00AE505D

__wsplitpath.LIBCMT ref: 00B494BE

Part of subcall function 00B0432E: __wsplitpath_helper.LIBCMT ref: 00B0436E

_wcscpy.LIBCMT ref: 00B494D1
_wcscat.LIBCMT ref: 00B494E4
__wsplitpath.LIBCMT ref: 00B49509
_wcscat.LIBCMT ref: 00B4951F
_wcscat.LIBCMT ref: 00B49532

Part of subcall function 00B4922F: _memmove.LIBCMT ref: 00B49268
Part of subcall function 00B4922F: _memmove.LIBCMT ref: 00B49277

_wcscmp.LIBCMT ref: 00B49479

Part of subcall function 00B499BE: _wcscmp.LIBCMT ref: 00B49AAE
Part of subcall function 00B499BE: _wcscmp.LIBCMT ref: 00B49AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B496DC
_wcsncpy.LIBCMT ref: 00B4974F
DeleteFileW.KERNEL32(?,?), ref: 00B49785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B4979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B497AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B497BE

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 3db9eb2eb709636c095013b8c02241174e4f2b83551bd1795baeb89ea5b97309
Instruction ID: 62a9b54801b8c6903e1b67dbfc32ca74416fd69295888e6527573d6eb83c3378
Opcode Fuzzy Hash: 3db9eb2eb709636c095013b8c02241174e4f2b83551bd1795baeb89ea5b97309
Instruction Fuzzy Hash: 9CC128B1D00229AEDF21DFA5CD85ADFBBBDEF44304F0040AAF609E6151DB709A849F65

Function 00AE3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AE3074
RegisterClassExW.USER32(00000030), ref: 00AE309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AE30AF
InitCommonControlsEx.COMCTL32(?), ref: 00AE30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AE30DC
LoadIconW.USER32(000000A9), ref: 00AE30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AE3101

Strings

TaskbarCreated, xrefs: 00AE30A4
AutoIt v3 GUI, xrefs: 00AE3090
0, xrefs: 00AE3056
+, xrefs: 00AE305D

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: a407fa877b9cc8cb200a1e0aad7c664c8e77afa0e236e8a9cfd0d7842575fbd2
Instruction ID: cb1639e5e73f78303296d3910f70fc6dc19f1fb34b3d34941bdc2596e04e5183
Opcode Fuzzy Hash: a407fa877b9cc8cb200a1e0aad7c664c8e77afa0e236e8a9cfd0d7842575fbd2
Instruction Fuzzy Hash: 0E3149B184430AAFDB40CFA4EC85AD9BBF4FB09310F14456AE590E72A0DBB94585CF90

Function 00AE3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AE3074
RegisterClassExW.USER32(00000030), ref: 00AE309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AE30AF
InitCommonControlsEx.COMCTL32(?), ref: 00AE30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AE30DC
LoadIconW.USER32(000000A9), ref: 00AE30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AE3101

Strings

TaskbarCreated, xrefs: 00AE30A4
AutoIt v3 GUI, xrefs: 00AE3090
0, xrefs: 00AE3056
+, xrefs: 00AE305D

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: b982f4324f2caab1612db1e7838ced15e89f07631f0bebbb7d6db0afb9a2241d
Instruction ID: 3fbe224ed6a060633ae53ed8ead6c64317253c115442da12921ea22679480b51
Opcode Fuzzy Hash: b982f4324f2caab1612db1e7838ced15e89f07631f0bebbb7d6db0afb9a2241d
Instruction Fuzzy Hash: FC21C5B1D01219AFDB00DFA4EC49BADBBF8FB09700F04412AF510A72A0DBB945448F91

Function 00AE71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AE4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00BA62F8,?,00AE37C0,?), ref: 00AE4882

Part of subcall function 00B0074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00AE72C5), ref: 00B00771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00AE7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00B1ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00B1ED32
RegCloseKey.ADVAPI32(?), ref: 00B1ED70
_wcscat.LIBCMT ref: 00B1EDC9

Strings

\, xrefs: 00B1EDEC
Software\AutoIt v3\AutoIt, xrefs: 00AE72FE
Include, xrefs: 00B1ECE8, 00B1ED29
\Include\, xrefs: 00AE72C5

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 8555fbcef5734a70aae41409fd8ab15fdab039208d4adaab21634806d1e4c1eb
Instruction ID: 1ece123bc27126dc49425729f11dafb193e593ebb6359b7b8d3aa8ec86ea1fc5
Opcode Fuzzy Hash: 8555fbcef5734a70aae41409fd8ab15fdab039208d4adaab21634806d1e4c1eb
Instruction Fuzzy Hash: 89714A7254C3419EC314EF66EC86AABBBE8FF9A340F40446EF455871A1EF709948CB51

Function 00AE3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AE3A62
LoadCursorW.USER32(00000000,00007F00), ref: 00AE3A71
LoadIconW.USER32(00000063), ref: 00AE3A88
LoadIconW.USER32(000000A4), ref: 00AE3A9A
LoadIconW.USER32(000000A2), ref: 00AE3AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00AE3AD2
RegisterClassExW.USER32(?), ref: 00AE3B28

Part of subcall function 00AE3041: GetSysColorBrush.USER32(0000000F), ref: 00AE3074
Part of subcall function 00AE3041: RegisterClassExW.USER32(00000030), ref: 00AE309E
Part of subcall function 00AE3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AE30AF
Part of subcall function 00AE3041: InitCommonControlsEx.COMCTL32(?), ref: 00AE30CC
Part of subcall function 00AE3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AE30DC
Part of subcall function 00AE3041: LoadIconW.USER32(000000A9), ref: 00AE30F2
Part of subcall function 00AE3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AE3101

Strings

AutoIt v3, xrefs: 00AE3B17
#, xrefs: 00AE3B0D
0, xrefs: 00AE3B06

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: d03bb6e96dd0b6263990b0b1aa3c3ecb5ddafc3413375c427970c1acaeb269ab
Instruction ID: 45ef3f40d9bef6863bb1bd6355e4d42e79d3f418ab4ca6c217a5074082fb6701
Opcode Fuzzy Hash: d03bb6e96dd0b6263990b0b1aa3c3ecb5ddafc3413375c427970c1acaeb269ab
Instruction Fuzzy Hash: 06215EB1D00305AFEB149FA5EC0ABAD7BB4FB09711F040129F504A72E0DBBA59549F84

Function 00AE3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00AE36D2
KillTimer.USER32(?,00000001), ref: 00AE36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AE371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AE372A
CreatePopupMenu.USER32 ref: 00AE373E
PostQuitMessage.USER32(00000000), ref: 00AE375F

Strings

TaskbarCreated, xrefs: 00AE3725

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 5b629f42794f22481a4afe42e524c653024220b83ea38ab7455d3b67028c417f
Instruction ID: cf9344fb3cf363c9be94581576fd880f438f07ce31ae81ae4b7cc24b8e451a18
Opcode Fuzzy Hash: 5b629f42794f22481a4afe42e524c653024220b83ea38ab7455d3b67028c417f
Instruction Fuzzy Hash: 4F412AF3204285BBDF149F75EC0EB7E37A8EB05300F180129F612872E1DEA59E509765

Function 00AE3778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3OutputDebug, xrefs: 00AE38A4
/ErrorStdOut, xrefs: 00AE388F
CMDLINERAW, xrefs: 00AE380D
/AutoIt3ExecuteLine, xrefs: 00AE38B9
/AutoIt3ExecuteScript, xrefs: 00AE38CE
CMDLINE, xrefs: 00AE3834
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00AE37C0

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 3c28165deee24393e2b01bd89f29f1bb37a9a11f702abf3df287667ce33590f3
Instruction ID: 5b101cd57a193264afaab47536d287f5ec973032bdbbe4806a2798c24748d7ed
Opcode Fuzzy Hash: 3c28165deee24393e2b01bd89f29f1bb37a9a11f702abf3df287667ce33590f3
Instruction Fuzzy Hash: 3BA151B2C102699ACF04EFA6DD95EEEB7B8BF14300F440569F416B7191EF745A09CB60

Function 00C12660 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00C12731
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C12957

Memory Dump Source

Source File: 00000000.00000002.2000430294.0000000000C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_2aFb7hE00o.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 30e8af4b53c3aa052917812e21e5e8fbde56ed90f0e39d50c947676a587081b9
Instruction ID: 764528229b5cd0b741d92950fef8515115c0618d12c3b7d09fce4d5e3f79b6e3
Opcode Fuzzy Hash: 30e8af4b53c3aa052917812e21e5e8fbde56ed90f0e39d50c947676a587081b9
Instruction Fuzzy Hash: CDA10775E00209EBEB14CFA4C894BEEBBB5FF49304F208159E511BB2C0D7759A91EB94

Function 00AE39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00AE3A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00AE3A36
ShowWindow.USER32(00000000,?,?), ref: 00AE3A4A
ShowWindow.USER32(00000000,?,?), ref: 00AE3A53

Strings

AutoIt v3, xrefs: 00AE3A0D, 00AE3A12, 00AE3A13
edit, xrefs: 00AE3A30

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 070fb7670884fcf7f909935987cf392759704de4df585b88d7daa2be79ac23f4
Instruction ID: 7ea3b6dd881b4355be674c34c0ee8e554147336f83d2310a5cbe1ffa0ec606e4
Opcode Fuzzy Hash: 070fb7670884fcf7f909935987cf392759704de4df585b88d7daa2be79ac23f4
Instruction Fuzzy Hash: BAF0DAB16413907EEA315B677C4AF772F7DE7C7F50B04412AB904E31B0CAA91851DAB0

Function 00C12410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C12300: Sleep.KERNELBASE(000001F4), ref: 00C12311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00C1254D

Strings

HIY19XTJ569RIG, xrefs: 00C125B0, 00C125B3

Memory Dump Source

Source File: 00000000.00000002.2000430294.0000000000C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_2aFb7hE00o.jbxd

Similarity

API ID: CreateFileSleep
String ID: HIY19XTJ569RIG
API String ID: 2694422964-3972060199
Opcode ID: 680dd79dd718dbbd9a61c592bc08e720d0ef228a093fdc911aa9b2c5af7113c4
Instruction ID: eec176f666afbab3e3f415dd9d410c3af20572ba050ca45310a7b70a7ab44ad3
Opcode Fuzzy Hash: 680dd79dd718dbbd9a61c592bc08e720d0ef228a093fdc911aa9b2c5af7113c4
Instruction Fuzzy Hash: 3551A234D04248EBEF11DBE4C854BEEBB79AF19300F104199E209BB2C0DBB95B85DB65

Function 00AE410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B1D5EC

Part of subcall function 00AE7D2C: _memmove.LIBCMT ref: 00AE7D66

_memset.LIBCMT ref: 00AE418D
_wcscpy.LIBCMT ref: 00AE41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00AE41F1

Strings

Line: , xrefs: 00B1D615

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 76d17735bac7e1430378d4dbc39c9f26707f8fef7b74483b116e0f901b88ec2d
Instruction ID: 31dc9c11c0470bcf4bb9e9f45b157daf92640aee04aaa00483feed44b331dbeb
Opcode Fuzzy Hash: 76d17735bac7e1430378d4dbc39c9f26707f8fef7b74483b116e0f901b88ec2d
Instruction Fuzzy Hash: 1B31E0B1008385AAD721EB61DD46FEF77ECAF59300F14461EF185930A1EF74AA48CB92

Function 00B0564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00B056AB
_memcpy_s.LIBCMT ref: 00B0571D
__read_nolock.LIBCMT ref: 00B0577B
__filbuf.LIBCMT ref: 00B0579E
_memset.LIBCMT ref: 00B057E2

Part of subcall function 00B08D68: __getptd_noexit.LIBCMT ref: 00B08D68

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 73eee4d5567ce86c4afb21f56c771010cc6aac9564621d55a4b7618a692be49f
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 06519070A00B05DFDB349FA988846AF7FE5EF40320F6487A9E82596AD0D7719E50AF50

Function 00AE69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00AE4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00BA62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AE4F6F

_free.LIBCMT ref: 00B1E68C
_free.LIBCMT ref: 00B1E6D3

Part of subcall function 00AE6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00AE6D0D

Strings

Bad directive syntax error, xrefs: 00B1E6BB
>>>AUTOIT SCRIPT<<<, xrefs: 00B1E462

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: ddd791e123d51bfef39432ca9168fb3859246318555394d63ee565a4a2524823
Instruction ID: 2c6eaff6341afb2c9f458208abba8f064a9fba5107d67199de9ca6fa7c155ca3
Opcode Fuzzy Hash: ddd791e123d51bfef39432ca9168fb3859246318555394d63ee565a4a2524823
Instruction Fuzzy Hash: 7C918B71910259AFCF04EFA5C8919EDB7F5FF18304F9444A9F825AB2A1EB30E944CB60

Function 00AE35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00AE35A1,SwapMouseButtons,00000004,?), ref: 00AE35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00AE35A1,SwapMouseButtons,00000004,?,?,?,?,00AE2754), ref: 00AE35F5
RegCloseKey.KERNELBASE(00000000,?,?,00AE35A1,SwapMouseButtons,00000004,?,?,?,?,00AE2754), ref: 00AE3617

Strings

Control Panel\Mouse, xrefs: 00AE35D2

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: df49339bf0552b108dad3ca6d14160eb473777c58562198b236f4ff56d64b9d2
Instruction ID: 7f180973ee4e6fd5c389944c6f3b33d4798c8b6d3430d9cfa6c3ed94fcf9d5e5
Opcode Fuzzy Hash: df49339bf0552b108dad3ca6d14160eb473777c58562198b236f4ff56d64b9d2
Instruction Fuzzy Hash: FB114872510248BFDF20CFA9EC489BFB7B8EF05740F018469E805D7210D6719E409760

Function 00C11300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00C11B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00C11B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00C11B73

Memory Dump Source

Source File: 00000000.00000002.2000430294.0000000000C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_2aFb7hE00o.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction ID: 43cbf8ee743f9c3b02e4cbe9fb15f25c485be0faa0a6fdbda8b33f7491d82bfc
Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction Fuzzy Hash: 13622B30A14258DBEB24CFA4C850BDEB372EF59300F1491A9D60DEB390E7799E81DB59

Function 00B497E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00AE5045: _fseek.LIBCMT ref: 00AE505D

Part of subcall function 00B499BE: _wcscmp.LIBCMT ref: 00B49AAE
Part of subcall function 00B499BE: _wcscmp.LIBCMT ref: 00B49AC1

_free.LIBCMT ref: 00B4992C
_free.LIBCMT ref: 00B49933
_free.LIBCMT ref: 00B4999E

Part of subcall function 00B02F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00B09C64), ref: 00B02FA9
Part of subcall function 00B02F95: GetLastError.KERNEL32(00000000,?,00B09C64), ref: 00B02FBB

_free.LIBCMT ref: 00B499A6

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: d9ae0c5d453641694606f69828c3ed73b5fd5779769f00272cc49afe01aba135
Instruction ID: b1a9a0573c6e6c92314845dc9f10e70aa8111011c662c37dcf4f2afb2713f64c
Opcode Fuzzy Hash: d9ae0c5d453641694606f69828c3ed73b5fd5779769f00272cc49afe01aba135
Instruction Fuzzy Hash: ED515BB1D04258AFDF249F65DC85A9EBBB9EF48314F1004EEB609A7281DB715E80CF58

Function 00B0493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B049D0
__flush.LIBCMT ref: 00B049F0
__write.LIBCMT ref: 00B04A23
__flsbuf.LIBCMT ref: 00B04A51

Part of subcall function 00B08D68: __getptd_noexit.LIBCMT ref: 00B08D68

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 057c52fb1c7e432d11fee0286921f3eab756d6e834edeb4d478c8e1f16b2ab96
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: B24195B17406059FDF288EA9C88096F7FE5EF84360B2485BDEA55C76D0D7709D418744

Function 00AE73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B1EE62
GetOpenFileNameW.COMDLG32(?), ref: 00B1EEAC

Part of subcall function 00AE48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AE48A1,?,?,00AE37C0,?), ref: 00AE48CE

Part of subcall function 00B009D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B009F4

Strings

X, xrefs: 00B1EE7A

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 27f8d465b698cd1058369670b8b653d0b0d5cc72aa5d8b0b4dddc64fd67e9a27
Instruction ID: 0900ca2248ba694d1bf0705a4ded92290b4462aae4c875232d9e7462328824bb
Opcode Fuzzy Hash: 27f8d465b698cd1058369670b8b653d0b0d5cc72aa5d8b0b4dddc64fd67e9a27
Instruction Fuzzy Hash: 3E21D571A142989BDF51DF98CC45BEEBBFC9F49700F00405AE408E7281DBB499898FA1

Function 00B4901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B49036
__fread_nolock.LIBCMT ref: 00B4904B

Strings

EA06, xrefs: 00B4907D

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 06343a615181abf98cabf92d070345fb6c3de55771e28ca5d7e38b4d8ea06b8d
Instruction ID: 602ecc4bb0bb5539b3e1016f4654084cd2ddd096f2785dafc2340cb694053b93
Opcode Fuzzy Hash: 06343a615181abf98cabf92d070345fb6c3de55771e28ca5d7e38b4d8ea06b8d
Instruction Fuzzy Hash: 7901F971804218AEDB28C6A8C856EEE7FFCDB01301F0041DAF592D22C1E575A7089BA0

Function 00B49B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00B49B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00B49B99

Strings

aut, xrefs: 00B49B93

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 11547f1e147753d0ad63e37aaa59bdd8d08b3c9bcd783d9da385151ecd834b91
Instruction ID: fa4b090a0a23748c2ef20b4db966cc96a35ef53419150690f74dd2b7f6739b37
Opcode Fuzzy Hash: 11547f1e147753d0ad63e37aaa59bdd8d08b3c9bcd783d9da385151ecd834b91
Instruction Fuzzy Hash: E7D05E7A94030EABDB109B90EC0EFAA776CE704704F0042B1FE54921E1DEF455988FD1

Function 00B5CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dffaa441c12ea4401850c627dca6e9d0fd98d2890a83c8c313816966db5ff3db
Instruction ID: f0d7f7a0259d12360a79048df1a66280a05efc087abb178d55a6c8479126ec16
Opcode Fuzzy Hash: dffaa441c12ea4401850c627dca6e9d0fd98d2890a83c8c313816966db5ff3db
Instruction Fuzzy Hash: 51F16C706083419FC724DF28C584A6ABBE5FF88314F1489ADF8999B351D771E94ACF82

Function 00AEF8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B003A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B003D3
Part of subcall function 00B003A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B003DB
Part of subcall function 00B003A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B003E6
Part of subcall function 00B003A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B003F1
Part of subcall function 00B003A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B003F9
Part of subcall function 00B003A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B00401

Part of subcall function 00AF6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00AEFA90), ref: 00AF62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00AEFB2D
OleInitialize.OLE32(00000000), ref: 00AEFBAA
CloseHandle.KERNEL32(00000000), ref: 00B249F2

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 4af8db771598cdc56d0352e7f117e8f46a10feab5dee61fcf061b363be371922
Instruction ID: 2622542b2318b1ca1ec113c483d9028663aa88263f06bca4703d25b300262662
Opcode Fuzzy Hash: 4af8db771598cdc56d0352e7f117e8f46a10feab5dee61fcf061b363be371922
Instruction Fuzzy Hash: F881B9F19182808ECB84DF7AE9566297BE4FB5E30871885BAD429C73A2EF754805CF14

Function 00AE43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AE4401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AE44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AE44C3

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: d294c9fc318853a644162f26fb95a83ef57e702c37e9827e342578e1574dfde1
Instruction ID: f00d505dd7d1d95b93f39c05f2b41e88216b8485db7fa4b8942f5dfe9ce3f740
Opcode Fuzzy Hash: d294c9fc318853a644162f26fb95a83ef57e702c37e9827e342578e1574dfde1
Instruction Fuzzy Hash: 963171B06057418FD721DF25D88579BBBF8FB49304F04092EF59A83291EBB5A944CB92

Function 00B0594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00B05963

Part of subcall function 00B0A3AB: __NMSG_WRITE.LIBCMT ref: 00B0A3D2
Part of subcall function 00B0A3AB: __NMSG_WRITE.LIBCMT ref: 00B0A3DC

__NMSG_WRITE.LIBCMT ref: 00B0596A

Part of subcall function 00B0A408: GetModuleFileNameW.KERNEL32(00000000,00BA43BA,00000104,?,00000001,00000000), ref: 00B0A49A
Part of subcall function 00B0A408: ___crtMessageBoxW.LIBCMT ref: 00B0A548

Part of subcall function 00B032DF: ___crtCorExitProcess.LIBCMT ref: 00B032E5
Part of subcall function 00B032DF: ExitProcess.KERNEL32 ref: 00B032EE

Part of subcall function 00B08D68: __getptd_noexit.LIBCMT ref: 00B08D68

RtlAllocateHeap.NTDLL(00C30000,00000000,00000001,00000000,?,?,?,00B01013,?), ref: 00B0598F

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 5c86b3daef0f98fcd50b2782eadf7ea490607570d7502fc431815289ae177105
Instruction ID: f15a6ed3be977e3dfcfc1aa71916e63d1456896a6cddcf97c6fcfa5a1ee86e07
Opcode Fuzzy Hash: 5c86b3daef0f98fcd50b2782eadf7ea490607570d7502fc431815289ae177105
Instruction Fuzzy Hash: 8A01B535200B15EEE6352B64EC46B7F7EC8DF92B70F1002BAF541AB5D1DEB09D019A64

Function 00B49B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00B497D2,?,?,?,?,?,00000004), ref: 00B49B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00B497D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00B49B5B
CloseHandle.KERNEL32(00000000,?,00B497D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B49B62

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: fcc10253b81fc6af7f5bcbce69c9fe42f92052986624d7445c1cb93fee337bd9
Instruction ID: 75e87daaec57db002d64890e33ac96aef9939c36845a9e51273e119d574d3e0b
Opcode Fuzzy Hash: fcc10253b81fc6af7f5bcbce69c9fe42f92052986624d7445c1cb93fee337bd9
Instruction Fuzzy Hash: B0E08632181215B7D7211B54FC09FDA7B58EB067A1F104120FB547A0E08BF52A119798

Function 00B48F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B48FA5

Part of subcall function 00B02F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00B09C64), ref: 00B02FA9
Part of subcall function 00B02F95: GetLastError.KERNEL32(00000000,?,00B09C64), ref: 00B02FBB

_free.LIBCMT ref: 00B48FB6
_free.LIBCMT ref: 00B48FC8

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
Instruction ID: fda0399ba627250473bd4eb6ce9f83f7fed11a028c85b11cedc8957baa952b4c
Opcode Fuzzy Hash: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
Instruction Fuzzy Hash: B1E02BB170C7024BCA20A738AD05E871BFE9F48390B080C8DB409DB1C2DF20FD489034

Function 00AEAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00B2002B

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 1a550d3174a9fb1761cfe5150a73fe63ff1cae5eff577511fdf1eec2efb19260
Instruction ID: 61b36e7055948c7cfdb6b81775b51d36e27bf9f06c7578f83ac31e32fe36b451
Opcode Fuzzy Hash: 1a550d3174a9fb1761cfe5150a73fe63ff1cae5eff577511fdf1eec2efb19260
Instruction Fuzzy Hash: 6A2237705182919FC724DF15C594B6ABBF1FF94300F1489ADE89A8B362DB31ED85CB82

Function 00AE4DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AE4E1A

Strings

EA06, xrefs: 00B1DCF5

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 1687ae910b1c0af289630d24733c5869353d13d10bd6142e830a7f1fef98c5ed
Instruction ID: c37a40dcd93f50fac120847e05d0c5fc9ecb743979cf7f154791b8ad301dfa3e
Opcode Fuzzy Hash: 1687ae910b1c0af289630d24733c5869353d13d10bd6142e830a7f1fef98c5ed
Instruction Fuzzy Hash: 69416D32A041D45BCF255F6699517FE7FBEEF0D300F6844B5F882AB282C6219D8483E1

Function 00AE492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00AE4992

Part of subcall function 00B035AC: __lock.LIBCMT ref: 00B035B2
Part of subcall function 00B035AC: DecodePointer.KERNEL32(00000001,?,00AE49A7,00B381BC), ref: 00B035BE
Part of subcall function 00B035AC: EncodePointer.KERNEL32(?,?,00AE49A7,00B381BC), ref: 00B035C9

Part of subcall function 00AE4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00AE4A73
Part of subcall function 00AE4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00AE4A88

Part of subcall function 00AE3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AE3B7A
Part of subcall function 00AE3B4C: IsDebuggerPresent.KERNEL32 ref: 00AE3B8C
Part of subcall function 00AE3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00BA62F8,00BA62E0,?,?), ref: 00AE3BFD
Part of subcall function 00AE3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00AE3C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00AE49D2

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: da0c36b01251602c09c71499d6d1ea18ffaea3e5aa412e6f3222a867c3be5b15
Instruction ID: 9b8c58bd33db170d64dedd1cccec2bacfaa1fc8419e22084c9078ce7ea5b1815
Opcode Fuzzy Hash: da0c36b01251602c09c71499d6d1ea18ffaea3e5aa412e6f3222a867c3be5b15
Instruction Fuzzy Hash: 18118CB19083519BC700EF2AED0691ABFE8EF99750F00452EF055972B1DFB09945CB92

Function 00AE5DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00AE5981,?,?,?,?), ref: 00AE5E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00AE5981,?,?,?,?), ref: 00B1E19C

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1bc6978e9dbdc7f02abf5a806b070db22816c0cbdf13ad30e5b063445d487266
Instruction ID: c50c749adff7dcb7c2bbe9bdbd97d9c973f5b15d1719cdd9297c0e59a9558247
Opcode Fuzzy Hash: 1bc6978e9dbdc7f02abf5a806b070db22816c0cbdf13ad30e5b063445d487266
Instruction Fuzzy Hash: 95018070644648BEF3240E29EC8AF663ADCEB0176CF148318BAE56A1E0C6B45E458B50

Function 00B00FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B0594C: __FF_MSGBANNER.LIBCMT ref: 00B05963
Part of subcall function 00B0594C: __NMSG_WRITE.LIBCMT ref: 00B0596A
Part of subcall function 00B0594C: RtlAllocateHeap.NTDLL(00C30000,00000000,00000001,00000000,?,?,?,00B01013,?), ref: 00B0598F

std::exception::exception.LIBCMT ref: 00B0102C
__CxxThrowException@8.LIBCMT ref: 00B01041

Part of subcall function 00B087DB: RaiseException.KERNEL32(?,?,?,00B9BAF8,00000000,?,?,?,?,00B01046,?,00B9BAF8,?,00000001), ref: 00B08830

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 3e9d195dd0f1c06fea083cd418d4688b38dc6351416f6f6176e2f076ce7de339
Instruction ID: d51b021e6437e6b416d6ddb8c76de67476d6be99249ab5e7b4cf40b8cf582795
Opcode Fuzzy Hash: 3e9d195dd0f1c06fea083cd418d4688b38dc6351416f6f6176e2f076ce7de339
Instruction Fuzzy Hash: 3EF08135500219A6CB25AB58ED069DF7FECDF00360F1044E5F898966E1EFB19A809691

Function 00B0582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B0585C
__lock_file.LIBCMT ref: 00B0587D

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 59aca6475a3d52599fe88dabf66e2a3342f56b387437eb3b69129e022383f927
Instruction ID: fbb8bdbf8ceff23ce54c4f0da48b4784586d6401043e48bc972a6364b3ca3c37
Opcode Fuzzy Hash: 59aca6475a3d52599fe88dabf66e2a3342f56b387437eb3b69129e022383f927
Instruction Fuzzy Hash: 78017171800B09EBCF22AF698C0599F7FE5AF40360F14C2A5B8145A1E1EB31CA21DF91

Function 00B055D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B08D68: __getptd_noexit.LIBCMT ref: 00B08D68

__lock_file.LIBCMT ref: 00B0561B

Part of subcall function 00B06E4E: __lock.LIBCMT ref: 00B06E71

__fclose_nolock.LIBCMT ref: 00B05626

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: f3dae88c46c6c9847b8ccfe0fe856e16854a96839cfb3f86bd2e0e47dcb7925d
Instruction ID: dcfa9fe024553dc70d0dcefb75957943bcd486d5e07cb922e0b1a38919cb04ca
Opcode Fuzzy Hash: f3dae88c46c6c9847b8ccfe0fe856e16854a96839cfb3f86bd2e0e47dcb7925d
Instruction Fuzzy Hash: F0F09A71801A059ADB30AF798802B6F7FE1AF40334F6582C9A465AB5C2CF7D8A019F65

Function 00AE81C1 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,00AE558F,?,?,?,?,?), ref: 00AE81DA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,00AE558F,?,?,?,?,?), ref: 00AE820D

Part of subcall function 00AE78AD: _memmove.LIBCMT ref: 00AE78E9

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: 957e78f2b5d8d64968dd41946dd66d6402168c6e8e4046da6076f989d7520456
Instruction ID: 568cfc495b4a344f44e3af489cae945739022861ad02e2d2cd8ed0139e1e58ff
Opcode Fuzzy Hash: 957e78f2b5d8d64968dd41946dd66d6402168c6e8e4046da6076f989d7520456
Instruction Fuzzy Hash: D4018B31201544BEEB246B26ED4AF7B3FACEB8A760F10802AFA05DE1D0DE7098009661

Function 00C112FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00C11B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00C11B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00C11B73

Memory Dump Source

Source File: 00000000.00000002.2000430294.0000000000C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_2aFb7hE00o.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction ID: ed679a4f9b885f79f688eee8db5f02b30ab464d4a9336c39174734e82d839253
Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction Fuzzy Hash: 4712DE24E24658C6EB24DF64D8507DEB232EF69300F1090E9910DEB7A5E77A4F81CB5A

Function 00AF2123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2e86d20c6ba0ceeef0aeb325b6b005a35d2b6c44c27496076e28b14484f0e8
Instruction ID: c483947139111f626f210485b6e0f9211935dcaf34eb5cae71a135399027a032
Opcode Fuzzy Hash: 9d2e86d20c6ba0ceeef0aeb325b6b005a35d2b6c44c27496076e28b14484f0e8
Instruction Fuzzy Hash: 2E518335600614AFCF14EB68DA91FBE77E5AF49314F1481A8F90AAB392DB30ED00CB55

Function 00AE766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AE774A

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 66df3c07b3103f0ef04c0b15b29fab749f31eee2ad856efa914133f647b06a1e
Instruction ID: fdaa6efd01d18a9304cda1439d6e70e9cf07b0747d7e6cae80599c029f6e6998
Opcode Fuzzy Hash: 66df3c07b3103f0ef04c0b15b29fab749f31eee2ad856efa914133f647b06a1e
Instruction Fuzzy Hash: 47318579608A42DFD724DF1AC590A25F7F0FF08310B14C569E999CB7A5E730D881CB54

Function 00AE5C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00AE5CF6

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1263c85e79c9483b2a9f5f46fb93f29fb63a8676dae0506d796dc79645bab6b0
Instruction ID: 0ec67e3cc9209c739ad9376c5f6e78263ff49140456cca71ec6094e4fbb9a4ba
Opcode Fuzzy Hash: 1263c85e79c9483b2a9f5f46fb93f29fb63a8676dae0506d796dc79645bab6b0
Instruction Fuzzy Hash: B4316D31E00B49AFCB18CF2ED9946ADB7B5FF88314F248629D81993710D771B960DB90

Function 00B200D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00B200E1

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: c5a27dbd400c46533cdb48808e28d05890d724af826b67fa65ec5c9cc704677e
Instruction ID: 24b9abdea134650e6da9e94cb8ddc9c002c47c5b4ea6d45e23d2c34a6c8817f2
Opcode Fuzzy Hash: c5a27dbd400c46533cdb48808e28d05890d724af826b67fa65ec5c9cc704677e
Instruction Fuzzy Hash: 15410574508391CFDB24DF15C484B1ABBE0BF45318F1988ACE8998B762C736EC85CB52

Function 00AE4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE4D13: FreeLibrary.KERNEL32(00000000,?), ref: 00AE4D4D

Part of subcall function 00B0548B: __wfsopen.LIBCMT ref: 00B05496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00BA62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AE4F6F

Part of subcall function 00AE4CC8: FreeLibrary.KERNEL32(00000000), ref: 00AE4D02

Part of subcall function 00AE4DD0: _memmove.LIBCMT ref: 00AE4E1A

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: a6fed814a712cf3de124e93b25ed8eb1a9d4482c65086199e2bab87f982c7d08
Instruction ID: f4a78da764efaeb8856edb2e3eb54d6d17660682f12f7e053aaa71d60e927536
Opcode Fuzzy Hash: a6fed814a712cf3de124e93b25ed8eb1a9d4482c65086199e2bab87f982c7d08
Instruction Fuzzy Hash: B311E731A00709AACB10AF71DD52BAE77E8DF48B00F208429F541A72C1DA759A05AB50

Function 00B201AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00B201BB

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 392d860d00d9b951882c7cf2433f538c5357120e902b3f7b65db7ccebbce5ed0
Instruction ID: c96e6688f938bf250f717e72eeca535da4df2a1d31461d47c30c3cbd0761ed81
Opcode Fuzzy Hash: 392d860d00d9b951882c7cf2433f538c5357120e902b3f7b65db7ccebbce5ed0
Instruction Fuzzy Hash: 8E2122B4508391DFDB28DF65C484B1BBBE0BF88304F0589A8E89A47762D731F845CB52

Function 00AE78AD Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AE78E9

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: e0b0f1feff7007f9a685850875a5a6e1ea6a23f504afe070e1a0459631d1335c
Instruction ID: 5279797130d5c4482aef57205e4dde6358c3bd9ee77f4619460487faa9fdc671
Opcode Fuzzy Hash: e0b0f1feff7007f9a685850875a5a6e1ea6a23f504afe070e1a0459631d1335c
Instruction Fuzzy Hash: 0611A5722092956BC714AB6DE892E7EB79DEF45320714422AFD59C72D1DF319C108790

Function 00AE5D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00AE5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00AE5D76

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 36d1e56f376e79eedabd549641c2eb8997198b003f95cc85d040dbd04b1bda97
Instruction ID: 08126c069e540ca0a4b96ebf3dabb13caab54035f096adb800fb9864f9cf5204
Opcode Fuzzy Hash: 36d1e56f376e79eedabd549641c2eb8997198b003f95cc85d040dbd04b1bda97
Instruction Fuzzy Hash: 89113A31600B419FD330CF26E884B62B7F9EF45764F10C92EE4AA86A50D7B0E945CB60

Function 00B04A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00B04AD6

Part of subcall function 00B08D68: __getptd_noexit.LIBCMT ref: 00B08D68

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 82b1d9e7e24c3793ff77397505ec8982168e9efa72c6811d53ba04adf5d5440b
Instruction ID: 946cbbb8ddc9db0d1e48c7e92a275352a854e9ed8ea63a5fbd709a023dfc4ab2
Opcode Fuzzy Hash: 82b1d9e7e24c3793ff77397505ec8982168e9efa72c6811d53ba04adf5d5440b
Instruction Fuzzy Hash: E4F0AFB1A40209ABDF61BF74CC0679F3EE1AF00365F1486A4B524AA1E1CB788A60DF51

Function 00AE4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00BA62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AE4FDE

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 809218ad23ed75bf9d30338612bd28d901d65f83562150fab30da25aa507f792
Instruction ID: e2fc37621e51793400949837d80ed4ae390a149876ac808e49e9404bc85e4117
Opcode Fuzzy Hash: 809218ad23ed75bf9d30338612bd28d901d65f83562150fab30da25aa507f792
Instruction Fuzzy Hash: 5FF03071109B52CFC7349F65E494912BBF9BF18B253208A7EE1D682A10C7719840DF50

Function 00B009D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B009F4

Part of subcall function 00AE7D2C: _memmove.LIBCMT ref: 00AE7D66

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: f7bc74d09aa4e205da2fd2ad4b22d59d7591cbac0a226fe651284fb95cac289a
Instruction ID: 320490204bc047009e6547c9fe1f9538ae0ec258e3e4c94a412027262746949e
Opcode Fuzzy Hash: f7bc74d09aa4e205da2fd2ad4b22d59d7591cbac0a226fe651284fb95cac289a
Instruction Fuzzy Hash: B0E0867690422857C720D65C9C05FFA77EDDF88690F0401B5FD0CD7248D9A49C818A90

Function 00B49129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00B4914B

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: c8c33fdef82b5da319073cdaf454adc145f37396cc8b3c95d92ef051d350ebfc
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 6FE092B0104B005FD7348A24D8107E377E0EB06315F00085DF69A93341EB6278419B59

Function 00AE5DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00B1E16B,?,?,00000000), ref: 00AE5DBF

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 454f2f9317dfc8c17f19390df74458fddb91ad548376ff1c547c326f7b889ff7
Instruction ID: cf7013f60bf05623e84819d8179b5942a3d67e8e114dec55d6660bbe705eb09e
Opcode Fuzzy Hash: 454f2f9317dfc8c17f19390df74458fddb91ad548376ff1c547c326f7b889ff7
Instruction Fuzzy Hash: E1D0C77464420CBFE710DB80DC46FA9777CD705710F100194FD0467290D6F27D508795

Function 00B0548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00B05496

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 4227a6a2070449e2852e7afb99fa5cc7c4cabc0b4e2ca818ff8b1a51092e6f48
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 72B09B7544010C77DE111D42EC02A593F595740674F404050FB0C18561957395605585

Function 00B4D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00B4D46A

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: eefb7da937f9f801c95c282f4863ad2ee50f91c783e34bcd1ad49a9d70748d64
Instruction ID: 1eab777101bd45e6c868df2901f0f788a2ef893009d2aa99a83cc02aec55618f
Opcode Fuzzy Hash: eefb7da937f9f801c95c282f4863ad2ee50f91c783e34bcd1ad49a9d70748d64
Instruction Fuzzy Hash: 72715E306043428FC714EF29D591A6EB7E0EF88354F0449ADF4968B3A2DB70EA45DB52

Function 00B00E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00B00EF7

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 4cf513f2966df6617bfcd4d2536444bcbc925934f749392e46791c5037d7a228
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: EB31A271A10106DBC718EF58D480A69FBE6FF59300F648AE5E409DB692DB31EDC1DB80

Function 00C12300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00C12311

Memory Dump Source

Source File: 00000000.00000002.2000430294.0000000000C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_2aFb7hE00o.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 3123577294b0932fd087147d238e8fa7f8310f485c4ff3f9fee5b00a498f2764
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 76E0E67494010DDFDB00EFF4D5496DE7FB4EF04301F500561FD01D2280D6309D609A62

Non-executed Functions

Function 00B6CDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE2612: GetWindowLongW.USER32(?,000000EB), ref: 00AE2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00B6CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B6CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00B6CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B6CF00
SendMessageW.USER32 ref: 00B6CF29
_wcsncpy.LIBCMT ref: 00B6CFA1
GetKeyState.USER32(00000011), ref: 00B6CFC2
GetKeyState.USER32(00000009), ref: 00B6CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B6CFE5
GetKeyState.USER32(00000010), ref: 00B6CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B6D018
SendMessageW.USER32 ref: 00B6D03F
SendMessageW.USER32(?,00001030,?,00B6B602), ref: 00B6D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00B6D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B6D16E
SetCapture.USER32(?), ref: 00B6D177
ClientToScreen.USER32(?,?), ref: 00B6D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B6D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B6D203
ReleaseCapture.USER32 ref: 00B6D20E
GetCursorPos.USER32(?), ref: 00B6D248
ScreenToClient.USER32(?,?), ref: 00B6D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B6D2B1
SendMessageW.USER32 ref: 00B6D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B6D31C
SendMessageW.USER32 ref: 00B6D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B6D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B6D37B
GetCursorPos.USER32(?), ref: 00B6D39B
ScreenToClient.USER32(?,?), ref: 00B6D3A8
GetParent.USER32(?), ref: 00B6D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B6D431
SendMessageW.USER32 ref: 00B6D462
ClientToScreen.USER32(?,?), ref: 00B6D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B6D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B6D51A
SendMessageW.USER32 ref: 00B6D53D
ClientToScreen.USER32(?,?), ref: 00B6D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B6D5C3

Part of subcall function 00AE25DB: GetWindowLongW.USER32(?,000000EB), ref: 00AE25EC

GetWindowLongW.USER32(?,000000F0), ref: 00B6D65F

Strings

F, xrefs: 00B6D543
@GUI_DRAGID, xrefs: 00B6D1AA

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: f90dce9ed6bc4a59015719d6ddfb950ba4c50e39b123ffb41f6658dee17f71c0
Instruction ID: 65cac0c14c62787391df788a195744a092995d3958f239bdba3aade39e5d4809
Opcode Fuzzy Hash: f90dce9ed6bc4a59015719d6ddfb950ba4c50e39b123ffb41f6658dee17f71c0
Instruction Fuzzy Hash: 96429E71604241AFD721CF28C884FBABFF5FF49314F144599F6A5872A0CB7AA854CB92

Function 00B6804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00B6873F

Strings

%d/%02d/%02d, xrefs: 00B68478

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 86e24a525e55c61871ef9da6037fb6bba9684af01586a1e26c32ff2232e0eac6
Instruction ID: 0e257614d2dce70860726b26937c08bd4f850c6768891e7469ef8cce725e00ba
Opcode Fuzzy Hash: 86e24a525e55c61871ef9da6037fb6bba9684af01586a1e26c32ff2232e0eac6
Instruction Fuzzy Hash: 8912A371500245ABEB259F24DC89FBA7BF8EF45710F2442A9F516EB2E1DF788941CB10

Function 00AF710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AF75C2
_memset.LIBCMT ref: 00AF76B1
_memmove.LIBCMT ref: 00AF7C4B
_memmove.LIBCMT ref: 00AF7E4F

Strings

\b(?=\w), xrefs: 00B33C34
\b(?<=\w), xrefs: 00B33C41
DEFINE, xrefs: 00B325AF
[:>:]], xrefs: 00AF760A
Q\E, xrefs: 00AF81C1
[:<:]], xrefs: 00AF75F1

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 12a06636054fb3e1595841aba06b638b809985cb0325eee89822a5703444d4e6
Instruction ID: b30f73090db143864d6ee2929e4a0b3e8edc62ebc43d98b9174319b2bb2015b1
Opcode Fuzzy Hash: 12a06636054fb3e1595841aba06b638b809985cb0325eee89822a5703444d4e6
Instruction Fuzzy Hash: 90938075A04219DBDB24CF98C881BBDB7F1FF48710F3581AAE955AB290E7749E81CB40

Function 00AE4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00AE4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B1DA8E
IsIconic.USER32(?), ref: 00B1DA97
ShowWindow.USER32(?,00000009), ref: 00B1DAA4
SetForegroundWindow.USER32(?), ref: 00B1DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B1DAC4
GetCurrentThreadId.KERNEL32 ref: 00B1DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B1DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B1DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B1DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00B1DAF8
SetForegroundWindow.USER32(?), ref: 00B1DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B1DB10
keybd_event.USER32(00000012,00000000), ref: 00B1DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B1DB25
keybd_event.USER32(00000012,00000000), ref: 00B1DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B1DB33
keybd_event.USER32(00000012,00000000), ref: 00B1DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B1DB42
keybd_event.USER32(00000012,00000000), ref: 00B1DB47
SetForegroundWindow.USER32(?), ref: 00B1DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00B1DB71

Strings

Shell_TrayWnd, xrefs: 00B1DA89

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 5170c2ad6c57b49d2be9e78baf10946d87bb92fb4e23be8c0624ef5dd727efd7
Instruction ID: ff32f942eb13787e8233a80b8d45891b77ca7824a4536b2d26283097e7bad926
Opcode Fuzzy Hash: 5170c2ad6c57b49d2be9e78baf10946d87bb92fb4e23be8c0624ef5dd727efd7
Instruction Fuzzy Hash: 27318571A44318BBEB206FA1AC49FBF3EACEB44B50F114075FA05E71D0CAB45D40EAA5

Function 00B38858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00B38CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B38D0D
Part of subcall function 00B38CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B38D3A
Part of subcall function 00B38CC3: GetLastError.KERNEL32 ref: 00B38D47

_memset.LIBCMT ref: 00B3889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00B388ED
CloseHandle.KERNEL32(?), ref: 00B388FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00B38915
GetProcessWindowStation.USER32 ref: 00B3892E
SetProcessWindowStation.USER32(00000000), ref: 00B38938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00B38952

Part of subcall function 00B38713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B38851), ref: 00B38728
Part of subcall function 00B38713: CloseHandle.KERNEL32(?,?,00B38851), ref: 00B3873A

Strings

default, xrefs: 00B3894D
, xrefs: 00B388AA
winsta0, xrefs: 00B38910

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 095ea7e0d0d9bed84fe8ba586eba65cdf02152756d8eeeccf4548c8bc775408b
Instruction ID: 13072239118e9e7f40ab46139530411afb88974499c6e7c5a234319a87411c61
Opcode Fuzzy Hash: 095ea7e0d0d9bed84fe8ba586eba65cdf02152756d8eeeccf4548c8bc775408b
Instruction Fuzzy Hash: BB812971900309AFDF11DFA4EC45AEE7BB8EF04304F2841AAF910A62A1DF759E15DB61

Function 00B5425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00B6F910), ref: 00B54284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00B54292
GetClipboardData.USER32(0000000D), ref: 00B5429A
CloseClipboard.USER32 ref: 00B542A6
GlobalLock.KERNEL32(00000000), ref: 00B542C2
CloseClipboard.USER32 ref: 00B542CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00B542E1
IsClipboardFormatAvailable.USER32(00000001), ref: 00B542EE
GetClipboardData.USER32(00000001), ref: 00B542F6
GlobalLock.KERNEL32(00000000), ref: 00B54303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00B54337
CloseClipboard.USER32 ref: 00B54447

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: f898e9366878403de37825acb01d62df2fc7d8a50d5d41cc2854f5d85708eb03
Instruction ID: 4eb40aedcb5f46c42897ec9f7f58ac33aa571aeaa9046412a2ee294fb4a95d1f
Opcode Fuzzy Hash: f898e9366878403de37825acb01d62df2fc7d8a50d5d41cc2854f5d85708eb03
Instruction Fuzzy Hash: 54518B31204302ABD300AB61ED96F7F77A8AF84B05F1045A9F956D32E1DFB499488A62

Function 00B4C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B4C9F8
FindClose.KERNEL32(00000000), ref: 00B4CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B4CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B4CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B4CAAF
__swprintf.LIBCMT ref: 00B4CAFB
__swprintf.LIBCMT ref: 00B4CB3E

Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82

__swprintf.LIBCMT ref: 00B4CB92

Part of subcall function 00B038D8: __woutput_l.LIBCMT ref: 00B03931

__swprintf.LIBCMT ref: 00B4CBE0

Part of subcall function 00B038D8: __flsbuf.LIBCMT ref: 00B03953
Part of subcall function 00B038D8: __flsbuf.LIBCMT ref: 00B0396B

__swprintf.LIBCMT ref: 00B4CC2F
__swprintf.LIBCMT ref: 00B4CC7E
__swprintf.LIBCMT ref: 00B4CCCD

Strings

%02d, xrefs: 00B4CB86, 00B4CB90, 00B4CBDE, 00B4CC2D, 00B4CC7C, 00B4CCCB
%4d, xrefs: 00B4CB38
%4d%02d%02d%02d%02d%02d, xrefs: 00B4CAF5

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 9741411f5301c26759654b053e555f8ad318b8fd8322a8134a246c35ba02fa4c
Instruction ID: 78910b52f230c9537afdbd0c2625c825374ea909d374181bbab965a3a9b50e0b
Opcode Fuzzy Hash: 9741411f5301c26759654b053e555f8ad318b8fd8322a8134a246c35ba02fa4c
Instruction Fuzzy Hash: 0EA14CB2508345ABC700EB65C986DAFB7ECFF94704F40496DF586C7191EA74DA08CB62

Function 00B4F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00B4F221
_wcscmp.LIBCMT ref: 00B4F236
_wcscmp.LIBCMT ref: 00B4F24D
GetFileAttributesW.KERNEL32(?), ref: 00B4F25F
SetFileAttributesW.KERNEL32(?,?), ref: 00B4F279
FindNextFileW.KERNEL32(00000000,?), ref: 00B4F291
FindClose.KERNEL32(00000000), ref: 00B4F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 00B4F2B8
_wcscmp.LIBCMT ref: 00B4F2DF
_wcscmp.LIBCMT ref: 00B4F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 00B4F308
SetCurrentDirectoryW.KERNEL32(00B9A5A0), ref: 00B4F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B4F330
FindClose.KERNEL32(00000000), ref: 00B4F33D
FindClose.KERNEL32(00000000), ref: 00B4F34F

Strings

*.*, xrefs: 00B4F2B3

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 304922502741d2ae5afb325700ef7a18d4165bbc340aa0600bcc9c2bd780b665
Instruction ID: 30c41afcefcd2f3c8537e6fbd5529891706f8ce6539c0399842c92e57e236d01
Opcode Fuzzy Hash: 304922502741d2ae5afb325700ef7a18d4165bbc340aa0600bcc9c2bd780b665
Instruction Fuzzy Hash: 8B31AE7660121A6ADB10DFA4EC98AFE77ECEF08360F1401B6F814D30A0EB74DB459A64

Function 00B60AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B60BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00B6F910,00000000,?,00000000,?,?), ref: 00B60C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00B60C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00B60D1D
RegCloseKey.ADVAPI32(?), ref: 00B6103D
RegCloseKey.ADVAPI32(00000000), ref: 00B6104A

Strings

REG_EXPAND_SZ, xrefs: 00B60CBA
REG_SZ, xrefs: 00B60D5B
REG_DWORD, xrefs: 00B60F0E
REG_BINARY, xrefs: 00B60FD8
REG_MULTI_SZ, xrefs: 00B60E05
REG_QWORD, xrefs: 00B60F8B

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 1f4a2a8e6bdbf53fe162be1494d86b2505f96cfe4eef5433260c369c625de8d2
Instruction ID: fe340a4c3aa5d18d012c6033b2b4562b1ee7bd422a8f546f61f41ed3a8c0b548
Opcode Fuzzy Hash: 1f4a2a8e6bdbf53fe162be1494d86b2505f96cfe4eef5433260c369c625de8d2
Instruction Fuzzy Hash: 92025C756006519FCB14EF19C995E2AB7E5FF88714F04889DF88A9B3A2CB34ED41CB81

Function 00B4F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00B4F37E
_wcscmp.LIBCMT ref: 00B4F393
_wcscmp.LIBCMT ref: 00B4F3AA

Part of subcall function 00B445C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B445DC

FindNextFileW.KERNEL32(00000000,?), ref: 00B4F3D9
FindClose.KERNEL32(00000000), ref: 00B4F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 00B4F400
_wcscmp.LIBCMT ref: 00B4F427
_wcscmp.LIBCMT ref: 00B4F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 00B4F450
SetCurrentDirectoryW.KERNEL32(00B9A5A0), ref: 00B4F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B4F478
FindClose.KERNEL32(00000000), ref: 00B4F485
FindClose.KERNEL32(00000000), ref: 00B4F497

Strings

*.*, xrefs: 00B4F3FB

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 2e918d395205c9884b0016fb77a050917a68dedcb236074f4e10a4e331923988
Instruction ID: d625a27210f19aa149cba2fde3ca8f08d449c8d6eb5072a8b081ee3b479c6ef8
Opcode Fuzzy Hash: 2e918d395205c9884b0016fb77a050917a68dedcb236074f4e10a4e331923988
Instruction Fuzzy Hash: FA319E7660121A6ACF10AFA4EC98AFE77ECDF49360F1401F6E854A31A0DB74DF44DA64

Function 00B381F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B38766
Part of subcall function 00B3874A: GetLastError.KERNEL32(?,00B3822A,?,?,?), ref: 00B38770
Part of subcall function 00B3874A: GetProcessHeap.KERNEL32(00000008,?,?,00B3822A,?,?,?), ref: 00B3877F
Part of subcall function 00B3874A: HeapAlloc.KERNEL32(00000000,?,00B3822A,?,?,?), ref: 00B38786
Part of subcall function 00B3874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B3879D

Part of subcall function 00B387E7: GetProcessHeap.KERNEL32(00000008,00B38240,00000000,00000000,?,00B38240,?), ref: 00B387F3
Part of subcall function 00B387E7: HeapAlloc.KERNEL32(00000000,?,00B38240,?), ref: 00B387FA
Part of subcall function 00B387E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00B38240,?), ref: 00B3880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B3825B
_memset.LIBCMT ref: 00B38270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B3828F
GetLengthSid.ADVAPI32(?), ref: 00B382A0
GetAce.ADVAPI32(?,00000000,?), ref: 00B382DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B382F9
GetLengthSid.ADVAPI32(?), ref: 00B38316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00B38325
HeapAlloc.KERNEL32(00000000), ref: 00B3832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B3834D
CopySid.ADVAPI32(00000000), ref: 00B38354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B38385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B383AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B383BF

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: a72e9ef52b2e8cf014b41e543ba2992c544599d1672a5365134801e1a30423fc
Instruction ID: e409a53058b39dc83f745b6b45379fdc6c407f6401ab81ecde8a017d8f3b50d7
Opcode Fuzzy Hash: a72e9ef52b2e8cf014b41e543ba2992c544599d1672a5365134801e1a30423fc
Instruction Fuzzy Hash: 9C61677190020AEFCF009FA4DC85AEEBBB9FF04700F2481A9F815A7291DF759A05CB61

Function 00AF6843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

CR), xrefs: 00B316C0
LIMIT_MATCH=, xrefs: 00B315A9
LF), xrefs: 00B316DD
LIMIT_RECURSION=, xrefs: 00B31635
ANY), xrefs: 00B31717
UTF16), xrefs: 00B31508
NO_AUTO_POSSESS), xrefs: 00B31567
NO_START_OPT), xrefs: 00B31588
CRLF), xrefs: 00B316FA
UCP), xrefs: 00B31546
BSR_ANYCRLF), xrefs: 00B31757
UTF), xrefs: 00B31533
ANYCRLF), xrefs: 00B31734
BSR_UNICODE), xrefs: 00B31771

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: b9df19ff244a47d86ce8a1f35f37d48de0e0a94bf7af0538aa7deea186774f10
Instruction ID: ce58ecf6435fd65798b4fbdf4c87ca66859ae5b7ac1160664f0070a2bec5bd3e
Opcode Fuzzy Hash: b9df19ff244a47d86ce8a1f35f37d48de0e0a94bf7af0538aa7deea186774f10
Instruction Fuzzy Hash: CB724F75E00219DBDB24CF99C8807BEB7F5EF48710F2485AAE949EB290DB749D41CB90

Function 00B60665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B610A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B60038,?,?), ref: 00B610BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B60737

Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B607D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B6086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00B60AAD
RegCloseKey.ADVAPI32(00000000), ref: 00B60ABA

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 5ed7f46c92d4a2791e8923c890a1e231d843d61a67aa896f7be7ef75678e198f
Instruction ID: 4e42b0f4e9680103ec59ecc9dd1384e1e1c3622b0eaff45c989d6beb9dfba27d
Opcode Fuzzy Hash: 5ed7f46c92d4a2791e8923c890a1e231d843d61a67aa896f7be7ef75678e198f
Instruction Fuzzy Hash: 27E14C31214300AFCB14EF69C991E2BBBE4EF89714B0489ADF449DB2A2DA34ED01CB51

Function 00B40219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B40241
GetAsyncKeyState.USER32(000000A0), ref: 00B402C2
GetKeyState.USER32(000000A0), ref: 00B402DD
GetAsyncKeyState.USER32(000000A1), ref: 00B402F7
GetKeyState.USER32(000000A1), ref: 00B4030C
GetAsyncKeyState.USER32(00000011), ref: 00B40324
GetKeyState.USER32(00000011), ref: 00B40336
GetAsyncKeyState.USER32(00000012), ref: 00B4034E
GetKeyState.USER32(00000012), ref: 00B40360
GetAsyncKeyState.USER32(0000005B), ref: 00B40378
GetKeyState.USER32(0000005B), ref: 00B4038A

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 38ad4801283ba3f87ce408c8cdf687482f76c4e970ce21b9520a8930396762a7
Instruction ID: dc7781b43d97bc336f251fcb0941193f8b2d7bc77d067644f499a73ce5d216f7
Opcode Fuzzy Hash: 38ad4801283ba3f87ce408c8cdf687482f76c4e970ce21b9520a8930396762a7
Instruction Fuzzy Hash: 894186245247CA6AFF31AA6494083B5BEE0EB15340F0840DEDBC6471C2DBF45EC4AB96

Function 00B586D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C

CoInitialize.OLE32 ref: 00B58718
CoUninitialize.OLE32 ref: 00B58723
CoCreateInstance.OLE32(?,00000000,00000017,00B72BEC,?), ref: 00B58783
IIDFromString.OLE32(?,?), ref: 00B587F6
VariantInit.OLEAUT32(?), ref: 00B58890
VariantClear.OLEAUT32(?), ref: 00B588F1

Strings

NULL Pointer assignment, xrefs: 00B587C8
Failed to create object, xrefs: 00B5878E, 00B58844
Invalid parameter, xrefs: 00B5880F

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: bc9ca5b7e2251db28c4c011cdd3aa810c4b3d1e0643f2deaa4481ee7bc8848c8
Instruction ID: eebf28eb56807c07eec2e675ff71ffe0bf76c60aa337a62a73f8ace6d6b56754
Opcode Fuzzy Hash: bc9ca5b7e2251db28c4c011cdd3aa810c4b3d1e0643f2deaa4481ee7bc8848c8
Instruction Fuzzy Hash: FC61AE70608311AFD710DF24D985B6BBBE4EF48715F1048D9F985AB2A1DB70ED48CB92

Function 00B54458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00B5447F
EmptyClipboard.USER32 ref: 00B54485
GlobalAlloc.KERNEL32(00000002,?), ref: 00B5449A
CloseClipboard.USER32 ref: 00B54539

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: e21b9910a31993ffcad6f8ddf9062de7445f3a27b67b31bc8db5ffa971775d61
Instruction ID: 3a130e30acaca082cc651d331f3ec104e600c9f5b4163d706c59309547261037
Opcode Fuzzy Hash: e21b9910a31993ffcad6f8ddf9062de7445f3a27b67b31bc8db5ffa971775d61
Instruction Fuzzy Hash: FD218B75200211AFDB10AF24EC49B7A7BA8EF54715F1080AAF906DB2B1DFB8AD01CB54

Function 00B43A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AE48A1,?,?,00AE37C0,?), ref: 00AE48CE

Part of subcall function 00B44CD3: GetFileAttributesW.KERNEL32(?,00B43947), ref: 00B44CD4

FindFirstFileW.KERNEL32(?,?), ref: 00B43ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00B43B87
MoveFileW.KERNEL32(?,?), ref: 00B43B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00B43BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B43BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00B43BF5

Strings

\*.*, xrefs: 00B43A8A, 00B43A93, 00B43AA8

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 6d6c189dd39b21cfdb1813640c1bf6c7f36ad5d92bd82c5db156aeb2426d6d6e
Instruction ID: 0811391f1ac8d0b6852d6bdeb1bbe0840d0e1c7f47135dce6176a8d62bb77d79
Opcode Fuzzy Hash: 6d6c189dd39b21cfdb1813640c1bf6c7f36ad5d92bd82c5db156aeb2426d6d6e
Instruction Fuzzy Hash: B95181318052899ACF05EBA1DE929FDB7F9EF14300F6841A9E44177092DF716F09DBA0

Function 00B4F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00B4F6AB
Sleep.KERNEL32(0000000A), ref: 00B4F6DB
_wcscmp.LIBCMT ref: 00B4F6EF
_wcscmp.LIBCMT ref: 00B4F70A
FindNextFileW.KERNEL32(?,?), ref: 00B4F7A8
FindClose.KERNEL32(00000000), ref: 00B4F7BE

Strings

*.*, xrefs: 00B4F690

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: b9e289992d2361e0ff8ef72dd516eeab236bb778fa764417ef56b8a06bad61ed
Instruction ID: e6555ed2c742430b362e2fb6d2f3cd140ae1ed92e01d009a7dbb84e0cdc8647b
Opcode Fuzzy Hash: b9e289992d2361e0ff8ef72dd516eeab236bb778fa764417ef56b8a06bad61ed
Instruction Fuzzy Hash: 59417C7190021AABDF11DF64CC99AFEBBF4FF05310F1445A6E815A31A0EB349E44DBA0

Function 00AF4140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00B27B0C
VUUU, xrefs: 00AF4520
ERCP, xrefs: 00AF421F
VUUU, xrefs: 00AF44DB
VUUU, xrefs: 00AF44ED

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: ba1ddd1f58d267ec2022cc5cdb8f77956ca1d82a07f182cf0c6251b2210d65d1
Instruction ID: 525e2fb9a3f6463f1f92c95c488aff14dc5e759b83c954168e010f0aad0b15f0
Opcode Fuzzy Hash: ba1ddd1f58d267ec2022cc5cdb8f77956ca1d82a07f182cf0c6251b2210d65d1
Instruction Fuzzy Hash: 78A28270E0422E8BDF24DF98D9907BEB7B1FB58314F1481A9E959A7280DB709E81CF54

Function 00AF58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AF5A05
_memmove.LIBCMT ref: 00AF5A55
_memmove.LIBCMT ref: 00AF5ABB

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 5bb5102c595640636ffc42ed117a89809615f9198e848aa94a4bafe78db52f49
Instruction ID: d79fe40681273bbeb39ac30e2527f74e4f57d13c41bf1b2c49976e6701bc6508
Opcode Fuzzy Hash: 5bb5102c595640636ffc42ed117a89809615f9198e848aa94a4bafe78db52f49
Instruction Fuzzy Hash: A612A970E00609DFDF14DFA5DA81AAEB7F5FF48300F2086A9E546A7291EB35AD11CB50

Function 00B4545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00B38CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B38D0D
Part of subcall function 00B38CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B38D3A
Part of subcall function 00B38CC3: GetLastError.KERNEL32 ref: 00B38D47

ExitWindowsEx.USER32(?,00000000), ref: 00B4549B

Strings

, xrefs: 00B45489
SeShutdownPrivilege, xrefs: 00B4546B
@, xrefs: 00B4548E

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: d2f2e1aff8325b3be8c7fa197043a6930212bf7edaac451a5c02a22d9c4f8032
Instruction ID: 4ae29cfe83678b64cb6dd8b6e68898145f027ff2f9295f78782b461f5383bc57
Opcode Fuzzy Hash: d2f2e1aff8325b3be8c7fa197043a6930212bf7edaac451a5c02a22d9c4f8032
Instruction Fuzzy Hash: 67014771655F026BF7385674EC8ABBA72D8EB00752F3400B0FC07DA2D7DA940E80A190

Function 00B56596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B565EF
WSAGetLastError.WSOCK32(00000000), ref: 00B565FE
bind.WSOCK32(00000000,?,00000010), ref: 00B5661A
listen.WSOCK32(00000000,00000005), ref: 00B56629
WSAGetLastError.WSOCK32(00000000), ref: 00B56643
closesocket.WSOCK32(00000000,00000000), ref: 00B56657

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: d14097267aae753fbbd42e05797c5c65be832c7a236d5047661200c769892307
Instruction ID: 7e1871b0021f749f2f6a9e987ca69a3b63ce8408ca8cb3a903243f336d9fc4be
Opcode Fuzzy Hash: d14097267aae753fbbd42e05797c5c65be832c7a236d5047661200c769892307
Instruction Fuzzy Hash: 04219C30600205AFCB10AF24D985B7EB7E9EF48321F2481A9E95AE73E1CB74AD058B51

Function 00AF5680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00B00FF6: std::exception::exception.LIBCMT ref: 00B0102C
Part of subcall function 00B00FF6: __CxxThrowException@8.LIBCMT ref: 00B01041

_memmove.LIBCMT ref: 00B3062F
_memmove.LIBCMT ref: 00B30744
_memmove.LIBCMT ref: 00B307EB

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 9fe73ad271aa36dd78b8f654821308dc7d5b12958fd60b29ce7445b83defad47
Instruction ID: 46339b1878b10055f329f3c01235c93c025f4dd2eef784f3a78df14d7d220eae
Opcode Fuzzy Hash: 9fe73ad271aa36dd78b8f654821308dc7d5b12958fd60b29ce7445b83defad47
Instruction Fuzzy Hash: 48029F70E10209DBDF04EF69D991ABEBBF5EF44340F2480A9E906DB295EB31D950CB91

Function 00AE1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00AE2612: GetWindowLongW.USER32(?,000000EB), ref: 00AE2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00AE19FA
GetSysColor.USER32(0000000F), ref: 00AE1A4E
SetBkColor.GDI32(?,00000000), ref: 00AE1A61

Part of subcall function 00AE1290: DefDlgProcW.USER32(?,00000020,?), ref: 00AE12D8

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 61f929ac3844103562d9440a3c3306744ccecf317f3f151b7ee56c85beb677ef
Instruction ID: c8a75b7f7fddd88aeafd32650ffa1e728f3aece99a85d87d8beeae0e8fd98b7f
Opcode Fuzzy Hash: 61f929ac3844103562d9440a3c3306744ccecf317f3f151b7ee56c85beb677ef
Instruction Fuzzy Hash: 2CA16BB11055E4BED638AB2B8C65DBF3AEDDB463C1B54016AF402D7192CE388D4192B2

Function 00B56A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B580A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B580CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00B56AB1
WSAGetLastError.WSOCK32(00000000), ref: 00B56ADA
bind.WSOCK32(00000000,?,00000010), ref: 00B56B13
WSAGetLastError.WSOCK32(00000000), ref: 00B56B20
closesocket.WSOCK32(00000000,00000000), ref: 00B56B34

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 669417a18f2e989d4bd0d93574cb89b41faeb009076cde0bb772baaa4cae77a5
Instruction ID: a9ef05d4570496d82386d5a1bfe76f49563356f6ea61d8d95af4c2ee85584652
Opcode Fuzzy Hash: 669417a18f2e989d4bd0d93574cb89b41faeb009076cde0bb772baaa4cae77a5
Instruction Fuzzy Hash: 6F419175600310AFEB10AF25DD86F7E77E9DF48710F448098F91AAB2D2DA749D018791

Function 00B655FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00B6564C
IsWindowEnabled.USER32 ref: 00B6565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00B65667
IsIconic.USER32 ref: 00B65675
IsZoomed.USER32 ref: 00B65683

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 26043a18fe4214e4ea268eae4cba57a753112712decaed2278132f55dc0570dc
Instruction ID: f78980bf824e7691dfb7d4d9051519ad65635514184838bf8d2658ae7a7ecf73
Opcode Fuzzy Hash: 26043a18fe4214e4ea268eae4cba57a753112712decaed2278132f55dc0570dc
Instruction Fuzzy Hash: 5F11BF72700A126FE7211F26EC44A2BBBD8FF54761F808079E806D7281CB789D12CAA5

Function 00B5C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B21D88,?), ref: 00B5C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00B5C324

Strings

GetSystemWow64DirectoryW, xrefs: 00B5C31E
kernel32.dll, xrefs: 00B5C30D

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: dc0eaa46ba2672ccddf7eef5e8fdd20e218d4e2f093471e2270aa2f6bdb62f86
Instruction ID: 3972f8460fe3ffe576ff49e95fad66f89486b62e221c004ac068028aee4b5b04
Opcode Fuzzy Hash: dc0eaa46ba2672ccddf7eef5e8fdd20e218d4e2f093471e2270aa2f6bdb62f86
Instruction Fuzzy Hash: 50E0EC74600717CFDB205F25E804B967AD4EF09756B80C4F9E895D32A0EBB8D884CA60

Function 00AF3190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: dfcafce7ae9e7c6a122cc4102b3fe4d21f88de4eae9f5bc722a75e66c3061d50
Instruction ID: 231df25e9fe22c5cb492ba1d8adf6dae118d75b4b6313c453b7423a6cefd34c1
Opcode Fuzzy Hash: dfcafce7ae9e7c6a122cc4102b3fe4d21f88de4eae9f5bc722a75e66c3061d50
Instruction Fuzzy Hash: C8229B726083559FCB24DF64C981B6FB7E4EF84700F10492DFA9A97291DB70EA04CB92

Function 00B5F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B5F151
Process32FirstW.KERNEL32(00000000,?), ref: 00B5F15F

Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82

Process32NextW.KERNEL32(00000000,?), ref: 00B5F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00B5F22E

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 9486965fa1cb61fa560d57ae55ea3ab289682027e0a7024385b0a3a06cddf908
Instruction ID: a82f2abe06efe1c060b56b92903c5131af5e54365ad7d32553bebbc34a79c280
Opcode Fuzzy Hash: 9486965fa1cb61fa560d57ae55ea3ab289682027e0a7024385b0a3a06cddf908
Instruction Fuzzy Hash: EB518DB15083419FD310EF25DC85E6BBBE8FF88750F10486DF995972A1EB70A908CB92

Function 00B440B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00B440D1
_memset.LIBCMT ref: 00B440F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00B44144
CloseHandle.KERNEL32(00000000), ref: 00B4414D

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: e5aadeeacb51f96e2e8d95ea66971850016fddf9a5867ee31a83b13a805f96b0
Instruction ID: 4d0454e6ce2a3ab05065e4344af89a80c493d8269720c703f616e7428245231d
Opcode Fuzzy Hash: e5aadeeacb51f96e2e8d95ea66971850016fddf9a5867ee31a83b13a805f96b0
Instruction Fuzzy Hash: DE11AB759012287AD7305BA5AC4DFABBBBCEF45760F1041D6F908E72C0D6744F908BA4

Function 00B3EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00B3EB19

Strings

|, xrefs: 00B3EB49
(, xrefs: 00B3EB5F

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: bb17214e9d28ca39538813a8fd4014f5629dce74874d42557b720f16f0daf869
Instruction ID: 0d1bf0a27259300be2e003d64ca50403b264e189fc1be478fcf2fca91b29ad98
Opcode Fuzzy Hash: bb17214e9d28ca39538813a8fd4014f5629dce74874d42557b720f16f0daf869
Instruction Fuzzy Hash: B2321575A006059FDB28CF19C481A6AB7F1FF48310F25C5AEE4AADB3A1E770E941CB40

Function 00B525E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00B526D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00B5270C

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 1b9e6477971efc2a0be13991e0c195de83517fb12af7bc12491bb26bb0ac720f
Instruction ID: 2d532b4edb577941cbdee74497e04e1a090f120be2d39b70d9d31f94681b4397
Opcode Fuzzy Hash: 1b9e6477971efc2a0be13991e0c195de83517fb12af7bc12491bb26bb0ac720f
Instruction Fuzzy Hash: C241C771501209BFEB20DB54DCC5FBB77FCEB45716F1040EAFE01A6180EA719D499A50

Function 00B4B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B4B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B4B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00B4B655

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 0d046defc5bf54d7c78232eaa632f9b219d7e418d30427402b59d4a3a01ecfe8
Instruction ID: 51610623c695c7bdac6b616de2f105ecd46d13a6d315a225c82019aacb8a7d6d
Opcode Fuzzy Hash: 0d046defc5bf54d7c78232eaa632f9b219d7e418d30427402b59d4a3a01ecfe8
Instruction Fuzzy Hash: CF219035A00218EFCB00EF65E880EAEBBF8FF48310F1480A9E905AB351CB319915CF50

Function 00B38CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00B00FF6: std::exception::exception.LIBCMT ref: 00B0102C
Part of subcall function 00B00FF6: __CxxThrowException@8.LIBCMT ref: 00B01041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B38D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B38D3A
GetLastError.KERNEL32 ref: 00B38D47

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: a753b76dd156dfea319c478f29d09891c95321c9479f2443ea12239e7abb174a
Instruction ID: 139a47d4537d2a2d88d75730caf193103370c3ec953c5711d4a74de86077c84d
Opcode Fuzzy Hash: a753b76dd156dfea319c478f29d09891c95321c9479f2443ea12239e7abb174a
Instruction Fuzzy Hash: BB1182B2414305AFD728AF54EC85D7BB7F8EB44710B20856EF45597281EF70AC408A64

Function 00B44C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00B44C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00B44C43
FreeSid.ADVAPI32(?), ref: 00B44C53

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: edb3aa3477e4d592c9fed715cdfd31e62fa9f5b3bf41f6bc136b41566ecd2d4d
Instruction ID: 5b1c1f91aa32c251f33bfdf0c1f89e7fb10d0854cac672c193b9833ca3c93690
Opcode Fuzzy Hash: edb3aa3477e4d592c9fed715cdfd31e62fa9f5b3bf41f6bc136b41566ecd2d4d
Instruction Fuzzy Hash: AFF03775A11209BBDB04DFE0AD89ABEBBB8EB08201F0044A9E901E2181E6B46A048B50

Function 00AEE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a0de0347f2735f136a8fcf3433a37936b2e696018263f6158aee844e405730d
Instruction ID: 8011434dffe465312f29077f6b6dfb3062e81eec63551e03835cfbe3c2494fea
Opcode Fuzzy Hash: 0a0de0347f2735f136a8fcf3433a37936b2e696018263f6158aee844e405730d
Instruction Fuzzy Hash: 0922C170A00256CFDB24DF59D480ABEBBF1FF08300F1485A9E85A9B395E735AD85CB91

Function 00B4C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B4C966
FindClose.KERNEL32(00000000), ref: 00B4C996

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: b7c540672fbf0f85dc2ecba5560b2dedbcbb9515c033c89f175eef7c56ce6ed7
Instruction ID: a7ba629d857a473b163ea66f13a14c6844f55b8707999cd7b1ac6120139d2d9d
Opcode Fuzzy Hash: b7c540672fbf0f85dc2ecba5560b2dedbcbb9515c033c89f175eef7c56ce6ed7
Instruction Fuzzy Hash: B51161726106009FD710EF29D845A2AFBE9FF84324F00855EF8A9D73A1DB74AD01CB81

Function 00B4A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00B5977D,?,00B6FB84,?), ref: 00B4A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00B5977D,?,00B6FB84,?), ref: 00B4A314

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: dfbc3a0ed5d301c97802d9686be93a7e371ed0369ca2eb9ae4203ab4d017af0c
Instruction ID: 0eacea2cd135fd6a8395929735f76c2f5ca774e9267c9c7e197934d01ec4c727
Opcode Fuzzy Hash: dfbc3a0ed5d301c97802d9686be93a7e371ed0369ca2eb9ae4203ab4d017af0c
Instruction Fuzzy Hash: F4F0823554822DABDB109FA4DC48FEA77ADFF08761F0082A5F918D7181EA709A44CBA1

Function 00B38713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B38851), ref: 00B38728
CloseHandle.KERNEL32(?,?,00B38851), ref: 00B3873A

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 52112ca5884e2eb4284e904d8f4955f752e5a9d9f2a0a5c527f18bd53b9fd5df
Instruction ID: 5af2d9f938106afd4ef2c7f936abecee78b2309a026b163d87151c0c4765a039
Opcode Fuzzy Hash: 52112ca5884e2eb4284e904d8f4955f752e5a9d9f2a0a5c527f18bd53b9fd5df
Instruction Fuzzy Hash: D4E0B676014611EEE7252B64FC09D777BE9EB04350B248869F496814B0DBA2AC90DB50

Function 00B0A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00B08F97,?,?,?,00000001), ref: 00B0A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00B0A3A3

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 065a8caed0d7096cbc5e1c4824f02eaf05cc1ec211b83b2ff21fc83e8a82d0ab
Instruction ID: cd7b914dc5b9083b53db049ae4c6fc14d312d75206e483b337b1245b45a576e0
Opcode Fuzzy Hash: 065a8caed0d7096cbc5e1c4824f02eaf05cc1ec211b83b2ff21fc83e8a82d0ab
Instruction Fuzzy Hash: 48B0923105820AABCA002B91FC09BA83F68EB44AA2F404020F70D862A0EFA654508A99

Function 00B0F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07af707e14b5e8cef7a4f970e6b21910381a22d22f8746d0aa420d347fc023aa
Instruction ID: 534c3eab7194cda88d90c10692a4f3de9253285fc67a3c789000bde8e7fcac0e
Opcode Fuzzy Hash: 07af707e14b5e8cef7a4f970e6b21910381a22d22f8746d0aa420d347fc023aa
Instruction Fuzzy Hash: 9632D122E69F424DD7339634D872335A699EFA63C4F15D737E819B6EA6EF2884C34100

Function 00B1267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58430cfc37dc2282771f18c17bfc81ed0ffcd595a0ed1451fbb931165d727e1e
Instruction ID: 6097341b42849f7a14f6be20856f2de49e329beabd26fe3063bdc99f782c59c3
Opcode Fuzzy Hash: 58430cfc37dc2282771f18c17bfc81ed0ffcd595a0ed1451fbb931165d727e1e
Instruction Fuzzy Hash: 8BB1F120D2AF414DD2639A398875336B69CAFFB2C5F92D71BFC1A75D22EB2185C34141

Function 00B48B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00B48B25

Part of subcall function 00B0543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B491F8,00000000,?,?,?,?,00B493A9,00000000,?), ref: 00B05443
Part of subcall function 00B0543A: __aulldiv.LIBCMT ref: 00B05463

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 89c3d7f2bd3044f5cfec347c6a89d6b3d8d198d2677e2ffaf614444ceb8da2de
Instruction ID: 9eff63d6d478d52f28e93c8a15e071c88beeaf440938693011bde94d4a9c7ffc
Opcode Fuzzy Hash: 89c3d7f2bd3044f5cfec347c6a89d6b3d8d198d2677e2ffaf614444ceb8da2de
Instruction Fuzzy Hash: C921E4726395108FC329CF25D841A56B3E1EBA5311F288E6CD0E5CB2D0CE75BD05DB94

Function 00B541FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00B54218

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: ca3c0315c1193d75d1defa856d380787b6af22151adc730a2b69e2baca439c55
Instruction ID: 86f91a206a18cbb4eea474ebef9659b9d9f323cd67e5aab83c84e877622a858b
Opcode Fuzzy Hash: ca3c0315c1193d75d1defa856d380787b6af22151adc730a2b69e2baca439c55
Instruction Fuzzy Hash: AEE04F712502149FC710EF5AE844A9BF7E8EF997A1F008066FC4AC7352DBB1E845CBA0

Function 00B44EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00B44F18

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 064934f8809e8c1b6ead3a3d328576a3ed43ee08a38bfe294dd865928d8559b1
Instruction ID: 7cc34056f94f41af46a5403f45a6b3ebe0afd09c5465b2b36d1da4b96a2f4938
Opcode Fuzzy Hash: 064934f8809e8c1b6ead3a3d328576a3ed43ee08a38bfe294dd865928d8559b1
Instruction Fuzzy Hash: A2D05EB016821538FC184B20AC0FF760188E341781F8449C9720A954C19AE56E38B035

Function 00B38C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00B388D1), ref: 00B38CB3

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 2aab1372eef548beba0fc4ac6e833a4e600d2a5da895062724fe81d1755c5620
Instruction ID: c4486dc37eeef0b98556857207be3b08b23a8d3d2f9ff09391516a597dcfea20
Opcode Fuzzy Hash: 2aab1372eef548beba0fc4ac6e833a4e600d2a5da895062724fe81d1755c5620
Instruction Fuzzy Hash: 31D09E3226450EBBEF019EA4ED05EBE3B69EB04B01F408511FE15D61A1C7B5D935AB60

Function 00B22230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00B22242

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 6030af1aaa8d6e5718a79b01a8e0281d157f11b832da8737a2842541bd9ec0a7
Instruction ID: 4f2dea8ce8885ab2a2cef784252444038021a71ed3d40f34f9a5c9a8de939628
Opcode Fuzzy Hash: 6030af1aaa8d6e5718a79b01a8e0281d157f11b832da8737a2842541bd9ec0a7
Instruction Fuzzy Hash: 1CC04CF1801119DBDB05DF90E988DFE77BCAB04304F104495E105F2140D7749B448A71

Function 00B0A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00B0A36A

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 15df079b6f35f27285f1cc98b342e909a30cc0b7cf61006fc5c45e0c2fa1f62f
Instruction ID: db4957c34b17d180044ab6f8217753857383ebd00bf7d36c99439382fa75fb31
Opcode Fuzzy Hash: 15df079b6f35f27285f1cc98b342e909a30cc0b7cf61006fc5c45e0c2fa1f62f
Instruction Fuzzy Hash: A5A0243000010DF7CF001F41FC044547F5CD7001D07004030F50C41131DF73541045C4

Function 00AF8A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7862f35bb4bb48324af86fca8994ba362d06d6fe1d824c15fef974a4cde99c
Instruction ID: 6c4500da2d8a606f88230cc48886f8f62fe070ecc7455aa50396bb44ebf2dbb0
Opcode Fuzzy Hash: 9d7862f35bb4bb48324af86fca8994ba362d06d6fe1d824c15fef974a4cde99c
Instruction Fuzzy Hash: 81220770605659CBDF388BA4C4D467D77F1EB02344F7544AAFA928B291DB3C9D82CB60

Function 00B02405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: b13b6e4d1fdc45eb3e9a78678d31cb983004fd93f8ad38425a07be535680a3fb
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: B4C1803220519309DB2D473D957813EBEE19AA27F171A0BDDE8B3CB5D5EF20D928D620

Function 00B0283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 09672fc9ef5b61cd007f765ab44240405ce867648844c30e289befda350f0d38
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 82C1833220519309DF6D473D957813EBFE19AA27F131A0BEDE4B2DB5D4EF20D5289620

Function 00B01BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: c8c8b1fea45cdae8b85ceaf68def85ffae7563d2fee4cb0536356e48f7c64b3d
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 3EC16F322091930ADB2D463ED57413EBEE1DAA27F131A0FEDE4B2CB5D4EF20D5649620

Function 00C13680 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2000430294.0000000000C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_2aFb7hE00o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 475869e242e40b0b3f3582096becc54989ef4b8e0621d406b9d76e62429b8256
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: B641B571D1051CEBCF48CFADC991AEEBBF1AF88201F548299D516AB345D730AB41DB90

Function 00C13570 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2000430294.0000000000C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_2aFb7hE00o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 0e317876fb7327a1422cb70830a6d2039a6ea0cc28b8cddf9d693f8182022321
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: E2019278A00109EFCB44DF98C5909AEFBB6FB49314F208599E919A7301D730AF81EB90

Function 00C13510 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2000430294.0000000000C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_2aFb7hE00o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: ef14cc232599b26a8022e49140209cc786bcfcad3af4a6990887f7a36cedfee5
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: F6019278A00149EFCB44DF98C5909AEFBB6FB49714F208599E819A7301D730EF81EB90

Function 00C11ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2000430294.0000000000C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_2aFb7hE00o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00B57B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B57B70
DeleteObject.GDI32(00000000), ref: 00B57B82
DestroyWindow.USER32 ref: 00B57B90
GetDesktopWindow.USER32 ref: 00B57BAA
GetWindowRect.USER32(00000000), ref: 00B57BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00B57CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00B57D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B57D4A
GetClientRect.USER32(00000000,?), ref: 00B57D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B57D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B57DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B57DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B57DD0
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B57DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B57DE8
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B57DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B57DF8
GlobalFree.KERNEL32(00000000), ref: 00B57E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B57E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00B72CAC,00000000), ref: 00B57E2B
GlobalFree.KERNEL32(00000000), ref: 00B57E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00B57E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00B57E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B57EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B5808F

Strings

AutoIt v3, xrefs: 00B57D42
DISPLAY, xrefs: 00B57EF2
, xrefs: 00B58015
static, xrefs: 00B57D8A, 00B57EE1

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 580945c40d9375ac14a92a4963c132523fd95420ce3667a6be43599803389d83
Instruction ID: 3a845b52e49828ea88ea53d8563354a2ad54f4c1720dbacfb3fbc9d33cee1c5e
Opcode Fuzzy Hash: 580945c40d9375ac14a92a4963c132523fd95420ce3667a6be43599803389d83
Instruction Fuzzy Hash: E9028D71A00215EFDB14DF64ED89EAE7BB9FF49311F148198F915AB2A1CB74AD00CB60

Function 00B637F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00B6F910), ref: 00B638AF
IsWindowVisible.USER32(?), ref: 00B638D3

Strings

EDITPASTE, xrefs: 00B63BE7
UNCHECK, xrefs: 00B63B0B
GETCURRENTSELECTION, xrefs: 00B63A6B
ISENABLED, xrefs: 00B638F3
ISVISIBLE, xrefs: 00B638BF
GETCURRENTCOL, xrefs: 00B63BB0
HIDEDROPDOWN, xrefs: 00B63988
SELECTSTRING, xrefs: 00B63A8E
SENDCOMMANDID, xrefs: 00B63C62
FINDSTRING, xrefs: 00B639FE
ADDSTRING, xrefs: 00B6399E
GETCURRENTLINE, xrefs: 00B63B75
SETCURRENTSELECTION, xrefs: 00B63A3E
SHOWDROPDOWN, xrefs: 00B63968
TABLEFT, xrefs: 00B6390F
DELSTRING, xrefs: 00B639D1
ISCHECKED, xrefs: 00B63AC1
GETLINECOUNT, xrefs: 00B63B4E
GETSELECTED, xrefs: 00B63B2B
CURRENTTAB, xrefs: 00B63945
TABRIGHT, xrefs: 00B63925
GETLINE, xrefs: 00B63C23
CHECK, xrefs: 00B63AF5

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 616ddb4f29a1ee9dab28c3d638e08c1477f70d5a615b9d1e00e869a97e054468
Instruction ID: fbae088cdb64db627801e128f100d1c175fa603f89ab4b0dd5793329081e3930
Opcode Fuzzy Hash: 616ddb4f29a1ee9dab28c3d638e08c1477f70d5a615b9d1e00e869a97e054468
Instruction Fuzzy Hash: 8FD17F30218305ABCB14EF11C591A6EBBE1EF94B44F1445E8F8865B3E2CB75EE0ACB51

Function 00B6A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00B6A89F
GetSysColorBrush.USER32(0000000F), ref: 00B6A8D0
GetSysColor.USER32(0000000F), ref: 00B6A8DC
SetBkColor.GDI32(?,000000FF), ref: 00B6A8F6
SelectObject.GDI32(?,?), ref: 00B6A905
InflateRect.USER32(?,000000FF,000000FF), ref: 00B6A930
GetSysColor.USER32(00000010), ref: 00B6A938
CreateSolidBrush.GDI32(00000000), ref: 00B6A93F
FrameRect.USER32(?,?,00000000), ref: 00B6A94E
DeleteObject.GDI32(00000000), ref: 00B6A955
InflateRect.USER32(?,000000FE,000000FE), ref: 00B6A9A0
FillRect.USER32(?,?,?), ref: 00B6A9D2
GetWindowLongW.USER32(?,000000F0), ref: 00B6A9FD

Part of subcall function 00B6AB60: GetSysColor.USER32(00000012), ref: 00B6AB99
Part of subcall function 00B6AB60: SetTextColor.GDI32(?,?), ref: 00B6AB9D
Part of subcall function 00B6AB60: GetSysColorBrush.USER32(0000000F), ref: 00B6ABB3
Part of subcall function 00B6AB60: GetSysColor.USER32(0000000F), ref: 00B6ABBE
Part of subcall function 00B6AB60: GetSysColor.USER32(00000011), ref: 00B6ABDB
Part of subcall function 00B6AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B6ABE9
Part of subcall function 00B6AB60: SelectObject.GDI32(?,00000000), ref: 00B6ABFA
Part of subcall function 00B6AB60: SetBkColor.GDI32(?,00000000), ref: 00B6AC03
Part of subcall function 00B6AB60: SelectObject.GDI32(?,?), ref: 00B6AC10
Part of subcall function 00B6AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00B6AC2F
Part of subcall function 00B6AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B6AC46
Part of subcall function 00B6AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00B6AC5B

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: f6c6365754ae5923ad595c1bc1091d079063412f333d47c157c23b34cfbafaf3
Instruction ID: afc9759ebb9f094afb669849386e47453cf3ad8d41350a6d9723817335b064fa
Opcode Fuzzy Hash: f6c6365754ae5923ad595c1bc1091d079063412f333d47c157c23b34cfbafaf3
Instruction Fuzzy Hash: DEA17472408302AFDB109F64EC48A6B7BE9FF89321F104A29F552A71E1DB79D944CF52

Function 00AE2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00AE2CA2
DeleteObject.GDI32(00000000), ref: 00AE2CE8
DeleteObject.GDI32(00000000), ref: 00AE2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00AE2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00AE2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00B1C68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B1C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00B1CAED

Part of subcall function 00AE1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AE2036,?,00000000,?,?,?,?,00AE16CB,00000000,?), ref: 00AE1B9A

SendMessageW.USER32(?,00001053), ref: 00B1CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B1CB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00B1CB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00B1CB62

Strings

0, xrefs: 00B1C981

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 69fae1537e89e096493d99fad504458a85ee3e3f195ed82e55b30eb5a97eba18
Instruction ID: 55b7b825f47dac8a8fa9dbbf7b54e51d11ba21e97fffe71f5ecc899988374799
Opcode Fuzzy Hash: 69fae1537e89e096493d99fad504458a85ee3e3f195ed82e55b30eb5a97eba18
Instruction Fuzzy Hash: 1012AF30644241EFDB11CF24C884BB9BBE5FF45310FA445A9E596DB2A2CB71EC81CB91

Function 00B577BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00B577F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00B578B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00B578EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00B57900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00B57946
GetClientRect.USER32(00000000,?), ref: 00B57952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00B57996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B579A5
GetStockObject.GDI32(00000011), ref: 00B579B5
SelectObject.GDI32(00000000,00000000), ref: 00B579B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00B579C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B579D2
DeleteDC.GDI32(00000000), ref: 00B579DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B57A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00B57A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00B57A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B57A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00B57A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00B57AAE
GetStockObject.GDI32(00000011), ref: 00B57AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B57AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00B57ACE

Strings

AutoIt v3, xrefs: 00B5793E
msctls_progress32, xrefs: 00B57A4F
DISPLAY, xrefs: 00B5799B
static, xrefs: 00B57990, 00B57AA8

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: ef577038f10b91f7e40b646ab704b5f59be54d3cabeaade80405888cc40e4f07
Instruction ID: af521fdefce7d608e4623568f9bf5e8539ab0a1fde3b77c0cf7630fe9ddeac22
Opcode Fuzzy Hash: ef577038f10b91f7e40b646ab704b5f59be54d3cabeaade80405888cc40e4f07
Instruction Fuzzy Hash: 2FA181B1A40219BFEB14DBA5DC4AFAE7BA9EB49710F144154FA14A71E0CBB4AD00CB60

Function 00B4AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B4AF89
GetDriveTypeW.KERNEL32(?,00B6FAC0,?,\\.\,00B6F910), ref: 00B4B066
SetErrorMode.KERNEL32(00000000,00B6FAC0,?,\\.\,00B6F910), ref: 00B4B1C4

Strings

Fibre, xrefs: 00B4B154
Unknown, xrefs: 00B4B086, 00B4B12A
RAMDisk, xrefs: 00B4B090
PhysicalDrive, xrefs: 00B4B012
ATAPI, xrefs: 00B4B138
iSCSI, xrefs: 00B4B169
Fixed, xrefs: 00B4B0AE
ATA, xrefs: 00B4B13F
SSD, xrefs: 00B4B0F1
CDROM, xrefs: 00B4B09A
1394, xrefs: 00B4B146
\\.\, xrefs: 00B4AFDB
SCSI, xrefs: 00B4B131
Removable, xrefs: 00B4B0B8
SAS, xrefs: 00B4B170
MMC, xrefs: 00B4B185
SSA, xrefs: 00B4B14D
Virtual, xrefs: 00B4B18C
Network, xrefs: 00B4B0A4
SATA, xrefs: 00B4B177
RAID, xrefs: 00B4B162
FileBackedVirtual, xrefs: 00B4B193
USB, xrefs: 00B4B15B

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 87fd843f511d5dfef201e5d52c6389637ff410ac759d67c7a9974b3b3eb4cf0c
Instruction ID: d58ceda50a705dd554ec5f5cb341684e7e782edb78027d6ad4ea74982996fb25
Opcode Fuzzy Hash: 87fd843f511d5dfef201e5d52c6389637ff410ac759d67c7a9974b3b3eb4cf0c
Instruction Fuzzy Hash: 68518130694345ABCF04DB50CAA2E7D73F1EB54741B2040E5E60AB72A1DB79DF41EB82

Function 00AE6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00AE6A91
__wcsnicmp.LIBCMT ref: 00AE6AA9
__wcsnicmp.LIBCMT ref: 00AE6AC1
__wcsnicmp.LIBCMT ref: 00AE6AD9
__wcsnicmp.LIBCMT ref: 00AE6AF1
__wcsnicmp.LIBCMT ref: 00AE6B09
__wcsnicmp.LIBCMT ref: 00AE6B21
__wcsnicmp.LIBCMT ref: 00AE6B35
__wcsnicmp.LIBCMT ref: 00AE6B76
__wcsnicmp.LIBCMT ref: 00AE6B8A
__wcsnicmp.LIBCMT ref: 00AE6B9E
__wcsnicmp.LIBCMT ref: 00AE6BB2

Strings

#cs, xrefs: 00AE6B2F, 00AE6B84
#OnAutoItStartRegister, xrefs: 00AE6AD3
#include, xrefs: 00AE6B03
Cannot parse #include, xrefs: 00B1E819
Unterminated group of comments, xrefs: 00B1E82C
#comments-start, xrefs: 00AE6B1B, 00AE6B70
Bad directive syntax error, xrefs: 00B1E743
#notrayicon, xrefs: 00AE6AA3
#pragma compile, xrefs: 00AE6A8B
#ce, xrefs: 00AE6BAC
#requireadmin, xrefs: 00AE6ABB
#include-once, xrefs: 00AE6AEB
#comments-end, xrefs: 00AE6B98

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 588ff4f54675385731ea9ab5ab57c4ee11c5e86ad96fe5e75f025506fff14465
Instruction ID: cad6aa7448602a9f816aa932349223fe73b57eac320eadb0492f514eac3ffdbf
Opcode Fuzzy Hash: 588ff4f54675385731ea9ab5ab57c4ee11c5e86ad96fe5e75f025506fff14465
Instruction Fuzzy Hash: DB812B70740285BADB20AF61DD86FBE7BE8EF25740F0444A5FD45AB1D2EB60DE41C2A1

Function 00B6AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00B6AB99
SetTextColor.GDI32(?,?), ref: 00B6AB9D
GetSysColorBrush.USER32(0000000F), ref: 00B6ABB3
GetSysColor.USER32(0000000F), ref: 00B6ABBE
CreateSolidBrush.GDI32(?), ref: 00B6ABC3
GetSysColor.USER32(00000011), ref: 00B6ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B6ABE9
SelectObject.GDI32(?,00000000), ref: 00B6ABFA
SetBkColor.GDI32(?,00000000), ref: 00B6AC03
SelectObject.GDI32(?,?), ref: 00B6AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00B6AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B6AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 00B6AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B6ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B6ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00B6ACEC
DrawFocusRect.USER32(?,?), ref: 00B6ACF7
GetSysColor.USER32(00000011), ref: 00B6AD05
SetTextColor.GDI32(?,00000000), ref: 00B6AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00B6AD21
SelectObject.GDI32(?,00B6A869), ref: 00B6AD38
DeleteObject.GDI32(?), ref: 00B6AD43
SelectObject.GDI32(?,?), ref: 00B6AD49
DeleteObject.GDI32(?), ref: 00B6AD4E
SetTextColor.GDI32(?,?), ref: 00B6AD54
SetBkColor.GDI32(?,?), ref: 00B6AD5E

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 9c350db37a0a7563f73cc31f37aedb41286b08af3218bf45544b18f4a18facd1
Instruction ID: 608ae1ed445076c3494a7e466e106dfe4a36ab328120be5193ee320f3098ae70
Opcode Fuzzy Hash: 9c350db37a0a7563f73cc31f37aedb41286b08af3218bf45544b18f4a18facd1
Instruction Fuzzy Hash: CE615F71900219AFDF119FA4EC48AAE7BB9FF08320F144165F915BB2E1DAB99D40DF90

Function 00B68C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B68D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B68D45
CharNextW.USER32(0000014E), ref: 00B68D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B68DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B68DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B68DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00B68DF9
SetWindowTextW.USER32(?,0000014E), ref: 00B68E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00B68E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B68E8C
_memset.LIBCMT ref: 00B68EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00B68EFA
_memset.LIBCMT ref: 00B68F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00B68F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00B68FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00B69088
InvalidateRect.USER32(?,00000000,00000001), ref: 00B690AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B690F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B69121
DrawMenuBar.USER32(?), ref: 00B69130
SetWindowTextW.USER32(?,0000014E), ref: 00B69158

Strings

0, xrefs: 00B690C2

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 752d33194af27908902026241ed1acabf1f4a2f6f9da9641647c68520e943af8
Instruction ID: 37d98acc9ceb82c0ff52f5a4ba1b4474606b78ea64f1083e2b92462569db2b74
Opcode Fuzzy Hash: 752d33194af27908902026241ed1acabf1f4a2f6f9da9641647c68520e943af8
Instruction Fuzzy Hash: 3FE15070901219ABDF209F54DC88EEE7BF9EF05710F148299F915AB1E0DB788A85DF60

Function 00B64B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B64C51
GetDesktopWindow.USER32 ref: 00B64C66
GetWindowRect.USER32(00000000), ref: 00B64C6D
GetWindowLongW.USER32(?,000000F0), ref: 00B64CCF
DestroyWindow.USER32(?), ref: 00B64CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B64D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B64D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00B64D68
SendMessageW.USER32(?,00000421,?,?), ref: 00B64D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00B64D90
IsWindowVisible.USER32(?), ref: 00B64DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00B64DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00B64DDF
GetWindowRect.USER32(?,?), ref: 00B64DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00B64E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00B64E37
CopyRect.USER32(?,?), ref: 00B64E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00B64EB9

Strings

tooltips_class32, xrefs: 00B64D1D
0, xrefs: 00B64BFC
(, xrefs: 00B64E2A

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 673862f1328e7624ae96c5d555ae6b9a6cff30fa9c5de8ebd0cd270223c9ffef
Instruction ID: 22eec5dcb17b97b77cd2b7c786af129106534c6964ff96e18dd1f17e80332d20
Opcode Fuzzy Hash: 673862f1328e7624ae96c5d555ae6b9a6cff30fa9c5de8ebd0cd270223c9ffef
Instruction Fuzzy Hash: 9EB16871608741AFDB04DF25D984B6ABBE4FF88310F00896CF5999B2A1DB75EC04CB91

Function 00B446D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00B446E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00B4470E
_wcscpy.LIBCMT ref: 00B4473C
_wcscmp.LIBCMT ref: 00B44747
_wcscat.LIBCMT ref: 00B4475D
_wcsstr.LIBCMT ref: 00B44768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00B44784
_wcscat.LIBCMT ref: 00B447CD
_wcscat.LIBCMT ref: 00B447D4
_wcsncpy.LIBCMT ref: 00B447FF

Strings

%u.%u.%u.%u, xrefs: 00B44862
StringFileInfo\, xrefs: 00B44757
04090000, xrefs: 00B447BA
DefaultLangCodepage, xrefs: 00B447E7
\VarFileInfo\Translation, xrefs: 00B4477C

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 052078dae8bf7187fceb96ef25f05e8a34aea95887c02120be5a7efd5071ed56
Instruction ID: d96bd5bffbc80251e9e15602b925a93bcb8b2a101e5c1bf01717cdd953b06472
Opcode Fuzzy Hash: 052078dae8bf7187fceb96ef25f05e8a34aea95887c02120be5a7efd5071ed56
Instruction Fuzzy Hash: FD412472A002057AEB10AB649D47FBF7BFCEF41750F1000EAF905E61D2EF749A11A6A5

Function 00AE27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AE28BC
GetSystemMetrics.USER32(00000007), ref: 00AE28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AE28EF
GetSystemMetrics.USER32(00000008), ref: 00AE28F7
GetSystemMetrics.USER32(00000004), ref: 00AE291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00AE2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00AE2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00AE297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00AE2990
GetClientRect.USER32(00000000,000000FF), ref: 00AE29AE
GetStockObject.GDI32(00000011), ref: 00AE29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00AE29D5

Part of subcall function 00AE2344: GetCursorPos.USER32(?), ref: 00AE2357
Part of subcall function 00AE2344: ScreenToClient.USER32(00BA67B0,?), ref: 00AE2374
Part of subcall function 00AE2344: GetAsyncKeyState.USER32(00000001), ref: 00AE2399
Part of subcall function 00AE2344: GetAsyncKeyState.USER32(00000002), ref: 00AE23A7

SetTimer.USER32(00000000,00000000,00000028,00AE1256), ref: 00AE29FC

Strings

AutoIt v3 GUI, xrefs: 00AE2974

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 5319f08f5b4573b767de634d8c7525547f2f2d3453049be1bcbffa81a6790088
Instruction ID: 01c358df692bbb52af3bce59b2599021fd0728fe722cfdacc73ed6c114c633c9
Opcode Fuzzy Hash: 5319f08f5b4573b767de634d8c7525547f2f2d3453049be1bcbffa81a6790088
Instruction Fuzzy Hash: 4EB14C71A4024AEFDB14DFA9EC45BAE7BB8FB08314F108129FA16A72D0DB749950CB54

Function 00B64069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B640F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00B641B6

Strings

SELECT, xrefs: 00B64250
GETITEMCOUNT, xrefs: 00B64128
ISSELECTED, xrefs: 00B641C1
SELECTCLEAR, xrefs: 00B64235
DESELECT, xrefs: 00B642A4
GETSELECTEDCOUNT, xrefs: 00B64199
FINDITEM, xrefs: 00B64329
SELECTINVERT, xrefs: 00B64286
GETSELECTED, xrefs: 00B642E4
VIEWCHANGE, xrefs: 00B64375
SELECTALL, xrefs: 00B6421D
GETTEXT, xrefs: 00B6415F
GETSUBITEMCOUNT, xrefs: 00B64141

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 229d68207fe17666d2cb5117043b8cb59b94e0d21370aa137cf5e11b98929ae3
Instruction ID: 1709bd2f28095daf4a393dce55804fa3cb3af46c3afba0cdfd4646eaa3e1005d
Opcode Fuzzy Hash: 229d68207fe17666d2cb5117043b8cb59b94e0d21370aa137cf5e11b98929ae3
Instruction Fuzzy Hash: 4EA16B302247419FCB14EF20CA91A6AB7E5EF95314F2449BCB8A69B3D2DB74EC05CB51

Function 00B552F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00B55309
LoadCursorW.USER32(00000000,00007F8A), ref: 00B55314
LoadCursorW.USER32(00000000,00007F00), ref: 00B5531F
LoadCursorW.USER32(00000000,00007F03), ref: 00B5532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00B55335
LoadCursorW.USER32(00000000,00007F01), ref: 00B55340
LoadCursorW.USER32(00000000,00007F81), ref: 00B5534B
LoadCursorW.USER32(00000000,00007F88), ref: 00B55356
LoadCursorW.USER32(00000000,00007F80), ref: 00B55361
LoadCursorW.USER32(00000000,00007F86), ref: 00B5536C
LoadCursorW.USER32(00000000,00007F83), ref: 00B55377
LoadCursorW.USER32(00000000,00007F85), ref: 00B55382
LoadCursorW.USER32(00000000,00007F82), ref: 00B5538D
LoadCursorW.USER32(00000000,00007F84), ref: 00B55398
LoadCursorW.USER32(00000000,00007F04), ref: 00B553A3
LoadCursorW.USER32(00000000,00007F02), ref: 00B553AE
GetCursorInfo.USER32(?), ref: 00B553BE
GetLastError.KERNEL32(00000001,00000000), ref: 00B553E9

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 61562f42dcc5f7749a43c843cbbc7e5db4241597875576799bc043dde9087085
Instruction ID: 4da55b1343442a8ffb7707cae587ffff2613a0b0b03e2afad92da366dd4783b6
Opcode Fuzzy Hash: 61562f42dcc5f7749a43c843cbbc7e5db4241597875576799bc043dde9087085
Instruction Fuzzy Hash: 39416470E043196ADB209FBA8C4996FFFF8EF51B51F10456FE509E7290DAB8A401CE61

Function 00B3AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00B3AAA5
__swprintf.LIBCMT ref: 00B3AB46
_wcscmp.LIBCMT ref: 00B3AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00B3ABAE
_wcscmp.LIBCMT ref: 00B3ABEA
GetClassNameW.USER32(?,?,00000400), ref: 00B3AC21
GetDlgCtrlID.USER32(?), ref: 00B3AC73
GetWindowRect.USER32(?,?), ref: 00B3ACA9
GetParent.USER32(?), ref: 00B3ACC7
ScreenToClient.USER32(00000000), ref: 00B3ACCE
GetClassNameW.USER32(?,?,00000100), ref: 00B3AD48
_wcscmp.LIBCMT ref: 00B3AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 00B3AD82
_wcscmp.LIBCMT ref: 00B3AD96

Part of subcall function 00B0386C: _iswctype.LIBCMT ref: 00B03874

Strings

%s%u, xrefs: 00B3AB40

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: da807694889e3e5a2d1b8462fc51ac4f061560ec2dbac82221f0f312c5025814
Instruction ID: ba87fbb7e6969cf24e9c3ec05d984fe506d5abcd897384d6bb8609e057401389
Opcode Fuzzy Hash: da807694889e3e5a2d1b8462fc51ac4f061560ec2dbac82221f0f312c5025814
Instruction Fuzzy Hash: C8A1BE71204706ABDB15DF24C884FAABBE8FF04315F3086A9F9D9D2590DB30E955CB92

Function 00B3B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00B3B3DB
_wcscmp.LIBCMT ref: 00B3B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00B3B414
CharUpperBuffW.USER32(?,00000000), ref: 00B3B431
_wcscmp.LIBCMT ref: 00B3B44F
_wcsstr.LIBCMT ref: 00B3B460
GetClassNameW.USER32(00000018,?,00000400), ref: 00B3B498
_wcscmp.LIBCMT ref: 00B3B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00B3B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 00B3B518
_wcscmp.LIBCMT ref: 00B3B528
GetClassNameW.USER32(00000010,?,00000400), ref: 00B3B550
GetWindowRect.USER32(00000004,?), ref: 00B3B5B9

Strings

ThumbnailClass, xrefs: 00B3B4A3, 00B3B523
@, xrefs: 00B3B3BC

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 55919a106c7a730f449309ef12d25d230c24e7e2828bf066fd433681a0d8b3d7
Instruction ID: 68e59aafb991e8821dfa8619a8bc203b20e63b8d85d8face13cb6f2b063e730d
Opcode Fuzzy Hash: 55919a106c7a730f449309ef12d25d230c24e7e2828bf066fd433681a0d8b3d7
Instruction Fuzzy Hash: B781D1720083069BDB01CF10D885FBABBE8FF54314F2485A9FE898A19ADB34DD45CB61

Function 00B3B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00B3B23F

Strings

[CLASS:, xrefs: 00B3B28F
REGEXP=, xrefs: 00B3B254
CLASSNAME=, xrefs: 00B3B27C
HANDLE=, xrefs: 00B3B238
[LAST, xrefs: 00B3B2EC
LAST, xrefs: 00B3B204
[ALL, xrefs: 00B3B2E5
ALL, xrefs: 00B3B2D3
[HANDLE:, xrefs: 00B3B24B
[ACTIVE, xrefs: 00B3B22C
[REGEXPTITLE:, xrefs: 00B3B267
ACTIVE, xrefs: 00B3B21A

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 74d3338586da424d01c639a1f39b4decbf15cd310a25182df6c986b691db0c60
Instruction ID: 02d4e5912970582b536f8bd38e054111ce04c2d2031fc0e8720cf1f700730233
Opcode Fuzzy Hash: 74d3338586da424d01c639a1f39b4decbf15cd310a25182df6c986b691db0c60
Instruction Fuzzy Hash: C631B231A04245A6DF14FAA5DE83EEE7BE8AF14B50F7001BDF511720E6EF616E04C551

Function 00B3C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00B3C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00B3C4E6
SetWindowTextW.USER32(?,?), ref: 00B3C4FD
GetDlgItem.USER32(?,000003EA), ref: 00B3C512
SetWindowTextW.USER32(00000000,?), ref: 00B3C518
GetDlgItem.USER32(?,000003E9), ref: 00B3C528
SetWindowTextW.USER32(00000000,?), ref: 00B3C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00B3C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00B3C569
GetWindowRect.USER32(?,?), ref: 00B3C572
SetWindowTextW.USER32(?,?), ref: 00B3C5DD
GetDesktopWindow.USER32 ref: 00B3C5E3
GetWindowRect.USER32(00000000), ref: 00B3C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00B3C636
GetClientRect.USER32(?,?), ref: 00B3C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00B3C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00B3C693

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 14867dab4ebcfc9f430fdb71c19f9d6c3826115bb9fd43a4fcc01704e2536ac2
Instruction ID: 9c9aa11256d140f66452fe329becaba77f84520b80a0dad67dc48751b3bb5e22
Opcode Fuzzy Hash: 14867dab4ebcfc9f430fdb71c19f9d6c3826115bb9fd43a4fcc01704e2536ac2
Instruction Fuzzy Hash: BD51717190070AAFDB20DFA8DD86B7EBBF5FF04705F104568E696A35A0CBB4A904CB50

Function 00B6A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B6A4C8
DestroyWindow.USER32(?,?), ref: 00B6A542

Part of subcall function 00AE7D2C: _memmove.LIBCMT ref: 00AE7D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B6A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B6A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B6A5F1
DestroyWindow.USER32(00000000), ref: 00B6A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00AE0000,00000000), ref: 00B6A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B6A663
GetDesktopWindow.USER32 ref: 00B6A67C
GetWindowRect.USER32(00000000), ref: 00B6A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B6A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B6A6B3

Part of subcall function 00AE25DB: GetWindowLongW.USER32(?,000000EB), ref: 00AE25EC

Strings

0, xrefs: 00B6A4DE
tooltips_class32, xrefs: 00B6A5B5, 00B6A643

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: a104e43c4c627946a5660f0977ef7a610379c813b039bf4b1f53bbf7b22fa7c7
Instruction ID: 69a3ca33d557904a1ab875a821d04385ca68417b06b04a796471e80a55b0525f
Opcode Fuzzy Hash: a104e43c4c627946a5660f0977ef7a610379c813b039bf4b1f53bbf7b22fa7c7
Instruction Fuzzy Hash: EB719A71140245AFDB20CF28DC49F6A7BE9FB89700F08456DF995972A0DBB8E912CF12

Function 00B6C8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE2612: GetWindowLongW.USER32(?,000000EB), ref: 00AE2623

DragQueryPoint.SHELL32(?,?), ref: 00B6C917

Part of subcall function 00B6ADF1: ClientToScreen.USER32(?,?), ref: 00B6AE1A
Part of subcall function 00B6ADF1: GetWindowRect.USER32(?,?), ref: 00B6AE90
Part of subcall function 00B6ADF1: PtInRect.USER32(?,?,00B6C304), ref: 00B6AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00B6C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B6C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B6C9AE
_wcscat.LIBCMT ref: 00B6C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B6C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00B6CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00B6CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00B6CA47
DragFinish.SHELL32(?), ref: 00B6CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B6CB41

Strings

@GUI_DRAGFILE, xrefs: 00B6CAF0
@GUI_DRAGID, xrefs: 00B6CAB9
@GUI_DROPID, xrefs: 00B6CA6E

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: dce65cba674f55959e6321653c1461baa56d057528c7c0bb81011920c7f42d96
Instruction ID: 8f86222eaedc501579f2d4c2aa0083c2736b73200db6206b9f2676d70f6b2f93
Opcode Fuzzy Hash: dce65cba674f55959e6321653c1461baa56d057528c7c0bb81011920c7f42d96
Instruction Fuzzy Hash: 9E619A71108341AFC701DF64DC85DAFBBE8EF89350F000A6EF5A5932A1DB749A09CB62

Function 00B64619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B646AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B646F6

Strings

SELECT, xrefs: 00B648A7
GETITEMCOUNT, xrefs: 00B647D8
UNCHECK, xrefs: 00B648D2
COLLAPSE, xrefs: 00B6473C
GETTOTALCOUNT, xrefs: 00B646DD
ISCHECKED, xrefs: 00B64879
EXPAND, xrefs: 00B647A8
EXISTS, xrefs: 00B6475F
GETSELECTED, xrefs: 00B64806
CHECK, xrefs: 00B64716
GETTEXT, xrefs: 00B64849

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: cc7939fbf4bf8448b4f7a4a1f7e5a138b5b56b0ac41a767764da31c12bcaa1be
Instruction ID: 751f954c144d0096cee3441800f2bb72c02ea3e158881917321f3d5e074a7199
Opcode Fuzzy Hash: cc7939fbf4bf8448b4f7a4a1f7e5a138b5b56b0ac41a767764da31c12bcaa1be
Instruction Fuzzy Hash: E7918F342047419FCB14EF21C591A6ABBE1EF95354F1448ECF8965B3A2CB34ED4ACB91

Function 00B6BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B6BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00B69431), ref: 00B6BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B6BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00B6BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B6BC7D
FreeLibrary.KERNEL32(?), ref: 00B6BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B6BC99
DestroyIcon.USER32(?,?,?,?,?,00B69431), ref: 00B6BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B6BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B6BCD1

Part of subcall function 00B0313D: __wcsicmp_l.LIBCMT ref: 00B031C6

Strings

.icl, xrefs: 00B6BAE4
.dll, xrefs: 00B6BB27
.exe, xrefs: 00B6BB04

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 93aad7d21dcd35898aa2cf59ecb0991d4a32df7d5d2f8ea5ad7728d6a2097096
Instruction ID: a3f45355a94fbc4a872cfbd57e5fe4b306153fffde6a7c849ebf0e9f60b817c9
Opcode Fuzzy Hash: 93aad7d21dcd35898aa2cf59ecb0991d4a32df7d5d2f8ea5ad7728d6a2097096
Instruction Fuzzy Hash: 7A61B071900219BEEB14DF64DC85FBA7BF8FB08710F104195F915D61D1DBB89A90DBA0

Function 00B4A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C

CharLowerBuffW.USER32(?,?), ref: 00B4A636
GetDriveTypeW.KERNEL32 ref: 00B4A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B4A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B4A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B4A730

Part of subcall function 00AE7D2C: _memmove.LIBCMT ref: 00AE7D66

Strings

open , xrefs: 00B4A692
close cd wait, xrefs: 00B4A71B
set cd door , xrefs: 00B4A6D1
closed, xrefs: 00B4A64A, 00B4A653
wait, xrefs: 00B4A6ED
open, xrefs: 00B4A65D
type cdaudio alias cd wait, xrefs: 00B4A6AE
close, xrefs: 00B4A63C

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: e22872979e9444e100830d84eb9aa7a307b4c0e066abdcf1b526bb5ecdb0a6b6
Instruction ID: 818a88809957b249a698596b7c9a458c1f87015bcf82531534f1fdc55a499d1a
Opcode Fuzzy Hash: e22872979e9444e100830d84eb9aa7a307b4c0e066abdcf1b526bb5ecdb0a6b6
Instruction Fuzzy Hash: BB518C711083459FC700EF25C99186AB7F8FF98758F0449ACF896572A1DB31EE0ACB92

Function 00B4A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B4A47A
__swprintf.LIBCMT ref: 00B4A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B4A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B4A4FE
_memset.LIBCMT ref: 00B4A51D
_wcsncpy.LIBCMT ref: 00B4A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00B4A58E
CloseHandle.KERNEL32(00000000), ref: 00B4A599
RemoveDirectoryW.KERNEL32(?), ref: 00B4A5A2
CloseHandle.KERNEL32(00000000), ref: 00B4A5AC

Strings

\??\%s, xrefs: 00B4A496
:, xrefs: 00B4A4BD
\, xrefs: 00B4A4B2

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 229c3055cd58c54a5984cd9ca2e9489667cacde4b3af807d6b9fba97c5debbda
Instruction ID: 338336a1464624ec881ac45dbb7d0edc07ba2a853f8b144fd10170aa382c1a3d
Opcode Fuzzy Hash: 229c3055cd58c54a5984cd9ca2e9489667cacde4b3af807d6b9fba97c5debbda
Instruction Fuzzy Hash: 87318FB554010AAADB219FA0DC49FAB77BCEF88701F1041F6F908D61A0EBB497448B25

Function 00B6C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE2612: GetWindowLongW.USER32(?,000000EB), ref: 00AE2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B6C4EC
GetFocus.USER32 ref: 00B6C4FC
GetDlgCtrlID.USER32(00000000), ref: 00B6C507
_memset.LIBCMT ref: 00B6C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00B6C65D
GetMenuItemCount.USER32(?), ref: 00B6C67D
GetMenuItemID.USER32(?,00000000), ref: 00B6C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00B6C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00B6C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B6C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00B6C779

Strings

0, xrefs: 00B6C62A

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: d657e2bbd859025f766961be90f519f2718eb445fea9cb4a828d6e14cdbe0b09
Instruction ID: 57eaecab4337dca3b08af0d58fb0ae31f99d792c1942269012a548ecd407b430
Opcode Fuzzy Hash: d657e2bbd859025f766961be90f519f2718eb445fea9cb4a828d6e14cdbe0b09
Instruction Fuzzy Hash: A0818D712083019FD710CF24D985A7BBBE8FB98314F1045AEF99697291DB78DD05CBA2

Function 00B383F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B38766
Part of subcall function 00B3874A: GetLastError.KERNEL32(?,00B3822A,?,?,?), ref: 00B38770
Part of subcall function 00B3874A: GetProcessHeap.KERNEL32(00000008,?,?,00B3822A,?,?,?), ref: 00B3877F
Part of subcall function 00B3874A: HeapAlloc.KERNEL32(00000000,?,00B3822A,?,?,?), ref: 00B38786
Part of subcall function 00B3874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B3879D

Part of subcall function 00B387E7: GetProcessHeap.KERNEL32(00000008,00B38240,00000000,00000000,?,00B38240,?), ref: 00B387F3
Part of subcall function 00B387E7: HeapAlloc.KERNEL32(00000000,?,00B38240,?), ref: 00B387FA
Part of subcall function 00B387E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00B38240,?), ref: 00B3880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B38458
_memset.LIBCMT ref: 00B3846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B3848C
GetLengthSid.ADVAPI32(?), ref: 00B3849D
GetAce.ADVAPI32(?,00000000,?), ref: 00B384DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B384F6
GetLengthSid.ADVAPI32(?), ref: 00B38513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00B38522
HeapAlloc.KERNEL32(00000000), ref: 00B38529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B3854A
CopySid.ADVAPI32(00000000), ref: 00B38551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B38582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B385A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B385BC

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 51ced4be23ec7c33e7195457788d5e83b2fe60b6a1653e0a471e782c9487fe1d
Instruction ID: 46d01044c4688ec94a68d460ea3c8e420f53af304216ac5867fece7dca92be30
Opcode Fuzzy Hash: 51ced4be23ec7c33e7195457788d5e83b2fe60b6a1653e0a471e782c9487fe1d
Instruction Fuzzy Hash: 6C61567190020AEBDF01DFA5EC45AAEBBB9FF04300F2481A9F915A7291DF759A04CF61

Function 00B5762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B576A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00B576AE
CreateCompatibleDC.GDI32(?), ref: 00B576BA
SelectObject.GDI32(00000000,?), ref: 00B576C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00B5771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00B57757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00B5777B
SelectObject.GDI32(00000006,?), ref: 00B57783
DeleteObject.GDI32(?), ref: 00B5778C
DeleteDC.GDI32(00000006), ref: 00B57793
ReleaseDC.USER32(00000000,?), ref: 00B5779E

Strings

(, xrefs: 00B57723

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 69653a7d9b52dd96421237be287d6e51f7c80149569917b4b376ba1b9f2eb7c5
Instruction ID: 653d1bf1a5bd82e94d5c7927714e1fb737aa8e8e0151a0b487a822548d6d3e06
Opcode Fuzzy Hash: 69653a7d9b52dd96421237be287d6e51f7c80149569917b4b376ba1b9f2eb7c5
Instruction Fuzzy Hash: 87515875A04209EFCB15CFA8EC84EAEBBF9EF48310F148469E94997250DA75A844CB60

Function 00B4A0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00B6FB78), ref: 00B4A0FC

Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00B4A11E
__swprintf.LIBCMT ref: 00B4A177
__swprintf.LIBCMT ref: 00B4A190
_wprintf.LIBCMT ref: 00B4A246
_wprintf.LIBCMT ref: 00B4A264

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00B4A241
Line %d (File "%s"):, xrefs: 00B4A171, 00B4A18A
"%s" (%d) : ==> %s:, xrefs: 00B4A25F
Error: , xrefs: 00B4A20E
^ ERROR, xrefs: 00B4A1E8

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 7cb317d390add04e33e9bb5f5faf510ab26f4192a894ad8551b2f61cab498ffb
Instruction ID: 93d2acd1e97d0a1290eed03e0407528e003b5790a00cb6fbee6d9733262ca7ad
Opcode Fuzzy Hash: 7cb317d390add04e33e9bb5f5faf510ab26f4192a894ad8551b2f61cab498ffb
Instruction Fuzzy Hash: FA518D7190024AAACF15EBE0CE86EEEB7B8EF04300F2441A5F505730A1EB716F58DB61

Function 00AE6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00B00B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00AE6C6C,?,00008000), ref: 00B00BB7

Part of subcall function 00AE48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AE48A1,?,?,00AE37C0,?), ref: 00AE48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00AE6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00AE6E5A

Part of subcall function 00AE59CD: _wcscpy.LIBCMT ref: 00AE5A05

Part of subcall function 00B0387D: _iswctype.LIBCMT ref: 00B03885

Strings

Unterminated string, xrefs: 00B1EC0D
EA06, xrefs: 00B1E87B
Error opening the file, xrefs: 00B1E866, 00B1E8E1
Bad directive syntax error, xrefs: 00B1EBC6
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00B1E84A
AU3!, xrefs: 00AE6CC1
>>>AUTOIT SCRIPT<<<, xrefs: 00B1E8BF

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: c42ea096436d6bb794ef8d75990f7cd5c5523b842bcd46ac3e919d64aa5ca219
Instruction ID: 3308e4a40d3f0e281909afb88885722cd6bec210d5db53f0a28ecc8fc415ca11
Opcode Fuzzy Hash: c42ea096436d6bb794ef8d75990f7cd5c5523b842bcd46ac3e919d64aa5ca219
Instruction Fuzzy Hash: 9F02CE305083819FC724EF25C981AAFBBE5FF98354F54096DF896972A1DB30D989CB42

Function 00AE45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AE45F9
GetMenuItemCount.USER32(00BA6890), ref: 00B1D7CD
GetMenuItemCount.USER32(00BA6890), ref: 00B1D87D
GetCursorPos.USER32(?), ref: 00B1D8C1
SetForegroundWindow.USER32(00000000), ref: 00B1D8CA
TrackPopupMenuEx.USER32(00BA6890,00000000,?,00000000,00000000,00000000), ref: 00B1D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00B1D8E9

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 9666ebae6ad38066ad1cd6f0987f182c17d513dcbe86f0112bfdbc522cd056ed
Instruction ID: af318184815dcbb1c065a4341543fcbb0540924e9d6dc209e9ddbf1c36333128
Opcode Fuzzy Hash: 9666ebae6ad38066ad1cd6f0987f182c17d513dcbe86f0112bfdbc522cd056ed
Instruction Fuzzy Hash: B5712570600246BEEB219F15DC89FEABFA8FF05368F200256F515A61E0CBB15C50DB94

Function 00B610A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B60038,?,?), ref: 00B610BC

Strings

HKEY_USERS, xrefs: 00B611BD
HKEY_CURRENT_USER, xrefs: 00B6119B
HKLM, xrefs: 00B6113A
HKEY_CLASSES_ROOT, xrefs: 00B6114F
HKCR, xrefs: 00B61164
HKEY_LOCAL_MACHINE, xrefs: 00B61125
HKEY_CURRENT_CONFIG, xrefs: 00B61179
HKU, xrefs: 00B611CE
HKCU, xrefs: 00B611AC
HKCC, xrefs: 00B6118A

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 54e89b3379a147e83966a4ce23a40bf368874393d2e3174ac493a53353d6c177
Instruction ID: 28701e910e88c46e48df02b0017a4dacc803137b489462ad2d6292fe720971ef
Opcode Fuzzy Hash: 54e89b3379a147e83966a4ce23a40bf368874393d2e3174ac493a53353d6c177
Instruction Fuzzy Hash: DE41713112424A9BCF10EF94ED91AEE37A4FF26340F1449E4FD916B291DB34AD1AC760

Function 00B45569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00AE7D2C: _memmove.LIBCMT ref: 00AE7D66

Part of subcall function 00AE7A84: _memmove.LIBCMT ref: 00AE7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B455D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B455E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B455F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B4560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B4561C

Strings

open , xrefs: 00B45581
status PlayMe mode, xrefs: 00B455CD
play PlayMe, xrefs: 00B45617
close PlayMe, xrefs: 00B455E3, 00B45610
play PlayMe wait, xrefs: 00B45606
alias PlayMe, xrefs: 00B455AB

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 3c80cf7854d7d8bfaf18c691972dc0990deeb5fbc49981e2755a4fc64ebd93be
Instruction ID: 50cc65b741b8e860920af01639df4eb03b5253a27f087f50f771e1a26f09f482
Opcode Fuzzy Hash: 3c80cf7854d7d8bfaf18c691972dc0990deeb5fbc49981e2755a4fc64ebd93be
Instruction Fuzzy Hash: E51194209545A97ADB20B762DC9ADFF7BBCEF95B40F4004B9B405A30E2DEA01E05C5E5

Function 00B448F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B4490E
gethostname.WSOCK32(?,00000100), ref: 00B44928
gethostbyname.WSOCK32(?), ref: 00B44935
_wcscpy.LIBCMT ref: 00B4495D
_memmove.LIBCMT ref: 00B44970
inet_ntoa.WSOCK32(?), ref: 00B4497B
_strcat.LIBCMT ref: 00B44989
_wcscpy.LIBCMT ref: 00B449A0
WSACleanup.WSOCK32 ref: 00B449AE
_wcscpy.LIBCMT ref: 00B449BC

Strings

0.0.0.0, xrefs: 00B44957

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: d41a93fbc553ceec9a2f0e5aab85d97d04e9bb6c28275970c516633c5269ecbf
Instruction ID: f37ff7adc84fc1bcb85005cedd764d7119def1df17f1cb0e3170b3e43feb0dd5
Opcode Fuzzy Hash: d41a93fbc553ceec9a2f0e5aab85d97d04e9bb6c28275970c516633c5269ecbf
Instruction Fuzzy Hash: CC11C03190811AAFCB24EB24AC4AEEB7BECDF40710F0401F6F444970E1EFB49A95A661

Function 00B45217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B4521C

Part of subcall function 00B00719: timeGetTime.WINMM(?,75A8B400,00AF0FF9), ref: 00B0071D

Sleep.KERNEL32(0000000A), ref: 00B45248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00B4526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00B4528E
SetActiveWindow.USER32 ref: 00B452AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B452BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 00B452DA
Sleep.KERNEL32(000000FA), ref: 00B452E5
IsWindow.USER32 ref: 00B452F1
EndDialog.USER32(00000000), ref: 00B45302

Strings

BUTTON, xrefs: 00B45280

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 6a998c0f9dc22bf505fbb3e10dc519cd9820e3583e9f36c5ca3239ad02751971
Instruction ID: a91486e7c81705cc70ae12d283394822186429201837430edf9477308625ae86
Opcode Fuzzy Hash: 6a998c0f9dc22bf505fbb3e10dc519cd9820e3583e9f36c5ca3239ad02751971
Instruction Fuzzy Hash: 9A218370148B05AFE7116F60FC9AB353BA9E756786B0414AAF102931B2CFA55E00EA71

Function 00B4D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C

CoInitialize.OLE32(00000000), ref: 00B4D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00B4D8E8
SHGetDesktopFolder.SHELL32(?), ref: 00B4D8FC
CoCreateInstance.OLE32(00B72D7C,00000000,00000001,00B9A89C,?), ref: 00B4D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00B4D9B7
CoTaskMemFree.OLE32(?,?), ref: 00B4DA0F
_memset.LIBCMT ref: 00B4DA4C
SHBrowseForFolderW.SHELL32(?), ref: 00B4DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B4DAAB
CoTaskMemFree.OLE32(00000000), ref: 00B4DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00B4DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 00B4DAEB

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 2ade974b1918976fb07034cebd10bdb016dadaaa0a1f16bdb6f80a5acf1ce111
Instruction ID: f6ecca836456891bdc2a39ae10761f833640101d63baeb350e5ad03f14243176
Opcode Fuzzy Hash: 2ade974b1918976fb07034cebd10bdb016dadaaa0a1f16bdb6f80a5acf1ce111
Instruction Fuzzy Hash: 59B1FE75A00209AFDB04DFA5D988DAEBBF9FF48314B1484A9F505EB261DB30EE45CB50

Function 00B4052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B405A7
SetKeyboardState.USER32(?), ref: 00B40612
GetAsyncKeyState.USER32(000000A0), ref: 00B40632
GetKeyState.USER32(000000A0), ref: 00B40649
GetAsyncKeyState.USER32(000000A1), ref: 00B40678
GetKeyState.USER32(000000A1), ref: 00B40689
GetAsyncKeyState.USER32(00000011), ref: 00B406B5
GetKeyState.USER32(00000011), ref: 00B406C3
GetAsyncKeyState.USER32(00000012), ref: 00B406EC
GetKeyState.USER32(00000012), ref: 00B406FA
GetAsyncKeyState.USER32(0000005B), ref: 00B40723
GetKeyState.USER32(0000005B), ref: 00B40731

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ecc64ad2e6ebac8b6c75e32ad51054945f90eeff9b5faefc797b03095e703e92
Instruction ID: e7e160d154fab40a80b644e17d48237f469da4407c1e15070ff2a1a1f512500d
Opcode Fuzzy Hash: ecc64ad2e6ebac8b6c75e32ad51054945f90eeff9b5faefc797b03095e703e92
Instruction Fuzzy Hash: 2D51C820A1478429FB35FBA484557EABFF4DF11380F0849D9DAC2571C2DA749B8CDB52

Function 00B3C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00B3C746
GetWindowRect.USER32(00000000,?), ref: 00B3C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00B3C7B6
GetDlgItem.USER32(?,00000002), ref: 00B3C7C1
GetWindowRect.USER32(00000000,?), ref: 00B3C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00B3C827
GetDlgItem.USER32(?,000003E9), ref: 00B3C835
GetWindowRect.USER32(00000000,?), ref: 00B3C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00B3C889
GetDlgItem.USER32(?,000003EA), ref: 00B3C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00B3C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 00B3C8C1

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 213338ef6574a00a078333bb4607fe979fb7d5cc3f670e4187f68ecf403e24ec
Instruction ID: bcf73902404cf128f15af1099a18760003c45e8da87314323ea170e8d54d29f1
Opcode Fuzzy Hash: 213338ef6574a00a078333bb4607fe979fb7d5cc3f670e4187f68ecf403e24ec
Instruction Fuzzy Hash: BD512171B00205ABDB18CFA9DD95ABEBBB6EB88311F14816DF515E72D0DBB49D00CB50

Function 00AE201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AE2036,?,00000000,?,?,?,?,00AE16CB,00000000,?), ref: 00AE1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00AE20D3
KillTimer.USER32(-00000001,?,?,?,?,00AE16CB,00000000,?,?,00AE1AE2,?,?), ref: 00AE216E
DestroyAcceleratorTable.USER32(00000000), ref: 00B1BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AE16CB,00000000,?,?,00AE1AE2,?,?), ref: 00B1BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AE16CB,00000000,?,?,00AE1AE2,?,?), ref: 00B1BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AE16CB,00000000,?,?,00AE1AE2,?,?), ref: 00B1BF5A
DeleteObject.GDI32(00000000), ref: 00B1BF6C

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: e0b229ad26ab8420dafbb8bd457aecf3e9c9e4bfb5606539f7fa91839f419572
Instruction ID: cf6576b44f666b0040690a3d0dec25d4f0776f98ef13c1511eb5084e8d8b294f
Opcode Fuzzy Hash: e0b229ad26ab8420dafbb8bd457aecf3e9c9e4bfb5606539f7fa91839f419572
Instruction Fuzzy Hash: A661BA71100691DFCB359F16DD49B3AB7F9FB41312F54856AE442879A0CB79AC81CF80

Function 00AE21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00AE25DB: GetWindowLongW.USER32(?,000000EB), ref: 00AE25EC

GetSysColor.USER32(0000000F), ref: 00AE21D3

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 80cbfb4ed55bc054f2e5389cf931b59e3f847ee7d8612d55e4087704c710e22a
Instruction ID: bb35bccfe8f7c326be2e4222836dbfef6c9347c8143f9d30248c2b178e726613
Opcode Fuzzy Hash: 80cbfb4ed55bc054f2e5389cf931b59e3f847ee7d8612d55e4087704c710e22a
Instruction Fuzzy Hash: B041B531040180AFDB255F29EC48BF93BA9FB06331F184265FE659B1E6CB758D82DB21

Function 00B4AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00B6F910), ref: 00B4AB76
GetDriveTypeW.KERNEL32(00000061,00B9A620,00000061), ref: 00B4AC40
_wcscpy.LIBCMT ref: 00B4AC6A

Strings

fixed, xrefs: 00B4ABBE
cdrom, xrefs: 00B4AB92
unknown, xrefs: 00B4AC01
network, xrefs: 00B4ABD4
removable, xrefs: 00B4ABA8
all, xrefs: 00B4AB7C
ramdisk, xrefs: 00B4ABEA

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 4f6b454c9f2b379459a61df5ffb8fc1f9b23dc0f1661f914defd3fcca607a769
Instruction ID: daee007eb659ddb083db78ffc9f7b3870d7b7ee035a7a8d6803a42c5d7e98eba
Opcode Fuzzy Hash: 4f6b454c9f2b379459a61df5ffb8fc1f9b23dc0f1661f914defd3fcca607a769
Instruction Fuzzy Hash: 5251AC31158341ABC710EF14C991AAEBBE5EF94300F5048ADF886972E2DB319E09DA53

Function 00AE9997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00AE99C2
__swprintf.LIBCMT ref: 00AE9A0C
__i64tow.LIBCMT ref: 00B1FA0F

Strings

True, xrefs: 00B1F9D0
%.15g, xrefs: 00AE9A06
False, xrefs: 00B1F9D7
0x%p, xrefs: 00B1F9F1

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 3fc2b7ce6ebddb19a75afa7ec0792b5f2b2ac865bf6122be135c6c4266027c0b
Instruction ID: 8c932cc3d6ed69352457dd72033b429f685d0f6dcc50a4a19b91967dfb12c05b
Opcode Fuzzy Hash: 3fc2b7ce6ebddb19a75afa7ec0792b5f2b2ac865bf6122be135c6c4266027c0b
Instruction Fuzzy Hash: 6741BF71604306AADB24AB39D842FBBB7F8EF44340F2044EEE549D72A2EA71D941DB11

Function 00B673C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B673D9
CreateMenu.USER32 ref: 00B673F4
SetMenu.USER32(?,00000000), ref: 00B67403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B67490
IsMenu.USER32(?), ref: 00B674A6
CreatePopupMenu.USER32 ref: 00B674B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B674DD
DrawMenuBar.USER32 ref: 00B674E5

Strings

F, xrefs: 00B674D1
0, xrefs: 00B673CF

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 21d9206e9d4d278839f9300b2d95a147a8d0d3ae56d84c936d814c11999a627d
Instruction ID: 8a646726804c1eea7e8736a42d92e313243918852d337978b71ff9c1d96e19f5
Opcode Fuzzy Hash: 21d9206e9d4d278839f9300b2d95a147a8d0d3ae56d84c936d814c11999a627d
Instruction Fuzzy Hash: FB414975A01205EFDB10DF64E888AAABBF9FF49304F144069E956973A0DF78AD10CF90

Function 00B6772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00B677CD
CreateCompatibleDC.GDI32(00000000), ref: 00B677D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00B677E7
SelectObject.GDI32(00000000,00000000), ref: 00B677EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 00B677FA
DeleteDC.GDI32(00000000), ref: 00B67803
GetWindowLongW.USER32(?,000000EC), ref: 00B6780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00B67821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00B6782D

Strings

static, xrefs: 00B67765

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 81d24ebab09ca7821eb84640d9ac6565c62c189144a4c5d85018cd4f1f97f961
Instruction ID: 7754f68c5ce90e36181e2563076b71b89422b710866294133562feb326554bf4
Opcode Fuzzy Hash: 81d24ebab09ca7821eb84640d9ac6565c62c189144a4c5d85018cd4f1f97f961
Instruction Fuzzy Hash: 22318F31104115ABDF119FA5EC09FEA3BA9FF09325F100264FA15A70E0CB79DC11DBA4

Function 00B07040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B0707B

Part of subcall function 00B08D68: __getptd_noexit.LIBCMT ref: 00B08D68

__gmtime64_s.LIBCMT ref: 00B07114
__gmtime64_s.LIBCMT ref: 00B0714A
__gmtime64_s.LIBCMT ref: 00B07167
__allrem.LIBCMT ref: 00B071BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B071D9
__allrem.LIBCMT ref: 00B071F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B0720E
__allrem.LIBCMT ref: 00B07225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B07243
__invoke_watson.LIBCMT ref: 00B072B4

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 2d08b8fb1f3e5f13dd67d2a5474c1b4fe1b1afe46fafb23360c0ddd991bc59ff
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: B671C371E44716ABE7149E79CC81B9AFBE8EF11720F1442BAF414E62C1FB70EA408790

Function 00B42A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B42A31
GetMenuItemInfoW.USER32(00BA6890,000000FF,00000000,00000030), ref: 00B42A92
SetMenuItemInfoW.USER32(00BA6890,00000004,00000000,00000030), ref: 00B42AC8
Sleep.KERNEL32(000001F4), ref: 00B42ADA
GetMenuItemCount.USER32(?), ref: 00B42B1E
GetMenuItemID.USER32(?,00000000), ref: 00B42B3A
GetMenuItemID.USER32(?,-00000001), ref: 00B42B64
GetMenuItemID.USER32(?,?), ref: 00B42BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B42BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B42C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B42C24

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 2b609247ff403adaa76cb81eab6dba506408cb648e0829ca0b6509f502d12fb9
Instruction ID: a3c104eb4a0a29a3c607e3169276d8c03a6d933b777cd0383b7b78ecbb04aff8
Opcode Fuzzy Hash: 2b609247ff403adaa76cb81eab6dba506408cb648e0829ca0b6509f502d12fb9
Instruction Fuzzy Hash: 7B6190B0900249AFDF11CF64D888EBEBBF8EB45304F940599F84297291DB71AE45FB21

Function 00B67192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B67214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B67217
GetWindowLongW.USER32(?,000000F0), ref: 00B6723B
_memset.LIBCMT ref: 00B6724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B6725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B672D6

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 1c1fbc664f641ce628ece3526af70b5ff0eb6d09db9b958f2fa179cca404ad31
Instruction ID: 5cc27b43e204afa7ff088ce1595a565c6a4136ecebdddeb15c38ba2cc7211910
Opcode Fuzzy Hash: 1c1fbc664f641ce628ece3526af70b5ff0eb6d09db9b958f2fa179cca404ad31
Instruction Fuzzy Hash: FF616C71940208AFDB10DFA4CC81EEE77F8EB09714F14019AFA15A73A1DB74AD45DB64

Function 00B3710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00B37135
SafeArrayAllocData.OLEAUT32(?), ref: 00B3718E
VariantInit.OLEAUT32(?), ref: 00B371A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 00B371C0
VariantCopy.OLEAUT32(?,?), ref: 00B37213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00B37227
VariantClear.OLEAUT32(?), ref: 00B3723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00B37249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B37252
VariantClear.OLEAUT32(?), ref: 00B37264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B3726F

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: ec9e3b5b6544bdbdd28552c91380fa8043dedd9f669e9ce8bc0a03edde5876e2
Instruction ID: 8aca950f4c1f54d635a97b02a0471b03e3fdc71195c1a45848368d93c3166602
Opcode Fuzzy Hash: ec9e3b5b6544bdbdd28552c91380fa8043dedd9f669e9ce8bc0a03edde5876e2
Instruction Fuzzy Hash: A3413A75A04219AFCF10DFA8DC489AEBBF8FF08354F1080A9E915A7361CF74A945CB90

Function 00B55A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B55AA6
inet_addr.WSOCK32(?,?,?), ref: 00B55AEB
gethostbyname.WSOCK32(?), ref: 00B55AF7
IcmpCreateFile.IPHLPAPI ref: 00B55B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B55B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B55B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00B55C00
WSACleanup.WSOCK32 ref: 00B55C06

Strings

Ping, xrefs: 00B55B29

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 789a1f9d22b346fa2793fae97362ea5e4bed288a805bf257ea279329fb185ec9
Instruction ID: 6330e6ca962c0754dbfd29f397981d5b0b80a9a0ca0bd34011897b33687fee52
Opcode Fuzzy Hash: 789a1f9d22b346fa2793fae97362ea5e4bed288a805bf257ea279329fb185ec9
Instruction Fuzzy Hash: E151AF716047019FDB20AF25DD99B2AB7E4EF48312F1489AAF955DB2E1DB70EC04CB42

Function 00B4B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B4B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B4B7B1
GetLastError.KERNEL32 ref: 00B4B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 00B4B828

Strings

UNKNOWN, xrefs: 00B4B7E0
NOTREADY, xrefs: 00B4B7E7
READY, xrefs: 00B4B801
INVALID, xrefs: 00B4B7FA
READONLY, xrefs: 00B4B7F3

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 3791b2b36c197d803c4a8f06acc6322fe2e563f223558b31db03245004e98e22
Instruction ID: 2bc3cab7442b5a25a983484f1c325c29dccfcffe594098f1f8ff1dcddc27aa03
Opcode Fuzzy Hash: 3791b2b36c197d803c4a8f06acc6322fe2e563f223558b31db03245004e98e22
Instruction Fuzzy Hash: 73316135A00205AFDB10EF64D885EBE7BF8EF45740F1480A9E602E7291DB71DE42DB91

Function 00B39471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82

Part of subcall function 00B3B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00B3B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00B394F6
GetDlgCtrlID.USER32 ref: 00B39501
GetParent.USER32 ref: 00B3951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B39520
GetDlgCtrlID.USER32(?), ref: 00B39529
GetParent.USER32(?), ref: 00B39545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00B39548

Strings

ListBox, xrefs: 00B394B3
ComboBox, xrefs: 00B3947E

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: bcfb8bd1efa11de204282f4f014908980ab31758dac0b0136ccd3677426d66b5
Instruction ID: 3271bb3d107999d3e068c8db6e6caef28fcaa914712d19893b5e4ae19fec9ae3
Opcode Fuzzy Hash: bcfb8bd1efa11de204282f4f014908980ab31758dac0b0136ccd3677426d66b5
Instruction Fuzzy Hash: 6621C470D00204BBCF05AB65DC85DFEBBB8EF59300F204169F562972E1DBB95919DB20

Function 00B3955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82

Part of subcall function 00B3B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00B3B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00B395DF
GetDlgCtrlID.USER32 ref: 00B395EA
GetParent.USER32 ref: 00B39606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B39609
GetDlgCtrlID.USER32(?), ref: 00B39612
GetParent.USER32(?), ref: 00B3962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00B39631

Strings

ListBox, xrefs: 00B3959E
ComboBox, xrefs: 00B39569

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: c8a8dde02e6e452e1efe39f4d1399b2a7f4679a3f2f09aa301415fa7d7fba7f3
Instruction ID: 3e7958647671e159eab07448b0cdbd3fa72852cbf46f2c9b09109e6c5878813d
Opcode Fuzzy Hash: c8a8dde02e6e452e1efe39f4d1399b2a7f4679a3f2f09aa301415fa7d7fba7f3
Instruction Fuzzy Hash: 9221C574900205BBDF05AB65DCC5EFEBBB8EF58300F204069F921971E1DBB99919DB20

Function 00B39645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00B39651
GetClassNameW.USER32(00000000,?,00000100), ref: 00B39666
_wcscmp.LIBCMT ref: 00B39678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B396F3

Strings

SHELLDLL_DefView, xrefs: 00B39672
smallicons, xrefs: 00B396BB
list, xrefs: 00B396D5
largeicons, xrefs: 00B39687
details, xrefs: 00B396A1

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 4925aeefe1823fe66f6b17ae0ad526b89a4c67b52bad631866ba73e425131499
Instruction ID: 2bbb02cfa7628cca767e52876f882f70a322339fc196858785b462964be08966
Opcode Fuzzy Hash: 4925aeefe1823fe66f6b17ae0ad526b89a4c67b52bad631866ba73e425131499
Instruction Fuzzy Hash: AA112C77649307BAFB012625EC0BDA777DCDB14760F3000EAF910A50E1FEE159108558

Function 00B58BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B58BEC
CoInitialize.OLE32(00000000), ref: 00B58C19
CoUninitialize.OLE32 ref: 00B58C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00B58D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00B58E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00B72C0C), ref: 00B58E84
CoGetObject.OLE32(?,00000000,00B72C0C,?), ref: 00B58EA7
SetErrorMode.KERNEL32(00000000), ref: 00B58EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B58F3A
VariantClear.OLEAUT32(?), ref: 00B58F4A

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 866a19b2a6435ae53183869a632886328bbfbaf6d8845b1560c111e6de56f5e2
Instruction ID: 0648bf89e70674090180e444b386784dcb40a5fb50870be6f6cb0012b3e3e52f
Opcode Fuzzy Hash: 866a19b2a6435ae53183869a632886328bbfbaf6d8845b1560c111e6de56f5e2
Instruction Fuzzy Hash: 3EC11771204305AFD700DF64C884A2BB7E9FF89749F1049ADF98A9B261DB71ED09CB52

Function 00B44189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00B4419D
__swprintf.LIBCMT ref: 00B441AA

Part of subcall function 00B038D8: __woutput_l.LIBCMT ref: 00B03931

FindResourceW.KERNEL32(?,?,0000000E), ref: 00B441D4
LoadResource.KERNEL32(?,00000000), ref: 00B441E0
LockResource.KERNEL32(00000000), ref: 00B441ED
FindResourceW.KERNEL32(?,?,00000003), ref: 00B4420D
LoadResource.KERNEL32(?,00000000), ref: 00B4421F
SizeofResource.KERNEL32(?,00000000), ref: 00B4422E
LockResource.KERNEL32(?), ref: 00B4423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00B4429B

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: bcca8881ebc26e56972e954b4cd87e0b81ad431f099af7cb4fdbfe46c4ef721c
Instruction ID: 259aa2c4e1eec2f068d4a428eb9f5bc6330df2dc568a448962fb38e59e642844
Opcode Fuzzy Hash: bcca8881ebc26e56972e954b4cd87e0b81ad431f099af7cb4fdbfe46c4ef721c
Instruction Fuzzy Hash: C031A072A0521AAFCB119F60EC59EBB7BECFF05301F004565F901E3190DBB4DA619BA0

Function 00B416DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B41700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00B40778,?,00000001), ref: 00B41714
GetWindowThreadProcessId.USER32(00000000), ref: 00B4171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B40778,?,00000001), ref: 00B4172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B4173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B40778,?,00000001), ref: 00B41755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B40778,?,00000001), ref: 00B41767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00B40778,?,00000001), ref: 00B417AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00B40778,?,00000001), ref: 00B417C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00B40778,?,00000001), ref: 00B417CC

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 94460e97431490c94ee3f01f4a86054edc98a3c47778cc334811b951e6734a89
Instruction ID: f199669c8bd72421dc2e2a0293fcf19dc2550511e92858e67a3a2fa68e30765a
Opcode Fuzzy Hash: 94460e97431490c94ee3f01f4a86054edc98a3c47778cc334811b951e6734a89
Instruction Fuzzy Hash: 5331BFB5A48204BFEB119F58ED85B793BE9EB16711F1044A4F800C72A0EFB59F81DB61

Function 00AEFBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00AEFC06
OleUninitialize.OLE32(?,00000000), ref: 00AEFCA5
UnregisterHotKey.USER32(?), ref: 00AEFDFC
DestroyWindow.USER32(?), ref: 00B24A00
FreeLibrary.KERNEL32(?), ref: 00B24A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B24A92

Strings

close all, xrefs: 00AEFC01

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 089af7e0f1c02d5765923c949cb4b1e88973a63b3a33e347d2274cb7a2287f2c
Instruction ID: a716b0f17b651941eab2591e19217cb17ab0ce0c90700dba2ba3bb470d1db536
Opcode Fuzzy Hash: 089af7e0f1c02d5765923c949cb4b1e88973a63b3a33e347d2274cb7a2287f2c
Instruction Fuzzy Hash: 4FA18C30701222CFCB28EF15D998B69F7A4EF05700F2442EDE90AAB261DB30AD16CF54

Function 00B3A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00B3AA64), ref: 00B3A9A2

Strings

CLASS, xrefs: 00B3A721
CLASSNN, xrefs: 00B3A744
NAME, xrefs: 00B3A7D4
REGEXPCLASS, xrefs: 00B3A767
INSTANCE, xrefs: 00B3A8B0
TEXT, xrefs: 00B3A8D9

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 6cd5b87ad62fab03afad84444a66cc1d415f4a6d5e22128a1b95c250414d53ad
Instruction ID: 3bef1985756c6d1d735e95333349140b2587371b683c36f483e28b77ba9ba63a
Opcode Fuzzy Hash: 6cd5b87ad62fab03afad84444a66cc1d415f4a6d5e22128a1b95c250414d53ad
Instruction Fuzzy Hash: F4917331900646EADB18DF64C481BE9FBF4FF14344F3482A9D8DAA7191DF306959CBA1

Function 00AE2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00AE2EAE

Part of subcall function 00AE1DB3: GetClientRect.USER32(?,?), ref: 00AE1DDC
Part of subcall function 00AE1DB3: GetWindowRect.USER32(?,?), ref: 00AE1E1D
Part of subcall function 00AE1DB3: ScreenToClient.USER32(?,?), ref: 00AE1E45

GetDC.USER32 ref: 00B1CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B1CF95
SelectObject.GDI32(00000000,00000000), ref: 00B1CFA3
SelectObject.GDI32(00000000,00000000), ref: 00B1CFB8
ReleaseDC.USER32(?,00000000), ref: 00B1CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B1D04B

Strings

U, xrefs: 00B1CF20

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 0948b0dc8cf51a52a09d1a66258e012b95f3e10264db5a487af17d13b2081ecd
Instruction ID: 6d2b970dc981136ca20d03ad7efee0012a5e780f49a85e48414e1c8bec3b91fe
Opcode Fuzzy Hash: 0948b0dc8cf51a52a09d1a66258e012b95f3e10264db5a487af17d13b2081ecd
Instruction Fuzzy Hash: 0571C071500245DFCF218F64C895AFA7FFAFF49350F1442AAED555A1A6CB318C82DB60

Function 00B6C27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE2612: GetWindowLongW.USER32(?,000000EB), ref: 00AE2623

Part of subcall function 00AE2344: GetCursorPos.USER32(?), ref: 00AE2357
Part of subcall function 00AE2344: ScreenToClient.USER32(00BA67B0,?), ref: 00AE2374
Part of subcall function 00AE2344: GetAsyncKeyState.USER32(00000001), ref: 00AE2399
Part of subcall function 00AE2344: GetAsyncKeyState.USER32(00000002), ref: 00AE23A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00B6C2E4
ImageList_EndDrag.COMCTL32 ref: 00B6C2EA
ReleaseCapture.USER32 ref: 00B6C2F0
SetWindowTextW.USER32(?,00000000), ref: 00B6C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00B6C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00B6C48F

Strings

@GUI_DRAGFILE, xrefs: 00B6C424
@GUI_DROPID, xrefs: 00B6C3E1

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 94350d720611c82f70865ff43a18857e9978edd119ff0618cca2a348ea0bb939
Instruction ID: 41f77147bdf2f01b854ecdb0c1b9f3318196cb37d39a20f229a115b65db511d4
Opcode Fuzzy Hash: 94350d720611c82f70865ff43a18857e9978edd119ff0618cca2a348ea0bb939
Instruction Fuzzy Hash: 9D518B71208305AFD700EF24D896F7A7BE5EB88310F04856DF5A58B2E1DB78A944CB52

Function 00B58F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00B6F910), ref: 00B5903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00B6F910), ref: 00B59071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00B591EB
SysFreeString.OLEAUT32(?), ref: 00B59215

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: a8e59affbb01ba6bdc6c4af5542eca43e06cbe73db39532a87509f0560da6e89
Instruction ID: e3c97143e660f1a70e4fb85e4303a0c62a8aa2e31fc24920ec39611bf8f22d06
Opcode Fuzzy Hash: a8e59affbb01ba6bdc6c4af5542eca43e06cbe73db39532a87509f0560da6e89
Instruction Fuzzy Hash: 28F11971A00219EFDB04DF94C888EAEB7B9FF49315F1084D9F916AB291DB31AD49CB50

Function 00B5F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B5F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B5FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B5FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B5FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B5FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B5FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00B5FD90
CloseHandle.KERNEL32(?), ref: 00B5FDBF
CloseHandle.KERNEL32(?), ref: 00B5FE36

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: f2943de632a116351f7964a41281727044532f7fb2861e4945239a3801c68632
Instruction ID: aebb07514bbd586602966b170678c883de94bd245ce5a8760ca4d300d5cdf505
Opcode Fuzzy Hash: f2943de632a116351f7964a41281727044532f7fb2861e4945239a3801c68632
Instruction Fuzzy Hash: E8E190312043429FC714EF24C981B7ABBE1EF88354F1488ADF8999B2A2DB31DC45CB52

Function 00B44F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B448AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B438D3,?), ref: 00B448C7

Part of subcall function 00B448AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B438D3,?), ref: 00B448E0

Part of subcall function 00B44CD3: GetFileAttributesW.KERNEL32(?,00B43947), ref: 00B44CD4

lstrcmpiW.KERNEL32(?,?), ref: 00B44FE2
_wcscmp.LIBCMT ref: 00B44FFC
MoveFileW.KERNEL32(?,?), ref: 00B45017

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 49af181fb4e3f5074d8864fbd5917c17a4fcc9304ad72c935eed021850513425
Instruction ID: c75e4d5d12c29b5b5a7ad4b02eed404f0bc63d408b16271c9f84d4aa5ab62d1c
Opcode Fuzzy Hash: 49af181fb4e3f5074d8864fbd5917c17a4fcc9304ad72c935eed021850513425
Instruction Fuzzy Hash: 915153B24087859BC725DB60D885ADFB7ECEF84340F10496EF189D3192EF74A68C8766

Function 00B688B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B6896E

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 9a9b48f1628bb2b2061187a0c0525ce3b8270c072057ccf6e5b1ecc7666fb717
Instruction ID: 013dedc5cfca5334e33110a425e47f82caf88d16fb409c134f5a0da0e8465cfb
Opcode Fuzzy Hash: 9a9b48f1628bb2b2061187a0c0525ce3b8270c072057ccf6e5b1ecc7666fb717
Instruction Fuzzy Hash: B351B430500208BFDF209F64DC85BA93BE5FB05310F6042A2FA15E71E1DFB9A980CB91

Function 00AE2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00B1C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B1C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B1C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00B1C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B1C5C0
DestroyIcon.USER32(00000000), ref: 00B1C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B1C5EC
DestroyIcon.USER32(?), ref: 00B1C5FB

Part of subcall function 00B6A71E: DeleteObject.GDI32(00000000), ref: 00B6A757

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: aec3ad984ad932716cb23db806702ddbc2031adeabd03fc872b03ea66c16241c
Instruction ID: b836c97d8dc4386fa395a7cc624f2da24a9d6e2699f939cb384589bbdeedd740
Opcode Fuzzy Hash: aec3ad984ad932716cb23db806702ddbc2031adeabd03fc872b03ea66c16241c
Instruction Fuzzy Hash: CA515870A40249AFDB24DF25DC46FBA3BF9EB58310F104569F902972A0DBB4ED90DB60

Function 00B38E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00B38A84,00000B00,?,?), ref: 00B38E0C
HeapAlloc.KERNEL32(00000000,?,00B38A84,00000B00,?,?), ref: 00B38E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B38A84,00000B00,?,?), ref: 00B38E28
GetCurrentProcess.KERNEL32(?,00000000,?,00B38A84,00000B00,?,?), ref: 00B38E30
DuplicateHandle.KERNEL32(00000000,?,00B38A84,00000B00,?,?), ref: 00B38E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00B38A84,00000B00,?,?), ref: 00B38E43
GetCurrentProcess.KERNEL32(00B38A84,00000000,?,00B38A84,00000B00,?,?), ref: 00B38E4B
DuplicateHandle.KERNEL32(00000000,?,00B38A84,00000B00,?,?), ref: 00B38E4E
CreateThread.KERNEL32(00000000,00000000,00B38E74,00000000,00000000,00000000), ref: 00B38E68

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: e3a38e866beeed91e8540345f101bbe3b852f87e247770bdf8c68f08f6e9bb44
Instruction ID: 80887c669baa1f5c94553c19e5fedd08bc505c9916641f442a1f4544a6d7c257
Opcode Fuzzy Hash: e3a38e866beeed91e8540345f101bbe3b852f87e247770bdf8c68f08f6e9bb44
Instruction Fuzzy Hash: B601BBB5240309FFEB10ABA5EC4DF6B3BACEB89751F004421FA05DB1E1CAB59800CB20

Function 00B59428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B5947C
VariantInit.OLEAUT32(?), ref: 00B5954D
VariantInit.OLEAUT32(?), ref: 00B5964E
VariantClear.OLEAUT32(?), ref: 00B59658
VariantClear.OLEAUT32(?), ref: 00B596B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00B59631
Null Object assignment in FOR..IN loop, xrefs: 00B594DD, 00B5960B, 00B596C3

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 9d13e2c9ac27a63778ddc01b540a03fa570f37fb93897a49c0b6a6f5a4577639
Instruction ID: 78a4f958b8885590ff5f6c700aa5f8582b93708c03fec5582b335e189e964a1d
Opcode Fuzzy Hash: 9d13e2c9ac27a63778ddc01b540a03fa570f37fb93897a49c0b6a6f5a4577639
Instruction Fuzzy Hash: EE918C71A00215EBDF24DFA5D888FAEBBF8EF45711F1081D9F915AB290D7709909CBA0

Function 00B59A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00B37652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B3758C,80070057,?,?,?,00B3799D), ref: 00B3766F
Part of subcall function 00B37652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B3758C,80070057,?,?), ref: 00B3768A
Part of subcall function 00B37652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B3758C,80070057,?,?), ref: 00B37698
Part of subcall function 00B37652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B3758C,80070057,?), ref: 00B376A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00B59B1B
_memset.LIBCMT ref: 00B59B28
_memset.LIBCMT ref: 00B59C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00B59C97
CoTaskMemFree.OLE32(?), ref: 00B59CA2

Strings

NULL Pointer assignment, xrefs: 00B59CF0

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 797f7a7067ab3f348b364e5bab0a5ddf98dc9b660bd2b2a94f9e629765b4a6f9
Instruction ID: e2affbbb87a69c97bc7f6fdf104b2a620805c61fe3a39f50a4a206658c116afa
Opcode Fuzzy Hash: 797f7a7067ab3f348b364e5bab0a5ddf98dc9b660bd2b2a94f9e629765b4a6f9
Instruction Fuzzy Hash: 13912971D00219EBDF10DFA5DC85ADEBBB9EF08710F2041AAF919A7291DB715A44CFA0

Function 00B66FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B67093
SendMessageW.USER32(?,00001036,00000000,?), ref: 00B670A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B670C1
_wcscat.LIBCMT ref: 00B6711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00B67133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B67161

Strings

SysListView32, xrefs: 00B67065

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 8116d91f27335df77063855dde2d1d23284ac5852b77fee28d087ca154cd562f
Instruction ID: 9967a04e0df41658f7dca9c7415bfb3bbfad49e6ae15d7f119bed3aa220bd342
Opcode Fuzzy Hash: 8116d91f27335df77063855dde2d1d23284ac5852b77fee28d087ca154cd562f
Instruction Fuzzy Hash: B641E271944308AFEB21DFA4CC85BEE77E8EF08354F1004AAF544E72D2DA759D848B60

Function 00B5EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00B43E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00B43EB6
Part of subcall function 00B43E91: Process32FirstW.KERNEL32(00000000,?), ref: 00B43EC4
Part of subcall function 00B43E91: CloseHandle.KERNEL32(00000000), ref: 00B43F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B5ECB8
GetLastError.KERNEL32 ref: 00B5ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B5ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00B5ED77
GetLastError.KERNEL32(00000000), ref: 00B5ED82
CloseHandle.KERNEL32(00000000), ref: 00B5EDB7

Strings

SeDebugPrivilege, xrefs: 00B5ECD6

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 50a252c36408f78999eefdd93654bd69a92a16f25a05a94cdf1845b478a391e9
Instruction ID: 36aa85f035bf7c4ed6a22ea15fd54b81099d571884386bbccd11e222b709a5f3
Opcode Fuzzy Hash: 50a252c36408f78999eefdd93654bd69a92a16f25a05a94cdf1845b478a391e9
Instruction Fuzzy Hash: 7A419C712002019FDB14EF24CD95F7EB7E5AF80714F1880A9F9529B2D2DBB5E908CB96

Function 00B43226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00B432C5

Strings

stop, xrefs: 00B43296
info, xrefs: 00B43266
question, xrefs: 00B4327E
warning, xrefs: 00B432AE
blank, xrefs: 00B43247

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: dc6baf27f4e4d028fe3fd0a1fd33b97d5aaa6439d4b934809b0eda74713f1b89
Instruction ID: a25b7a7e10dc34e9f20eda0725eb06c8a5a9566b409061d7fcdcfb1a3d10cc89
Opcode Fuzzy Hash: dc6baf27f4e4d028fe3fd0a1fd33b97d5aaa6439d4b934809b0eda74713f1b89
Instruction Fuzzy Hash: 2611E731208356BAEB015B54EC83C6AB7DCEF19B70F2400EAF900A61C1EBE55F4059E5

Function 00B44534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B4454E
LoadStringW.USER32(00000000), ref: 00B44555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B4456B
LoadStringW.USER32(00000000), ref: 00B44572
_wprintf.LIBCMT ref: 00B44598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B445B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B44593

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 7200fe25c944fcee115a901f6c1ec3bbd62cd89eb71919eb227f6ac4e060af89
Instruction ID: e6cd81bca0b50c73306ba271dcc3eb6328b2f570d3a494032e2d20fd57feeb8b
Opcode Fuzzy Hash: 7200fe25c944fcee115a901f6c1ec3bbd62cd89eb71919eb227f6ac4e060af89
Instruction Fuzzy Hash: DF0144F2504209BFE7509794ED89EF677ACE708741F0005A5F745E3091EAB49E958F70

Function 00B6D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE2612: GetWindowLongW.USER32(?,000000EB), ref: 00AE2623

GetSystemMetrics.USER32(0000000F), ref: 00B6D78A
GetSystemMetrics.USER32(0000000F), ref: 00B6D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00B6D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00B6DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00B6DA24
ShowWindow.USER32(00000003,00000000), ref: 00B6DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00B6DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 00B6DA8B

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 7837e9f3e3b5849a5bddf199fc5d6ae6d2abbcf5c72bd956de491c90dc117e98
Instruction ID: 4ea5580ca61a3bed2d88d9dd3bbed096c367efe45a3212db8a77e123dd458d70
Opcode Fuzzy Hash: 7837e9f3e3b5849a5bddf199fc5d6ae6d2abbcf5c72bd956de491c90dc117e98
Instruction Fuzzy Hash: B9B16871A04226ABDF14CF69C9C57BD7BF1FF44701F0881A9ED489B295DB38A950CB60

Function 00AE2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00B1C417,00000004,00000000,00000000,00000000), ref: 00AE2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00B1C417,00000004,00000000,00000000,00000000,000000FF), ref: 00AE2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00B1C417,00000004,00000000,00000000,00000000), ref: 00B1C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00B1C417,00000004,00000000,00000000,00000000), ref: 00B1C4D6

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 043ab491ebef16d34b42bd1459df94c3f898a17709a6a965a24fd0eb83764414
Instruction ID: 9472f565303f3aa2701340c4d73f8a42ba61407775d865f4ae75a8ef2636c492
Opcode Fuzzy Hash: 043ab491ebef16d34b42bd1459df94c3f898a17709a6a965a24fd0eb83764414
Instruction Fuzzy Hash: 0A41FC312086C09AD7358B2ADC9CBBB7BEAEB46350F58847EE047876A1CA7598C1D711

Function 00B47368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00B4737F

Part of subcall function 00B00FF6: std::exception::exception.LIBCMT ref: 00B0102C
Part of subcall function 00B00FF6: __CxxThrowException@8.LIBCMT ref: 00B01041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00B473B6
EnterCriticalSection.KERNEL32(?), ref: 00B473D2
_memmove.LIBCMT ref: 00B47420
_memmove.LIBCMT ref: 00B4743D
LeaveCriticalSection.KERNEL32(?), ref: 00B4744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00B47461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00B47480

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 25f50b22fc0cf057fc2e44c81179ec133e90856c6cf3bc8af9a4f85fd56bbfb7
Instruction ID: 0c706a6230c06cdc13fb305de6e62bc440e84d0082412e2d32842435788fbe30
Opcode Fuzzy Hash: 25f50b22fc0cf057fc2e44c81179ec133e90856c6cf3bc8af9a4f85fd56bbfb7
Instruction Fuzzy Hash: E6316E31904206EBDF10EF58DD85AAA7BB8EF45710B1441A5F904AB286DF749A14DBA0

Function 00B66442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B6645A
GetDC.USER32(00000000), ref: 00B66462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B6646D
ReleaseDC.USER32(00000000,00000000), ref: 00B66479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B664B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B664C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B69299,?,?,000000FF,00000000,?,000000FF,?), ref: 00B66500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B66520

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: a42d9fccd552fa1dd7a1cbef2f5e2b37ec3252a68e563dc3d7821bcd866bd8bc
Instruction ID: 0829ea0bc4c889fccd0f86852cd200979ea81183754961709d68c976c0581de9
Opcode Fuzzy Hash: a42d9fccd552fa1dd7a1cbef2f5e2b37ec3252a68e563dc3d7821bcd866bd8bc
Instruction Fuzzy Hash: 66315C72201214BFEB118F50DC4AFFA3BA9EB19761F044065FE099A2A1DAB99841CB64

Function 00B3C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00B3C087
_memcmp.LIBCMT ref: 00B3C0A9
_memcmp.LIBCMT ref: 00B3C0C1
_memcmp.LIBCMT ref: 00B3C0D4
_memcmp.LIBCMT ref: 00B3C0EE
_memcmp.LIBCMT ref: 00B3C101
_memcmp.LIBCMT ref: 00B3C119
_memcmp.LIBCMT ref: 00B3C134

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e24b0071b8cd2a31f3764e1db092aa9bf4ae67003345e9107eb055598db859eb
Instruction ID: 5c24a2912836af6940f4343431a522dea6b46ee290cde8bd737c5c139e4bf791
Opcode Fuzzy Hash: e24b0071b8cd2a31f3764e1db092aa9bf4ae67003345e9107eb055598db859eb
Instruction Fuzzy Hash: 97219861600605BBD628A6654D52FBF3FDCDF203D4F2440E0FD09B62E2EB52DD1193A5

Function 00B4ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C

Part of subcall function 00AFFEC6: _wcscpy.LIBCMT ref: 00AFFEE9

_wcstok.LIBCMT ref: 00B4EEFF
_wcscpy.LIBCMT ref: 00B4EF8E
_memset.LIBCMT ref: 00B4EFC1

Strings

X, xrefs: 00B4EFFE

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: c52d5ce8ec6acd16faf359070e8cd085e7baeb271d36494a87da27cd408203e3
Instruction ID: c64c4c1d402c1bfd2fd6839d55eced33c96d3471f52c503d5668e86a9cfed71d
Opcode Fuzzy Hash: c52d5ce8ec6acd16faf359070e8cd085e7baeb271d36494a87da27cd408203e3
Instruction Fuzzy Hash: 55C17B715083419FD724EF24C985A6EB7E4FF88310F1049ADF8999B2A2DB70ED45CB82

Function 00B56E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00B56F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00B56F35
WSAGetLastError.WSOCK32(00000000), ref: 00B56F48
htons.WSOCK32(?,?,?,00000000,?), ref: 00B56FFE
inet_ntoa.WSOCK32(?), ref: 00B56FBB

Part of subcall function 00B3AE14: _strlen.LIBCMT ref: 00B3AE1E
Part of subcall function 00B3AE14: _memmove.LIBCMT ref: 00B3AE40

_strlen.LIBCMT ref: 00B57058
_memmove.LIBCMT ref: 00B570C1

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 40894d616629921b6a0057b34652d47f6d27adc75d761ee5424ab9a6246b8ebf
Instruction ID: 09852596b87407205d38d271009a70fd5081e82c3c18d4feec387561826911ce
Opcode Fuzzy Hash: 40894d616629921b6a0057b34652d47f6d27adc75d761ee5424ab9a6246b8ebf
Instruction Fuzzy Hash: EA81FE31608300ABC710EB24DC86F6BB7E9EF84714F14499CF9459B2E2DE709D08CB92

Function 00AE1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec32e2ec659b025cd0e6c103b7b07606bdb39cff1228bbcc27eecd452bf70db
Instruction ID: 74d3c84e170d53a2e840df74c7c7364a1e15dabcda345925fd05194067883048
Opcode Fuzzy Hash: 7ec32e2ec659b025cd0e6c103b7b07606bdb39cff1228bbcc27eecd452bf70db
Instruction Fuzzy Hash: BF716970900159EFCB148F99CC89EBEBBB9FF89310F148159F915AB291D734AA51CFA0

Function 00B6B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00C45F58), ref: 00B6B6A5
IsWindowEnabled.USER32(00C45F58), ref: 00B6B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00B6B795
SendMessageW.USER32(00C45F58,000000B0,?,?), ref: 00B6B7CC
IsDlgButtonChecked.USER32(?,?), ref: 00B6B809
GetWindowLongW.USER32(00C45F58,000000EC), ref: 00B6B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B6B843

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 5d5dfc1d3b2baed060dfeba37f70ea664126e816c7cc006547d2372adbabd8e8
Instruction ID: 3a090f7071b38ea1a19f8882e8906ef7fb410a39e336c18c535002f474c6298b
Opcode Fuzzy Hash: 5d5dfc1d3b2baed060dfeba37f70ea664126e816c7cc006547d2372adbabd8e8
Instruction Fuzzy Hash: E6717C74604205AFDB249F64C8D4FBABBF9FF4A300F1440A9E956D72A1CB39AD91CB50

Function 00B5F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B5F75C
_memset.LIBCMT ref: 00B5F825
ShellExecuteExW.SHELL32(?), ref: 00B5F86A

Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C

Part of subcall function 00AFFEC6: _wcscpy.LIBCMT ref: 00AFFEE9

GetProcessId.KERNEL32(00000000), ref: 00B5F8E1
CloseHandle.KERNEL32(00000000), ref: 00B5F910

Strings

@, xrefs: 00B5F839

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: c384d8d2cc1f471da6610d7e67ff53714e11c72347cac6593b05835ea7781f0f
Instruction ID: 00cccd5b320adad02f39f42d33ea048757b9627ecfc4f51b5a8de224115e64ee
Opcode Fuzzy Hash: c384d8d2cc1f471da6610d7e67ff53714e11c72347cac6593b05835ea7781f0f
Instruction Fuzzy Hash: A8618C75A0065ADFCB14EF55C580AAEFBF4FF48310F1484A9E846AB391CB30AD45CB90

Function 00B4145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00B4149C
GetKeyboardState.USER32(?), ref: 00B414B1
SetKeyboardState.USER32(?), ref: 00B41512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00B41540
PostMessageW.USER32(?,00000101,00000011,?), ref: 00B4155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00B415A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B415C8

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3c4fb671307f34ab6d578f75a0260e9a6c939d9c987adb22e975152979a3aa8f
Instruction ID: b6db0c7f03e3bf3a46ea763867a7d18f265bcdb469fbc6045abe366d9227a506
Opcode Fuzzy Hash: 3c4fb671307f34ab6d578f75a0260e9a6c939d9c987adb22e975152979a3aa8f
Instruction Fuzzy Hash: 5E51D3A0E047D53DFB36462C8C45BBA7FE99B46304F0848C9E1D5568C2D6E8DEC4EB50

Function 00B41276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00B412B5
GetKeyboardState.USER32(?), ref: 00B412CA
SetKeyboardState.USER32(?), ref: 00B4132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B41357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B41374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B413B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B413D9

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: abd97e80fd4a99e877c7fd015d5d09cf44ab4cb739d2ee296a3e59c068b0dc6b
Instruction ID: 166c1fcec39bd0ab740ff5dc6c28b7c613628491b579e834b2672fafa4471db6
Opcode Fuzzy Hash: abd97e80fd4a99e877c7fd015d5d09cf44ab4cb739d2ee296a3e59c068b0dc6b
Instruction Fuzzy Hash: A051F6A0D047D53DFB3287288C55B7A7FE99B06300F0889C9E1D8968C2D794AED4F765

Function 00B4589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00B458AC
_wcsncpy.LIBCMT ref: 00B458E1
_wcsncpy.LIBCMT ref: 00B45913
_wcsncpy.LIBCMT ref: 00B45946
_wcsncpy.LIBCMT ref: 00B45988
_wcsncpy.LIBCMT ref: 00B459C2
_wcsncpy.LIBCMT ref: 00B459F1

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: c85730d6aa8e912bc5111a72e589b09996b4715440e7a3d48427a6f94a262a8a
Instruction ID: 5049b6ff5544a3b96dd63232aa280d548b79d7eaca5d805ac2ead1cde081951d
Opcode Fuzzy Hash: c85730d6aa8e912bc5111a72e589b09996b4715440e7a3d48427a6f94a262a8a
Instruction Fuzzy Hash: 794193A5C20618B6CB10EBB4CC8A9DFBBECAF04710F508596F518E3162E734E715C7A9

Function 00B438AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B448AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B438D3,?), ref: 00B448C7

Part of subcall function 00B448AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B438D3,?), ref: 00B448E0

lstrcmpiW.KERNEL32(?,?), ref: 00B438F3
_wcscmp.LIBCMT ref: 00B4390F
MoveFileW.KERNEL32(?,?), ref: 00B43927
_wcscat.LIBCMT ref: 00B4396F
SHFileOperationW.SHELL32(?), ref: 00B439DB

Strings

\*.*, xrefs: 00B43969

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: fd463a7a5b0297579023bb1ad72e8eb62708cd850e048bb98693b3fff4c99dd8
Instruction ID: 4f117027ba41385bb31012b93cbc3936ee9758920c2bf8b5145de30dfbaca0a7
Opcode Fuzzy Hash: fd463a7a5b0297579023bb1ad72e8eb62708cd850e048bb98693b3fff4c99dd8
Instruction Fuzzy Hash: B94181B140C3849AC751EF64D485AEFB7E8EF88740F5409AEB48AC3191EB74D788C752

Function 00B67500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B67519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B675C0
IsMenu.USER32(?), ref: 00B675D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B67620
DrawMenuBar.USER32 ref: 00B67633

Strings

0, xrefs: 00B6750D

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 8aa834fbd5b01c142c1fcc40a4958b05c53dba6038d0a526e82faa3f2caf7563
Instruction ID: 2868849f701c46c52fa4a40c64aa126514512105be57b27cc5f456a0490c50bf
Opcode Fuzzy Hash: 8aa834fbd5b01c142c1fcc40a4958b05c53dba6038d0a526e82faa3f2caf7563
Instruction Fuzzy Hash: 9C415C75A05609EFDB10DF54D884EAABBF8FF05324F1480A9F91697290DB34AD50CF90

Function 00B6122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00B6125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B61286
FreeLibrary.KERNEL32(00000000), ref: 00B6133D

Part of subcall function 00B6122D: RegCloseKey.ADVAPI32(?), ref: 00B612A3
Part of subcall function 00B6122D: FreeLibrary.KERNEL32(?), ref: 00B612F5
Part of subcall function 00B6122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00B61318

RegDeleteKeyW.ADVAPI32(?,?), ref: 00B612E0

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 2e234b0abd76592771b3fd795db613567819a0708e914c4a7e7671ac4c322cd3
Instruction ID: 174a940506da77b5b77de1fd4b0be350cceaeb4ab72a309c5216ac63f23646e7
Opcode Fuzzy Hash: 2e234b0abd76592771b3fd795db613567819a0708e914c4a7e7671ac4c322cd3
Instruction Fuzzy Hash: 25312DB1901109BFDB14DF94EC99AFEB7BCEF08340F0405A9E502E3251DA789E459AA4

Function 00B6653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B6655B
GetWindowLongW.USER32(00C45F58,000000F0), ref: 00B6658E
GetWindowLongW.USER32(00C45F58,000000F0), ref: 00B665C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00B665F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00B6661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00B66630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00B6664A

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: bf5c996bd5e91dea88062ecdd812ec76ec5e76bcf7e1b3919568fafd9e09ac8c
Instruction ID: 625233d9e40d5799d55361af32f983b54394b7c44aaacca0df4f733938612611
Opcode Fuzzy Hash: bf5c996bd5e91dea88062ecdd812ec76ec5e76bcf7e1b3919568fafd9e09ac8c
Instruction Fuzzy Hash: F3310F70604255AFDB208F28EC86F653BE5FB5A710F1801A9F512CB2F6CB69AC40DB91

Function 00B56486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B580A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B580CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B564D9
WSAGetLastError.WSOCK32(00000000), ref: 00B564E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00B56521
connect.WSOCK32(00000000,?,00000010), ref: 00B5652A
WSAGetLastError.WSOCK32 ref: 00B56534
closesocket.WSOCK32(00000000), ref: 00B5655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00B56576

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: f5f5f7c71bd916031c1e75a62838d41572e107eed895de8641346430cff718a5
Instruction ID: 919b772f810201770cb7ae49cb75a5ca03c7ace89d795c258d6b796da43466c0
Opcode Fuzzy Hash: f5f5f7c71bd916031c1e75a62838d41572e107eed895de8641346430cff718a5
Instruction Fuzzy Hash: 9131AF71600218AFEB10AF24DC85BBE7BE8EF54711F4480A9FD05A7291DB74AD09CBA1

Function 00B3E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B3E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B3E120
SysAllocString.OLEAUT32(00000000), ref: 00B3E123
SysAllocString.OLEAUT32 ref: 00B3E144
SysFreeString.OLEAUT32 ref: 00B3E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 00B3E167
SysAllocString.OLEAUT32(?), ref: 00B3E175

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7d7188e0ae6232e4db9476b8e9c4d9338f6f2ca35b335606c9be53aa329c3107
Instruction ID: 19f6bb8a822bf4101b040b884e62fc4fe7863ea87f272a3820d4dfeef9bc599f
Opcode Fuzzy Hash: 7d7188e0ae6232e4db9476b8e9c4d9338f6f2ca35b335606c9be53aa329c3107
Instruction Fuzzy Hash: 26219035204109AFDB10AFA8DC89CBB77ECEB09760B108166FA24DB2E0DE74DC418B60

Function 00B6783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AE1D73
Part of subcall function 00AE1D35: GetStockObject.GDI32(00000011), ref: 00AE1D87
Part of subcall function 00AE1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AE1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B678A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B678AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B678B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B678C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B678D4

Strings

Msctls_Progress32, xrefs: 00B67872

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 7afe3f1ecaa59b4b3378973c5ffbdf81a4eb4fe7c28378ad1164c50f17378949
Instruction ID: 7e204f2b22a0bbb50bc67781ea972f5704a2e08e3b445fb7c0223fdba9f2b3c9
Opcode Fuzzy Hash: 7afe3f1ecaa59b4b3378973c5ffbdf81a4eb4fe7c28378ad1164c50f17378949
Instruction Fuzzy Hash: 91118EB2150219BEEF159E61CC85EE77F6DEF08758F014115BA04A30A0CB769C21DBA0

Function 00B041C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00B04292,?), ref: 00B041E3
GetProcAddress.KERNEL32(00000000), ref: 00B041EA
EncodePointer.KERNEL32(00000000), ref: 00B041F6
DecodePointer.KERNEL32(00000001,00B04292,?), ref: 00B04213

Strings

RoInitialize, xrefs: 00B041D2
combase.dll, xrefs: 00B041DE

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 9c68b969f6f9729ed1d0c3107c067d8967177f8a964e578233f578d5431f30d4
Instruction ID: 1a6da2d791bce1f967b2763745e116102a2c3a8ec9364cf0389ecd958d5f6d07
Opcode Fuzzy Hash: 9c68b969f6f9729ed1d0c3107c067d8967177f8a964e578233f578d5431f30d4
Instruction Fuzzy Hash: 54E0E5B0690301AEEB205BB0EC0AB243EE5FBA2B02F108474F521E71E0DFF944919E04

Function 00B0429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00B041B8), ref: 00B042B8
GetProcAddress.KERNEL32(00000000), ref: 00B042BF
EncodePointer.KERNEL32(00000000), ref: 00B042CA
DecodePointer.KERNEL32(00B041B8), ref: 00B042E5

Strings

combase.dll, xrefs: 00B042B3
RoUninitialize, xrefs: 00B042A7

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 750fe8156e4105e9373b971e6f7c4a9f5111643f6fe2795e40a71ce6bb1ca5c9
Instruction ID: e9157eb584c491adcac3a3d7083f439ecaff3469c6b83407ebe5474f7d298f2e
Opcode Fuzzy Hash: 750fe8156e4105e9373b971e6f7c4a9f5111643f6fe2795e40a71ce6bb1ca5c9
Instruction Fuzzy Hash: 2DE092B8691202AFEA109B60FE0AB243EA4BB65B42F204064F111F31E0CFF845448A18

Function 00B4675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B468AD
_memmove.LIBCMT ref: 00B467E8

Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C

_memmove.LIBCMT ref: 00B4685B
_memmove.LIBCMT ref: 00B46942
_memmove.LIBCMT ref: 00B4695B
_memmove.LIBCMT ref: 00B46977

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: f6e37033759929decb2087947801ab21ceb05d87debeb2e0ea76df718db484de
Instruction ID: 285c55adc2f3a765545ee618557bed7944abdec63eccf0af16359ee8ed277110
Opcode Fuzzy Hash: f6e37033759929decb2087947801ab21ceb05d87debeb2e0ea76df718db484de
Instruction Fuzzy Hash: 2A61CE3050069A9BCF15EF25CD81EFE3BE4EF49308F044599F8955B292EB309E45DB51

Function 00B6046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82

Part of subcall function 00B610A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B60038,?,?), ref: 00B610BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B60548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B60588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00B605AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B605D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B60617
RegCloseKey.ADVAPI32(00000000), ref: 00B60624

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 94494cc337dd9c78c0f838fb70c61642bf5193a594a7f4874fb5e585041a0ac8
Instruction ID: 6e3e6a62db0e9ae5eee215fa94dd02a8968a566e6d14d43324c515be65cec5c5
Opcode Fuzzy Hash: 94494cc337dd9c78c0f838fb70c61642bf5193a594a7f4874fb5e585041a0ac8
Instruction Fuzzy Hash: 33516631218240AFCB14EF65D985E6FBBE8FF88314F04496DF586872A2DB75E904CB52

Function 00B65A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00B65A82
GetMenuItemCount.USER32(00000000), ref: 00B65AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B65AE1
GetMenuItemID.USER32(?,?), ref: 00B65B50
GetSubMenu.USER32(?,?), ref: 00B65B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00B65BAF

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: c649d6d524a4887f505992c3a83bdbd8d7d2f9d9373037a95164a4b9d6dcbc94
Instruction ID: fc03bad50c058f8cc4182cf59a3844c900b44655462dfb9eb2bcae35fb003c29
Opcode Fuzzy Hash: c649d6d524a4887f505992c3a83bdbd8d7d2f9d9373037a95164a4b9d6dcbc94
Instruction Fuzzy Hash: C4519135A00615EFCF21DFA4C945AAEB7F4EF48310F1444A9E941B7391CB74AE41CB90

Function 00B3F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B3F3F7
VariantClear.OLEAUT32(00000013), ref: 00B3F469
VariantClear.OLEAUT32(00000000), ref: 00B3F4C4
_memmove.LIBCMT ref: 00B3F4EE
VariantClear.OLEAUT32(?), ref: 00B3F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00B3F569

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: a438e34ba837db4dca4a1c0f33b8a945e42f0657fbbdf8a3bb63fee693392ada
Instruction ID: f3c205479d91911df4c8badd95a2d99bd9b227bdda25895f29b0a03cf083dc21
Opcode Fuzzy Hash: a438e34ba837db4dca4a1c0f33b8a945e42f0657fbbdf8a3bb63fee693392ada
Instruction Fuzzy Hash: 90514BB5A0020AAFCB14CF58D884AAAB7F8FF4C354F15856AE959DB350D734E911CFA0

Function 00B426F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B42747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B42792
IsMenu.USER32(00000000), ref: 00B427B2
CreatePopupMenu.USER32 ref: 00B427E6
GetMenuItemCount.USER32(000000FF), ref: 00B42844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00B42875

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 7ee15d0348069d777c49b0939e42490630c103cf007a2728f1f6ef7a0fb8d2e4
Instruction ID: 882715d3c3e3e53f0acc34ccc034f3c221bd32f0302822f17baf0cfb82c06da8
Opcode Fuzzy Hash: 7ee15d0348069d777c49b0939e42490630c103cf007a2728f1f6ef7a0fb8d2e4
Instruction Fuzzy Hash: D8519E70A0020AEBDF25CF68D988BAEBBF5EF54314F5041A9F8119B291D7709E44EB61

Function 00AE1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00AE2612: GetWindowLongW.USER32(?,000000EB), ref: 00AE2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00AE179A
GetWindowRect.USER32(?,?), ref: 00AE17FE
ScreenToClient.USER32(?,?), ref: 00AE181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00AE182C
EndPaint.USER32(?,?), ref: 00AE1876

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 24fb301384d6e68b46fbb3d6180ee8d882baa058602df1dccdcb5924acc55618
Instruction ID: 64a924fbf4e588c4542c9bcb1d584332e989a2c70378e4ccd72548839d55c048
Opcode Fuzzy Hash: 24fb301384d6e68b46fbb3d6180ee8d882baa058602df1dccdcb5924acc55618
Instruction Fuzzy Hash: 8341DB70100351AFC710DF26DC84FBA3BF8EB4A724F140669FAA5872A1CB749845CB61

Function 00B6B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00BA67B0,00000000,00C45F58,?,?,00BA67B0,?,00B6B862,?,?), ref: 00B6B9CC
EnableWindow.USER32(00000000,00000000), ref: 00B6B9F0
ShowWindow.USER32(00BA67B0,00000000,00C45F58,?,?,00BA67B0,?,00B6B862,?,?), ref: 00B6BA50
ShowWindow.USER32(00000000,00000004,?,00B6B862,?,?), ref: 00B6BA62
EnableWindow.USER32(00000000,00000001), ref: 00B6BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00B6BAA9

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: ccaa7da5f9effefe6e12499ef81fc0fe571c576db0ad77fd250175f3190532e3
Instruction ID: 22caddb13f6d3cd72fc70163555421da4763a498afc8cf6e1d4076af9222395d
Opcode Fuzzy Hash: ccaa7da5f9effefe6e12499ef81fc0fe571c576db0ad77fd250175f3190532e3
Instruction Fuzzy Hash: DC415030600241AFDB25CF94D489FA57BF1FB05314F1842F9EA48CF2A2CB79A885CB51

Function 00B573B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00B55134,?,?,00000000,00000001), ref: 00B573BF

Part of subcall function 00B53C94: GetWindowRect.USER32(?,?), ref: 00B53CA7

GetDesktopWindow.USER32 ref: 00B573E9
GetWindowRect.USER32(00000000), ref: 00B573F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00B57422

Part of subcall function 00B454E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B4555E

GetCursorPos.USER32(?), ref: 00B5744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B574AC

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 2de930f1899900409145e9d349b007f17d9fdd1995e25f98f36fc1b0e5930ff6
Instruction ID: cf0f587d83e2e92f907f71d90b6899918a3b4bd105741faf2f0dac99a299648c
Opcode Fuzzy Hash: 2de930f1899900409145e9d349b007f17d9fdd1995e25f98f36fc1b0e5930ff6
Instruction Fuzzy Hash: 6131E872508306ABD720DF14E849F6BBBD9FF88314F000959F98597291CB74EE48CB92

Function 00B38D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B385F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B38608
Part of subcall function 00B385F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B38612
Part of subcall function 00B385F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B38621
Part of subcall function 00B385F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B38628
Part of subcall function 00B385F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B3863E

GetLengthSid.ADVAPI32(?,00000000,00B38977), ref: 00B38DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00B38DB8
HeapAlloc.KERNEL32(00000000), ref: 00B38DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00B38DD8
GetProcessHeap.KERNEL32(00000000,00000000,00B38977), ref: 00B38DEC
HeapFree.KERNEL32(00000000), ref: 00B38DF3

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: f13972605876618edad8aad581e49a25c2ff01aa21d6218b44543f632ebb70c2
Instruction ID: 2e370f00a01e7dda8f42715f7c3f994c77f2b09aa12f36609be664ac013593e9
Opcode Fuzzy Hash: f13972605876618edad8aad581e49a25c2ff01aa21d6218b44543f632ebb70c2
Instruction Fuzzy Hash: 2F11AC32500606FFDB109FA8DC09BBE7BA9FF55355F2040ADF945A7290CB76AA04CB61

Function 00B38AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00B38B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00B38B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00B38B40
CloseHandle.KERNEL32(00000004), ref: 00B38B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B38B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00B38B8E

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 811197733cc0efffba45abfb7661ff25e2d46d6eddda0535e35fbb9e930649df
Instruction ID: f75f0b12745f326d382d939200e1fa3d9b218a3e24d4e89d97e14a483baf823d
Opcode Fuzzy Hash: 811197733cc0efffba45abfb7661ff25e2d46d6eddda0535e35fbb9e930649df
Instruction Fuzzy Hash: 4D112EB250124AEBDF018F94ED49FEA7BE9EF08304F144065FE04A21A0DB769D609B61

Function 00B6C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00AE12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AE134D
Part of subcall function 00AE12F3: SelectObject.GDI32(?,00000000), ref: 00AE135C
Part of subcall function 00AE12F3: BeginPath.GDI32(?), ref: 00AE1373
Part of subcall function 00AE12F3: SelectObject.GDI32(?,00000000), ref: 00AE139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00B6C1C4
LineTo.GDI32(00000000,00000003,?), ref: 00B6C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B6C1E6
LineTo.GDI32(00000000,00000000,?), ref: 00B6C1F6
EndPath.GDI32(00000000), ref: 00B6C206
StrokePath.GDI32(00000000), ref: 00B6C216

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 804c90cf422aebf56c4c1dec0948f23c4740f22b908d6f9f76b5cdb5f4513f89
Instruction ID: 8cd16e08d27883a4dd74c8fe41a46401590a7902ea04cbdbeaf2257261b6db4f
Opcode Fuzzy Hash: 804c90cf422aebf56c4c1dec0948f23c4740f22b908d6f9f76b5cdb5f4513f89
Instruction Fuzzy Hash: 90113C7600010DBFDB019F90EC48EAA3FACEB08390F048021FA08561A1CB759D54DBA0

Function 00B003A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B003D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 00B003DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B003E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B003F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00B003F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B00401

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 517ca263281c53b5cd76e9ce5941c5d4189d80b806d2477d0c36f1bf6c04b451
Instruction ID: ff4cedb1693c875f1a013169fe2dec4a48fc6155a1e19358d6e329776e9987ff
Opcode Fuzzy Hash: 517ca263281c53b5cd76e9ce5941c5d4189d80b806d2477d0c36f1bf6c04b451
Instruction Fuzzy Hash: 3E016CB090175A7DE3008F5A8C85B52FFA8FF19354F00411BE15C47941C7F5A864CBE5

Function 00B4568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B4569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B456B1
GetWindowThreadProcessId.USER32(?,?), ref: 00B456C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B456CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B456D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B456E0

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 5650ad6f6cd7c755f8c0bf028e9a44cf6ce20cb531c20c2dd5312dc4d320ca95
Instruction ID: 414e3891e124c2dcebdd22455ef94b2be46caf95dfff19e51f03648cdc339fc3
Opcode Fuzzy Hash: 5650ad6f6cd7c755f8c0bf028e9a44cf6ce20cb531c20c2dd5312dc4d320ca95
Instruction Fuzzy Hash: 20F01D3224155ABBE7215BA2EC0DEBB7A7CEBC7B51F000169FA04D20919AE91A01C6B5

Function 00B474D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00B474E5
EnterCriticalSection.KERNEL32(?,?,00AF1044,?,?), ref: 00B474F6
TerminateThread.KERNEL32(00000000,000001F6,?,00AF1044,?,?), ref: 00B47503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00AF1044,?,?), ref: 00B47510

Part of subcall function 00B46ED7: CloseHandle.KERNEL32(00000000,?,00B4751D,?,00AF1044,?,?), ref: 00B46EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00B47523
LeaveCriticalSection.KERNEL32(?,?,00AF1044,?,?), ref: 00B4752A

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 36380af025cf90736b0197be00d42c6664bb98cefdc1ed7b02c4f98e18a067de
Instruction ID: e45742552b8170f26015bfaca98c85827c40262993935010d84e829a77c4c7dc
Opcode Fuzzy Hash: 36380af025cf90736b0197be00d42c6664bb98cefdc1ed7b02c4f98e18a067de
Instruction Fuzzy Hash: 71F03A3A184613ABDB112B64FC989EA776AFF45302B000571F202A60E0CFB95901DE50

Function 00B38E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B38E7F
UnloadUserProfile.USERENV(?,?), ref: 00B38E8B
CloseHandle.KERNEL32(?), ref: 00B38E94
CloseHandle.KERNEL32(?), ref: 00B38E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00B38EA5
HeapFree.KERNEL32(00000000), ref: 00B38EAC

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: bfe19bd48bbae22b9b19d0ef5651086657162256bd9caa8a02ed807c39cd1e8b
Instruction ID: a60ee33ee980f88e76009cce13fc4a0b19a4efabfa0329e68f67ceacbe9d9318
Opcode Fuzzy Hash: bfe19bd48bbae22b9b19d0ef5651086657162256bd9caa8a02ed807c39cd1e8b
Instruction Fuzzy Hash: 28E0C236004002FBDA011FE1FC0C92ABB69FB8A362B108230F229921B0CFBA9420DB50

Function 00B58902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B58928
CharUpperBuffW.USER32(?,?), ref: 00B58A37
VariantClear.OLEAUT32(?), ref: 00B58BAF

Part of subcall function 00B47804: VariantInit.OLEAUT32(00000000), ref: 00B47844
Part of subcall function 00B47804: VariantCopy.OLEAUT32(00000000,?), ref: 00B4784D
Part of subcall function 00B47804: VariantClear.OLEAUT32(00000000), ref: 00B47859

Strings

Incorrect Parameter format, xrefs: 00B58960, 00B58B22
AUTOIT.ERROR, xrefs: 00B58A3D

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 5276a2a1b09ac066f74529037035114c9d20a0f5025c17703876dcaecacd5b6c
Instruction ID: d7ac0d8a3a7de9126755d73319bcc9e129ec0fa91666bb92b302c5dca5909c0c
Opcode Fuzzy Hash: 5276a2a1b09ac066f74529037035114c9d20a0f5025c17703876dcaecacd5b6c
Instruction Fuzzy Hash: 8C919F71608341DFC700DF25C584A6BBBE4EF88355F1449AEF88A9B362DB31E909CB52

Function 00B42F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AFFEC6: _wcscpy.LIBCMT ref: 00AFFEE9

_memset.LIBCMT ref: 00B43077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B430A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B43159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B43187

Strings

0, xrefs: 00B43063

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 67562b1fc41169da8702d48797cfac68badce9eb41ee7b1732385239eb7f277d
Instruction ID: 387458985d4b54453d5ba32eac353bf471625a13e5ba4e4de78561f7548988ee
Opcode Fuzzy Hash: 67562b1fc41169da8702d48797cfac68badce9eb41ee7b1732385239eb7f277d
Instruction Fuzzy Hash: A751E1716083009AD7159F28D845B6BBBE8EF55B20F080AAEF895E32D0DB74CF44E752

Function 00B3DA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B3DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00B3DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00B3DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B3DB8E

Strings

DllGetClassObject, xrefs: 00B3DB01

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ec9082dfa0ee425150dfef1e222d95c18613cbb9642b286471704e08b0087d39
Instruction ID: 694890c346971b5ad84e53875edd2f9e66751e790753c1cea28f98dfed08b712
Opcode Fuzzy Hash: ec9082dfa0ee425150dfef1e222d95c18613cbb9642b286471704e08b0087d39
Instruction Fuzzy Hash: 8F417171600208EFDF15CF54E884A9ABBE9EF48350F2580E9ED059F255E7B1DA44CBA0

Function 00B42C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B42CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00B42CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00B42D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00BA6890,00000000), ref: 00B42D5A

Strings

0, xrefs: 00B42CA4

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 5888acecf46db86ce24dbf2761150a2621e447bad6d5b6d94e5cdef6f79a5b48
Instruction ID: eb325c61fbd3b0ae531568d3209b618326d36afcd0d8c8003ee5d21ed921cbbc
Opcode Fuzzy Hash: 5888acecf46db86ce24dbf2761150a2621e447bad6d5b6d94e5cdef6f79a5b48
Instruction Fuzzy Hash: F741A3705043029FDB10DF24DC85B1AB7E4EF85324F5446ADF966972D1DB70EA04EB92

Function 00B5DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B5DAD9

Part of subcall function 00AE79AB: _memmove.LIBCMT ref: 00AE79F9

Strings

none, xrefs: 00B5DBB4
stdcall, xrefs: 00B5DB5B
cdecl, xrefs: 00B5DB30
winapi, xrefs: 00B5DB4A

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 65d1ddc9789ab44cd91342bcf0d7075767f6203e2a033c6c09bb51661aee0626
Instruction ID: 21d8e8ca3c3b95c7f377fff0a27016f41529c479432b0f30e604cb4060c5c21a
Opcode Fuzzy Hash: 65d1ddc9789ab44cd91342bcf0d7075767f6203e2a033c6c09bb51661aee0626
Instruction Fuzzy Hash: 3531A17190421AABCF10EF64CD81AAEB7F5FF15310F1087A9E865976D1CB71A909CB90

Function 00B39372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82

Part of subcall function 00B3B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00B3B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B393F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B39409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00B39439

Part of subcall function 00AE7D2C: _memmove.LIBCMT ref: 00AE7D66

Strings

ListBox, xrefs: 00B393B5
ComboBox, xrefs: 00B39380

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: ae5917a111b6278fa8b42477471c6b46ec415fb51fa115dbf994c7ba52388998
Instruction ID: d0e13a275eb2e43b5ff0b9bd6c0254cddbee0f68d988972b96647054a67e7069
Opcode Fuzzy Hash: ae5917a111b6278fa8b42477471c6b46ec415fb51fa115dbf994c7ba52388998
Instruction Fuzzy Hash: C221B171904104BADB28AB75DC85CFFB7A8DF45360F2041A9F926972E1DBB94E0A9620

Function 00B51B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B51B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B51B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B51B96
InternetCloseHandle.WININET(00000000), ref: 00B51BDD

Part of subcall function 00B52777: GetLastError.KERNEL32(?,?,00B51B0B,00000000,00000000,00000001), ref: 00B5278C
Part of subcall function 00B52777: SetEvent.KERNEL32(?,?,00B51B0B,00000000,00000000,00000001), ref: 00B527A1

Strings

, xrefs: 00B51B87

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: fdabef68c7b9660d2f9d10b136b3df20b074a8fdd397d08d9e13c8d6ffdc144c
Instruction ID: 11837403e21247b366bff5038e7933658333a944a160fa964306ac7ba924e693
Opcode Fuzzy Hash: fdabef68c7b9660d2f9d10b136b3df20b074a8fdd397d08d9e13c8d6ffdc144c
Instruction Fuzzy Hash: 2E21BEB1500209BFEB119F289CC5FBB77ECEB4974AF1005EAF905A7240EA649D089761

Function 00B66656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AE1D73
Part of subcall function 00AE1D35: GetStockObject.GDI32(00000011), ref: 00AE1D87
Part of subcall function 00AE1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AE1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B666D0
LoadLibraryW.KERNEL32(?), ref: 00B666D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B666EC
DestroyWindow.USER32(?), ref: 00B666F4

Strings

SysAnimate32, xrefs: 00B666AB

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 08ba6a998a96465365f09b250ef2ebf5506fb336186588103ccbf016bd42d694
Instruction ID: 3b6437d2b6022df26a1e712c451f2e9d689d439a6d7b86be537003df8483fcbc
Opcode Fuzzy Hash: 08ba6a998a96465365f09b250ef2ebf5506fb336186588103ccbf016bd42d694
Instruction Fuzzy Hash: DD216AB1600206ABEF104F64EC81EFB77EDEB59368F104669FA11931A0DBB9DC519760

Function 00B4703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00B4705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B47091
GetStdHandle.KERNEL32(0000000C), ref: 00B470A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00B470DD

Strings

nul, xrefs: 00B470D8

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: dbf56367c000ddac8b3fc686775ee6e8b0e569a035069d7e6d6f50187b6fff1a
Instruction ID: a3b734090e98891a498dc30cec303d0cd25346353e379bf40c1d6b43cbe511d5
Opcode Fuzzy Hash: dbf56367c000ddac8b3fc686775ee6e8b0e569a035069d7e6d6f50187b6fff1a
Instruction Fuzzy Hash: 3221817454520AABDF209F78DC05A9A77E8FF45720F204AA9FCA0D73D0DBB09A40DB51

Function 00B4710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B4712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B4715D
GetStdHandle.KERNEL32(000000F6), ref: 00B4716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00B471A8

Strings

nul, xrefs: 00B471A3

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: d4c8018f9d968666574bdefa0d0cdd8dc805a3399157393c670fab7fc03ddb46
Instruction ID: a7df1dbf79c6c7ef89e76c0bb35a75470dc82e945c2c0a3c04fe8e5906049a20
Opcode Fuzzy Hash: d4c8018f9d968666574bdefa0d0cdd8dc805a3399157393c670fab7fc03ddb46
Instruction Fuzzy Hash: 2021C5755843069BDF209F689C44AAAB7E8EF55730F200A99FCB0E32D0DF709A41DB51

Function 00B4AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B4AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00B4AF13
__swprintf.LIBCMT ref: 00B4AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,00B6F910), ref: 00B4AF6A

Strings

%lu, xrefs: 00B4AF26

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 1a239c70344bfa97c3c275c6b2bc7a4052fd9063cd2521002630941a4ae92d6c
Instruction ID: afd56fec415a2b000895479b4f2f6b301c47a28df144d1dfd4b553c468a21e9b
Opcode Fuzzy Hash: 1a239c70344bfa97c3c275c6b2bc7a4052fd9063cd2521002630941a4ae92d6c
Instruction Fuzzy Hash: 28214130A00249AFCB10DF65DD85DEE7BF8EF49704B1040A9F909EB251DB71EA45DB61

Function 00B3A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE7D2C: _memmove.LIBCMT ref: 00AE7D66

Part of subcall function 00B3A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00B3A399
Part of subcall function 00B3A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B3A3AC
Part of subcall function 00B3A37C: GetCurrentThreadId.KERNEL32 ref: 00B3A3B3
Part of subcall function 00B3A37C: AttachThreadInput.USER32(00000000), ref: 00B3A3BA

GetFocus.USER32 ref: 00B3A554

Part of subcall function 00B3A3C5: GetParent.USER32(?), ref: 00B3A3D3

GetClassNameW.USER32(?,?,00000100), ref: 00B3A59D
EnumChildWindows.USER32(?,00B3A615), ref: 00B3A5C5
__swprintf.LIBCMT ref: 00B3A5DF

Strings

%s%d, xrefs: 00B3A5D9

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: ef0385e5388935738956f4a4337184a798aeaf260b71b9ff749c93044f19530e
Instruction ID: 5b6bfa6168142791da5d3a4b6fd5ca06d6cdb920050563161b84fcb09941249e
Opcode Fuzzy Hash: ef0385e5388935738956f4a4337184a798aeaf260b71b9ff749c93044f19530e
Instruction Fuzzy Hash: 5811AF71604209ABDF10BF64EC8AFFA37B8AF48700F2440B5F948AA192CA7559458B75

Function 00B42017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B42048

Strings

KEYS, xrefs: 00B4205F
APPEND, xrefs: 00B42081
REMOVE, xrefs: 00B4204E
EXISTS, xrefs: 00B42070

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: e896710dd04b178d483ddc0b11166a243969051f0e8fcbfd849e36628c37565f
Instruction ID: fbe40cdae612deef70cabbc877a89c788a378115e0f420adfc94a39915cf13b5
Opcode Fuzzy Hash: e896710dd04b178d483ddc0b11166a243969051f0e8fcbfd849e36628c37565f
Instruction Fuzzy Hash: CF1139319101199FCF00EFA4D9815AEB7F4FF26304F5085E8E855A7392EB326A06EB50

Function 00B5EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B5EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B5EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00B5F07E
CloseHandle.KERNEL32(?), ref: 00B5F0FF

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: c0861e24de3c23b7f27f3c648de6e407ccb46b034dcbf89fa479578e76e244e8
Instruction ID: a9fbab13bff9741229de76450bcbb317e60808341128039bd938723391102156
Opcode Fuzzy Hash: c0861e24de3c23b7f27f3c648de6e407ccb46b034dcbf89fa479578e76e244e8
Instruction Fuzzy Hash: 90816FB16043019FD720EF29C986B2AB7E5EF48710F14886DF999DB292DBB0ED058B51

Function 00B602C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82

Part of subcall function 00B610A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B60038,?,?), ref: 00B610BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B60388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B603C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B6040E
RegCloseKey.ADVAPI32(?,?), ref: 00B6043A
RegCloseKey.ADVAPI32(00000000), ref: 00B60447

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 07e2483a62de7a5eb5e89a911a040ed83f2af1b6e5adf356ade2dda83e231835
Instruction ID: c846f851292bf3601ecff966e150963381672cd6bfa6ebe90f5017908d74012f
Opcode Fuzzy Hash: 07e2483a62de7a5eb5e89a911a040ed83f2af1b6e5adf356ade2dda83e231835
Instruction Fuzzy Hash: B6516731218245AFD704EF65D981E6FB7E8FF88304F04896DF596872A2DB74E904CB52

Function 00B5DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B5DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 00B5DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00B5DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 00B5DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B5DD35

Part of subcall function 00AE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B47B20,?,?,00000000), ref: 00AE5B8C
Part of subcall function 00AE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B47B20,?,?,00000000,?,?), ref: 00AE5BB0

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: e15f6714e37449ce999a58b5a70fb092829f05293e4119b6b36e3353a50e70cb
Instruction ID: 6797020acafb76e12e079a78e87e6c3d6ecf95f4900afd77668056551b8b78ae
Opcode Fuzzy Hash: e15f6714e37449ce999a58b5a70fb092829f05293e4119b6b36e3353a50e70cb
Instruction Fuzzy Hash: 53514935A00205DFCB10EF68C584AAEB7F4FF49311B1481A9E815AB362DB70ED45CF90

Function 00B4E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B4E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00B4E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B4E8F2

Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B4E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B4E91F

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: e9c9eebe82e0a3f79b05c29d347db237c563404ff8feebd8304a79bc6ff7145c
Instruction ID: 2e95a3a261a1c0145d9a821767a96f67e26fdf79dab3a75d28e0f89a5a67f007
Opcode Fuzzy Hash: e9c9eebe82e0a3f79b05c29d347db237c563404ff8feebd8304a79bc6ff7145c
Instruction Fuzzy Hash: 6F510A35A00245EFCF05EF65C9819AEBBF5FF48314B1480A9E949AB3A2DB31ED11DB50

Function 00B6A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5099b1a8b1b46bda84eda4c344958c7fbdf517669aa0e874dafa0b4c04b4a218
Instruction ID: 2fb22d3cb1523ca05b60b045093cb877aaa6537bd471f0c4a9ef22de2fdf578c
Opcode Fuzzy Hash: 5099b1a8b1b46bda84eda4c344958c7fbdf517669aa0e874dafa0b4c04b4a218
Instruction Fuzzy Hash: 4541B235900104ABDB10DF28DC98FB9BBE8FB09310F1441A5E866B73E1DB78AD41DE55

Function 00AE2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00AE2357
ScreenToClient.USER32(00BA67B0,?), ref: 00AE2374
GetAsyncKeyState.USER32(00000001), ref: 00AE2399
GetAsyncKeyState.USER32(00000002), ref: 00AE23A7

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: a09779fe503f6c2126f166f0c112dfd92ef8f2b1c879ec1dd6134f56320d03d2
Instruction ID: ab58e08fca7b8fd5c3fa5c55aea6935eddaff53c95b9c550040853c6fcc3abc7
Opcode Fuzzy Hash: a09779fe503f6c2126f166f0c112dfd92ef8f2b1c879ec1dd6134f56320d03d2
Instruction Fuzzy Hash: 44418E3150415AFBDF159F69C844BE9BBB8FB05320F20436AF829A62A0C774AD90DF91

Function 00B36920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B3695D
TranslateAcceleratorW.USER32(?,?,?), ref: 00B369A9
TranslateMessage.USER32(?), ref: 00B369D2
DispatchMessageW.USER32(?), ref: 00B369DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B369EB

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 3da3e5031b56dba6ce852ffd0be1ec18658f0fdf8c686ae89892864efd3075d6
Instruction ID: 8abca749482a7b9912b7c7e58bcc4435181b8622ebc81368579737f2d08baaf9
Opcode Fuzzy Hash: 3da3e5031b56dba6ce852ffd0be1ec18658f0fdf8c686ae89892864efd3075d6
Instruction Fuzzy Hash: 5831E571904246BADB21CF74DC85BB67BECEB16300F2482A5E421C71A0DB74D885D790

Function 00B38F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B38F12
PostMessageW.USER32(?,00000201,00000001), ref: 00B38FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00B38FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00B38FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00B38FDA

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: aa1819a4e56e37303691b3835a64007582147734f37220e2fea185486aa474bc
Instruction ID: d1a69ae2a42c37ede75609c29da105fedc79f4d9f58537aa8d619e80ee305b35
Opcode Fuzzy Hash: aa1819a4e56e37303691b3835a64007582147734f37220e2fea185486aa474bc
Instruction Fuzzy Hash: 9B31E07150021AEFDF00CF68D94CAAE7BB6FB04315F204669F924EB1D0CBB49910CB91

Function 00B3B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00B3B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B3B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B3B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00B3B742
_wcsstr.LIBCMT ref: 00B3B74C

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: fced4b920132af128fe77f144e3defaa179f5b69d013efdd27acd3c4a64bdfa1
Instruction ID: 2747b0c480f4b58001abf48848958848dae971312b8e0260a0969b3074f5002c
Opcode Fuzzy Hash: fced4b920132af128fe77f144e3defaa179f5b69d013efdd27acd3c4a64bdfa1
Instruction Fuzzy Hash: C5210732204204BAEB255B39EC4AE7B7BD8DF85710F2040ADF905CA1A5EF65CC4092A0

Function 00B6B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00AE2612: GetWindowLongW.USER32(?,000000EB), ref: 00AE2623

GetWindowLongW.USER32(?,000000F0), ref: 00B6B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00B6B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B6B489
GetSystemMetrics.USER32(00000004), ref: 00B6B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00B51184,00000000), ref: 00B6B4D0

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 7f5704a267e931129c011b26a29b24b24cf7402de3bc978d66d5a2afdda7faf2
Instruction ID: 9ac40388bdcf1d9bd3ea6cd9a0d34d733a2e701f4c0c334ed571482142944c1e
Opcode Fuzzy Hash: 7f5704a267e931129c011b26a29b24b24cf7402de3bc978d66d5a2afdda7faf2
Instruction Fuzzy Hash: 8A216071514256AFCB109F389C44E6A37E4FB05720B144779F926D72E1EF389890DB90

Function 00B397E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B39802

Part of subcall function 00AE7D2C: _memmove.LIBCMT ref: 00AE7D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B39834
__itow.LIBCMT ref: 00B3984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B39874
__itow.LIBCMT ref: 00B39885

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 5cb11c68208e2760b12a209a0620253aefdb127d7e8056376f3812501a8aa664
Instruction ID: 0fa226f9fadd5026301607061ffe05d7e27fcde736c9f93f891e4519335fedc3
Opcode Fuzzy Hash: 5cb11c68208e2760b12a209a0620253aefdb127d7e8056376f3812501a8aa664
Instruction Fuzzy Hash: 7D21C531B00244BBDB109A65DC8AEAE7BE8EF8A750F1400A9F904DB291DAB08D41C7A1

Function 00AE12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AE134D
SelectObject.GDI32(?,00000000), ref: 00AE135C
BeginPath.GDI32(?), ref: 00AE1373
SelectObject.GDI32(?,00000000), ref: 00AE139C

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: a131847c3b908001d029bbc27369447c25539c5af05acd15460c0e841515d202
Instruction ID: 0b89d42393cb608581bd8ca65b81d5e85d2d74006a87ea4fdf93366104a67f2a
Opcode Fuzzy Hash: a131847c3b908001d029bbc27369447c25539c5af05acd15460c0e841515d202
Instruction Fuzzy Hash: A12160B0900256EFDB108F26EC057A97BBDFB11721F184226F8109B1E0DBB99891DB90

Function 00B3C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00B3C176
_memcmp.LIBCMT ref: 00B3C194
_memcmp.LIBCMT ref: 00B3C1A7
_memcmp.LIBCMT ref: 00B3C1BF
_memcmp.LIBCMT ref: 00B3C1D7

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d2163d3ce5a9684874646cc4fa77f9cbf629a2a9a09df5fe0fa9f6a28731af51
Instruction ID: 4da7c571c91ca85e603397d853411738e6b78722d5eeacdd2cfb12f62d04f480
Opcode Fuzzy Hash: d2163d3ce5a9684874646cc4fa77f9cbf629a2a9a09df5fe0fa9f6a28731af51
Instruction Fuzzy Hash: 8D01B9726046057BD218A6645C52F7B7FDCDB213D4F1480A1FD14B6293EB61EE11A3E4

Function 00B44D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B44D5C
__beginthreadex.LIBCMT ref: 00B44D7A
MessageBoxW.USER32(?,?,?,?), ref: 00B44D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B44DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B44DAC

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: d1df664ec6a9f0fe3aaa2722c34c584d970eddd3505b5a4d1d5d1b23e0a67e81
Instruction ID: e27f1f5b792eea81f23f97dadcbbc2556c71c19cd2be221b9219f857bf0691a7
Opcode Fuzzy Hash: d1df664ec6a9f0fe3aaa2722c34c584d970eddd3505b5a4d1d5d1b23e0a67e81
Instruction Fuzzy Hash: 521108B2D04245BBC7119FA8EC04BAB7FECEB46320F1442B9F914D3291DBB58D1087A0

Function 00B3874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B38766
GetLastError.KERNEL32(?,00B3822A,?,?,?), ref: 00B38770
GetProcessHeap.KERNEL32(00000008,?,?,00B3822A,?,?,?), ref: 00B3877F
HeapAlloc.KERNEL32(00000000,?,00B3822A,?,?,?), ref: 00B38786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B3879D

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 5d0e6bd4494906c63e6dd9779e41df2380384ad8e0eedc1c04933d706b98d2e4
Instruction ID: 93ef8699e65a717b676c4bfcc437ab95ff550f8e9eb576fbf32cbab62bda8b1f
Opcode Fuzzy Hash: 5d0e6bd4494906c63e6dd9779e41df2380384ad8e0eedc1c04933d706b98d2e4
Instruction Fuzzy Hash: CC014F71600205EFDB104FA5EC48D677BADFF86395B200469F949C3260DE758C10CA60

Function 00B454E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B45502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B45510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B45518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B45522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B4555E

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 4389b844d0347753cf5e079553695ea9eb01f8a7c2b99ace8590d6e90e07f61d
Instruction ID: 7de786e574efed333247297c9a5b81ecba3262e016c2898c56e4a613db46309c
Opcode Fuzzy Hash: 4389b844d0347753cf5e079553695ea9eb01f8a7c2b99ace8590d6e90e07f61d
Instruction Fuzzy Hash: 91010936D00A1EDBCF109BE8E888AFDBBB9FB19711F400096E905B2151DB745654DBA1

Function 00B37652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B3758C,80070057,?,?,?,00B3799D), ref: 00B3766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B3758C,80070057,?,?), ref: 00B3768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B3758C,80070057,?,?), ref: 00B37698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B3758C,80070057,?), ref: 00B376A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B3758C,80070057,?,?), ref: 00B376B4

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: a50a525222cfb2857c32c71201424e425fb65fcd8ba9538b2e0b534798071ce9
Instruction ID: 7c3cc9905375e8db397964e4806cea9867d0115d9a945e3b472ff736fc324252
Opcode Fuzzy Hash: a50a525222cfb2857c32c71201424e425fb65fcd8ba9538b2e0b534798071ce9
Instruction Fuzzy Hash: 5301B1B2604605BBDB208F99EC45AAA7BECEB44751F2040A8FD04D3211EF75DD0087A0

Function 00B385F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B38608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B38612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B38621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B38628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B3863E

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: bcd8dc414f8079873e8c81cd30f8015ea36db8788162472c7c4063b395e2c1aa
Instruction ID: 944597a9d90be6f922da197278c37633567ca48de5a2fa01e5f5a3f3386a7238
Opcode Fuzzy Hash: bcd8dc414f8079873e8c81cd30f8015ea36db8788162472c7c4063b395e2c1aa
Instruction Fuzzy Hash: 50F04931241305AFEB100FA5EC8AE7B3BACEF8A794F100469FA49D7190CFA59C41DA61

Function 00B38652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B38669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B38673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B38682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B38689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B3869F

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 46d52ff915d62103fe86bb4d80a5300352aa4e00e586a1dc43ad1b73c1159fd5
Instruction ID: fe0662423256520705804e57f0e8d30e6af9a68b99a55758700e5eaca07566b3
Opcode Fuzzy Hash: 46d52ff915d62103fe86bb4d80a5300352aa4e00e586a1dc43ad1b73c1159fd5
Instruction Fuzzy Hash: 54F04FB1200305AFEB111FA5EC89E773BACEF8A754F200065F945D7190CEA9D941DA61

Function 00B3C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00B3C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 00B3C6D1
MessageBeep.USER32(00000000), ref: 00B3C6E9
KillTimer.USER32(?,0000040A), ref: 00B3C705
EndDialog.USER32(?,00000001), ref: 00B3C71F

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 770482a12882d8a54e2bdda421fbf91ffe9a7cdb82f215e11f41b0de9cca8187
Instruction ID: f036a800a66dac23d333ff3df05a24c539d141ea4f0b9b0e607cfd11d7cec952
Opcode Fuzzy Hash: 770482a12882d8a54e2bdda421fbf91ffe9a7cdb82f215e11f41b0de9cca8187
Instruction Fuzzy Hash: 8D014F30500705ABEB21AB64ED8EBA67BB8FB00745F1006A9F542A24E1DBE5AD54CF90

Function 00AE13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00AE13BF
StrokeAndFillPath.GDI32(?,?,00B1BAD8,00000000,?), ref: 00AE13DB
SelectObject.GDI32(?,00000000), ref: 00AE13EE
DeleteObject.GDI32 ref: 00AE1401
StrokePath.GDI32(?), ref: 00AE141C

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 3811e276d042b2e6a93f0eab4b10873850ee937fce218d860687b28765043c03
Instruction ID: c247d33ce331849defb4b50e7e2715744c18dbcc165954448e9dd4ddc82bd3b7
Opcode Fuzzy Hash: 3811e276d042b2e6a93f0eab4b10873850ee937fce218d860687b28765043c03
Instruction Fuzzy Hash: 4DF0FFB4004349EBDB155F26EC0D7683FA9A712726F08C226F4298A1F1CF794995DF51

Function 00B4C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B4C69D
CoCreateInstance.OLE32(00B72D6C,00000000,00000001,00B72BDC,?), ref: 00B4C6B5

Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82

CoUninitialize.OLE32 ref: 00B4C922

Strings

.lnk, xrefs: 00B4C631, 00B4C659, 00B4C663

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 6c942b0c09e2a6a7ac5f8be56038f71b8d48d443e8fd475b57c34531afcf1cc3
Instruction ID: 1463151c15a2d2e4ed3ad9989889e6f940f22dc6883d9466e5e532f0c27e5ff5
Opcode Fuzzy Hash: 6c942b0c09e2a6a7ac5f8be56038f71b8d48d443e8fd475b57c34531afcf1cc3
Instruction Fuzzy Hash: 3DA13DB1108345AFD700EF65C991EAFB7E8EF94744F00496CF1569B1A2EB70EA09CB52

Function 00AF2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00B00FF6: std::exception::exception.LIBCMT ref: 00B0102C
Part of subcall function 00B00FF6: __CxxThrowException@8.LIBCMT ref: 00B01041

Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82

Part of subcall function 00AE7BB1: _memmove.LIBCMT ref: 00AE7C0B

__swprintf.LIBCMT ref: 00AF302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00AF2EC6

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 71571d0fbd4c13b32df1f2ba9b027477d1f72918b1bccd1e5af8153f41041aee
Instruction ID: 9ad0a96ad3f96fe8ea8b05c7dbfcb93cacc06d2eb795829139ef23f65868edb0
Opcode Fuzzy Hash: 71571d0fbd4c13b32df1f2ba9b027477d1f72918b1bccd1e5af8153f41041aee
Instruction Fuzzy Hash: 8F918D325083559FCB18EF64DA85C7EB7E4EF85740F00495EF9869B2A1EA20EE44CB52

Function 00B4BBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AE48A1,?,?,00AE37C0,?), ref: 00AE48CE

CoInitialize.OLE32(00000000), ref: 00B4BC26
CoCreateInstance.OLE32(00B72D6C,00000000,00000001,00B72BDC,?), ref: 00B4BC3F
CoUninitialize.OLE32 ref: 00B4BC5C

Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C

Strings

.lnk, xrefs: 00B4BC08, 00B4BC16

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: bd28a97321b08e2124a42e979b8e562425352c4c7fdccc79c477b5127596cd7c
Instruction ID: f6357d2599319e39d0cc36befe0f5fc9026bd5a86ee31a4752455230402513fc
Opcode Fuzzy Hash: bd28a97321b08e2124a42e979b8e562425352c4c7fdccc79c477b5127596cd7c
Instruction Fuzzy Hash: A4A154756043419FCB00DF25C584E6ABBE5FF88314F148998F99A9B3A2CB31EE45CB91

Function 00B0524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00B052DD

Part of subcall function 00B10340: __87except.LIBCMT ref: 00B1037B

Strings

pow, xrefs: 00B052B5, 00B052D2

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: ebf5dee7f7a5d27c6ac60a8430355a4c6073794e1134fa6f854dc745e1f9ead2
Instruction ID: c3f0686ad4dde34c881bf8281b47e2eb12191facd80092f98a037301ef603311
Opcode Fuzzy Hash: ebf5dee7f7a5d27c6ac60a8430355a4c6073794e1134fa6f854dc745e1f9ead2
Instruction Fuzzy Hash: 8E513B21A2D60187D7317724D9813BF2FE4DF00750FA049D8E09A866E5EEB48CD49E4A

Function 00B0023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00B00277
#, xrefs: 00B00280

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 43a8e6954e139e522e74beacaf0189725226d10e3f21262a9506228d70dddb39
Instruction ID: 5d4e9c75761b9263e1a667f68873513168546bccd020d622f4acf610b4574abf
Opcode Fuzzy Hash: 43a8e6954e139e522e74beacaf0189725226d10e3f21262a9506228d70dddb39
Instruction Fuzzy Hash: FA5101755046469FDF26AF29D888AFE7BE4FF19310F2440A5EC919B2E0DB349D42CB60

Function 00AF62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AF63A8
_memmove.LIBCMT ref: 00AF6446
_memset.LIBCMT ref: 00AF646A

Strings

ERCP, xrefs: 00AF6313

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 9cff7d90b3edefcbedddc6009d94ec0d46b6d91dc42e5744e8a00d128476c3ac
Instruction ID: ae2c22e81e36854755efee6a740aacf2128a7987e1b0caddfa66bc9b6f4f8740
Opcode Fuzzy Hash: 9cff7d90b3edefcbedddc6009d94ec0d46b6d91dc42e5744e8a00d128476c3ac
Instruction Fuzzy Hash: 6551A5719007099BDB24DF95C981BEABBF8EF04715F2085AEEA4ADB241E771D584CB40

Function 00B67BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B6F910,00000000,?,?,?,?), ref: 00B67C4E
GetWindowLongW.USER32 ref: 00B67C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B67C7B

Strings

SysTreeView32, xrefs: 00B67C20

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: a01bf71fd0abf4bc1594198557fb3b02c0bff71912bf1dce3ac4e0bb623b08cd
Instruction ID: 02ff54d31defc5d78dca0117606a7c2d10764faa0dd34c855dd8c8e06ad24695
Opcode Fuzzy Hash: a01bf71fd0abf4bc1594198557fb3b02c0bff71912bf1dce3ac4e0bb623b08cd
Instruction Fuzzy Hash: B3319C31244206ABDB118F38DC45BEA77E9EB49328F244765F875A32E0DB39EC919B50

Function 00B67648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B676D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B676E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B67708

Strings

SysMonthCal32, xrefs: 00B6769B

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: dd135e73f5253f3dd1dd28d1a4e2db2101d518efb61590fe558f65311d0d96eb
Instruction ID: e4dfebb0af720eae67136ba89d7507b5796bacfcf47b5b71079701f95d9cf0ba
Opcode Fuzzy Hash: dd135e73f5253f3dd1dd28d1a4e2db2101d518efb61590fe558f65311d0d96eb
Instruction Fuzzy Hash: 4A21D132544219BBDF11CFA4CC86FEA3BB9EF48718F110254FE156B1D0DAB5AC508BA0

Function 00B66F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B66FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B66FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B66FDF

Strings

Listbox, xrefs: 00B66F77

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: aca76ee4f15a160f4680b79f94eb3513477bcd731495ba963a7f0d925746b0b8
Instruction ID: 8e1be360e57057e1fb1a99a728ed958d6a073f2b8e2ce1c0016f99f2e09a76d7
Opcode Fuzzy Hash: aca76ee4f15a160f4680b79f94eb3513477bcd731495ba963a7f0d925746b0b8
Instruction Fuzzy Hash: 7D21A172610118BFDF118F54EC85FBB3BAAEF89764F018164FA149B1A0CA75AC51CBA0

Function 00B6797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B679E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B679F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B67A03

Strings

msctls_trackbar32, xrefs: 00B679B8

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: e01dbfedd46639750f31f50128811a1df2f53d88217163de0a73ee7ad9f45187
Instruction ID: 94c8f9b565d32d8dab937902f6ef040a16d0ac1ea58243a25838fdfd8d8071c2
Opcode Fuzzy Hash: e01dbfedd46639750f31f50128811a1df2f53d88217163de0a73ee7ad9f45187
Instruction Fuzzy Hash: F211E772294208BADF109F70CC45FAB37E9EF89768F110519FA41A70E0D6759851CB60

Function 00AE4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AE4C2E), ref: 00AE4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00AE4CB5

Strings

GetNativeSystemInfo, xrefs: 00AE4CAF
kernel32.dll, xrefs: 00AE4C9E

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: ae78e103a9072c715cd90e514ce4c5a5ce414fd68712f2c0ffb9763b5ead8d6b
Instruction ID: 961b373b067470ea6a2e4ca6a1ddb77357daf7c7e44338afbed0a6aeb64919e5
Opcode Fuzzy Hash: ae78e103a9072c715cd90e514ce4c5a5ce414fd68712f2c0ffb9763b5ead8d6b
Instruction Fuzzy Hash: 44D05B30510723CFD7209F32ED5871676D9AF05791B25CC7DD885D71A0DBB8D480C650

Function 00AE4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AE4CE1,?), ref: 00AE4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00AE4DB4

Strings

kernel32.dll, xrefs: 00AE4D9D
Wow64RevertWow64FsRedirection, xrefs: 00AE4DAE

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: efabf278cbcba020795a061cfa151a61db1097236187ba5013bea9c2ab3be3aa
Instruction ID: e81970fa7f96051af6408d891ebe2fd32f4e755e1f86689a5e90b9e1cae49b4c
Opcode Fuzzy Hash: efabf278cbcba020795a061cfa151a61db1097236187ba5013bea9c2ab3be3aa
Instruction Fuzzy Hash: 5AD01231550713CFD7209F31EC4879676D8AF09395B158879D8C5D61A0DBB4D480C650

Function 00AE4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AE4D2E,?,00AE4F4F,?,00BA62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AE4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00AE4D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 00AE4D7B
kernel32.dll, xrefs: 00AE4D6A

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 90bc526678b3d974d2ed80ce7a431afc6b3ff18cd68c54b441c85ce90e8f7100
Instruction ID: ab134ef772330e332d65d35ea9094aa66300b3dffabf0f6d3ada002062bf616d
Opcode Fuzzy Hash: 90bc526678b3d974d2ed80ce7a431afc6b3ff18cd68c54b441c85ce90e8f7100
Instruction Fuzzy Hash: 99D01230510753CFD7209F31EC4876676D8BF1A391B158879D486D66A0DAB4D480CA50

Function 00B61072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00B612C1), ref: 00B61080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B61092

Strings

RegDeleteKeyExW, xrefs: 00B6108C
advapi32.dll, xrefs: 00B6107B

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 7f5afdec3733b0844c8078e6abfc5eb4b47a198e5b15da5f1563daa52a0074a7
Instruction ID: a3eb2e0a6d4b3d2fad2ef996e2185fe2989a73109381b9fc70ee8aea8cb78abe
Opcode Fuzzy Hash: 7f5afdec3733b0844c8078e6abfc5eb4b47a198e5b15da5f1563daa52a0074a7
Instruction Fuzzy Hash: 1CD01231510713CFDB205F35E918A2676E4EF05791B15DC79E585D61A0DBB8C4C0C650

Function 00B593F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00B59009,?,00B6F910), ref: 00B59403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00B59415

Strings

kernel32.dll, xrefs: 00B593FE
GetModuleHandleExW, xrefs: 00B5940F

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: a9aaf494437667c0b579ae24ca2e5d41b27e4ae9ce2cb6cfd859f01ec653f6dc
Instruction ID: f4ef858ec8468322d6a32f72f0c36b92b5aaffb22828e17cdd6f8a4f00d5badc
Opcode Fuzzy Hash: a9aaf494437667c0b579ae24ca2e5d41b27e4ae9ce2cb6cfd859f01ec653f6dc
Instruction Fuzzy Hash: F5D01734514713CFDB209F31E90971676E5EF06392B15C8BAE886E66A0EAB8C884DA50

Function 00B21B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B21B42
__swprintf.LIBCMT ref: 00B21B73

Strings

%.3d, xrefs: 00B21B4D
WIN_XPe, xrefs: 00B21BB2

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 3a0c8c9c2155c705731cf54ee1d29ceb5d89b27a0f7dc7a0ca1cb27ae3c89afe
Instruction ID: c07b68cde15da104a931ffedfb1af1484e95cc77a999d0d09a55c11ecb18db68
Opcode Fuzzy Hash: 3a0c8c9c2155c705731cf54ee1d29ceb5d89b27a0f7dc7a0ca1cb27ae3c89afe
Instruction Fuzzy Hash: 40D01271C08168EACB049B94AC888F977FCAB18311F1049E2F90A92040F2749B859B21

Function 00B376C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7af0f85e6ad9413c4e28454049037190cd52bf66e1cd0bce691a31c7451c9669
Instruction ID: 46ad21119fbe3951d4964e5acfbffe6b980953710c658191b0f9e63e8ac3b3d4
Opcode Fuzzy Hash: 7af0f85e6ad9413c4e28454049037190cd52bf66e1cd0bce691a31c7451c9669
Instruction Fuzzy Hash: 36C12AB5A44216EFCB24CF94C884AAEB7F5FF48714B2186D9E805EB251DB30DD41DB90

Function 00B5E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00B5E3D2
CharLowerBuffW.USER32(?,?), ref: 00B5E415

Part of subcall function 00B5DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B5DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00B5E615
_memmove.LIBCMT ref: 00B5E628

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 6f871fd23712f36f9fa5a70cbeebbd50d964a4afded71a191fe9fedc642eb7c1
Instruction ID: 0d40eb06b7f30e4f6b88423d22ccf05e0a991b4f7fe072514947f8ff4a7a31b9
Opcode Fuzzy Hash: 6f871fd23712f36f9fa5a70cbeebbd50d964a4afded71a191fe9fedc642eb7c1
Instruction Fuzzy Hash: 0BC16E716083519FC714DF28C480A6ABBE4FF48714F1489ADF8A99B351D771EA49CF82

Function 00B583A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B583D8
CoUninitialize.OLE32 ref: 00B583E3

Part of subcall function 00B3DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B3DAC5

VariantInit.OLEAUT32(?), ref: 00B583EE
VariantClear.OLEAUT32(?), ref: 00B586BF

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: c4ee31dd4444de55f5c143eb680898727195754424dc4a5f2b38d92de285736c
Instruction ID: bc3bacf87ce59e9eb88ce345283954a762e9a4ad0a89af83c076656020fdd512
Opcode Fuzzy Hash: c4ee31dd4444de55f5c143eb680898727195754424dc4a5f2b38d92de285736c
Instruction Fuzzy Hash: 06A138752047419FDB10EF15C581B2AB7E4FF88355F144499F99AAB3A2DB30ED04CB92

Function 00B37A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00B72C7C,?), ref: 00B37C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00B72C7C,?), ref: 00B37C4A
CLSIDFromProgID.OLE32(?,?,00000000,00B6FB80,000000FF,?,00000000,00000800,00000000,?,00B72C7C,?), ref: 00B37C6F
_memcmp.LIBCMT ref: 00B37C90

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 71652806e55dcf5b3d2b01084ac8ba6e50e6f8fcd2cf6f3e868fcf336a20bf1f
Instruction ID: 0580430ede6ec63d305d1729a194f53b921de634b15d8120947333508c138565
Opcode Fuzzy Hash: 71652806e55dcf5b3d2b01084ac8ba6e50e6f8fcd2cf6f3e868fcf336a20bf1f
Instruction Fuzzy Hash: EE811B75A00109EFCB14DF94C994EEEB7F9FF89315F208198E515AB250DB71AE05CB60

Function 00B36DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B36E04
SysAllocString.OLEAUT32(00000000), ref: 00B36EAD
VariantCopy.OLEAUT32 ref: 00B36EDC
VariantClear.OLEAUT32(?), ref: 00B36F03

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: aaeeb6c3fe0460dda47b8b4dd4b18efcc936c390785019cef40d0ddbf1740842
Instruction ID: 18c7c8d946595dd0f374338f15548202ead568223d4ac85b5db8ec95c3322778
Opcode Fuzzy Hash: aaeeb6c3fe0460dda47b8b4dd4b18efcc936c390785019cef40d0ddbf1740842
Instruction Fuzzy Hash: F551E374658302AADB34AF69D8D5A3EB3E4EF48310F30C85FE596DB691DF7098449B01

Function 00B69A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00C4EFA8,?), ref: 00B69AD2
ScreenToClient.USER32(00000002,00000002), ref: 00B69B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00B69B72

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: b42b58221e872786aa25e2fe1b11cad22d6d362c6f7219a7e8879f5b91c594a6
Instruction ID: e3f9292b2c5113088b50d3fef46fdb427a41661e5a788c99ba78a46ab06aef99
Opcode Fuzzy Hash: b42b58221e872786aa25e2fe1b11cad22d6d362c6f7219a7e8879f5b91c594a6
Instruction Fuzzy Hash: 2E515374A00209EFCF10DF64D9819AE7BF9FF55760F1481A9F8259B2A0D774AD41CB50

Function 00B56CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00B56CE4
WSAGetLastError.WSOCK32(00000000), ref: 00B56CF4

Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00B56D58
WSAGetLastError.WSOCK32(00000000), ref: 00B56D64

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: c9c065983f39e988a569054ecf0b594e73f0d522d26f64dcfef3b6cd69ba14c5
Instruction ID: d15af0c4aa295c3fda9538ed2f9c901a8c86d711bbbc40eba8616e732bbf0d8a
Opcode Fuzzy Hash: c9c065983f39e988a569054ecf0b594e73f0d522d26f64dcfef3b6cd69ba14c5
Instruction Fuzzy Hash: 9141B474740300AFEB20AF25DD86F3A77E5EF48B10F4484A8FA599B2D2DAB49C008791

Function 00B5672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00B6F910), ref: 00B567BA
_strlen.LIBCMT ref: 00B567EC

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 4bfaab9e345672cc62553544a1e86b8cd5835c8d28c9859efc638332fdd15078
Instruction ID: 9bc3209db138c25907fe2269156ae668b21d7c2706585a2a7a93ddc2261696d5
Opcode Fuzzy Hash: 4bfaab9e345672cc62553544a1e86b8cd5835c8d28c9859efc638332fdd15078
Instruction Fuzzy Hash: 0B41C231A00204AFCB14EB65DDC5FAEB7E8EF58314F6481E9F8169B292DB30AD04C750

Function 00B4BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00B4BB09
GetLastError.KERNEL32(?,00000000), ref: 00B4BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00B4BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00B4BB80

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 597cf25d6fc8f58c7a7d84db7afc700f903e950fc8f7d06538b9a8f072f46a11
Instruction ID: 26644e1e0b6ef7ba58a353546be6fe6163d6098e543b85cb6c473746785411f9
Opcode Fuzzy Hash: 597cf25d6fc8f58c7a7d84db7afc700f903e950fc8f7d06538b9a8f072f46a11
Instruction Fuzzy Hash: 99412639200651DFCB10EF16C684A5EBBE1EF89310B198498F94A9B362CB34FD01DB91

Function 00B68AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B68B4D

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 6aaef161731937ec2e1aa22beace1994b7d8d0d4a0cbe2a0a98687a66f24e01e
Instruction ID: abde132d305ed000db8088a69b3687d8bcc1a85baede9f486f289bea0ce9bfe1
Opcode Fuzzy Hash: 6aaef161731937ec2e1aa22beace1994b7d8d0d4a0cbe2a0a98687a66f24e01e
Instruction Fuzzy Hash: 2C31C6B4604204BFEF209F58DC99FA937E5EB0A310F284796FA51D72E0CE7AA9409751

Function 00B6ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00B6AE1A
GetWindowRect.USER32(?,?), ref: 00B6AE90
PtInRect.USER32(?,?,00B6C304), ref: 00B6AEA0
MessageBeep.USER32(00000000), ref: 00B6AF11

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: e0bf70e12609bd632dd2269faa0e7c8d8c45aa2b72ee42ca5cdf0253aeee5416
Instruction ID: d3d408702d16d216539ff60a079007f1b13fef55247b212730b7576b2fe4908b
Opcode Fuzzy Hash: e0bf70e12609bd632dd2269faa0e7c8d8c45aa2b72ee42ca5cdf0253aeee5416
Instruction Fuzzy Hash: 4E417C70600119DFCF11DF58D885A69BBF5FB49740F2881A9E419EB291DB39A901CF92

Function 00B40FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00B41037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00B41053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00B410B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00B4110B

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4fd23db7dd16ce90bf92e9802d03043fe6eed989c840534836657e3d4056457f
Instruction ID: f9900cb58a98c31039288a3e66c40f6ef9b3b44f912efde1260ecded46f3e532
Opcode Fuzzy Hash: 4fd23db7dd16ce90bf92e9802d03043fe6eed989c840534836657e3d4056457f
Instruction Fuzzy Hash: 8C314830E40688AEFF348B6D8C05BF9BBE9EB54310F04469AE591522D1C3748FC0B752

Function 00B41121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00B41176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00B41192
PostMessageW.USER32(00000000,00000101,00000000), ref: 00B411F1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00B41243

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b0aa1c14f892fd4b42b4e950eec54bf1cf22890478689e6b07d3a905dc24e275
Instruction ID: 4619fb0d459d0f05b41a81f8a041138e02030f88efd23b29526e1f22960df8a6
Opcode Fuzzy Hash: b0aa1c14f892fd4b42b4e950eec54bf1cf22890478689e6b07d3a905dc24e275
Instruction Fuzzy Hash: 3531E730E407186AEF20DB6D88097FA7BFAEB49310F044B9AE695A21D1C3784FD5A751

Function 00B16415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00B1644B
__isleadbyte_l.LIBCMT ref: 00B16479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00B164A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00B164DD

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 1225fef7fea8ee32df0c449a5c3965ff625078ba648ce5e9ecccf395b191966e
Instruction ID: ecd32a87e3a528b7540f6566095908c579cf34567d97dfdce29b2fdc0fb6907c
Opcode Fuzzy Hash: 1225fef7fea8ee32df0c449a5c3965ff625078ba648ce5e9ecccf395b191966e
Instruction Fuzzy Hash: F831EF31600256AFDB21CF69CC84BFA7BE9FF41310F5540A9E864872A0EB31D990DB90

Function 00B65175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00B65189

Part of subcall function 00B4387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B43897
Part of subcall function 00B4387D: GetCurrentThreadId.KERNEL32 ref: 00B4389E
Part of subcall function 00B4387D: AttachThreadInput.USER32(00000000,?,00B452A7), ref: 00B438A5

GetCaretPos.USER32(?), ref: 00B6519A
ClientToScreen.USER32(00000000,?), ref: 00B651D5
GetForegroundWindow.USER32 ref: 00B651DB

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 022fe638ec98703ee93eabaadee479c0fcb108ffb2dd035cba63ff19951166d5
Instruction ID: 73ab733be9f919ca3309dbae34db9e5a8e7b4c3dc008057f68a5c59ab390e74c
Opcode Fuzzy Hash: 022fe638ec98703ee93eabaadee479c0fcb108ffb2dd035cba63ff19951166d5
Instruction Fuzzy Hash: 7831F0B1900248AFDB10EFA5DD859EFB7F9EF98300F1040AAE415E7251EA759E45CBA0

Function 00B6C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE2612: GetWindowLongW.USER32(?,000000EB), ref: 00AE2623

GetCursorPos.USER32(?), ref: 00B6C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00B1BBFB,?,?,?,?,?), ref: 00B6C7D7
GetCursorPos.USER32(?), ref: 00B6C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00B1BBFB,?,?,?), ref: 00B6C85E

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 53054d03954daa9bfe9543269fe7db497f9db59003c6191642ef71c1e565641d
Instruction ID: 943c33076804059a11f459f4f759633aa14a900eeb83d7f4fbbdf89fe8ad93ff
Opcode Fuzzy Hash: 53054d03954daa9bfe9543269fe7db497f9db59003c6191642ef71c1e565641d
Instruction Fuzzy Hash: 11317436600018AFCB25CF59D898EFA7FFAEB49710F0481A9F9458B2A1C7399D50DF60

Function 00B38B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B38652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B38669
Part of subcall function 00B38652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B38673
Part of subcall function 00B38652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B38682
Part of subcall function 00B38652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B38689
Part of subcall function 00B38652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B3869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00B38BEB
_memcmp.LIBCMT ref: 00B38C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B38C44
HeapFree.KERNEL32(00000000), ref: 00B38C4B

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 584e2572523d6d9a41a234fee6b6515f1a0188f3326ed0d0b57e9c8c492e563e
Instruction ID: ba476d31aa104a0f6c94b7104e6f2213611aad75e28f95e2cb5974fc5e22e031
Opcode Fuzzy Hash: 584e2572523d6d9a41a234fee6b6515f1a0188f3326ed0d0b57e9c8c492e563e
Instruction Fuzzy Hash: 1D21AC71E01209EFCB00CFA4C955BEEB7F8EF40340F644099E554A7240EB75AE06CB61

Function 00B00BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00B00BF2

Part of subcall function 00AE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B47B20,?,?,00000000), ref: 00AE5B8C
Part of subcall function 00AE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B47B20,?,?,00000000,?,?), ref: 00AE5BB0

_fprintf.LIBCMT ref: 00B00C29
OutputDebugStringW.KERNEL32(?), ref: 00B36331

Part of subcall function 00B04CDA: _flsall.LIBCMT ref: 00B04CF3

__setmode.LIBCMT ref: 00B00C5E

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 1f2f1f0095dcc4cec0dc7af73b04f314ecaf62ffca501c34fbc85307eeae5608
Instruction ID: 3e61ef3332ff1028db49140622369d58750dd1e2ea44ee2951adf2ba4813e04f
Opcode Fuzzy Hash: 1f2f1f0095dcc4cec0dc7af73b04f314ecaf62ffca501c34fbc85307eeae5608
Instruction Fuzzy Hash: 8A1136729042047EDB14B7B9AC83ABE7FE8DF45320F1441EAF204971E2DF605D819795

Function 00B51A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B51A97

Part of subcall function 00B51B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B51B40
Part of subcall function 00B51B21: InternetCloseHandle.WININET(00000000), ref: 00B51BDD

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: b43e1c6aff52642442f693a0874e3eaa08e656bb127c4622d487e7f96ef11153
Instruction ID: a3a54a688ea6424f55e61200a96e03b8c1890a1be87c9546922a447ff7c6a0a9
Opcode Fuzzy Hash: b43e1c6aff52642442f693a0874e3eaa08e656bb127c4622d487e7f96ef11153
Instruction Fuzzy Hash: 4721A135201601BFEB129F649C41FBAB7EDFF48702F14489AFE1196690EB71D8199BA0

Function 00B3E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00B3E1C4,?,?,?,00B3EFB7,00000000,000000EF,00000119,?,?), ref: 00B3F5BC
Part of subcall function 00B3F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00B3F5E2
Part of subcall function 00B3F5AD: lstrcmpiW.KERNEL32(00000000,?,00B3E1C4,?,?,?,00B3EFB7,00000000,000000EF,00000119,?,?), ref: 00B3F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00B3EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00B3E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 00B3E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,00B3EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00B3E237

Strings

cdecl, xrefs: 00B3E22E

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 1f3f17a48eedb3095a99f4deb378e8645b77d8b66a4a7e0b9129fc56638cf98b
Instruction ID: 2bc4aacc7403d0385bd6e70c2bd8d33622cdad797c3da4738d2b85682a56d787
Opcode Fuzzy Hash: 1f3f17a48eedb3095a99f4deb378e8645b77d8b66a4a7e0b9129fc56638cf98b
Instruction Fuzzy Hash: 25117C36200246EFCB25AF64DC45A7A77E9FF85350F50406AF816CB2A0EB71D85197A0

Function 00B15332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B15351

Part of subcall function 00B0594C: __FF_MSGBANNER.LIBCMT ref: 00B05963
Part of subcall function 00B0594C: __NMSG_WRITE.LIBCMT ref: 00B0596A
Part of subcall function 00B0594C: RtlAllocateHeap.NTDLL(00C30000,00000000,00000001,00000000,?,?,?,00B01013,?), ref: 00B0598F

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7327a4a365135e57d398200337be830b629918c0e995769377ed7aee2e484b06
Instruction ID: 112af60bd330b5efad37ce6e00cf22fd459141d7790801eed3403caa22541a62
Opcode Fuzzy Hash: 7327a4a365135e57d398200337be830b629918c0e995769377ed7aee2e484b06
Instruction Fuzzy Hash: 0F112B32404A05EFCB312F70BC4569D3BD8AF903E0B6046BAF456D71D0DFB48A809758

Function 00AE4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AE4560

Part of subcall function 00AE410D: _memset.LIBCMT ref: 00AE418D
Part of subcall function 00AE410D: _wcscpy.LIBCMT ref: 00AE41E1
Part of subcall function 00AE410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00AE41F1

KillTimer.USER32(?,00000001,?,?), ref: 00AE45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AE45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B1D6CE

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: a22c094a71bffb9a857dd9f64cb9b735a0d420ff7f236607b4c2a71ff02f3f79
Instruction ID: 1d676b0e8d2551e128f040a4480d117ad45372cf8ef2a53c8e0bf6c07f48f0f0
Opcode Fuzzy Hash: a22c094a71bffb9a857dd9f64cb9b735a0d420ff7f236607b4c2a71ff02f3f79
Instruction Fuzzy Hash: A521A4B0904794AFEB328B24DC95BFBBBEC9F05308F44009EE69E57281C7B45E849B51

Function 00B5667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B47B20,?,?,00000000), ref: 00AE5B8C
Part of subcall function 00AE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B47B20,?,?,00000000,?,?), ref: 00AE5BB0

gethostbyname.WSOCK32(?,?,?), ref: 00B566AC
WSAGetLastError.WSOCK32(00000000), ref: 00B566B7
_memmove.LIBCMT ref: 00B566E4
inet_ntoa.WSOCK32(?), ref: 00B566EF

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 319298e7f82e7b89aea2533dd5a977f9bca97ffafed963cb59b536d0e1666e5f
Instruction ID: 64dd76a0e3782dfd066717969bcbd9b1bac5394e83fe577d6b18dd5f16c94f9e
Opcode Fuzzy Hash: 319298e7f82e7b89aea2533dd5a977f9bca97ffafed963cb59b536d0e1666e5f
Instruction Fuzzy Hash: B8116035900509AFCB04EBA5EE86DEEB7B8EF48315B1440A5F906A71A1DF70AE04CB61

Function 00B39023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00B39043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B39055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B3906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B39086

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bc923fea257c710168e751a87ba1695bcd09334a65d7bc7396e3f2133814e421
Instruction ID: 8fc3c433ebc54917c623648ba786a58fc22c8dd28a37e6b77e695a42b272e342
Opcode Fuzzy Hash: bc923fea257c710168e751a87ba1695bcd09334a65d7bc7396e3f2133814e421
Instruction Fuzzy Hash: E5112E79901218FFDB11DFA5CD85EADBBB4FB48710F204095E904B7290D6716E50DB94

Function 00AE1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00AE2612: GetWindowLongW.USER32(?,000000EB), ref: 00AE2623

DefDlgProcW.USER32(?,00000020,?), ref: 00AE12D8
GetClientRect.USER32(?,?), ref: 00B1B84B
GetCursorPos.USER32(?), ref: 00B1B855
ScreenToClient.USER32(?,?), ref: 00B1B860

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: c551057a020ed67b37da770552268b385e9952fbd753f248f92bbf2dcde03965
Instruction ID: 7dca236a59ed3cc1f23b626d0ca23c5183f76a6a885bac5386e92b78f7bf8245
Opcode Fuzzy Hash: c551057a020ed67b37da770552268b385e9952fbd753f248f92bbf2dcde03965
Instruction Fuzzy Hash: AE11283590006AABCB00DF95DC859FE77B8FB05300F1004A6FA11E7150CB74BA528BA5

Function 00B41652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00B401FD,?,00B41250,?,00008000), ref: 00B4166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00B401FD,?,00B41250,?,00008000), ref: 00B41694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00B401FD,?,00B41250,?,00008000), ref: 00B4169E
Sleep.KERNEL32(?,?,?,?,?,?,?,00B401FD,?,00B41250,?,00008000), ref: 00B416D1

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 97ecf11aebee225ada30420e5eebcfe7d0a3e913fed1d9e86bf20e819e1efaa6
Instruction ID: 2470bcd13c9db3226db277cd06118e18992711576ec26db09e7a9d71b98418f0
Opcode Fuzzy Hash: 97ecf11aebee225ada30420e5eebcfe7d0a3e913fed1d9e86bf20e819e1efaa6
Instruction Fuzzy Hash: DB113031C0151DD7CF009FA9E984AFEBBB8FF09751F064495D940B6180CB749690AB95

Function 00B17207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00B1722B

Part of subcall function 00B17912: __fltout2.LIBCMT ref: 00B1793B

__cftog_l.LIBCMT ref: 00B17251
__cftoe_l.LIBCMT ref: 00B17283

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: fe5fb4c47473e8db816b6e24c9bac1773000a4dbbf5a8eff2f6a0eb9acdd3b5a
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 2501833208414ABBCF125E84DC41CEE3FB2FF2A350B948595FA1856031CA37C9B2AB81

Function 00B6B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B6B59E
ScreenToClient.USER32(?,?), ref: 00B6B5B6
ScreenToClient.USER32(?,?), ref: 00B6B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B6B5F5

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: d863e93303c86fded5daac16233debf2eb3440d871c0c93d8a33ecf736aac8c8
Instruction ID: 5469daecd0f32b4b52c115811a33fdc510cf178a81b6e4de7fc20f8cc5486d8f
Opcode Fuzzy Hash: d863e93303c86fded5daac16233debf2eb3440d871c0c93d8a33ecf736aac8c8
Instruction Fuzzy Hash: 331164B5D0020AEFDB01DF99D4449EEBBF9FB18310F104166E915E3260D775AA51CF50

Function 00B6B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B6B8FE
_memset.LIBCMT ref: 00B6B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00BA7F20,00BA7F64), ref: 00B6B93C
CloseHandle.KERNEL32 ref: 00B6B94E

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 226e37064d3f91b93836efc34057c3af7621d1bf81ff870883610c7d0ebba3b3
Instruction ID: c321da806bd86b548593c9d52f0d0291935c508b840ea67891ac81121196398c
Opcode Fuzzy Hash: 226e37064d3f91b93836efc34057c3af7621d1bf81ff870883610c7d0ebba3b3
Instruction Fuzzy Hash: 46F0F4B258C3957FE2106765AC4AF7B7ADCDB0A754F004061FA08D62D1EF765A1087A8

Function 00B46E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00B46E88

Part of subcall function 00B4794E: _memset.LIBCMT ref: 00B47983

_memmove.LIBCMT ref: 00B46EAB
_memset.LIBCMT ref: 00B46EB8
LeaveCriticalSection.KERNEL32(?), ref: 00B46EC8

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 8aee7bac81a3d7da60c96ed3a085a04e3d4ac3d46ddcf602f7d8e1b0b807fe88
Instruction ID: 1ee9e9d9cda023490a5d297dc34efa06e76e8be079eead73101bcf3e0c3cd3aa
Opcode Fuzzy Hash: 8aee7bac81a3d7da60c96ed3a085a04e3d4ac3d46ddcf602f7d8e1b0b807fe88
Instruction Fuzzy Hash: 57F0543A104210BBCF016F55EC85A59BB69EF45320B0480A1FE085F256CB75A911DBB4

Function 00B6C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00AE12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AE134D
Part of subcall function 00AE12F3: SelectObject.GDI32(?,00000000), ref: 00AE135C
Part of subcall function 00AE12F3: BeginPath.GDI32(?), ref: 00AE1373
Part of subcall function 00AE12F3: SelectObject.GDI32(?,00000000), ref: 00AE139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B6C030
LineTo.GDI32(00000000,?,?), ref: 00B6C03D
EndPath.GDI32(00000000), ref: 00B6C04D
StrokePath.GDI32(00000000), ref: 00B6C05B

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 87dd5e4ea60c584ce43e04515a6bf92906390de53dd9c60f8e54d2693575b98e
Instruction ID: 9c138d8a6a5b68d71202e8b7bd39d6b53cb24069aa7d9324d6f5c630ccfa64da
Opcode Fuzzy Hash: 87dd5e4ea60c584ce43e04515a6bf92906390de53dd9c60f8e54d2693575b98e
Instruction Fuzzy Hash: D6F0BE3100525ABBDB122F51AC0AFEE3F98AF06310F044011FA11620E28BBD0550CFE5

Function 00B3A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00B3A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B3A3AC
GetCurrentThreadId.KERNEL32 ref: 00B3A3B3
AttachThreadInput.USER32(00000000), ref: 00B3A3BA

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 23f85a4531b5114d610ee98d583248c7b770aab80b7d0b19688df76eb56a12c2
Instruction ID: 4831b1530dab8663f2a2af69dd35c73df4e941837471dcf4a978cdc3b79a2f3b
Opcode Fuzzy Hash: 23f85a4531b5114d610ee98d583248c7b770aab80b7d0b19688df76eb56a12c2
Instruction Fuzzy Hash: 6DE06D31141328BADB201FA2EC0CEE73F5CFF167A1F108034F508960A0CAB5C540CBA1

Function 00AE2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00AE2231
SetTextColor.GDI32(?,000000FF), ref: 00AE223B
SetBkMode.GDI32(?,00000001), ref: 00AE2250
GetStockObject.GDI32(00000005), ref: 00AE2258
GetWindowDC.USER32(?,00000000), ref: 00B1C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 00B1C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 00B1C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 00B1C112
GetPixel.GDI32(00000000,?,?), ref: 00B1C132
ReleaseDC.USER32(?,00000000), ref: 00B1C13D

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 6461151ac5600d5ceb7ce49ccd0f3668d6d1df2d92e1d8e4673b7049de0659f8
Instruction ID: 62099b0ac864c57e1cb30678e060175d441d1c896474889a5c17a75805b5b185
Opcode Fuzzy Hash: 6461151ac5600d5ceb7ce49ccd0f3668d6d1df2d92e1d8e4673b7049de0659f8
Instruction Fuzzy Hash: 64E06D32544245EBDB215FA4FC0D7E83F14EB16336F0083A6FA69A80E18BB549D0DB12

Function 00B38C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00B38C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,00B3882E), ref: 00B38C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00B3882E), ref: 00B38C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,00B3882E), ref: 00B38C7E

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 65e9f77b6a9c837475c206f7388a6f7ee90331d58d0f23ecd5d7cdd13d7d7572
Instruction ID: 41b6713dcfddffc9a6167eb5e948d4a17ba9ad3c924ae016129747b7e868d4ec
Opcode Fuzzy Hash: 65e9f77b6a9c837475c206f7388a6f7ee90331d58d0f23ecd5d7cdd13d7d7572
Instruction Fuzzy Hash: D1E04F36646312ABD7205FB07D0CB663BA8EF50792F244868F245CA080DE7894418B61

Function 00B22187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B22187
GetDC.USER32(00000000), ref: 00B22191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B221B1
ReleaseDC.USER32(?), ref: 00B221D2

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 64e4e960941807193e2a4d32d4bb2c56de005708e66fcebfa82327f7720efdcd
Instruction ID: b6539ec16c0addbb4f24641ee44c5a45fa22a89c1565e96ccb77cd38874ad740
Opcode Fuzzy Hash: 64e4e960941807193e2a4d32d4bb2c56de005708e66fcebfa82327f7720efdcd
Instruction Fuzzy Hash: A7E0E5B5800215EFDB019F61E808AAD7BF1FF4C351F108425F95AE72A0CBB88142DF40

Function 00B2219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B2219B
GetDC.USER32(00000000), ref: 00B221A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B221B1
ReleaseDC.USER32(?), ref: 00B221D2

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f8c7a4aaf6c8d6949149aa8c77ec17225598578ba935ae80973667c85c24399f
Instruction ID: c202ec543e5c8a45960fa228de9be8c94c1115524db7aecdcd6631b303d5c74b
Opcode Fuzzy Hash: f8c7a4aaf6c8d6949149aa8c77ec17225598578ba935ae80973667c85c24399f
Instruction Fuzzy Hash: 98E0E5B5800205AFCB019F61E8086AD7BB1BB4C351F108025F95A972A0CBB89142DF40

Function 00B3B7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00B3B981

Strings

AutoIt3GUI, xrefs: 00B3B8F9
Container, xrefs: 00B3B8FE

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 2825126e1cf55ba01f695ed5059f24d7d9d54c5f51e670a32e96375966e0bde9
Instruction ID: 0e7a6a1646860f60caead7d8de122ba6a993dfd48ceece76da493eb32b21c17a
Opcode Fuzzy Hash: 2825126e1cf55ba01f695ed5059f24d7d9d54c5f51e670a32e96375966e0bde9
Instruction Fuzzy Hash: 75914C706006019FDB64DF68C884F66BBE9FF48710F2485ADFA49CB695DB70E841CB50

Function 00B4B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00AFFEC6: _wcscpy.LIBCMT ref: 00AFFEE9

Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C

__wcsnicmp.LIBCMT ref: 00B4B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00B4B361

Strings

LPT, xrefs: 00B4B292

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 0bc9fa6b312ea8421aef66cc1dd1eb656a422401e20f236f793392e5e24f0a21
Instruction ID: bedd92bc4a63c909dbe5f33f5a2317176b076f0c52a01ea8e2cda5db80e5c791
Opcode Fuzzy Hash: 0bc9fa6b312ea8421aef66cc1dd1eb656a422401e20f236f793392e5e24f0a21
Instruction Fuzzy Hash: FA615175A00215AFCB14DF99C985EAEB7F4EF08310F1540AAFA46AB291DB70EE40DB54

Function 00AF2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00AF2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00AF2AE1

Strings

@, xrefs: 00AF2AD5

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 922fdfe5e37ad1e4c08fce7d504b4b2388abc231e82c1eae9a4717f44150d183
Instruction ID: 2082879b3d17b2096268a0232eeb0e053c0b79d56db875d79dfdf97c76c6bcf5
Opcode Fuzzy Hash: 922fdfe5e37ad1e4c08fce7d504b4b2388abc231e82c1eae9a4717f44150d183
Instruction Fuzzy Hash: D25149B14187859BD320AF15DD86BAFBBE8FF84310F82485DF1D9521A1DF308929CB16

Function 00B499BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00AE506B: __fread_nolock.LIBCMT ref: 00AE5089

_wcscmp.LIBCMT ref: 00B49AAE
_wcscmp.LIBCMT ref: 00B49AC1

Strings

FILE, xrefs: 00B499FA

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 256946da5479d424fe5ba4cab19d12b4088f0c62082dd4a10dd6338433069638
Instruction ID: ddbe1e93ec4ecbc76577c4b40e80adbde957c20130feb9638dd54ff39461483b
Opcode Fuzzy Hash: 256946da5479d424fe5ba4cab19d12b4088f0c62082dd4a10dd6338433069638
Instruction Fuzzy Hash: 3D41F471A00609BEDF219EA1DC86FEFBBFDDF45714F0000B9F900A7181DA75AA0497A1

Function 00B52882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B52892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00B528C8

Strings

|, xrefs: 00B52899

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 9b4875ba153317725ee296984fe8983d2ac34013e57a0cbc6a206b562c7901ad
Instruction ID: c5f4a409dc829da2c195a203fbf71b3b1b94271aeead000487d0560d3fd6849b
Opcode Fuzzy Hash: 9b4875ba153317725ee296984fe8983d2ac34013e57a0cbc6a206b562c7901ad
Instruction Fuzzy Hash: DA313D71801119AFCF41DFA1DC85EEEBFB9FF19300F1040A9F815A6265DB315A56DBA0

Function 00B66CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00B66D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B66DC2

Strings

static, xrefs: 00B66D22

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: b17a39037d1b7d3b327ff2f5cf3ad13f1f4bded4ccd471bb5b6106463da6e73a
Instruction ID: e87b91654631e855bd4825c5aa2c2882d4f7fc3323ba5b9d7472c65446517fab
Opcode Fuzzy Hash: b17a39037d1b7d3b327ff2f5cf3ad13f1f4bded4ccd471bb5b6106463da6e73a
Instruction Fuzzy Hash: 26317C71210604AADB109F68DC80AFB77F9FF48760F109629F9A697190DA75AC91CB60

Function 00B42D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B42E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B42E3B

Strings

0, xrefs: 00B42DF9

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: a3ee461a952230715bc6d9eda88fedaac6f65c5d2842283d33ad466babee5d00
Instruction ID: 9fe83fb8fab37f76b50367cafd4915ab7c2299bbbf1a6cfaec8eff86dc1e98b7
Opcode Fuzzy Hash: a3ee461a952230715bc6d9eda88fedaac6f65c5d2842283d33ad466babee5d00
Instruction Fuzzy Hash: EE31C131A40309ABEB248F58D985BAEBBF9EF05350F5404AAF985971A0E7709B44FB50

Function 00B66943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B669D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B669DB

Strings

Combobox, xrefs: 00B6699D

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 671cb55c6015d38bfeea34e26626b72b1bbbac11228722a125e78fd1f894bd85
Instruction ID: 7f6fc428091b7a5600a94b3a91c83ff440e011d1c99abd2ba8fda6a3755bea01
Opcode Fuzzy Hash: 671cb55c6015d38bfeea34e26626b72b1bbbac11228722a125e78fd1f894bd85
Instruction Fuzzy Hash: F511C4717002097FEF159F64DC80EBB3BAAEB893A4F110264FD58972E0D6799C518BA0

Function 00B66E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00AE1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AE1D73
Part of subcall function 00AE1D35: GetStockObject.GDI32(00000011), ref: 00AE1D87
Part of subcall function 00AE1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AE1D91

GetWindowRect.USER32(00000000,?), ref: 00B66EE0
GetSysColor.USER32(00000012), ref: 00B66EFA

Strings

static, xrefs: 00B66EBD

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: aae94415ea6e66fe12c9fba52bac4f5afefc2ba481ffacbf4ecd74d8161678b6
Instruction ID: aadbabd5d6da0e13758371033dba13cd84f5d9250ba778b6bb728e915130f3a5
Opcode Fuzzy Hash: aae94415ea6e66fe12c9fba52bac4f5afefc2ba481ffacbf4ecd74d8161678b6
Instruction Fuzzy Hash: 7A21597261020AAFDB04DFA8DD45AFA7BF8FB08314F004668FD55D3250D679E861DB50

Function 00B66B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00B66C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B66C20

Strings

edit, xrefs: 00B66BF5

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 895a53f7998769b41c45bacbb7c8f32f664b5db78ef162d5a1edbfc8f7a206e2
Instruction ID: 570cf79158325f34edfd7529e8b008eef4851eedf3108bf912e1ca2054c251a8
Opcode Fuzzy Hash: 895a53f7998769b41c45bacbb7c8f32f664b5db78ef162d5a1edbfc8f7a206e2
Instruction Fuzzy Hash: 11116A71505208ABEB108F64DC82ABA37AAEB15368F244764F961D71E0CA79DC919B60

Function 00B42E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B42F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00B42F30

Strings

0, xrefs: 00B42F07

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 273289b46692830742115d01fed412ec55924967f182d360a0348a47ff59a5fc
Instruction ID: 334fc44396cf795accab6e73ab4fe403e296ff41d6afaab1d27c0a8276e55573
Opcode Fuzzy Hash: 273289b46692830742115d01fed412ec55924967f182d360a0348a47ff59a5fc
Instruction Fuzzy Hash: 1C11B672901124ABDF21DB98DC84BAD77F9EB15310F9800E5F855A72A0DBB0AF08F791

Function 00B524CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B52520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B52549

Strings

<local>, xrefs: 00B52511

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: bbbce9a2b9e3289eee72325cd8b9361daa1bd9d6bc19b3d7c528987c26e54532
Instruction ID: 79b9d5fdcebce600d659c904d664c863e1c1d2c05d40a5fc0914849051f3f3b0
Opcode Fuzzy Hash: bbbce9a2b9e3289eee72325cd8b9361daa1bd9d6bc19b3d7c528987c26e54532
Instruction Fuzzy Hash: 5711E070102225BADB248F519CD9FBBFFE8FB27352F1081EAFE4542140E2706949DAE0

Function 00B580A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B5830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00B580C8,?,00000000,?,?), ref: 00B58322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B580CB
htons.WSOCK32(00000000,?,00000000), ref: 00B58108

Strings

255.255.255.255, xrefs: 00B580E3

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: c95d620326fce9beeef0ccf47fea4870421c67ec61aac0df6244c61ce7dcd0e1
Instruction ID: 4c621c1ea0fea3624a5f0893c0b1e5773da116e8c04bfa468d4f4d041022b28f
Opcode Fuzzy Hash: c95d620326fce9beeef0ccf47fea4870421c67ec61aac0df6244c61ce7dcd0e1
Instruction Fuzzy Hash: 3611A135600245ABDB20AF64DC86FBDB3B4FF04321F2085AAFD11A72D1DE72A819C795

Function 00B392E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82

Part of subcall function 00B3B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00B3B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00B39355

Strings

ListBox, xrefs: 00B3931F
ComboBox, xrefs: 00B392F4

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: cbc75ad07dc99693ee478ec5e2a4758b86fd7adfb0611b35c21fc82703934d86
Instruction ID: 7e3bcba3b4d17327d6fc52ec1ddae1a39ff5489aec9575d16c514ca43d47a3c1
Opcode Fuzzy Hash: cbc75ad07dc99693ee478ec5e2a4758b86fd7adfb0611b35c21fc82703934d86
Instruction Fuzzy Hash: C501B571A45215ABCB04EB65CC91CFE77A9FF46320F240699F932572D1DB715908C650

Function 00B391DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82

Part of subcall function 00B3B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00B3B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00B3924D

Strings

ListBox, xrefs: 00B39217
ComboBox, xrefs: 00B391EC

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 474dd245255b7b3a9fee5d26dae318c9eb763f810572af9b43ce036b1429c730
Instruction ID: 1f5c117b689f76b41f67fb583360d695de1d62f36a8d25890bd9cd0c57d3285c
Opcode Fuzzy Hash: 474dd245255b7b3a9fee5d26dae318c9eb763f810572af9b43ce036b1429c730
Instruction Fuzzy Hash: ED018F71A412087BCB08EBA4CD96EFFB3E8DF55340F2400A9B91267291EA556E0C96B1

Function 00B39264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82

Part of subcall function 00B3B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00B3B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00B392D0

Strings

ListBox, xrefs: 00B3929C
ComboBox, xrefs: 00B39271

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 4879e2b8bb61a344a218bc9710775802df280255a40efbc9ba5e5ea59b15638c
Instruction ID: 96cc6b11af0780454d8571619ba5fffc2e3076f0a4e7e0d0303a09751626b0b9
Opcode Fuzzy Hash: 4879e2b8bb61a344a218bc9710775802df280255a40efbc9ba5e5ea59b15638c
Instruction Fuzzy Hash: 5E01A271A4120877CF04EAA4CD82EFF77EC9F15340F2401A9B91267292DA615E0C9671

Function 00B451CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00B451E8
_wcscmp.LIBCMT ref: 00B451FA

Strings

#32770, xrefs: 00B451F4

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: e57923a28512d69b57fdd99977d6b00f60d979643c794481b5b7b1f448591503
Instruction ID: e492041353e4fdbba2a464c05348b55abf9f9247d518ef7037518ec6cf8ef9f2
Opcode Fuzzy Hash: e57923a28512d69b57fdd99977d6b00f60d979643c794481b5b7b1f448591503
Instruction Fuzzy Hash: 9CE0D17390422D27D7209B95AC49FA7F7ECEB55B71F0001A7FD14D3051D9609E4587E1

Function 00B381BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00B381CA

Part of subcall function 00B03598: _doexit.LIBCMT ref: 00B035A2

Strings

Error allocating memory., xrefs: 00B381C3
AutoIt, xrefs: 00B381BE

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: a0569d8aecebfa061c4070b858c303c3e9f1bf475da1c7f1e0e2d697e8aef96f
Instruction ID: 7d8c7fa156a02f907410adc4325da2c0bef817c5162615d7fc485980dfae809f
Opcode Fuzzy Hash: a0569d8aecebfa061c4070b858c303c3e9f1bf475da1c7f1e0e2d697e8aef96f
Instruction Fuzzy Hash: E8D02B323C431832D21532FD6D0BFC539CC8B09F51F0044A6FB48551E38DD5488142ED

Function 00B1B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B1B564: _memset.LIBCMT ref: 00B1B571

Part of subcall function 00B00B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B1B540,?,?,?,00AE100A), ref: 00B00B89

IsDebuggerPresent.KERNEL32(?,?,?,00AE100A), ref: 00B1B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00AE100A), ref: 00B1B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B1B54E

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 96adb746af73d0b8a2eb18eecec5b122b3fc9eb2359d956c44fad6ec30538e79
Instruction ID: eeb4c698504525d8501b881fc3eee881b90a41a0d6df7b6da5c541e3e16300e9
Opcode Fuzzy Hash: 96adb746af73d0b8a2eb18eecec5b122b3fc9eb2359d956c44fad6ec30538e79
Instruction Fuzzy Hash: 69E06DB16103528BD720EF28E414B827BE0EB14705F0489ACE446C36A0DBB8D484CBA1

Function 00B65BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B65BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B65C08

Part of subcall function 00B454E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B4555E

Strings

Shell_TrayWnd, xrefs: 00B65BEE

Memory Dump Source

Source File: 00000000.00000002.2000294492.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.2000276077.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000341533.0000000000B95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000379055.0000000000B9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000393054.0000000000BA8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_2aFb7hE00o.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a1e60799c2aa156950cb52674a4f56d1717c764798da19ce13e87465eaaf32d4
Instruction ID: e0f7930928e1317cba0b2b025edc9d1eb614a62f879d42a09bcf58b791131a06
Opcode Fuzzy Hash: a1e60799c2aa156950cb52674a4f56d1717c764798da19ce13e87465eaaf32d4
Instruction Fuzzy Hash: A7D0A931388312B7E774AB30BC0BFA32A50AB00B00F000835B306AA1E1CCE85800C240

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2aFb7hE00o.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut4A8E.tmp

C:\Users\user\AppData\Local\Temp\aut4ADE.tmp

C:\Users\user\AppData\Local\Temp\beeish

C:\Users\user\AppData\Local\Temp\unnervousness

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
2aFb7hE00o.exe

Function 00AE3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00AE4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00AE4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00B493DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00AE3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 00AE3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00AE71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00AE3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00AE3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00AE3778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 00C12660 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00AE39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00C12410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150
fileCOMMON

Function 00AE410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 00B0564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre